[fw-wiz] Re: What's the deal with SSH?

Brian Ford brford@cisco.com
Tue, 26 Sep 2000 10:54:22 -0400


Sean made some excellent, important points.  But we can't overlook the fact that security policy varies from site to site, and technology to technology.  It boils down to knowing your network and knowing your environment.  

 >> Pardon my ignorance with this, but what's the big deal about 
 >> using something like SecureCRT?  That's basically a secure
 >> telnet, right?
 >
 >In its simplest incarnation, yes, though in reality just about anything can
 >be tunneled through the SSH protocol.

True.  This is a very important point.

 >> I do all my configuring of my PIXen from the inside interface,
 >> and I'm on a almost completely switched network.  So, I'm not
 >> too concerned about somebody sniffing my telnet session.
 >>
 >>As other people have noted, don't mistake switching for some sort of network
 >>security panacea.  And you should certainly be concerned if you're using
 >>telnet to connect to locations you'd prefer be kept off-limits.  All it
 >>takes to grab a username/password is have a box in a position to pick up
 >>traffic with its ethernet card set in promiscuous mode.

 >>  Also, I only enable telnet on the inside 
 >> interface, so I don't even worry about people connecting 
 >> from the outside interface.
 >
 >Then I guess it depends on whether you trust everyone with either physical
 >access to your network or remote access to any PC that may be in a position
 >to monitor your telnet session (your own PC notwithstanding, since that
 >would circumvent even the security SSH offers).

So in that switched environment, with good control over access to equipment rooms, an adequate access control policy implemented at your network boundaries, and management that includes review of all the log files generated by network devices; this seems OK.  Remember, you have to have some degree of acceptable risk.  Or else you're not going to sleep at night.  

Regards,

Brian

Brian Ford
brford@cisco.com