From: "Tony Toni" <[EMAIL PROTECTED]>
Sent: Tuesday, December 10, 2002 21:45


>
> We were recently written up by our external auditors because we use telnet
> to access all of our routers.  In some cases we use a filtered Telnet
> service...but that is not the normal practice.  We are a fairly good size
> company with about 1000+ routers.
>
> I am charged with coordinating a response to the auditors.   I know all of
> the security issues involved with Telnet...ie login id and password sent
> across the network in clear text, etc.   My question:   Is it possible to
> use SSH or CISCO TACACS+ to encrypt the entire Telnet session?  Is there a
> way to ensure no one can sniff the login id and password?   The Network
> Services Group is adamant that neither SSH nor CISCO TACACS+ will work on a
> router to correct the security issue.
>

Just a quick scan through the Cisco website shows that (at a minimum), all
IOS versions from 12.0 and up have Kerberos 5 authentication, as well as
RADIUS and TACACS+. My understanding (and it is limited, to be sure) is that
any of those authentication methods will not send login id and password in
clear-text. It will not encrypt the entire telnet session, to my knowledge.

This is all assuming that you use Cisco equipment. If you use other vendors,
you will have to make sure that they support TACACS+ or RADIUS.

But if the auditor's concern is only that authentication is done via
clear-text, using TACACS+ or RADIUS will resolve it. I don't know if SSH is
supported on the routers, but I know that all of their PIX line supports SSH
as an option.

> Tony CIA,CISA,CDP,MBA
> Security and Audit Services
> Nations Banking & Trust
>

Ever lovable and always scrappy,
kawaii

"Cunnilingus and psychiatry brought us to this." - Tony Soprano
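Added example, not part of either message above: a Cisco IOS configuration fragment that addresses the auditor's finding directly rather than only the router-to-AAA-server leg. One caveat worth keeping in mind when reading the reply: TACACS+ encrypts the packet body between the router and the TACACS+ server with the shared key, and RADIUS only obfuscates the password attribute on that same leg; neither changes what travels between the administrator's terminal and the router, so a Telnet login still carries the credentials in clear text on the wire. Only an SSH server on the router (or a tunnel in front of it) protects that first hop. The fragment below enables SSH on the vty lines, disables Telnet, and keeps TACACS+ for authentication with a local fallback. The hostname, domain, server address, shared key, fallback credential and the management subnet in the access list are placeholders; SSH support itself depends on the IOS image carrying a crypto feature set.

```cisco
! Added example configuration (not from the original post or the poster's network).
! Placeholders: ROUTER-NAME, example.com, 10.0.0.5, SHARED-KEY, LOCAL-FALLBACK-PASSWORD, 10.0.1.0/24.
hostname ROUTER-NAME
ip domain-name example.com
! An RSA key pair must exist before the SSH server will start.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Central authentication via TACACS+, with a local account as fallback
! so the box stays reachable when the AAA server is down.
aaa new-model
tacacs-server host 10.0.0.5 key SHARED-KEY
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
username admin privilege 15 secret LOCAL-FALLBACK-PASSWORD
!
! Management access list: only the admin subnet may open a vty session;
! everything else is dropped and logged.
access-list 10 permit 10.0.1.0 0.0.0.255
access-list 10 deny any log
!
! "transport input ssh" is the line that removes Telnet; a Telnet
! client connecting afterwards is refused before any login prompt.
line vty 0 4
 transport input ssh
 login authentication default
 access-class 10 in
 exec-timeout 10 0
```

After applying, `show ip ssh` confirms the server is enabled and `show running-config | include transport input` shows that every vty line reads `transport input ssh`; a quick Telnet attempt to port 23 from the admin subnet should be refused. With 1000+ routers the same fragment is best pushed from a configuration-management tool and followed by a scan of port 23 across the router address space, which gives the auditors a verifiable artifact rather than a policy statement.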
