I'd rather use IPsec than SSH to connect to routers, or to a secure gateway and then to routers. The flaw history of IPsec is much better than that of SSH, and IPsec can easily be used to move files with FTP or TFTP (does your router/client support SCP? SFTP?)...

Unfortunately, IOS costs more to have IPsec.

Rubens

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 07, 2004 7:39 AM
Subject: SSH on the router - was( IT security people sleep well)

>
> > complaining that cisco charges extra for such a critical component is
> > exactly the right thing to do; it is fucking scary.
> >
> > every damn network device which used to have telnet should ship with
> > ssh, it's free.
>
> Why?
>
> The typical network architecture of an ISP sees routers located in
> large clusters in a PoP or on a customer's site directly connected
> to a PoP. Since it is dead simple to place a 1U Linux box or similar
> SPARC server in a PoP to act as a secure gateway, why should router
> vendors encourage laziness and sloppiness? IMHO routers should not
> have SSH at all and should not accept any packets directed to them
> unless they are coming from a small set of known addresses on the
> network operator's management network.
>
> Once you open the router to SSH from arbitrary locations on the
> Internet you also open the router to DDoS from arbitrary locations and
> to attacks from people with inside info (SSH keys stolen or otherwise).
>
> It makes more sense to funnel everything through secure gateways and
> then use SSH as a second level of security to allow staff to connect
> to the secure gateways from the Internet. Of course these secure
> gateways are more than just security proxies; they can also contain
> diagnostic tools, auditing functions, scripting capability, etc.
>
> Now there is nothing fundamentally wrong with ADDING to that type
> of architecture by enabling SSH between the routers and the security
> gateways. But I believe that it is fundamentally wrong to consider
> SSH on the router to be equivalent to opening the router to any staff
> member, anytime, anywhere on the Internet. There are still possible
> man-in-the-middle attacks that cannot be protected against by SSH.
>
> Consider the case of a staff member lounging in the backyard on a
> lazy Saturday afternoon with their iBook. They have an 802.11 wireless
> LAN at home, so they telnet to their Linux box in the kitchen and run
> SSH to the router. Oops!
>
> The only way to protect against that sort of situation is to encourage
> everyone to be security-minded and not take risks where the network is
> concerned. Funneling all access to routers through a secure gateway is
> part of that security-mindedness and is just plain good practice.
>
> --Michael Dillon
>
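As an added example (not code from either poster), here is a small Python audit of the vty configuration Michael Dillon argues for: the router should accept management sessions only over SSH and only from a small set of management addresses, with everything else funneled through the secure gateway. The weak and hardened IOS-style stanzas are constructed for this example, the management prefix 192.0.2.0/24 is an assumption, and only named standard ACLs in address/wildcard syntax are parsed (extended ACLs and IPv6 are out of scope).

```python
"""Audit IOS-style 'line vty' stanzas for SSH-only, management-net-only access.

Added example. The configs below are constructed, not taken from a real router;
the management network 192.0.2.0/24 is an assumed value (RFC 5737 documentation
prefix). Only named standard ACLs with address/wildcard entries are understood.
"""
import ipaddress
import re

# Assumed management network(s) from which router logins are allowed.
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed "before": telnet still enabled, reachable from anywhere.
WEAK_CONFIG = """\
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed "after": SSH only, and only from the management network.
HARDENED_CONFIG = """\
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login local
"""


def parse_stanzas(config):
    """Group an IOS-style config into (header, [indented body lines]) stanzas."""
    stanzas = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if stanzas:
                stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address + wildcard mask into an ip_network (ValueError if non-contiguous)."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def acl_permits(config):
    """Return {acl_name: [network | 'any', ...]} for each named standard ACL's permit entries."""
    acls = {}
    for header, body in parse_stanzas(config):
        m = re.match(r"ip access-list standard (\S+)", header)
        if not m:
            continue
        entries = []
        for entry in body:
            parts = entry.split()
            if parts[0] != "permit":
                continue  # deny entries cannot widen access; skip them
            if parts[1] == "any":
                entries.append("any")
            elif parts[1] == "host":
                entries.append(ipaddress.ip_network(parts[2] + "/32"))
            elif len(parts) >= 3:
                try:
                    entries.append(wildcard_to_network(parts[1], parts[2]))
                except ValueError:
                    entries.append("any")  # non-contiguous wildcard: cannot bound it, treat as open
            else:
                entries.append(ipaddress.ip_network(parts[1] + "/32"))
        acls[m.group(1)] = entries
    return acls


def audit_vty(config, mgmt_nets=MGMT_NETS):
    """Return a list of findings; empty means every vty line is SSH-only and
    reachable only from the given management networks."""
    findings = []
    acls = acl_permits(config)
    for header, body in parse_stanzas(config):
        if not header.startswith("line vty"):
            continue
        transport = next((l.split()[2:] for l in body if l.startswith("transport input")), None)
        if transport is None:
            findings.append(f"{header}: no explicit 'transport input ssh'")
        elif transport != ["ssh"]:
            findings.append(f"{header}: transport input {' '.join(transport)} (only ssh should be allowed)")
        ac = next((l.split() for l in body if l.startswith("access-class")), None)
        if ac is None or len(ac) < 3 or ac[2] != "in":
            findings.append(f"{header}: no inbound access-class, logins accepted from any source")
            continue
        name = ac[1]
        if name not in acls:
            findings.append(f"{header}: access-class {name} references an undefined ACL")
            continue
        for entry in acls[name]:
            if entry == "any" or not any(entry.subnet_of(n) for n in mgmt_nets):
                findings.append(f"{header}: ACL {name} permits {entry}, outside the management network")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_vty(cfg) or "OK")
```

One caveat a practitioner will want: an inbound access-class on the vty lines only governs terminal logins. The "should not accept any packets directed to them" part of the argument (the DDoS exposure) needs an interface ACL or control-plane policy in front of the router as well, which this audit does not check.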