[fw-wiz] What's the deal with SSH? (was: PIX software release 5.2)

sean.kelly@lanston.com sean.kelly@lanston.com
Mon, 25 Sep 2000 14:15:15 -0400

> From: shewitt@cdw.com [mailto:shewitt@cdw.com]
> Pardon my ignorance with this, but what's the big deal about 
> using something like SecureCRT?  That's basically a secure
> telnet, right?

In its simplest incarnation, yes, though in reality just about anything can
be tunneled through the SSH protocol.

> I do all my configuring of my PIXen from the inside interface,
> and I'm on a almost completely switched network.  So, I'm not
> too concerned about somebody sniffing my telnet session.

As other people have noted, don't mistake switching for some sort of network
security panacea.  And you should certainly be concerned if you're using
telnet to connect to locations you'd prefer be kept off-limits.  All it
takes to grab a username/password is have a box in a position to pick up
traffic with its ethernet card set in promiscuous mode.

> Do you use SSH to protect against people
> sniffing on local segments, or is the concern when going across the
> internet?

SSH serves to help prevent someone from snooping on the packet stream
passing between two computers.  This includes the authentication process,
which is why it is so widely favored over telnet (because telnet does its
authentication via plaintext).  It should be noted, however, that all SSH
does is secure the datastream between the two endpoints.  There are a ton of
ways the security of the actual session could still be broken.  Still, it's
far better than telnet.

>  Also, I only enable telnet on the inside 
> interface, so I don't even worry about people connecting 
> from the outside interface.

Then I guess it depends on whether you trust everyone with either physical
access to your network or remote access to any PC that may be in a position
to monitor your telnet session (your own PC notwithstanding, since that
would circumvent even the security SSH offers).