IT security people sleep well

Robert Boyle robert at tellurian.com
Mon Jun 7 19:36:29 UTC 2004


At 12:11 PM 6/7/2004, you wrote:
>ever heard of multilayer security?

Absolutely and I am a huge believer in it, and all of our systems and our 
network are designed with many layers of protection... which is why I am 
against running ssh AND leaving it open to the world, since that leaves only 
a single layer of security. My point is simply that having SSH is a good 
tool, but I still don't think that having SSH relieves any of the other 
responsibility for proper network security.

>some little problem somewhere that allows an attacker to sniff your
>telnet traffic and you are d00med. that might be as simple as a routing
>fuckup.

That would have to be a pretty major screwup.

>You lose nothing with using ssh instead of telnet.
>You win a lot.

I agree 100%. However, is that worth $x thousand more per IOS image? Maybe. 
Should it be included by default, yes.

>ssh is a basic component for secure network management.
>it is not the one magic piece that turns a collection of crap into an
>ubersecure network of course, as some people seem to imply.

Exactly and that is my point. Especially when leaving SSH open to the world 
on all routers because it is "secure" is LESS secure than having secure 
passwords and ACLs and using telnet from the local LAN only. In an ideal 
world, you would have an ACL, a secure password, AND SSL.

>not seeing the problem with cleartext telnet for remote logins in 2004,
>whether ACL'd or not, is just ... oh man, I don't have words for this.

I see the theoretical problem with telnet, but in the real world, I think 
there are many other more basic security practices which should be focused 
on, perhaps even before worrying about ssh for routers. How many people have 
a dictionary word as their password for SSH? How many times have you 
purchased a used router which was used by (insert big ISP here) and found 
the password to be a simple dictionary word - on multiple routers purchased 
from multiple ISPs? My only point is that there are many other things to 
worry about for building comprehensive security as part of a network than 
simply enabling a protocol for remote management. That should be one of 
MANY issues which should constantly be addressed.

R


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - 
Francis Jeffrey
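The three layers the message above argues for (a management ACL, a non-dictionary password, and an encrypted transport) can be checked mechanically against a saved configuration. The following script is an added example written for this archive page, not code from the thread or from any vendor; it assumes a Cisco IOS-style text config (a "line vty" stanza with "access-class", "transport input" and "password" sub-commands), uses two constructed sample configs, and stands in a tiny hard-coded word list for a real dictionary file.

```python
"""Audit an IOS-style config for layered management-plane protection.

Checks, per the thread: (1) a vty access-class restricts who can reach the
management interface, (2) only SSH is accepted as a transport, and (3) no
plaintext password is a plain dictionary word. Sample configs are constructed
for this example; the word list is a stand-in for a real dictionary.
"""
import re

# Constructed stand-in for a dictionary word list (a real audit would load a file).
DICTIONARY = {"cisco", "password", "router", "admin", "secret", "network"}

# Constructed: the "ideal world" config from the thread, ACL + strong secret + SSH only.
GOOD_CONFIG = """\
hostname edge1
enable secret 5 $1$placeholder$notarealhash
ip access-list standard MGMT
 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
"""

# Constructed: the weak case, telnet open to the world with dictionary passwords.
BAD_CONFIG = """\
hostname edge2
enable password cisco
line vty 0 4
 transport input telnet ssh
 password router
 login
"""

# Matches "enable password <word>" or an indented "password <word>" line;
# "enable secret 5 <hash>" is hashed and deliberately not matched.
PASSWORD_RE = re.compile(
    r"^(?:enable password|[ \t]+password)[ \t]+(?:0[ \t]+)?(\S+)[ \t]*$", re.M
)


def vty_block(config):
    """Return the stripped sub-commands of the first 'line vty' stanza."""
    out, inside = [], False
    for line in config.splitlines():
        if line.startswith("line vty"):
            inside = True
            continue
        if inside:
            if line.startswith(" "):
                out.append(line.strip())
            else:
                break
    return out


def audit(config):
    """Return a list of human-readable findings; an empty list means all three layers are present."""
    findings = []
    vty = vty_block(config)
    if not vty:
        return ["no 'line vty' stanza found"]

    # Layer 1: an ACL on the vty lines, so the service is not reachable from anywhere.
    if not any(cmd.startswith("access-class ") for cmd in vty):
        findings.append("vty has no access-class: management reachable from any source")

    # Layer 2: encrypted transport only. Anything besides 'ssh' (telnet, all) is flagged.
    transports = [cmd.split()[2:] for cmd in vty if cmd.startswith("transport input")]
    allowed = {word for words in transports for word in words}
    if not transports or allowed - {"ssh"}:
        findings.append(
            "vty accepts a cleartext transport: %s" % (sorted(allowed) or ["default"])
        )

    # Layer 3: plaintext passwords that are plain dictionary words.
    for match in PASSWORD_RE.finditer(config):
        word = match.group(1)
        if word.lower() in DICTIONARY:
            findings.append("dictionary word used as password: %r" % word)
    return findings


if __name__ == "__main__":
    for name, cfg in (("edge1", GOOD_CONFIG), ("edge2", BAD_CONFIG)):
        print(name, audit(cfg) or ["ok: ACL, SSH-only transport, no dictionary password"])
```

Run as-is, it reports the good config clean and lists four findings for the weak one: a missing access-class, telnet accepted, and two dictionary passwords. Feeding it real "show running-config" output only requires swapping in a real word list and iterating over saved configs.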
