IT security people sleep well

Robert Boyle robert at tellurian.com
Mon Jun 7 01:52:51 UTC 2004


At 07:14 PM 6/6/2004, you wrote:
>On the SSH/SSL front: IMHO these technologies give a false sense of
>security.  Sniffing cleartext management sessions is a concern, yes, but
>actual incidents where it occurs, especially within your own network
>infrastructure, are vanishingly rare compared to the commonplace compromise
>of individual hosts.  Creating a secure link between hosts is wasted effort
>at best if you can't trust the host at the other end of that link.

Agreed. I really truly don't see the problem with plaintext telnet 
management of routers. We have access-lists on vty 0 15 specifying which 
networks can even connect. We can't connect except from a trusted 
internal management network, and I control all the routers and circuits in 
the path. If someone is in the middle of one of my circuits doing some type 
of dump of the data to disk, they are probably the NSA or CIA, and I've got 
much bigger problems. Can someone please provide a situation where doing 
this can lead to compromise or any type of problem at all? I just don't see 
it. However, I see people having unpatched servers running without proper 
ACLs every day, and this is rarely discussed, and as Stephen Sprunk points 
out, a lot of people here on nanog don't apply bogon filters or even source 
filter their customers - and this doesn't require a feature set upgrade to 
IOS. (All of which we do, btw.) So I'm still not convinced that SSL on 
routers is needed. Nice, sure, but needed? No. Please convince me otherwise 
if you feel this is such a hugely pressing need, or at least explain your 
position.

R


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - 
Francis Jeffrey
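
As an added illustration, not taken from Robert's message or any Tellurian configuration, here is an IOS-style configuration of the two controls he describes: an access-list on vty 0 15 that admits only the internal management network, and a source filter on a customer-facing interface. The 192.0.2.0/24 management prefix, the 203.0.113.0/24 customer prefix, the ACL names and the interface are constructed placeholders.

```ios
! Constructed example: management-plane ACL applied to vty 0 15.
! Only the trusted internal management network may open a session;
! every other source is rejected and logged so stray attempts are visible.
access-list 10 remark Trusted internal management network (placeholder prefix)
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 15
 access-class 10 in
 transport input telnet
 exec-timeout 10 0
 login local
!
! Customer-facing interface: source filtering so the customer can only
! send packets from the prefix assigned to them (203.0.113.0/24 here).
ip access-list extended CUSTOMER-A-IN
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description Customer A (placeholder interface)
 ip access-group CUSTOMER-A-IN in
```

The `log` keyword on both deny entries is what makes connection attempts from outside the management network, and spoofed-source packets from the customer port, show up in the router's log rather than being dropped silently.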
