I guess I should have expected this by positing that plaintext isn't
necessarily bad. ;)

Let me put things into some perspective, first - I administer many edge
routers. Most of them don't support SSH. For low-threat ones I have strong
passwords and only allow access from designated IP blocks. My key threat
model is a compromised LAN segment in one of the transit ISPs or carriers
between me and the customers. Most routers will not let you get packet
_bodies_ out of them without hard work. This is ignoring the issue of how
amazingly _hard_ it would be to sniff a core bearer in a telco - think about
the volume for a second. You'd almost certainly need to actually be there.

This is where I was coming from with my "Telnet not always bad" comments. Of
course a number of people jumped on me about DMZ boxen being administered
and the risks involved with cleartext administration of _them_. Quite
reasonably, I might add - which got me to thinking.

Assume that we have a DMZ, and it's like this:
[gateway] -- DMZ -- [FW] -- [Trusted]
(The sort that Mike doesn't like)

Exactly how bad is telnet administration of a box in this DMZ? We assume
that another box in the DMZ is compromised (needs to happen for sniffing to
work).

If I owned this putative DMZ box, I'd go straight for the session hijacking.
Given that I've now got access to the wire I can (fairly) trivially hijack
any TCP session into or out of the trusted network. That's likely to be much
more interesting to me than compromising another DMZ box by running a
sniffer. Besides, with full access to the wire I've got a raft of possible
hacks available to me - I don't necessarily need a password.

So, if people have complete control over your DMZ boxes it's very bad. The
fact that in the event of such a compromise cleartext administration turns
out to be easy picking is the least of one's worries.

What I'm really saying here is that I think the biggest risk with cleartext
administration is still en-route compromise. I think of that threat as
requiring the compromise of a carrier or an ISP. We can't always assume that
small, random ISPs will not become transit networks, but it's fairly likely
that you can work out which telcos / carriers your data will traverse. It's
then a matter of how much you trust their networks. That's the risk I weigh
when I decide whether cleartext is "good enough".

For high threat sites, it's not good enough. If encryption is an easy option
that doesn't cost a lot of money - then sure, it's a no brainer. However if
I need to install / secure / administer yet another box to provide me with
an encrypted gateway into the network for admin work then I weigh the risks.

Have I lost it? Am I way off-base here?

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
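As a defender's footnote to the hijacking point in the post above, here is a small detector (an added example, not part of Ben's message or any product) that runs over a constructed packet trace and flags three things a compromised DMZ host on the wire leaves behind: a cleartext management session, a changing IP TTL from what claims to be the same peer, and the run of out-of-sync pure ACKs that a hijacked TCP session produces. The Pkt fields, hosts, port list, threshold and the trace itself are all constructed for this example.

```python
from collections import defaultdict, namedtuple

# src, dst, ports, IP TTL, TCP seq/ack and payload length (0 = pure ACK)
Pkt = namedtuple("Pkt", "src dst sport dport ttl seq ack plen")
CLEARTEXT_MGMT_PORTS = {23}  # telnet, the cleartext admin protocol discussed

def flow_key(p):
    """Direction-independent key so both halves of a session share state."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def analyse(packets, storm_threshold=4):
    """Return {flow: set(findings)} for Pkt objects in capture order."""
    ttls = defaultdict(lambda: defaultdict(set))  # flow -> sender -> TTLs seen
    hi_seq = {}                # (flow, sender) -> highest seq+payload seen
    desync = defaultdict(int)  # pure ACKs that disagree with tracked state
    findings = defaultdict(set)
    for p in packets:
        k = flow_key(p)
        if {p.sport, p.dport} & CLEARTEXT_MGMT_PORTS:
            findings[k].add("cleartext-mgmt")
        # A segment forged by another host on the path normally arrives with
        # a different hop count than the real peer's segments.
        ttls[k][p.src].add(p.ttl)
        if len(ttls[k][p.src]) > 1:
            findings[k].add("ttl-change")
        own_next, peer_next = hi_seq.get((k, p.src)), hi_seq.get((k, p.dst))
        # After an injection the real sender's seq lags what its peer has
        # acked, so the two keep exchanging pure ACKs that never line up.
        if p.plen == 0 and ((own_next is not None and p.seq < own_next)
                            or (peer_next is not None and p.ack != peer_next)):
            desync[k] += 1
            if desync[k] >= storm_threshold:
                findings[k].add("ack-storm")
        hi_seq[(k, p.src)] = max(own_next or 0, p.seq + p.plen)
    return dict(findings)

def sample_trace():
    """Constructed trace: a telnet session C->S, then a segment forged as C
    by a third host on the DMZ wire (TTL 57) and the ACK storm it leaves."""
    C, S = "10.0.0.5", "192.0.2.10"
    c = lambda seq, ack, plen, ttl=64: Pkt(C, S, 40000, 23, ttl, seq, ack, plen)
    s = lambda seq, ack, plen: Pkt(S, C, 23, 40000, 60, seq, ack, plen)
    trace = [c(1000, 5000, 10), s(5000, 1010, 20), c(1010, 5020, 0),
             c(1010, 5020, 30, ttl=57),  # forged: C's seq, attacker's hop count
             s(5020, 1040, 40)]          # S answers the forged command
    for _ in range(4):                   # real C and S now disagree on C's seq
        trace += [c(1010, 5060, 0), s(5060, 1040, 0)]
    return trace
```

On the full trace the flow is reported with all three findings; the first three packets alone only trip the cleartext-management check, which is the point of the post: the telnet session is the visible symptom, the wire access is the real problem.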