> -----Original Message-----
> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Kevin Oberman
> Sent: Sunday, April 03, 2011 7:50 PM
>
> 1. Limit access to the ssh port to trusted hosts, preferably tightly
> controlled hosts that are dedicated to acting as bastions. No extra
> services running that might open vulnerabilities!
>
> 2. No passwords! Even if rules for 'good' passwords are followed,
> passwords are not nearly as strong as good crypto keys. (Yes, I know
> about the Debian issue! That was so incredibly stupid that it still
> boggles my mind! I doubt that any Unix distro will ever do anything so
> incomprehensibly stupid again, but it's unwise to assume stupidity is
> growing less common. If in doubt, run openssh directly from
> openssh.org. They KNOW what they are doing!)
>
> 3. Require two-factor systems to further control access. We use
> SmartCard tokens to create and store the private keys. When working
> properly, it is not possible to get the private key off of the token,
> and modern openssh contains support for PKCS11 which will work with
> SmartCards, though finding tokens that work with Unix in the US is a
> problem.
>
> This sort of control is vastly superior to playing games with the ssh
> port, by which smart hackers will only be mildly disturbed.
While I completely agree with all of the points, there is such a thing as taking things too far... to the point where security actually becomes an encumbrance and hinders normal operations... I once worked for an employer that had the most bizarre and overly complex process for accessing devices - they required everyone to log into a VPN Concentrator (regardless of being remote or at the corporate location). From there they required SSHing into jumphosts, and then finally from the jumphost you could SSH into your given device. The VPN, jumphosts, and the end-devices were all using two-factor authentication (SecureID). While this represented probably one of the most secure environments I've ever worked in, logging into multiple devices during firedrills was a real PITA to say the least...

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB4C956EC

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
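As an added example (not from the thread or either poster), a small Python audit that checks an sshd_config text against points 1 and 2 of the quoted message: no password or challenge-response logins, keys required, and an AllowUsers/AllowGroups restriction to the bastion hosts. The two sample configs, user names and 192.0.2.x addresses are constructed for the example.

```python
"""Audit sshd_config text for key-only, bastion-restricted access (constructed example)."""
import re
from typing import Dict, List

# Constructed samples: a permissive daemon config and a hardened one.
WEAK_CONFIG = """
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
"""

HARDENED_CONFIG = """
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
# only the dedicated bastions (hypothetical addresses) may log in
AllowUsers netops@192.0.2.10 netops@192.0.2.11
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map lowercased keyword -> value for global directives.

    sshd uses the first value it sees for a keyword, so setdefault() keeps
    the first occurrence. Parsing stops at the first Match block, whose
    conditional overrides are out of scope for this global check.
    """
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        cfg.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return cfg


def audit(text: str) -> List[str]:
    """Return findings; defaults mirror OpenSSH's when a keyword is absent."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication enabled (default yes): set it to no")
    if cfg.get("challengeresponseauthentication", "yes") != "no":
        findings.append("ChallengeResponseAuthentication enabled (default yes): PAM password prompts still possible")
    if cfg.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication disabled: key (or PKCS11 token) logins impossible")
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root accepts passwords")
    if not ("allowusers" in cfg or "allowgroups" in cfg):
        findings.append("no AllowUsers/AllowGroups: pair a user@bastion restriction with a host firewall")
    return findings
```

The AllowUsers check only sees the daemon's own restriction; a packet filter limiting TCP/22 to the bastions is still needed for point 1.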