Re: SSH on the router - was( IT security people sleep well)

2004-06-08 Thread Michael . Dillon
Consider the case of a staff member lounging in the backyard on a lazy Saturday afternoon with their iBook. They have an 802.11 wireless LAN at home so they telnet to their Linux box in the kitchen and run SSH to the router. Ooops! I see. SSH doesn't solve all problems, and therefore

Re: SSH on the router - was( IT security people sleep well)

2004-06-08 Thread Alexei Roudnev
Hmm. I watched it _exactly_ as you described, and guess where? In hacker's sniffer files. (4 years ago, sorry) One idiot telnetted to his scientific lab (which had no security and had a few layers of sniffers installed by a few generations of hackers), and then slogin by the chain of 4 more

SSH on the router - was( IT security people sleep well)

2004-06-07 Thread Michael . Dillon
complaining that cisco charges extra for such a critical component is exactly the right thing to do; it is fucking scary. every damn network device which used to have telnet should ship with ssh, it's free. Why? The typical network architecture of an ISP sees routers located in large

Re: SSH on the router - was( IT security people sleep well)

2004-06-07 Thread Rubens Kuhl Jr.
I'd rather use IPSEC than SSH to connect to routers or to a secure gateway and then to routers. Flaw history in IPSEC is much better than SSH, IPSEC can easily be used to move files with FTP or TFTP (does your router/client support SCP ? SFTP ?)... Unfortunately, IOS costs more to have IPSEC.

RE: SSH on the router - was( IT security people sleep well)

2004-06-07 Thread McBurnett, Jim
Ok back to the previous premise.. Linux with an IPSEC server load.. IPSEC to the Linux box, use Telnet or ??? to connect to the routers on the management VLAN/Net and you're done. Aside from that, use ACLs out the wazoo on the VTY lines and limit access to that to say 1 SSH enabled router or

Re: SSH on the router - was( IT security people sleep well)

2004-06-07 Thread Henning Brauer
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2004-06-07 14:15]: complaining that cisco charges extra for such a critical component is exactly the right thing to do; it is fucking scary. every damn network device which used to have telnet should ship with ssh, it's free. Why? The

Re: SSH on the router - was( IT security people sleep well)

2004-06-07 Thread Alex Bligh
[use telnet+ACL instead of SSH] while this protects the router such that it allows packets in only from known addresses, it does not allow packets in only from known MACHINES. Addresses can be spoofed. Vendor C (at least in recent history) did/does not allow binding of the host stack only to

Re: SSH on the router - was( IT security people sleep well)

2004-06-07 Thread Edward B. Dreger
Date: Mon, 7 Jun 2004 11:39:57 +0100 From: [EMAIL PROTECTED] Consider the case of a staff member lounging in the backyard on a lazy Saturday afternoon with their iBook. They have an 802.11 wireless LAN at home so they telnet to their Linux box in the kitchen and run SSH to the router.

Re: SSH on the router - was( IT security people sleep well)

2004-06-07 Thread Randy Bush
Once you open the router to SSH from arbitrary locations on the Internet i don't think anyone (sane) was suggesting that. but my competitors are encouraged to do so. It makes more sense to funnel everything through secure gateways and then use SSH as a second level of security to allow

Re: SSH on the router - was( IT security people sleep well)

2004-06-07 Thread Alex Bligh
--On 07 June 2004 11:10 -0700 Randy Bush [EMAIL PROTECTED] wrote: It makes more sense to funnel everything through secure gateways and then use SSH as a second level of security to allow staff to connect to the secure gateways from the Internet. Of course these secure gateways are more than just

Re: SSH on the router - was( IT security people sleep well)

2004-06-07 Thread Randy Bush
and all the other things single points of failure need. like pixie dust, chicken entrails, ... Where did the word single come from, given he had an s on gateways? Replicate them across POPs glib, but ignores the massive cost and bureaucratic insanity it takes to install yet one more box in

Re: SSH on the router - was( IT security people sleep well)

2004-06-07 Thread Valdis . Kletnieks
On Mon, 07 Jun 2004 22:12:36 BST, Alex Bligh said: Where did the word single come from, given he had an s on gateways? Replicate them across POPs. Having lots of routers accessible from a small number of machines, which are (relatively) widely accessible but can be firewalled to hell, seems a

Re: SSH on the router - was( IT security people sleep well)

2004-06-07 Thread Alex Bligh
--On 07 June 2004 17:50 -0400 [EMAIL PROTECTED] wrote: Well, either you have one per POP (and that, as Randy Bush points out, can be quite the headache in itself), which is still a single point of failure for that POP, or you're advocating that the routers be reachable from the magic box at *any*

Re: SSH on the router - was( IT security people sleep well)

2004-06-07 Thread Randy Bush
Well the way we did it, all routers were accessible from 2 (large) POPs, two being in the NOC, and one being elsewhere well, in my life (pop != noc). but access usually is from noc, engineering hq, and, if she's lucky, somewhere easy for the escalation victim of last resort to reach. whether