IT security people sleep well

Paul Jakma paul at clubi.ie
Sun Jun 6 21:35:59 UTC 2004


On Sun, 6 Jun 2004, Henning Brauer wrote:

> this is not nearly the same league as (proper) ssh.

It's quite sufficient for protecting one's routers. Also the 
"authentication" itself is (should be) Triple-DES protected. The DES 
encryption for the data exchange isn't enough to guard sensitive data, 
however it's still more than enough to stop real-time MITM.

More recent Kerberos implementations support AES-256/SHA-1 HMAC 
enctypes and hopefully kerberised telnet will also gain AES-256 
encryption support at some point.

> complaining that cisco charges extra for such a critical component is
> exactly the right thing to do; it is fucking scary.

Right, but hand-waving about the scariness of not shipping ssh doesn't 
solve the immediate problem of securing network console access to 
one's infrastructure. And, contrary to the popular belief on this 
list, it *is* quite possible to secure access with the *standard* IOS 
images on nearly all Cisco routers shipped for at least the last few 
years.

Anyone who has Active Directory on their network can implement this 
easily enough. Even for those who don't, setting up a KDC is pretty easy.

> every damn network device which used to have telnet should ship with
> ssh, it's free.

However, it's not very well specified yet.

> well, I understand that cisco has problems with their 3$ CPUs with 
> the crypto load, bit that's an extremely poor excuse.

Right, but on the other hand lack of ssh in one's IOS images is *not* 
an excuse to use plain-text telnet.

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
 	warning: do not ever send email to spam at dishone.st
Fortune:
This novel is not to be tossed lightly aside, but to be hurled with great force.
 		-- Dorothy Parker