North American Network Operators Group
Re: IT security people sleep well
On Sun, 6 Jun 2004, Henning Brauer wrote:
It's quite sufficient for protecting one's routers. Also the "authentication" itself is (should be) Triple-DES protected. The DES encryption for the data exchange isn't enough to guard sensitive data, however it's still more than enough to stop real-time MITM.
this is not nearly the same league as (proper) ssh.
More recent Kerberos implementations support AES-256/SHA-1 HMAC enctypes and hopefully kerberised telnet will also gain AES-256 encryption support at some point.
Right, but hand-waving about the scariness of not shipping ssh doesn't solve the immediate problem of securing network console access to one's infrastructure. And, contrary to the popular belief on this list, it *is* quite possible to secure access with the *standard* IOS images on nearly all Cisco routers shipped for at least the last few years.
complaining that cisco charges extra for such a critical component is exactly the right thing to do; it is fucking scary.
Anyone who had Active Directory on their network can implement this easily enough. Even those who don't, setting up a KDC is pretty easy.
every damn network device which used to have telnet should ship with ssh, it's free.
However, it's not very well specified yet.
well, I understand that cisco has problems with their 3$ CPUs with the crypto load, but that's an extremely poor excuse.
Right, but on the other hand lack of ssh in one's IOS images is *not* an excuse to use plain-text telnet.
Paul Jakma email@example.com firstname.lastname@example.org Key ID: 64A2FF6A
warning: do not ever send email to email@example.com
This novel is not to be tossed lightly aside, but to be hurled with great force.
-- Dorothy Parker