SSH on the router - was( IT security people sleep well)
Edward B. Dreger
eddy+public+spam at noc.everquick.net
Mon Jun 7 18:07:19 UTC 2004
> Date: Mon, 7 Jun 2004 11:39:57 +0100
> From: Michael.Dillon at rad...
> Consider the case of a staff member lounging in the backyard on
> a lazy Saturday afternoon with their iBook. They have an 802.11
> wireless LAN at home so they telnet to their Linux box in the
> kitchen and run SSH to the router. Ooops!
I see. SSH doesn't solve all problems, and therefore must be
worthless.
Now let's look at kerberized telnet. Someone logs in via
kerberized telnet over an insecure network, then decides to
change his/her password. Oops.
Someone could screw up OTP SSH+KRB5 logins over IPSec if using a
compromised box with a keylogger installed. Does that mean each
of these technologies is worthless?
> The only way to protect against that sort of situation is to
> encourage everyone to be security-minded and not take risks
> where the network is concerned.
Definitely. Alas, I'm seeing more "it won't happen to me" than
in the past. It's almost as if the "logic" is "I hear more about
this, but haven't noticed anything awful, and therefore must be
invincible."
Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
DO NOT send mail to the following addresses :
blacklist at brics.com -or- alfra at intc.net -or- curbjmp at intc.net
Sending mail to spambait addresses is a great way to get blocked.
More information about the NANOG
mailing list