You also might want to look at snmp v3:
Authentication is based on the username, MD5, or SHA.
Encryption has two options: none or DES.
This is the most secure of the possible models. It allows the security to be
defined in the following places: SNMP-Server Host, SNMP-Server Groups and
SNMP-Server Users.

SNMP-Server Host
It allows three levels of authentication: {noauth | auth | priv}
- Noauth - Specifies no authentication of a packet
- Auth - Specifies authentication of a packet without encrypting it
- Priv - Specifies authentication of a packet with encryption by scrambling it
Command - snmp-server host (ip address of snmp server) version 3 priv
(community name)

SNMP-Server Groups
It allows three levels of authentication: {noauth | auth | priv}
- Noauth - Specifies no authentication of a packet
- Auth - Specifies authentication of a packet without encrypting it
- Priv - Specifies authentication of a packet with encryption by scrambling it
It allows two levels of view: {read | write}
- Read - A string (up to 64 characters) that allows you to view the contents
of the agent only
- Write - A string (up to 64 characters) that allows you to write the
contents of the agent
It allows access control lists to permit or deny availability
Command - snmp-server group (group name) v3 priv read (read name) access
(access-list)
And
Command - snmp-server group (group name) v3 priv write (write name) access
(access-list)

SNMP-Server User
It allows two levels of authentication: {auth | priv}
- Encrypted - Specifies whether a password appears in encrypted format
- Auth - Initiates an authentication level setting session
  o MD5 - The HMAC-MD5-96 authentication level
  o SHA - The HMAC-SHA-96 authentication level
- Priv - The option that initiates a privacy authentication level setting
session
  o Des56 - The CBC-DES privacy authentication algorithm
It allows access control lists to permit or deny availability
Command - snmp-server user (user name) (group name) encrypted auth sha
(password) priv des56 (password) access (access-list)
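As an added example (not part of the original message, and not Cisco's own tooling), the following Python script audits the `snmp-server` lines of an IOS-style configuration against the three security levels described above: it flags legacy v1/v2c community strings, any v3 group, user or host below priv, groups and users without an access-list, and des56 privacy as informational. The configuration excerpt, the names (NOCRO, NOCVIEW, nocadmin, monitor), the 192.0.2.x addresses and the EXAMPLE-PASS placeholders are all constructed; the parser assumes the IOS keyword order with the `v3` keyword present in the user command.

```python
from collections import Counter

# Constructed sample of an IOS-style running-config excerpt (not taken from
# any real device); it mixes the SNMPv3 commands discussed above with two
# legacy v1/v2c community strings so the audit has something to flag.
SAMPLE_CONFIG = """\
hostname example-router
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server group NOCRO v3 priv read NOCVIEW access 20
snmp-server group LEGACY v3 noauth
snmp-server user nocadmin NOCRO v3 auth sha EXAMPLE-PASS priv des56 EXAMPLE-PASS access 20
snmp-server user monitor NOCRO v3 auth md5 EXAMPLE-PASS
snmp-server host 192.0.2.10 version 3 priv nocadmin
snmp-server host 192.0.2.11 version 2c public
"""

# The three USM security levels, ranked; only 'priv' gives both
# authentication and encryption of the packet.
SECURITY_RANK = {"noauth": 0, "auth": 1, "priv": 2}


def snmp_lines(config):
    """Tokenise every 'snmp-server' line of an IOS-style config text."""
    return [line.split() for line in config.splitlines()
            if line.strip().startswith("snmp-server ")]


def v3_level(tokens):
    """Derive the security level of a v3 line from the keywords it carries.

    A line that names none of the three levels is treated as noauth,
    which is the weakest assumption and therefore the safe one for an audit.
    """
    for level in ("priv", "auth", "noauth"):
        if level in tokens:
            return level
    return "noauth"


def audit_snmp(config):
    """Return a list of (severity, message) findings for the SNMP settings.

    Rules, from a defender's reading of the options above:
      HIGH   - v1/v2c community strings: no authentication, no encryption
      MEDIUM - v3 group/user/host below 'priv' (auth-only or noauth)
      LOW    - v3 group/user without an access-list restricting sources
      INFO   - des56 privacy: the only cipher listed above, but 56-bit DES
    """
    findings = []
    for tok in snmp_lines(config):
        kind = tok[1]
        if kind == "community":
            acl = f"with ACL {tok[4]}" if len(tok) > 4 else "with no ACL"
            findings.append(("HIGH", f"v1/v2c community '{tok[2]}' ({tok[3]}) {acl}"))
        elif kind == "group" and "v3" in tok:
            # In the group command the level immediately follows 'v3'.
            name, level = tok[2], tok[tok.index("v3") + 1]
            if SECURITY_RANK.get(level, 0) < SECURITY_RANK["priv"]:
                findings.append(("MEDIUM", f"v3 group '{name}' is '{level}', not priv"))
            if "access" not in tok:
                findings.append(("LOW", f"v3 group '{name}' has no access-list"))
        elif kind == "user" and "v3" in tok:
            name, level = tok[2], v3_level(tok)
            if SECURITY_RANK[level] < SECURITY_RANK["priv"]:
                findings.append(("MEDIUM", f"v3 user '{name}' is '{level}', not priv"))
            if "access" not in tok:
                findings.append(("LOW", f"v3 user '{name}' has no access-list"))
            if "des56" in tok:
                findings.append(("INFO", f"v3 user '{name}' uses 56-bit DES privacy"))
        elif kind == "host":
            target = tok[2]
            # A host line without 'version' defaults to SNMPv1.
            version = tok[tok.index("version") + 1] if "version" in tok else "1"
            if version != "3":
                findings.append(("HIGH", f"trap host {target} uses SNMPv{version}"))
            else:
                rest = tok[tok.index("version") + 2:]
                level = rest[0] if rest and rest[0] in SECURITY_RANK else "noauth"
                if SECURITY_RANK[level] < SECURITY_RANK["priv"]:
                    findings.append(("MEDIUM", f"trap host {target} is '{level}', not priv"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 3, 'MEDIUM': 2, ...}."""
    return dict(Counter(severity for severity, _ in findings))


if __name__ == "__main__":
    for severity, message in audit_snmp(SAMPLE_CONFIG):
        print(f"{severity:<6} {message}")
    print(summarize(audit_snmp(SAMPLE_CONFIG)))
```

Run against the constructed excerpt, the script reports the two community strings and the v2c trap host as HIGH, the noauth group and the auth-only user as MEDIUM, their missing access-lists as LOW, and the des56 user as INFO, while the fully configured priv group, user and host produce nothing; feeding it the output of `show running-config | include snmp-server` from a real device is the intended use.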
-----Original Message-----
From: Chris Berry [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 12, 2002 1:15 PM
To: [EMAIL PROTECTED]
Subject: Re: Telnet Security Question for a Router.
>From: "Tony Toni" <[EMAIL PROTECTED]>
>We were currently written up by our external auditors because we use telnet
>to access all of our routers. In some cases we use a filtered Telnet
>service...but that is not the normal practice. We are a fairly good size
>company with about 1000+ routers.
>
>I am charged with coordinating a response to the auditors. I know all of
>the security issues involved with Telnet...ie login id and password sent
>across the network in clear text, etc. My question: Is it possible to
>use SSH or CISCO TACACS+ to encrypt the entire Telnet session? Is there a
>way to ensure no one can sniff the login id and password? The Network
>Services Group is adamant that neither SSH nor CISCO TACACS+ will work on a
>router to correct the security issue.
Well, you could use SSL or VPN to create a secure tunnel for the Telnet
session, but SSH would be a much better choice; it's designed for that sort
of thing. SSH works on most quality routers. What brand(s) do you have?
Chris Berry
[EMAIL PROTECTED]
Systems Administrator
JM Associates
"Live dangerously, overclock your servers."