IT security people sleep well
Robert Boyle
robert at tellurian.com
Mon Jun 7 01:52:51 UTC 2004
At 07:14 PM 6/6/2004, you wrote:
>On the SSH/SSL front: IMHO these technologies give a false sense of
>security. Sniffing cleartext management sessions is a concern, yes, but
>actual incidents where it occurs, especially within your own network
>infrastructure, are vanishingly rare compared to the commonplace compromise
>of individual hosts. Creating a secure link between hosts is wasted effort
>at best if you can't trust the host at the other end of that link.
Agreed. I really truly don't see the problem with plaintext telnet
management of routers. We have access-lists on vty 0 15 specifying which
networks can even connect. We can't connect except from a trusted
internal management network and I control all the routers and circuits in
the path. If someone is in the middle of one of my circuits doing some type
of dump of the data to disk, they are probably the NSA or CIA, and I've got
much bigger problems. Can someone please provide a situation where doing
this can lead to compromise or any type of problem at all? I just don't see
it. However, I see people having unpatched servers running without proper
ACLs every day and this is rarely discussed and as Stephen Sprunk points
out, a lot of people here on NANOG don't apply bogon filters or even source
filter their customers - and this doesn't require a feature set upgrade to
IOS. (All of which we do, btw.) So I'm still not convinced that SSL on
routers is needed. Nice, sure, but needed? No. Please convince me otherwise
if you feel this is such a hugely pressing need or at least explain your
position.
R
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." -
Francis Jeffrey
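The vty setup described in the post, as an added configuration example that is not from the message or from Tellurian Networks: the same source-address restriction on `line vty 0 15`, first with plaintext telnet as described, then with the transport switched to SSH, which is the only change needed to stop an on-path observer from reading the session. The management network 10.0.0.0/24, the hostname, domain name and username are placeholders chosen for the example.

```cisco
! Constructed example: only the assumed management network 10.0.0.0/24
! may reach the vty lines; everything else is dropped and logged.
ip access-list standard MGMT-NET
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
username netadmin secret REPLACE-WITH-REAL-SECRET
!
! BEFORE (as in the post): access-class limits who may connect, but the
! login and every command still cross each hop in cleartext.
line vty 0 15
 access-class MGMT-NET in
 transport input telnet
 login local
!
! AFTER: identical access-class; the session is now encrypted and the
! router proves its identity with a host key. The crypto commands need
! an IOS image with the crypto feature set, which is the "feature set
! upgrade" the post refers to. Applying this stanza replaces the telnet
! transport above.
hostname rtr1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
 access-class MGMT-NET in
 transport input ssh
 login local
```

The access-list is what keeps untrusted networks off the vty lines in both variants; `transport input ssh` is what removes the cleartext exposure the quoted message treats as negligible.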