RE: IT security people sleep well

2004-06-08 Thread Jason Frisvold
On Mon, 2004-06-07 at 23:06, Edward B. Dreger wrote:
> Dynamic linking might be cheating.  Static linking might be
> pessimistic.  Probably best to compare BSD "crunchgen" images
> with and without ssh/sshd.  (2MB total for statically-linked ssh
> and sshd as I compile it.)

Ooops.. forgot that bit :)

> You haven't lived life to its fullest until you need to load a
> boot image remotely via YModem. ;)

Been there, Done that..  Is there a T-Shirt?  :)

> Eddy

-- 
Jason H. Frisvold
PenTeleData




Re: IT security people sleep well

2004-06-08 Thread Henning Brauer

* Stephen Sprunk <[EMAIL PROTECTED]> [2004-06-08 13:05]:
> Thus spake "Henning Brauer" <[EMAIL PROTECTED]>
> > You lose nothing with using ssh instead of telnet.
> > You win a lot.
> You lose money and time because you have to license more expensive code,
> upgrade RAM and flash to handle larger images

this, again, is an exclusive cisco problem. blame them.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: IT security people sleep well

2004-06-07 Thread Suresh Ramasubramanian
Adrian Chadd wrote:
> A friend of mine here at uni wrote a much, much smaller sshd replacement
> he calls "dropbear". It's much, much smaller than sshd. Much smaller.
> http://matt.ucc.asn.au/dropbear/dropbear.html
> I think it's very very cute. Perhaps some vendors with small memory
> footprints would consider implementing this kind of tiny sshd?
Several third party firmwares for the linksys wrt54g wireless AP + 
"router" (which, of course, is owned by brand C) implement sshd using 
dropbear. For example, the ones at sveasoft, and at h.vu.wifi-box.net

srs
--
suresh ramasubramanian [EMAIL PROTECTED] gpg EDEDEFB9
manager, security and antispam operations, outblaze ltd


Re: IT security people sleep well

2004-06-07 Thread Valdis . Kletnieks
On Mon, 07 Jun 2004 20:15:49 PDT, Randy Bush said:

> do you trust YOURSELF not to?  of course, i have never made such
> a mistake [sounds of flying pigs from stage roof].

I'd like to plead the 5th on the grounds that it took me 3 hours to realize
it was the Foundry switch that was misconfigured, and not the PC that the
other PC was complaining about? ;)




Re: IT security people sleep well

2004-06-07 Thread Adrian Chadd

On Tue, Jun 08, 2004, Edward B. Dreger wrote:
> 
> JF> Date: Mon, 7 Jun 2004 22:31:59 -0400
> JF> From: Jason Frisvold
> 
> JF> I don't see why they can't roll it into every ios that runs
> JF> on a router capable of ssh.  Ssh and sshd on my linux system
> JF> barely break 500k compiled... And there's a TON of
> JF> functionality in there that isn't required on a router.  It
> JF> would seem that you could get ssh put into these code trains
> JF> in under 500k ...
> 
> Dynamic linking might be cheating.  Static linking might be
> pessimistic.  Probably best to compare BSD "crunchgen" images
> with and without ssh/sshd.  (2MB total for statically-linked ssh
> and sshd as I compile it.)

A friend of mine here at uni wrote a much, much smaller sshd replacement
he calls "dropbear". It's much, much smaller than sshd. Much smaller.

http://matt.ucc.asn.au/dropbear/dropbear.html

I think it's very very cute. Perhaps some vendors with small memory
footprints would consider implementing this kind of tiny sshd?


Adrian


-- 
Adrian Chadd            I'm only a fanboy if
<[EMAIL PROTECTED]>     I emailed Wesley Crusher.


Re: IT security people sleep well

2004-06-07 Thread Randy Bush

> Do you trust every person you work with to not maliciously snarf
> packets *and* to not accidentally route all those cleartext
> packets out the wrong interface at the wrong time?

do you trust YOURSELF not to?  of course, i have never made such
a mistake [sounds of flying pigs from stage roof].

randy



RE: IT security people sleep well

2004-06-07 Thread Michel Py

> [EMAIL PROTECTED] wrote:
> OK.. Say you can get it into the code train for 200K. What do
> you do with all those routers that have only 100K or 125K of
> space left in the flash (if that), and the flash is NOT going
> to get any bigger without massive abuse of a soldering iron

Being one of those who have massively abused the soldering iron (I run
12.2T on a 3102 and I _do_ plan on running it on an IGS) the fact of the
matter is that these days are gone. On my all-mighty home router
(7507/RSP2) I have 64 _megs_ of flash that cost me a mere 20 bucks at
Fry's and 128 megs of RAM that cost me $0 because I scrounged them from
an old server. The RSP2 does not support el-cheapo digital camera flash?
That's true, it's not in the list of approved memory. Nevertheless :-D

cisco7507#sh diagbus
Slot 2:
EEPROM format version 1
Route/Switch Processor 2, HW rev 1.02, board revision F0
Flags: cisco 7000 board; 7500 compatible
cisco7507#sh ver
cisco RSP2 (R4700) processor with 131072K/2072K bytes of memory.
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
64000K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).

In modern environments, I have to admit that 2500s are a tough call but
I will also point out that a 2600 goes for near-to-nothing on eBay, and
even when you re-license IOS and upgrade it still costs near-to-nothing.

For the enjoyment of Nanog readers, the following links display what you
should _not_ do if you don't want to void the warranty on your brand new
Cisco 3102 (it was before I decided to run 12.2(T) on it, more soldering
has happened since).

Michel.

http://arneill-py.sacramento.ca.us/photo_albums/first%20album/high/cisco%203000%20decapitated%20serial.jpg

http://arneill-py.sacramento.ca.us/photo_albums/first%20album/high/cisco3000.jpg

What do you mean, it's not new? It was new when I bought it!



Re: IT security people sleep well

2004-06-07 Thread Valdis . Kletnieks
On Mon, 07 Jun 2004 22:40:19 EDT, Jason Frisvold <[EMAIL PROTECTED]>  said:

> Do you trust every person you work with?  Are your internal networks
> completely segmented (including the ethernet switches?)

And there's different kinds of trust too..

I've got a co-worker who I totally trust not to do something malicious.

However, it's 11PM, and I'm still in my lab because I just spent several hours
figuring out that a pile of gear I was supposed to test was *supposed* to
include a Foundry switch to use for a private network - but instead of 4 ports
connected to PCs that were dual-homed to the building network and the private
net, he wired up 3 ports to dual-homed boxes, and one port to the building net
to reach the 4th PC.  Whoops... ;)

Do you trust every person you work with to not maliciously snarf packets *and*
to not accidentally route all those cleartext packets out the wrong interface
at the wrong time?





RE: IT security people sleep well

2004-06-07 Thread Edward B. Dreger

JF> Date: Mon, 7 Jun 2004 22:31:59 -0400
JF> From: Jason Frisvold

JF> I don't see why they can't roll it into every ios that runs
JF> on a router capable of ssh.  Ssh and sshd on my linux system
JF> barely break 500k compiled... And there's a TON of
JF> functionality in there that isn't required on a router.  It
JF> would seem that you could get ssh put into these code trains
JF> in under 500k ...

Dynamic linking might be cheating.  Static linking might be
pessimistic.  Probably best to compare BSD "crunchgen" images
with and without ssh/sshd.  (2MB total for statically-linked ssh
and sshd as I compile it.)


JF> Personally, I like having a little wiggle room in the
JF> flash...  Putting an image on there that occupies the entire
JF> flash is a bad thing...

You haven't lived life to its fullest until you need to load a
boot image remotely via YModem. ;)


Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
  DO NOT send mail to the following addresses :
  [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.



Re: IT security people sleep well

2004-06-07 Thread Valdis . Kletnieks
On Mon, 07 Jun 2004 22:52:43 EDT, Jason Frisvold said:

> But, if ssh were added to all IOS's, it would greatly reduce the number
> of routers that could *not* include SSH due to flash limitations...

It would however increase the number of routers that can't go to IOS 12.foo
because of flash limitations. If the image won't fit, the image *won't fit*.
And hand-waving it into the next IOS release won't make it fit any better.

There's support issues as well - if IOS 12.foo doesn't fit, they get to carry
around support for IOS 12.foo and 12.(foo-1). And it seems there's been
enough released values of 'foo' already...





RE: IT security people sleep well

2004-06-07 Thread Jason Frisvold

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> OK.. Say you can get it into the code train for 200K.  What do you do with all
> those routers that have only 100K or 125K of space left in the flash (if that),
> and the flash is NOT going to get any bigger without massive abuse of a
> soldering iron because not all the needed address lines are brought out to the
> flash chip (a fine tactic dating back decades - I remember seeing a 16K ROM
> nailed to the top quarter of the 64K address space, and only 14 address lines
> brought to the chip - it was nailed to the top 16K by feeding A14 and A15 to an
> AND gate which fed the 'Chip Select' pin...)

Agreed, but what are those routers used for these days?  We use those
routers for management (old 2511's) ...  Any existing 2500's in the core
network (yes, I'm ashamed to say some still exist) are ensured to have
the max memory they can get ...  Again, this is purely theoretical for
me as management here has not deemed it appropriate to deploy ssh ...

But, if ssh were added to all IOS's, it would greatly reduce the number
of routers that could *not* include SSH due to flash limitations...

I can say that in other networks that I consult for, I try to ensure ssh
is available, as well as acl's and other security techniques...  :)

Jason Frisvold
Penteledata


Re: IT security people sleep well

2004-06-07 Thread Valdis . Kletnieks
On Mon, 07 Jun 2004 22:31:59 EDT, Jason Frisvold <[EMAIL PROTECTED]>  said:

> I don't see why they can't roll it into every ios that runs on a router
> capable of ssh.  Ssh and sshd on my linux system barely break 500k
> compiled... And there's a TON of functionality in there that isn't
> required on a router.  It would seem that you could get ssh put into
> these code trains in under 500k ...

OK.. Say you can get it into the code train for 200K.  What do you do with all
those routers that have only 100K or 125K of space left in the flash (if that),
and the flash is NOT going to get any bigger without massive abuse of a
soldering iron because not all the needed address lines are brought out to the
flash chip (a fine tactic dating back decades - I remember seeing a 16K ROM
nailed to the top quarter of the 64K address space, and only 14 address lines
brought to the chip - it was nailed to the top 16K by feeding A14 and A15 to an
AND gate which fed the 'Chip Select' pin...)





RE: IT security people sleep well

2004-06-07 Thread Jason Frisvold

> -Original Message-
> From: Robert Boyle [mailto:[EMAIL PROTECTED]
>
> Agreed. I really truly don't see the problem with plaintext telnet
> management of routers. We have access-lists on vty 0 15 specifying which
> networks can even connect. We can't connect except for from a trusted
> internal management network and I control all the routers and circuits in
> the path. If someone is in the middle of one of my circuits doing some type
> of dump of the data to disk, they are probably the NSA or CIA, and I've got
> much bigger problems. Can someone please provide a situation

Yeah, that would be a concern...  :)

> where doing this can lead to compromise or any type of problem at all? I
> just don't see

Do you trust every person you work with?  Are your internal networks
completely segmented (including the ethernet switches?)  Here, they are
not.  And as much as it's been pointed out, they continue to leave
everyone in the company on the same segment.  Our security guy proved
this point by hijacking a switch, convincing it that the traffic had to
pass through his computer, and sniffed a TON of traffic ...  All within
a few minutes, without anyone knowing until he showed it...  Through
this, he was able to grab a number of passwords all through telnet
sessions.

Unless you can completely trust everyone in your internal network, ACL's
aren't always enough...

> it. However, I see people having unpatched servers running without proper
> ACLs every day and this is rarely discussed and as Stephen Sprunk points
> out, lot of people here on nanog don't apply bogon filters or even source
> filter their customers - and this doesn't require a feature set upgrade to
> IOS. (All of which we do, btw) So I'm still not convinced that SSL on
> routers is needed. Nice, sure, but needed? no. Please convince me otherwise
> if you feel this is such a hugely pressing need or at least explain your
> position.

I've been converted into the "secure it if you can, ensure it's not
important if you can't" way of thinking ...  I would very much like to
change our ACL's to only allow telnet from our server farm (which is SSH
*ONLY*), thus allowing a little bit of security ...  This would at least
bring us into the "if someone's listening, it's gotta be the NSA or CIA"
class of security...  :)

> R

Jason Frisvold
Penteledata
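Here, as an added configuration sketch and not from any post in this thread, is what the weak, interim and hardened vty setups argued over above look like in Cisco IOS syntax: the ACL-only telnet setup Robert describes, the "telnet only from the SSH-only server farm" step Jason proposes, and the ACL plus SSH plus real credentials setup both agree is the ideal. Command names are standard IOS; the hostname, domain name, ACL numbers and 192.0.2.0/24 addresses are placeholders, and the hardened part only loads on an image whose feature set includes SSH, which is exactly the licensing complaint this thread is about.

```cisco
! ---------------------------------------------------------------
! Weak: plaintext telnet on vty 0 15, protected only by a source ACL.
! The ACL keeps outsiders off the lines, but every login and every
! command still crosses the wire in cleartext, so anyone who can sniff
! a segment in the path (the hijacked-switch case above) gets the
! password.  A line password is also stored reversibly (type 7).
! ---------------------------------------------------------------
access-list 10 permit 192.0.2.0 0.0.0.255
! (placeholder: the trusted internal management network)
line vty 0 15
 access-class 10 in
 password <line-password-placeholder>
 login
 transport input telnet

! ---------------------------------------------------------------
! Interim (Jason's plan): keep telnet, but only from the SSH-only
! jump hosts.  Exposure shrinks from "anyone on the management LAN"
! to the single segment between jump host and router.
! ---------------------------------------------------------------
access-list 11 permit 192.0.2.16 0.0.0.15
! (placeholder: the SSH-only server farm)
line vty 0 15
 access-class 11 in
 transport input telnet

! ---------------------------------------------------------------
! Hardened: SSHv2 only, per-user accounts with hashed secrets, and
! the source ACL kept as the second layer.  "transport input ssh"
! disables telnet on the lines at the same time.
! ---------------------------------------------------------------
hostname edge1
! (placeholder hostname; RSA key generation needs it)
ip domain-name example.net
! (placeholder domain; RSA key generation needs it)
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
username netops secret <strong-passphrase-placeholder>
! ("secret" stores a one-way hash; "password" would store type 7)
line vty 0 15
 access-class 10 in
 login local
 exec-timeout 10 0
 transport input ssh

! ---------------------------------------------------------------
! Verify: SSH enabled at version 2, lines accept only SSH, and no
! leftover telnet sessions.
! ---------------------------------------------------------------
! show ip ssh
! show running-config | begin line vty
! show users
```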


RE: IT security people sleep well

2004-06-07 Thread Jason Frisvold

> -Original Message-
> From: Edward B. Dreger [mailto:[EMAIL PROTECTED] 
> 
> Correct.  One must shell out more money for a bigger feature set
> to obtain SSH.  I don't recall specifics off the top of my head,
> and don't have a javascript-capable machine handy to use Feature
> Navigator[*], but certain { feature sets | trains } only support
> SSHv1.

I don't see why they can't roll it into every ios that runs on a router
capable of ssh.  Ssh and sshd on my linux system barely break 500k
compiled... And there's a TON of functionality in there that isn't
required on a router.  It would seem that you could get ssh put into
these code trains in under 500k ...

Personally, I like having a little wiggle room in the flash ...  Putting
an image on there that occupies the entire flash is a bad thing...
 
> [*] Quick gripe: Did anyone at Cisco ever consider that people
> might like to use Feature Navigator without javascript?
> What's next?  Mandatory Flash Player?

I concur..  Mandatory Javascript sucks...  Esp when Mozilla and Firefox
have problems viewing the pages...  Cisco's site became decidedly
un-useful when they switched it over to this new design...

> Eddy

Jason Frisvold
Penteledata


Re: IT security people sleep well

2004-06-07 Thread Valdis . Kletnieks
On Mon, 07 Jun 2004 20:46:36 CDT, Stephen Sprunk said:

> In spite of all that, I do encourage using SSH whenever possible, but
> believing there is no cost associated with doing so is foolhardy.  Depending
> on the perceived level of threat, one might consider other security projects
> to be a higher priority.  We all have to deal with limited funding and
> staffing for projects, even for critical functions like security.

Amen to that.  It's the rare shop indeed that internal security projects are
high priority - are there *any* shops where "track down user XYZ and smack
them upside the head *again*" isn't the most pressing issue, with "Find a way
to muzzle XYZ so they can't click on it *again*" is number 2?

(I suspect the two categories of shops are "Yes, *again*", and "Usage of
live ammo is a realistic option"... ;)




Re: IT security people sleep well

2004-06-07 Thread Stephen Sprunk

Thus spake "Henning Brauer" <[EMAIL PROTECTED]>
> * Robert Boyle <[EMAIL PROTECTED]> [2004-06-07 14:08]:
> > I really truly don't see the problem with plaintext telnet
> > management of routers.
>
> It is exactly this belief in the security of your networks that gets
> this industry in so deep shit.

Mostly agreed.

> You lose nothing with using ssh instead of telnet.
> You win a lot.

You lose money and time because you have to license more expensive code,
upgrade RAM and flash to handle larger images, have to train your staff how
to use SSH, have to test and roll out changes enabling SSH and disabling
telnet, have to deal with sub-300-baud interactive performance on older
router models, etc.

In spite of all that, I do encourage using SSH whenever possible, but
believing there is no cost associated with doing so is foolhardy.  Depending
on the perceived level of threat, one might consider other security projects
to be a higher priority.  We all have to deal with limited funding and
staffing for projects, even for critical functions like security.

S

Stephen Sprunk         "Stupid people surround themselves with smart
CCIE #3723             people.  Smart people surround themselves with
K5SSS                  smart people who disagree with them."  --Aaron Sorkin



Re: IT security people sleep well

2004-06-07 Thread Stephen Sprunk

Thus spake "Priscilla Oppenheimer" <[EMAIL PROTECTED]>
> It's egregious that SSH isn't standard in all IOS images, especially
> when you consider that choosing the right image is almost an
> NP-complete problem even with feature navigator! :-)

There are plenty of folks at Vendor C that would love crypto in every image,
but that would run afoul of export regulations; the BXA has lightened up,
particularly for open source projects, but it's still not trivial to export
commercial crypto.

Vendor C's anemic flash and RAM limitations in various platforms also
restricts what's possible to put in a default image.  The code continues to
bloat, so it's only going to get worse.

S

Stephen Sprunk         "Stupid people surround themselves with smart
CCIE #3723             people.  Smart people surround themselves with
K5SSS                  smart people who disagree with them."  --Aaron Sorkin



Re: IT security people sleep well

2004-06-07 Thread Henning Brauer

* Robert Boyle <[EMAIL PROTECTED]> [2004-06-07 21:40]:
> which is why I am 
> against running ssh AND leaving it open to the world

the only one who talks about that is you.

> >You lose nothing with using ssh instead of telnet.
> >You win a lot.
> I agree 100%. However, is that worth $x thousand more per IOS image? Maybe. 

not the point - cisco is to blame for that.

> Should it be included by default, yes.

that is the entire point.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: IT security people sleep well

2004-06-07 Thread Robert Boyle
At 12:11 PM 6/7/2004, you wrote:
> ever heard of multilayer security?

Absolutely and I am a huge believer in it and all of our systems and our
network are designed with many layers of protection... which is why I am
against running ssh AND leaving it open to the world since that leaves only
a single layer of security. My point is simply that having SSH is a good
tool, but I still don't think that having SSH relieves any of the other
responsibility for proper network security.

> some little problem somewhere that allows an attacker to sniff your
> telnet traffic and you are d00med. that might be as simple as a routing
> fuckup.

That would have to be a pretty major screwup.

> You lose nothing with using ssh instead of telnet.
> You win a lot.

I agree 100%. However, is that worth $x thousand more per IOS image? Maybe.
Should it be included by default, yes.

> ssh is a basic component for secure network management.
> it is not the one magic piece that turns a collection of crap into an
> ubersecure network of course, as some people seem to imply.

Exactly and that is my point. Especially when leaving SSH open to the world
on all routers because it is "secure" is LESS secure than having secure
passwords and ACLs and using telnet from the local LAN only. In an ideal
world, you would have an ACL, a secure password, AND SSL.

> not seeing the problem with cleartext telnet for remote logins in 2004,
> whether ACL'd or not, is just ... oh man, I don't have words for this.

I see the theoretical problem with telnet, but in the real world, I think
there are many other more basic security practices which should be focused
on perhaps even before worrying about ssh for routers. How many people have
a dictionary word as their password for SSH? How many times have you
purchased a used router which was used by (insert big ISP here) and found
the password to be a simple dictionary word - on multiple routers purchased
from multiple ISPs. My only point is that there are many other things to
worry about for building comprehensive security as part of a network than
simply enabling a protocol for remote management. That should be one of
MANY issues which should constantly be addressed.

R
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - 
Francis Jeffrey



RE: IT security people sleep well

2004-06-07 Thread Dan Hollis

On Mon, 7 Jun 2004, Michel Py wrote:
> > Henning Brauer wrote:
> > not seeing the problem with cleartext telnet for remote
> > logins in 2004, whether ACL'd or not, is just ... oh man,
> > I don't have words for this.
> I have: I encourage my competitors to do it.

Now you see the motivation behind a lot of the (bogus) responses on nanog 
:-)

-Dan



Re: IT security people sleep well

2004-06-07 Thread Priscilla Oppenheimer
On Jun 6, 2004, at 5:38 PM, Daniel Senie wrote:
> At 12:50 AM 6/6/2004, Paul Jakma wrote:
> > On Sat, 5 Jun 2004, Mike Lewinski wrote:
> > > And that provides protection against MITM attacks how?
> > kerberised telnet can be encrypted (typically DES - sufficient to
> > guard MITM).
> Am I the only one who really likes devices to handle their own login
> authentication? I've had more than one occasion to need to get into
> and manage a device when the link between the device and anything
> resembling an authentication server is toast, and the reason I'm
> bothering to talk to the device in the first place?

I'm with you. I've had lots of occasions where I'm accessing the router
because of a problem that would also affect the router's ability to
reach an authentication server.

It's egregious that SSH isn't standard in all IOS images, especially 
when you consider that choosing the right image is almost an 
NP-complete problem even with feature navigator! :-)

Of course, there are workarounds to no SSH, and SSH for routers is only 
one aspect of a multifaceted "security defense  in depth" approach, but 
a rather important aspect...

Priscilla

> Yes, terminal servers can be an answer. But SSH can be a perfectly
> good path in across whatever link(s) are still functional.
>
> Even an inexpensive managed layer 2 switch I installed recently for a
> client had decent ssh support (yes, it supported other methods of
> authentication too, including the use of server-based authentication).

__
Priscilla Oppenheimer
www.topdownbook.com
"Life's a gift, and then you die."


RE: IT security people sleep well

2004-06-07 Thread Michel Py

> Henning Brauer wrote:
> not seeing the problem with cleartext telnet for remote
> logins in 2004, whether ACL'd or not, is just ... oh man,
> I don't have words for this.

I have: I encourage my competitors to do it.

Michel.



Re: IT security people sleep well

2004-06-07 Thread Henning Brauer

* Robert Boyle <[EMAIL PROTECTED]> [2004-06-07 14:08]:
> I really truly don't see the problem with plaintext telnet 
> management of routers.

It is exactly this belief in the security of your networks that gets 
this industry in so deep shit.

ever heard of multilayer security?
some little problem somewhere that allows an attacker to sniff your 
telnet traffic and you are d00med. that might be as simple as a routing 
fuckup.

You lose nothing with using ssh instead of telnet.
You win a lot.

ssh is a basic component for secure network management.
it is not the one magic piece that turns a collection of crap into an 
ubersecure network of course, as some people seem to imply.

not seeing the problem with cleartext telnet for remote logins in 2004, 
whether ACL'd or not, is just ... oh man, I don't have words for this.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: IT security people sleep well

2004-06-07 Thread Rafi Sadowsky


## On 2004-06-07 10:29 -0400 Daniel Corbe typed:

DC> 
DC> 
DC> You have to have an IOS image with the 3DES feature set to run ssh

 Not quite: single DES will do fine 
(if you use an SSH client that supports it)

-- 
Rafi

DC> 
DC> Edward B. Dreger wrote:
DC> 
DC> >DS> Date: Thu, 03 Jun 2004 17:56:55 -0400
DC> >DS> From: Daniel Senie
DC> >
DC> >
DC> >DS> Cisco 26xx, 36xx routers at least, current 12.3 IOS, no ssh
DC> >DS> support in the basic loads that I can find. Telnet is the
DC> >DS> only way in other than the console port.

 True for (at least) 72XX and 75XX as well
SSH support is definitely in "IP IPSEC" (or SP/SSH ;-) feature sets

DC> >
DC> >Correct.  One must shell out more money for a bigger feature set
DC> >to obtain SSH.  I don't recall specifics off the top of my head,
DC> >and don't have a javascript-capable machine handy to use Feature
DC> >Navigator[*], but certain { feature sets | trains } only support
DC> >SSHv1.
DC> >
DC> >[*] Quick gripe: Did anyone at Cisco ever consider that people
DC> >might like to use Feature Navigator without javascript?
DC> >What's next?  Mandatory Flash Player?
DC> >
DC> >
DC> >Eddy



Re: IT security people sleep well

2004-06-07 Thread Valdis . Kletnieks
On Sun, 06 Jun 2004 18:14:39 CDT, Stephen Sprunk said:

> When I read that, I immediately thought of a quote by Colin Powell:
> 
> "I sleep like a baby, too.  Every two hours I wake up screaming!"

Just as an aside, I first remember seeing this quote in a Computerworld article
in the '80s, regarding JCPenney consolidating 4 data centers outside Texas into
one large Dallas center over a weekend.  I suspect both Powell and the guy
quoted in the CW article got it from some other, yet earlier, source.





Re: IT security people sleep well

2004-06-07 Thread Daniel Corbe

You have to have an IOS image with the 3DES feature set to run ssh
Edward B. Dreger wrote:
> DS> Date: Thu, 03 Jun 2004 17:56:55 -0400
> DS> From: Daniel Senie
> DS> Cisco 26xx, 36xx routers at least, current 12.3 IOS, no ssh
> DS> support in the basic loads that I can find. Telnet is the
> DS> only way in other than the console port.
> Correct.  One must shell out more money for a bigger feature set
> to obtain SSH.  I don't recall specifics off the top of my head,
> and don't have a javascript-capable machine handy to use Feature
> Navigator[*], but certain { feature sets | trains } only support
> SSHv1.
> [*] Quick gripe: Did anyone at Cisco ever consider that people
>     might like to use Feature Navigator without javascript?
>     What's next?  Mandatory Flash Player?
> Eddy
> --
> EverQuick Internet - http://www.everquick.net/
> A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
> Bandwidth, consulting, e-commerce, hosting, and network building
> Phone: +1 785 865 5885 Lawrence and [inter]national
> Phone: +1 316 794 8922 Wichita
> _
>  DO NOT send mail to the following addresses :
>  [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
> Sending mail to spambait addresses is a great way to get blocked.


Re: IT security people sleep well

2004-06-06 Thread Robert Boyle
At 07:14 PM 6/6/2004, you wrote:
> On the SSH/SSL front: IMHO these technologies give a false sense of
> security.  Sniffing cleartext management sessions is a concern, yes, but
> actual incidents where it occurs, especially within your own network
> infrastructure, are vanishingly rare compared to the commonplace compromise
> of individual hosts.  Creating a secure link between hosts is wasted effort
> at best if you can't trust the host at the other end of that link.

Agreed. I really truly don't see the problem with plaintext telnet 
management of routers. We have access-lists on vty 0 15 specifying which 
networks can even connect. We can't connect except for from a trusted 
internal management network and I control all the routers and circuits in 
the path. If someone is in the middle of one of my circuits doing some type 
of dump of the data to disk, they are probably the NSA or CIA, and I've got 
much bigger problems. Can someone please provide a situation where doing 
this can lead to compromise or any type of problem at all? I just don't see 
it. However, I see people having unpatched servers running without proper 
ACLs every day and this is rarely discussed and as Stephen Sprunk points 
out, lot of people here on nanog don't apply bogon filters or even source 
filter their customers - and this doesn't require a feature set upgrade to 
IOS. (All of which we do, btw) So I'm still not convinced that SSL on 
routers is needed. Nice, sure, but needed? no. Please convince me otherwise 
if you feel this is such a hugely pressing need or at least explain your 
position.

R
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - 
Francis Jeffrey



Re: IT security people sleep well

2004-06-06 Thread Daniel Senie
At 12:50 AM 6/6/2004, Paul Jakma wrote:
> On Sat, 5 Jun 2004, Mike Lewinski wrote:
> > And that provides protection against MITM attacks how?
> kerberised telnet can be encrypted (typically DES - sufficient to guard MITM).

Am I the only one who really likes devices to handle their own login
authentication? I've had more than one occasion to need to get into and
manage a device when the link between the device and anything resembling an
authentication server is toast, and the reason I'm bothering to talk to the
device in the first place?

Yes, terminal servers can be an answer. But SSH can be a perfectly good 
path in across whatever link(s) are still functional.

Even an inexpensive managed layer 2 switch I installed recently for a 
client had decent ssh support (yes, it supported other methods of 
authentication too, including the use of server-based authentication). 



Re: IT security people sleep well

2004-06-06 Thread Stephen Sprunk

Thus spake "Sean Donelan" <[EMAIL PROTECTED]>
> Two issues tied as being of prime concern to those network administrators
> surveyed: 32% responded that they worry most about "the next virus/worm"
> and an equal percentage answered they worry most about "a security breach
> to the enterprise's network."  The big surprise was that 34% of survey
> respondents said they had "no worries and sleep like a baby."

When I read that, I immediately thought of a quote by Colin Powell:

"I sleep like a baby, too.  Every two hours I wake up screaming!"

Too many people in this industry either ignore security completely or think
that it's the sole province of the "security department".  Some vendors have
gotten their act together, even Microsoft, but they haven't made a dent in
the mindset of their customers.  Even among NANOGers, it's pretty obvious
most networks don't even do the most rudimentary of source filtering, so how
can we expect more advanced technologies to be adopted?

On the SSH/SSL front: IMHO these technologies give a false sense of
security.  Sniffing cleartext management sessions is a concern, yes, but
actual incidents where it occurs, especially within your own network
infrastructure, are vanishingly rare compared to the commonplace compromise
of individual hosts.  Creating a secure link between hosts is wasted effort
at best if you can't trust the host at the other end of that link.

S

Stephen Sprunk"Stupid people surround themselves with smart
CCIE #3723   people.  Smart people surround themselves with
K5SSS smart people who disagree with them."  --Aaron Sorkin



Re: IT security people sleep well

2004-06-06 Thread Paul Jakma
On Sun, 6 Jun 2004, Henning Brauer wrote:
> this is not nearly the same league as (proper) ssh.

It's quite sufficient for protecting one's routers. Also the 
"authentication" itself is (should be) Triple-DES protected. The DES 
encryption for the data exchange isn't enough to guard sensitive data, 
however it's still more than enough to stop real-time MITM.

More recent Kerberos implementations support AES-256/SHA-1 HMAC 
enctypes and hopefully kerberised telnet will also gain AES-256 
encryption support at some point.

> complaining that cisco charges extra for such a critical component is
> exactly the right thing to do; it is fucking scary.

Right, but hand-waving about the scariness of not shipping ssh doesn't 
solve the immediate problem of securing network console access to 
one's infrastructure. And, contrary to the popular belief on this 
list, it *is* quite possible to secure access with the *standard* IOS 
images on nearly all Cisco routers shipped for at least the last few 
years.

Anyone who has Active Directory on their network can implement this 
easily enough. Even those who don't, setting up a KDC is pretty easy.

> every damn network device which used to have telnet should ship with
> ssh, it's free.

However, it's not very well specified yet.

> well, I understand that cisco has problems with their 3$ CPUs with 
> the crypto load, but that's an extremely poor excuse.

Right, but on the other hand lack of ssh in one's IOS images is *not* 
an excuse to use plain-text telnet.

regards,
--
Paul Jakma  [EMAIL PROTECTED]   [EMAIL PROTECTED]   Key ID: 64A2FF6A
warning: do not ever send email to [EMAIL PROTECTED]
Fortune:
This novel is not to be tossed lightly aside, but to be hurled with great force.
-- Dorothy Parker


Re: IT security people sleep well

2004-06-06 Thread Henning Brauer

* Paul Jakma <[EMAIL PROTECTED]> [2004-06-06 09:03]:
> On Sat, 5 Jun 2004, Mike Lewinski wrote:
> >And that provides protection against MITM attacks how?
> kerberised telnet can be encrypted (typically DES - sufficient to 
> guard MITM).

this is not nearly the same league as (proper) ssh.

complaining that cisco charges extra for such a critical component is 
exactly the right thing to do; it is fucking scary.

every damn network device which used to have telnet should ship with 
ssh, it's free. well, I understand that cisco has problems with their 3$ 
CPUs with the crypto load, but that's an extremely poor excuse.


Re: IT security people sleep well

2004-06-05 Thread Paul Jakma
On Sat, 5 Jun 2004, Mike Lewinski wrote:
And that provides protection against MITM attacks how?
kerberised telnet can be encrypted (typically DES - sufficient to 
guard MITM).

regards,
--
Paul Jakma  [EMAIL PROTECTED]   [EMAIL PROTECTED]   Key ID: 64A2FF6A
warning: do not ever send email to [EMAIL PROTECTED]
Fortune:
The people sensible enough to give good advice are usually sensible
enough to give none.


Re: IT security people sleep well

2004-06-05 Thread Mike Lewinski
Paul Jakma wrote:
> What's really scary is that the people here complaining about a certain 
> vendor charging extra for SSH and hence forcing them to use "insecure" 
> telnet haven't the cop-on to read that vendor's "AAA" documentation and 
> realise that the base feature set _already_ includes capability to do 
> secure authentication.

And that provides protection against MITM attacks how?


Re: IT security people sleep well

2004-06-05 Thread Paul Jakma
On Thu, 3 Jun 2004, Eric Kuhnke wrote:
> The part about Telnet is truly scary...

What's really scary is that the people here complaining about a 
certain vendor charging extra for SSH and hence forcing them to use 
"insecure" telnet haven't the cop-on to read that vendor's 
"AAA" documentation and realise that the base feature set _already_ 
includes capability to do secure authentication.

Eg, challenge/response via RADIUS or even Kerberised telnet (and many 
people here probably already have kerberos servers in their 
organisations, aka Windows Active Directory).

regards,
--
Paul Jakma  [EMAIL PROTECTED]   [EMAIL PROTECTED]   Key ID: 64A2FF6A
warning: do not ever send email to [EMAIL PROTECTED]
Fortune:
You can't take damsel here now.


Re: IT security people sleep well

2004-06-04 Thread Joel Jaeggli

On Thu, 3 Jun 2004, Jonathan Nichols wrote:

> > I've been reasonably pleased with using the Idokorro client.  It's at
> > http://www.idokorro.com   It uses SSH2 w/3DES & AES.   It's useful for
> > emergencies, but nothing of great detail or scope for the screen
> > size on my 6820.
> > 
> > -John

openssh on the Zaurus is exactly like openssh on any other platform. with 
the bluez bluetooth stack I can leave my phone in my pocket.
 
> Wow. $195 for the Blackberry client? I'll carry around the PowerBook and 
> get a T-Mobile account, thanks! :) It's a lot easier to find a Starbucks 
> in San Francisco than anything else. Just spin around a few times and 
> you'll find one.
> 
> I wonder how many "IT Security" folks sit down at free Wi-Fi hotspots 
> and telnet into various machines... quite a bit scarier than SSH1 on a 
> PDA, especially after seeing it happen. =/

-- 
Joel Jaeggli   Unix Consulting [EMAIL PROTECTED]
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2




Re: IT security people sleep well

2004-06-04 Thread Edward B. Dreger

JS> Date: Thu, 3 Jun 2004 14:26:01 -0700
JS> From: Jeff Shultz


JS> I wonder if they asked the people using Telnet if they were
JS> using over the internet - or inside a corporate intranet,
JS> shielded from the outside?

Good to know that malicious things are always on the other side
of the router.  I must be hallucinating when I encounter pwned
boxes with sniffers running inside of a network.  Everyone
restricts MAC addresses at their switches.  Nobody is vulnerable
to cable taps, wireless sniffing, ICMP redirects, or any other
trickery.

Sarcasm aside, I don't think being shielded from the outside
makes that much difference.  It's foolish to assume that a
corporate intranet is squeaky clean.


Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
  DO NOT send mail to the following addresses :
  [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
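
The sniffer-on-a-pwned-box scenario above is easy to make concrete. The following is an added example, not code from the thread: given a reassembled telnet session split into server-to-client and client-to-server chunks (the session bytes are constructed for the demo and modelled on a router login with Username:/Password: prompts, one keystroke per segment as a real client sends them), it strips the RFC 854 option negotiation and pulls the credentials straight out of the cleartext. The prompt strings and the chunk format are assumptions; a real sniffer gets the same bytes from TCP reassembly of port 23.

```python
"""Recover a login from a sniffed telnet session (added example).

The session below is constructed for the demo, not captured from any device.
Direction "S" is server->client, "C" is client->server, in wire order.
"""

# Telnet command and option bytes from RFC 854 / RFC 1091.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
TTYPE, ECHO, SGA = 24, 1, 3

# Prompt strings are an assumption modelled on common router/host logins.
PROMPTS = {b"username:": "username", b"login:": "username", b"password:": "password"}


def strip_telnet(data: bytes) -> bytes:
    """Drop option negotiation and return only the application bytes."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(data):
            break                              # IAC cut off by the segment end
        elif data[i + 1] == IAC:               # escaped literal 0xff
            out.append(IAC)
            i += 2
        elif data[i + 1] in (DO, DONT, WILL, WONT):
            i += 3                             # IAC <cmd> <option>
        elif data[i + 1] == SB:                # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                             # NOP, GA, AYT and friends
    return bytes(out)


def _lines(buf: bytearray):
    """Return complete lines and keep the partial tail in buf.
    Telnet clients end lines with CR LF or CR NUL."""
    text = bytes(buf).replace(b"\r\n", b"\n").replace(b"\r\x00", b"\n").replace(b"\r", b"\n")
    *complete, rest = text.split(b"\n")
    buf[:] = rest
    return complete


def recover_credentials(session):
    """Walk the session; a client line that follows a known server prompt is
    the value typed at that prompt. Returns [(field, value), ...]."""
    creds, expecting, client_buf = [], None, bytearray()
    for direction, chunk in session:
        text = strip_telnet(chunk)
        if direction == "S":
            low = text.lower()
            for prompt, field in PROMPTS.items():
                if prompt in low:
                    expecting = field
            continue
        client_buf += text
        for line in _lines(client_buf):
            if expecting is not None:
                creds.append((expecting, line.decode("ascii", "replace")))
                expecting = None
    return creds


# Constructed session: negotiation, banner, the user typing one key per segment.
SESSION = [
    ("S", bytes([IAC, DO, TTYPE, IAC, WILL, ECHO, IAC, WILL, SGA])),
    ("C", bytes([IAC, WILL, TTYPE, IAC, DO, ECHO, IAC, DO, SGA])),
    ("S", bytes([IAC, SB, TTYPE, 1, IAC, SE])),
    ("C", bytes([IAC, SB, TTYPE, 0]) + b"VT100" + bytes([IAC, SE])),
    ("S", b"\r\nUser Access Verification\r\n\r\nUsername: "),
] + [("C", c) for c in (b"a", b"d", b"m", b"i", b"n", b"\r\n")] + [
    ("S", b"admin\r\nPassword: "),
] + [("C", c) for c in (b"r", b"0", b"u", b"t", b"3", b"r", b"\r\n")] + [
    ("S", b"\r\nrouter>"),
]


if __name__ == "__main__":
    for field, value in recover_credentials(SESSION):
        print(f"{field}: {value}")
```

Nothing in the parser is clever; the negotiation stripping is the only work, and the credentials fall out of the payload bytes. Note that the server echo of the username appears in the server-to-client stream as well, so even a one-directional capture leaks it. A RADIUS or Kerberos back end changes who validates the password, not whether it crosses the wire in the clear inside a plain telnet session.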



Re: IT security people sleep well

2004-06-04 Thread Edward B. Dreger

DS> Date: Thu, 03 Jun 2004 17:56:55 -0400
DS> From: Daniel Senie


DS> Cisco 26xx, 36xx routers at least, current 12.3 IOS, no ssh
DS> support in the basic loads that I can find. Telnet is the
DS> only way in other than the console port.

Correct.  One must shell out more money for a bigger feature set
to obtain SSH.  I don't recall specifics off the top of my head,
and don't have a javascript-capable machine handy to use Feature
Navigator[*], but certain { feature sets | trains } only support
SSHv1.

[*] Quick gripe: Did anyone at Cisco ever consider that people
might like to use Feature Navigator without javascript?
What's next?  Mandatory Flash Player?


Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
  DO NOT send mail to the following addresses :
  [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.



Re: IT security people sleep well

2004-06-03 Thread Alexei Roudnev

This is very bad - they have SSH in extended versions, why didn't they
include it in all versions, where it was possible
without running out of flash memory.

Though, it is not so insecure - in most cases people restrict access to a
few IP sources, which are located on the internal network, or even allow
only console access; but anyway, not a good thing. They could (at least)
allow changing the telnet port.

> > On Thu, 03 Jun 2004 13:16:44 PDT, Eric Kuhnke <[EMAIL PROTECTED]> said:
> >
> > > The part about Telnet is truly scary...   Among people who have "clue",
> > > the biggest reason I have heard to continue running ssh1 is for
> > > emergency access via hand-held smartphones or other pocket sized
> > > devices.  The Handspring Treo 180 and similar keyboarded cellphone-pda
> > > devices don't have the CPU power necessary for a SSH2 key exchange,
> > > unless I'm drastically mistaken about the FPU abilities of a 33 MHz
> > > Motorola Dragonball...
>
> Cisco 26xx, 36xx routers at least, current 12.3 IOS, no ssh support in the
> basic loads that I can find. Telnet is the only way in other than the
> console port.



Re: IT security people sleep well

2004-06-03 Thread John Kinsella

I like my Tungsten C, but I don't do security-stupid things with it. :)

Another neat trick, for those who haven't seen - Intel has
maps.yahoo.com set up so it'll show you where a lot of the hotspots are -
here's a map of downtown SF as an example:

http://tinyurl.com/36s5y

John

On Thu, Jun 03, 2004 at 10:13:24PM -0700, Jonathan Nichols wrote:
> Wow. $195 for the Blackberry client? I'll carry around the PowerBook and 
> get a T-Mobile account, thanks! :) It's a lot easier to find a Starbucks 
> in San Francisco than anything else. Just spin around a few times and 
> you'll find one.


Re: IT security people sleep well

2004-06-03 Thread Jonathan Nichols

> I've been reasonably pleased with using the Idokorro client.  It's at
> http://www.idokorro.com   It uses SSH2 w/3DES & AES.   It's useful for
> emergencies, but nothing of great detail or scope for the screen
> size on my 6820.
> -John

Wow. $195 for the Blackberry client? I'll carry around the PowerBook and 
get a T-Mobile account, thanks! :) It's a lot easier to find a Starbucks 
in San Francisco than anything else. Just spin around a few times and 
you'll find one.


I wonder how many "IT Security" folks sit down at free Wi-Fi hotspots 
and telnet into various machines... quite a bit scarier than SSH1 on a 
PDA, especially after seeing it happen. =/





RE: IT security people sleep well

2004-06-03 Thread John Ferriby

> I've heard there's an SSH2 client for the Treo.
> Ah, here it is: http://sealiesoftware.com/pssh/
> 
> The Danger Sidekick can do SSH2 with "Terminal Monkey" which was free up 
> until recently. :) It's fun, but kind of hard to get any real work done 
> with the tiny screen.

I've been reasonably pleased with using the Idokorro client.  It's at
http://www.idokorro.com   It uses SSH2 w/3DES & AES.   It's useful for
emergencies, but nothing of great detail or scope for the screen
size on my 6820.

-John


Re: IT security people sleep well

2004-06-03 Thread Jonathan Nichols

> The part about Telnet is truly scary...   Among people who have "clue", 
> the biggest reason I have heard to continue running ssh1 is for 
> emergency access via hand-held smartphones or other pocket sized 
> devices.  The Handspring Treo 180 and similar keyboarded cellphone-pda 
> devices don't have the CPU power necessary for a SSH2 key exchange, 
> unless I'm drastically mistaken about the FPU abilities of a 33 MHz 
> Motorola Dragonball...

I've heard there's an SSH2 client for the Treo.
Ah, here it is: http://sealiesoftware.com/pssh/
The Danger Sidekick can do SSH2 with "Terminal Monkey" which was free up 
until recently. :) It's fun, but kind of hard to get any real work done 
with the tiny screen.

-Jonathan


Re: IT security people sleep well

2004-06-03 Thread Daniel Senie

On Thu, 03 Jun 2004 13:16:44 PDT, Eric Kuhnke <[EMAIL PROTECTED]>  said:
> The part about Telnet is truly scary...   Among people who have "clue",
> the biggest reason I have heard to continue running ssh1 is for
> emergency access via hand-held smartphones or other pocket sized
> devices.  The Handspring Treo 180 and similar keyboarded cellphone-pda
> devices don't have the CPU power necessary for a SSH2 key exchange,
> unless I'm drastically mistaken about the FPU abilities of a 33 MHz
> Motorola Dragonball...
Cisco 26xx, 36xx routers at least, current 12.3 IOS, no ssh support in the 
basic loads that I can find. Telnet is the only way in other than the 
console port.




Re: IT security people sleep well

2004-06-03 Thread Jeff Shultz

** Reply to message from Eric Kuhnke <[EMAIL PROTECTED]> on Thu, 03
Jun 2004 13:16:44 -0700

> 
> The part about Telnet is truly scary...   Among people who have "clue", 
> the biggest reason I have heard to continue running ssh1 is for 
> emergency access via hand-held smartphones or other pocket sized 
> devices.  The Handspring Treo 180 and similar keyboarded cellphone-pda 
> devices don't have the CPU power necessary for a SSH2 key exchange, 
> unless I'm drastically mistaken about the FPU abilities of a 33 MHz 
> Motorola Dragonball...

I wonder if they asked the people using Telnet if they were using over
the internet - or inside a corporate intranet, shielded from the
outside?

-- 
Jeff Shultz
A railfan pulls up to a RR crossing hoping that
there will be a train. 



Re: IT security people sleep well

2004-06-03 Thread Valdis . Kletnieks
On Thu, 03 Jun 2004 13:16:44 PDT, Eric Kuhnke <[EMAIL PROTECTED]>  said:

> The part about Telnet is truly scary...   Among people who have "clue", 
> the biggest reason I have heard to continue running ssh1 is for 
> emergency access via hand-held smartphones or other pocket sized 
> devices.  The Handspring Treo 180 and similar keyboarded cellphone-pda 
> devices don't have the CPU power necessary for a SSH2 key exchange, 
> unless I'm drastically mistaken about the FPU abilities of a 33 MHz 
> Motorola Dragonball...

Unless the Dragonball is an 8-bit CPU, it shouldn't be *too* painful - looking at
the ssh 3.2.9.1 tree from ssh.com, the *only* reference to 'float' or 'double'
in the entire include/*.h tree is a "typedef double SshTimeT;".  Since a sane
key won't fit in an int, float, or double, it's all done using integer/logical
operations on arrays (more or less).

I just retired an IBM RS6000/350 - that had a whole whopping 50MHz Power
chipset in it, and ran ssh2 just fine.  I know that the model 220 was a 33MHz
ppc 601 chipset, and that did SSH without burping too (The 601 chipset was
also used in the Macintosh 6600 machines).

If it's got enough CPU to connect to an SSL webpage, it's got enough for SSH.



pgp9rccTvisUA.pgp
Description: PGP signature
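
The point made in this message, that the key-exchange math is integer and logical operations on arrays with no floating point anywhere, is what the inside of a multiprecision library looks like. Below is an added example, not code from the thread or from the ssh.com tree: modular exponentiation over arrays of 16-bit limbs using only shifts, masks, compares and adds, with Python's native big integers used just to load values and check the answer. The limb width and the plain binary long-division reduction are choices made for readability; a real library uses Montgomery or Barrett reduction and constant-time code, and the function names here are this example's own.

```python
LIMB = 16                     # bits per limb; an 8-bit MCU would use 8
MASK = (1 << LIMB) - 1


def from_int(n):
    """Python int -> little-endian limb list (used only at the edges)."""
    limbs = []
    while n:
        limbs.append(n & MASK)
        n >>= LIMB
    return limbs or [0]


def to_int(a):
    """Limb list -> Python int (used only to check results)."""
    return sum(limb << (i * LIMB) for i, limb in enumerate(a))


def trim(a):
    """Drop leading zero limbs so lengths are comparable."""
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a


def compare(a, b):
    """-1, 0 or 1 by most-significant limb first."""
    a, b = trim(list(a)), trim(list(b))
    if len(a) != len(b):
        return -1 if len(a) < len(b) else 1
    for x, y in zip(reversed(a), reversed(b)):
        if x != y:
            return -1 if x < y else 1
    return 0


def subtract(a, b):
    """a - b with limb borrow; caller guarantees a >= b."""
    out, borrow = [], 0
    for i in range(len(a)):
        d = a[i] - (b[i] if i < len(b) else 0) - borrow
        borrow = 1 if d < 0 else 0
        out.append(d & MASK)
    return trim(out)


def shift_left_1(a):
    """Multiply by two, carrying the top bit of each limb into the next."""
    out, carry = [], 0
    for limb in a:
        out.append(((limb << 1) | carry) & MASK)
        carry = limb >> (LIMB - 1)
    if carry:
        out.append(carry)
    return out


def multiply(a, b):
    """Schoolbook multiplication; each partial sum fits in 2*LIMB bits."""
    out = [0] * (len(a) + len(b))
    for i, x in enumerate(a):
        carry = 0
        for j, y in enumerate(b):
            t = out[i + j] + x * y + carry
            out[i + j] = t & MASK
            carry = t >> LIMB
        out[i + len(b)] += carry
    return trim(out)


def modulo(a, m):
    """Binary long division: shift one bit of a into r, subtract m if r >= m."""
    r = [0]
    for limb in reversed(a):
        for k in range(LIMB - 1, -1, -1):
            r = shift_left_1(r)
            r[0] |= (limb >> k) & 1
            if compare(r, m) >= 0:
                r = subtract(r, m)
    return trim(r)


def modexp(base, exp, mod):
    """Right-to-left square-and-multiply on limb arrays: base^exp mod mod."""
    result, base = [1], modulo(base, mod)
    for limb in exp:
        for k in range(LIMB):
            if (limb >> k) & 1:
                result = modulo(multiply(result, base), mod)
            base = modulo(multiply(base, base), mod)
    return result


def matches_builtin(g, x, p):
    """Cross-check the limb arithmetic against Python's pow(g, x, p)."""
    return to_int(modexp(from_int(g), from_int(x), from_int(p))) == pow(g, x, p)


if __name__ == "__main__":
    p = (1 << 61) - 1         # Mersenne prime M61, a convenient test modulus
    print(matches_builtin(2, 0x0123456789ABCDEF, p))
```

Every operation above is a shift, mask, add, subtract or compare on machine-word-sized values, which is why a 33 MHz integer-only core can run a Diffie-Hellman exchange; the cost is time, not a missing instruction set. The naive reduction here is quadratic in the operand size per step, which is the part real libraries replace first.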


Re: IT security people sleep well

2004-06-03 Thread Eric Kuhnke

> I liked this quote,
>   About 43% of respondents said they're using the Secure Shell (SSH)
>   protocol to protect data, secure remote access, and perform network
>   management. But while the current SSH2 is considered to be
>   significantly more secure, nearly 45% said they are continuing to
>   mostly use the older SSH1 protocol. A cause for greater concern,
>   according to the surveyors, is that 54.9% said they continue to
>   configure their network devices via Telnet, which is known by
>   network security experts to be severely vulnerable to intruders
>   because it sends data as clear text and offers only weak password
>   authentication.

The part about Telnet is truly scary...   Among people who have "clue", 
the biggest reason I have heard to continue running ssh1 is for 
emergency access via hand-held smartphones or other pocket sized 
devices.  The Handspring Treo 180 and similar keyboarded cellphone-pda 
devices don't have the CPU power necessary for a SSH2 key exchange, 
unless I'm drastically mistaken about the FPU abilities of a 33 MHz 
Motorola Dragonball...






Re: IT security people sleep well

2004-06-03 Thread Mike Lewinski
Crist Clark wrote:
> Anyone from the real world knows that there are real and significant
> costs to convert an existing infrastructure with telnet, the
> r-protocols, ftp, and all of their unencrypted, unauthenticated friends
> to SSH and SSL secured connections. Yeah, maybe the software licensing
> costs are little to nothing, but the administrative overhead of
> converting all of your other scripts and software, plus lots and LOTS
> of retraining of admin and users can be very expensive or simply
> infeasible.

NTM all that legacy hardware for which the vendor simply never released 
an SSH-capable version. And lots of deployed CPE which lacks sufficient 
flash space to load an SSH-capable version where one was released.

I can think of a hundred cases where there's a definite measurable 
hardware upgrade cost associated with enabling SSH and the like.

Internally, our policy is to establish telnet connections from the 
closest upstream point possible, in most cases, the other side of a 
serial interface where our biggest possible cleartext exposure is 
gremlins at the CO.


Re: IT security people sleep well

2004-06-03 Thread Crist Clark
Sean Donelan wrote:
> Survey: Despite dangers, IT personnel sleep well
> By Bill Brenner, News Writer
> 27 May 2004 | SearchSecurity.com

I liked this quote,
  About 43% of respondents said they're using the Secure Shell (SSH)
  protocol to protect data, secure remote access, and perform network
  management. But while the current SSH2 is considered to be
  significantly more secure, nearly 45% said they are continuing to
  mostly use the older SSH1 protocol. A cause for greater concern,
  according to the surveyors, is that 54.9% said they continue to
  configure their network devices via Telnet, which is known by
  network security experts to be severely vulnerable to intruders
  because it sends data as clear text and offers only weak password
  authentication.
  For Marc Orchant, head of communications at VanDyke, that was one
  of the biggest shockers, especially since it costs little or nothing
  to upgrade these protocols.

It "costs little or nothing to upgrade?" Does it seem a bit
disingenuous for a remark like that to come from someone at a company
that sells a commercial SSH distribution?

Anyone from the real world knows that there are real and significant
costs to convert an existing infrastructure with telnet, the
r-protocols, ftp, and all of their unencrypted, unauthenticated friends
to SSH and SSL secured connections. Yeah, maybe the software licensing
costs are little to nothing, but the administrative overhead of
converting all of your other scripts and software, plus lots and LOTS
of retraining of admin and users can be very expensive or simply
infeasible.

And just one more quote,
  "I guess the message here is that ignorance is bliss," said Steve
  Birnkrant, chief executive officer of Amplitude Research Inc.,
  which conducted the survey on behalf of Albuquerque, N.M.-based
  VanDyke Software Inc. "What most surprised me was the general
  sense of complacency. Much has been written in the media about
  security issues, and this makes me wonder if people are listening."
Why aren't people listening? I think Mr. Birnkrant needs to go way
back to old childhood fables and have a refresher on the boy who
cried, "Wolf!"
--
Crist J. Clark   [EMAIL PROTECTED]
Globalstar Communications(408) 933-4387