North American Network Operators Group
Re: RE: SSH on IOS (was RE: ABOVE.NET SECURITY TRUTHS?)
There are lots of ways to make this work: Digiboard or Rocketport in the Linux box. Real terminal server (Livingston is good, Computone Powerrack is cheaper, has more ports per Rack Unit, and is good enough for this usage) in the rack with direct Ethernet connect to a Linux box racked right above it, so physical security is still easy, then SSH to the Linux box.

If you lock that Linux (or Open/Free/Net-BSD) box down so it accepts NOTHING other than that SSH traffic, you could even slap a hub down and use it to direct Ethernet management traffic, although that opens you up to possible sniffing if a router is cracked. Best to stick with the serial solutions, but they can be pretty damn cheap. Certainly cheaper than break-ins.

Figure anywhere from $500 to $1,500 for the Linux server (depending upon the quality of components, and whether you put it in a rack-mount case or just drop it on top of the terminal server), and $2,500 for a Computone Powerrack (with ISP discounts, and using the pricing I remember from years ago, which could very well have changed), with no expenditure on software at all (unless you count $1.99 for a CD from CheapBytes) and you're looking at a damned cheap, damned secure system that your entire staff can use.

You could even log all the traffic on the Linux box, provide scripts for common tasks and keep them on the isolated server where they're safe, or even (if you needed to) tcpdump all the traffic to the terminal server for infinite levels of security micromanagement. All for less than the cost of the consultants who'd sell you the less-secure versions of securing this traffic.

On Fri, 28 Apr 2000, "Roeland Meyer (E-mail)" wrote:

> Date: Fri, 28 Apr 2000 19:24:32 -0700
> To: "'John Fraizer'" <nanog@EnterZone.Net>,
>     "'Jason Ackley'" <email@example.com>
> From: "Roeland Meyer (E-mail)" <firstname.lastname@example.org>
> Reply-To: <email@example.com>
> Subject: RE: SSH on IOS (was RE: ABOVE.NET SECURITY TRUTHS?)
>
>
> Actually doing that now, with a Linux box and an old Livingston PM2E.
> Linux box runs SSHD, the portmaster runs directly into console ports
> 'stead of modems. I figured that was obvious. However, I don't run a
> co-lo either. Most of my systems reside in them. This is okay, until your
> ladders have to run through semi-public space. There is also a 50 foot
> length restriction, on RS-232 lines, unless you like running at less than
> 115K baud. Also, figure the expense of the extra hardware. In my case, it
> was unused sunk-cost anyway (surplus, for you non-suits).
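The "accepts NOTHING other than that SSH traffic" part of the design above, as an added example that is not from this thread: a generator for a default-deny nftables ruleset on the console-access Linux box, which only admits SSH from the staff management network and only lets the box itself talk to the directly attached terminal server, logging everything it drops. The management network, terminal-server interface, address and ports are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the NANOG thread. Emits an nftables ruleset for a
# console-access bastion; review the output, then apply it with:
#   gen_console_bastion_rules | nft -f -
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"   # constructed: where staff SSH in from
TS_IF="${TS_IF:-eth1}"                 # constructed: link to the terminal server
TS_ADDR="${TS_ADDR:-10.0.0.2}"         # constructed: terminal server address
TS_PORTS="${TS_PORTS:-22, 23}"         # constructed: whatever the TS listens on

gen_console_bastion_rules() {
  cat <<EOF
flush ruleset
table inet bastion {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # the only service this host offers: SSH, and only from the management net
    ip saddr $MGMT_NET tcp dport 22 ct state new log prefix "bastion-ssh: " accept
    # anything else (e.g. a probe from a cracked router) is logged, then dropped
    log prefix "bastion-drop-in: " drop
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    # the bastion may open sessions only toward the terminal server's ports;
    # add remote syslog/NTP destinations here if the box uses them
    oif $TS_IF ip daddr $TS_ADDR tcp dport { $TS_PORTS } accept
    log prefix "bastion-drop-out: " drop
  }
  chain forward {
    # the bastion is not a router: never pass traffic between its interfaces
    type filter hook forward priority 0; policy drop;
  }
}
EOF
}

gen_console_bastion_rules
```

Dropped packets show up in the kernel log with the "bastion-drop-in:" or "bastion-drop-out:" prefix, which is the cheap form of the traffic logging the post mentions.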