telnet vs ssh on Core equipment , looking for reasons why ?

Valdis.Kletnieks at vt.edu
Tue Jul 31 23:22:41 UTC 2001


On Tue, 31 Jul 2001 13:45:33 PDT, Dan Hollis said:
> Hmmm, how about I lockdown all MAC addresses on switch ports and configure
> port IP filters and set the switch so filter violations automatically
> disable your port?

I'd love to do this to our users.  I've suggested it.

I was promptly told that if implemented, I'd be the guy answering the phone
each time one of our 30K users replaced an Ethernet card or moved a
computer across a room and plugged it into another "Known Working" portal. ;)

However, we *do* dump the ARP caches on every switch every 5 minutes and
keep a database on every time we see a change on a port.  Good thing disk
space is cheap; we've got the data going back to <when the heck did managed
switches/hubs hit the market>.  No, it's not as secure - but I'd like
to get work done once in a while too. ;)

You want *security*?  I'm surprised nobody has suggested running cable
in pressurized conduit - I fully believe some paranoid TLA's use 400PSI
and a pressure-drop alarm as a deterrent.  I keep hearing rumors that
involve 400PSI nerve gas, and I'm not sure if anybody is THAT paranoid. ;)

The rest of us need to balance security against getting work done.  Sure,
there's MIM attacks against SSH. On the other hand, I'm pretty sure
that if somebody talented enough that they can man-in-middle an SSH session
*without* me seeing a "host key has changed" message decides to attack me,
there isn't much I'll be able to do to stop him anyhow.

On the other hand, I need to smack the admins of the 48 machines of ours
that got CodeRed'ed.  Guess which is considered more important by our
management, smacking the CodeRed machines, or worrying about SSH holes? ;)
-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech
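The "dump the switch tables every few minutes and keep every change" practice described above, as an added example (not code from the original post or from Virginia Tech). It assumes the collection step (an SNMP bridge-MIB walk or CLI scrape of each switch) has already produced (switch, port, mac) rows; the switch names, port names and MAC addresses below are constructed, and the history lives in an in-memory SQLite table so the script runs offline.

```python
import sqlite3

# Constructed sample polls: what two successive dumps of a switch's MAC table
# might look like, as (switch, port, mac) rows. The collection step itself
# (SNMP bridge-MIB walk or CLI scrape) is assumed and not shown.
POLL_1 = [
    ("sw-bldg1-a", "Gi1/0/1", "00:11:22:33:44:55"),
    ("sw-bldg1-a", "Gi1/0/2", "00:11:22:33:44:66"),
    ("sw-bldg1-a", "Gi1/0/3", "00:11:22:33:44:77"),
]
POLL_2 = [
    ("sw-bldg1-a", "Gi1/0/1", "00:11:22:33:44:55"),  # unchanged
    ("sw-bldg1-a", "Gi1/0/2", "00:11:22:33:44:99"),  # Ethernet card replaced
    ("sw-bldg1-a", "Gi1/0/4", "00:11:22:33:44:77"),  # host moved across the room
]


def index_poll(rows):
    """Group (switch, port, mac) rows into {(switch, port): {mac, ...}}.

    A set per port rather than a single MAC, because a hub or unmanaged
    switch hanging off a port legitimately shows several addresses.
    """
    table = {}
    for switch, port, mac in rows:
        table.setdefault((switch, port), set()).add(mac.lower())
    return table


def diff_polls(previous, current):
    """List every (switch, port, mac, event) that differs between two polls.

    event is "new" (address not seen in the previous poll), "gone", or
    "moved from <switch>/<port>" when the address sat on another port before.
    """
    last_seen = {mac: key for key, macs in previous.items() for mac in macs}
    events = []
    for key in sorted(set(previous) | set(current)):
        before = previous.get(key, set())
        after = current.get(key, set())
        for mac in sorted(after - before):
            if mac in last_seen:
                event = "moved from {}/{}".format(*last_seen[mac])
            else:
                event = "new"
            events.append((key[0], key[1], mac, event))
        for mac in sorted(before - after):
            events.append((key[0], key[1], mac, "gone"))
    return events


def open_history_db(path=":memory:"):
    """Create the change-history table (in memory here; pass a file path to keep it)."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS port_history ("
        "seen_at TEXT NOT NULL, switch TEXT NOT NULL, port TEXT NOT NULL, "
        "mac TEXT NOT NULL, event TEXT NOT NULL)"
    )
    return db


def record_poll(db, previous, current, seen_at):
    """Diff two polls, store each change with its timestamp, and return the events."""
    events = diff_polls(previous, current)
    db.executemany(
        "INSERT INTO port_history VALUES (?, ?, ?, ?, ?)",
        [(seen_at, sw, port, mac, ev) for sw, port, mac, ev in events],
    )
    db.commit()
    return events


def port_history(db, switch, port):
    """The incident-response question: what has ever been seen on this port?"""
    cur = db.execute(
        "SELECT seen_at, mac, event FROM port_history "
        "WHERE switch = ? AND port = ? ORDER BY seen_at",
        (switch, port),
    )
    return cur.fetchall()


def demo():
    """Run the two constructed polls through the recorder; return (events, history of Gi1/0/4)."""
    db = open_history_db()
    events = record_poll(db, index_poll(POLL_1), index_poll(POLL_2), "2001-07-31T23:20:00Z")
    return events, port_history(db, "sw-bldg1-a", "Gi1/0/4")


if __name__ == "__main__":
    for event in demo()[0]:
        print(*event)
```

On the very first poll the previous map is empty, so every address is logged as "new"; after that only changes are written, which is what keeps the database small enough to retain for years. The "moved from" event is the one that answers the phone call the post jokes about: a port going quiet and the same MAC turning up elsewhere is a relocated machine, not a new device.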