SSH on the router - was( IT security people sleep well)

Rubens Kuhl Jr. rubens at email.com
Mon Jun 7 12:08:09 UTC 2004



I'd rather use IPSEC than SSH to connect to routers or to a secure gateway
and then to routers. Flaw history in IPSEC is much better than SSH, IPSEC
can easily be used to move files with FTP or TFTP (does your router/client
support SCP ? SFTP ?)...

Unfortunately, IOS costs more to have IPSEC.


Rubens

----- Original Message ----- 
From: <Michael.Dillon at radianz.com>
To: <nanog at merit.edu>
Sent: Monday, June 07, 2004 7:39 AM
Subject: SSH on the router - was( IT security people sleep well)


>
> > complaining that cisco charges extra for such a critical component is
> > exactly the right thing to do; it is fucking scary.
> >
> > every damn network device which used to have telnet should ship with
> > ssh, it's free.
>
> Why?
>
> The typical network architecture of an ISP sees routers located in
> large clusters in a PoP or on a customer's site directly connected
> to a PoP. Since it is dead simple to place a 1U Linux box or similar
> SPARC server in a PoP to act as a secure gateway, why should router
> vendors encourage laziness and sloppiness? IMHO routers should not
> have SSH at all and should not accept any packets directed to them
> unless they are coming from a small set of known addresses on the
> network operator's management network.
>
> Once you open the router to SSH from arbitrary locations on the
> Internet you also open the router to DDoS from arbitrary locations and
> to attacks from people with inside info (SSH keys stolen or otherwise).
>
> It makes more sense to funnel everything through secure gateways and
> then use SSH as a second level of security to allow staff to connect
> to the secure gateways from the Internet. Of course these secure
> gateways are more than just security proxies; they can also contain
> diagnostic tools, auditing functions, scripting capability, etc.
>
> Now there is nothing fundamentally wrong with ADDING to that type
> of architecture by enabling SSH between the routers and the security
> gateways. But I believe that it is fundamentally wrong to consider
> SSH on the router to be equivalent to opening the router to any staff
> member, anytime, anywhere on the Internet. There are still possible
> man in the middle attacks that cannot be protected against by SSH.
> Consider the case of a staff member lounging in the backyard on a
> lazy Saturday afternoon with their iBook. They have an 802.11 wireless
> LAN at home so they telnet to their Linux box in the kitchen and run
> SSH to the router. Ooops!
>
> The only way to protect against that sort of situation is to encourage
> everyone to be security-minded and not take risks where the network is
> concerned. Funneling all access to routers through a secure gateway is
> part of that security-mindedness and is just plain good practice.
>
> --Michael Dillon
>
>
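The architecture Michael describes (routers accept management-plane connections only from a small set of known management addresses, and only over SSH) is easy to audit from the router's own login syslog. The script below is an added example and is not code from the thread or from any vendor: it parses constructed IOS-style login messages, flags sessions that came from outside a constructed management prefix list (192.0.2.0/24 and 2001:db8:100::/48, both documentation ranges) or that used cleartext telnet, and renders the matching IOS-style vty access-class restriction from the same prefix list. The log format, prefixes and ACL name are assumptions.

```python
"""Added example (not from the NANOG thread): audit router login logs
against a management-network allowlist and render the vty restriction
that enforces it.  All prefixes and log lines below are constructed."""
import ipaddress
import re

# Constructed: the only networks from which routers should accept
# management-plane connections (RFC 5737 / RFC 3849 documentation ranges).
MGMT_PREFIXES = [ipaddress.ip_network(p)
                 for p in ("192.0.2.0/24", "2001:db8:100::/48")]

# Constructed log lines in the style of IOS SEC_LOGIN syslog messages.
SAMPLE_LOG = """\
Jun  7 12:01:03 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: noc] [Source: 192.0.2.17] [localport: 22] at 12:01:03 UTC Mon Jun 7 2004
Jun  7 12:03:44 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: noc] [Source: 198.51.100.9] [localport: 22] at 12:03:44 UTC Mon Jun 7 2004
Jun  7 12:05:10 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.77] [localport: 22] [Reason: Login Authentication Failed] at 12:05:10 UTC Mon Jun 7 2004
Jun  7 12:06:30 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: noc] [Source: 192.0.2.40] [localport: 23] at 12:06:30 UTC Mon Jun 7 2004
"""

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<result>LOGIN_SUCCESS|LOGIN_FAILED):.*?"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\]"
)


def parse_sessions(log_text):
    """Return one dict per login record found in the log text."""
    sessions = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a login record; ignore
        sessions.append({
            "user": m["user"],
            "src": ipaddress.ip_address(m["src"]),
            "port": int(m["port"]),
            "success": m["result"] == "LOGIN_SUCCESS",
        })
    return sessions


def is_management_source(addr, prefixes=MGMT_PREFIXES):
    """True if addr (string or address object) lies in a management prefix."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    # 'in' returns False when address and network families differ.
    return any(addr in net for net in prefixes)


def audit(log_text, prefixes=MGMT_PREFIXES):
    """Return (source, reason) for every session that violates the policy:
    any login from outside the management network, successful or not, and
    any cleartext telnet session (localport 23) even from inside it."""
    findings = []
    for s in parse_sessions(log_text):
        if not is_management_source(s["src"], prefixes):
            verb = "succeeded" if s["success"] else "attempted"
            findings.append((str(s["src"]),
                             "management-plane login %s from outside the "
                             "management network" % verb))
        elif s["port"] == 23:
            findings.append((str(s["src"]),
                             "cleartext telnet session; expected SSH"))
    return findings


def render_vty_acl(prefixes=MGMT_PREFIXES, name="MGMT-ONLY"):
    """Render IOS-style config restricting the vty lines to the management
    prefixes and to SSH only.  ACL name is an assumption."""
    v4 = [n for n in prefixes if n.version == 4]
    v6 = [n for n in prefixes if n.version == 6]
    lines = []
    if v4:
        lines.append("ip access-list standard %s" % name)
        for n in v4:  # standard ACLs take a wildcard (host) mask
            lines.append(" permit %s %s" % (n.network_address, n.hostmask))
        lines.append(" deny   any log")
    if v6:
        lines.append("ipv6 access-list %s-V6" % name)
        for n in v6:
            lines.append(" permit ipv6 %s any" % n)
        lines.append(" deny ipv6 any any log")
    lines.append("line vty 0 4")
    if v4:
        lines.append(" access-class %s in" % name)
    if v6:
        lines.append(" ipv6 access-class %s-V6 in" % name)
    lines.append(" transport input ssh")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, reason in audit(SAMPLE_LOG):
        print("%-16s %s" % (src, reason))
    print(render_vty_acl())
```

Run stand-alone, it reports the two logins from outside 192.0.2.0/24 and the telnet session from inside it, then prints the access-list and vty lines; the same prefix list drives both the audit and the rendered restriction, which is the point of keeping the management allowlist in one place.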
