RE: IT security people sleep well

Mailman List Mirror (Read Only)
1

From: Robert Boyle [mailto:robert@tellurian.com]

Agreed. I really truly don't see the problem with plaintext telnet
management of routers. We have access-lists on vty 0 15
specifying which
networks can even connect. We can't connect except for from a trusted
internal management network and I control all the routers and
circuits in
the path. If someone is in the middle of one of my circuits
doing some type
of dump of the data to disk, they are probably the NSA or
CIA, and I've got
much bigger problems. Can someone please provide a situation

Yeah, that would be a concern... :slight_smile:

where doing
this can lead to compromise or any type of problem at all? I
just don't see

Do you trust every person you work with? Are your internal networks
completely segmented (including the ethernet switches?) Here, they are
not. And as much as it's been pointed out, they continue to leave
everyone in the company on the same segment. Our security guy proved
this point by hijacking a switch, convincing it that the traffic had to
pass through his computer, and sniffed a TON of traffic ... All within
a few minutes, without anyone knowing until he showed it... Through
this, he was able to grab a number of passwords all through telnet
sessions.

Unless you can completely trust everyone in your internal network, ACL's
aren't always enough...

it. However, I see people having unpatched servers running
without proper
ACLs every day and this is rarely discussed and as Stephen
Sprunk points
out, lot of people here on nanog don't apply bogon filters or
even source
filter their customers - and this doesn't require a feature
set upgrade to
IOS. (All of which we do, btw) So I'm still not convinced that SSL on
routers is needed. Nice, sure, but needed? no. Please
convince me otherwise
if you feel this is such a hugely pressing need or at least
explain your
position.

I've been converted into the "secure it if you can, ensure it's not
important if you can't" way of thinking ... I would very much like to
change our ACL's to only allow telnet from our server farm (which is SSH
*ONLY*), thus allowing a little bit of security ... This would at least
bring us into the "if someone's listening, it's gotta be the NSA or CIA"
class of security... :slight_smile:

R

Jason Frisvold
Penteledata

2

And there's different kinds of trust too..

I've got a co-worker who I totally trust not to do something malicious.

However, it's 11PM, and I'm still in my lab because I just spent several hours
figuring out that a pile of gear I was supposed to test was *supposed* to
include a Foundry switch to use for a private network - but instead of 4 ports
connected to PCs that were dual-homed to the building network and the private
net, he wired up 3 ports to dual-homed boxes, and one port to the building net
to reach the 4th PC. Whoops... :wink:

Do you trust every person you work with to not maliciously snarf packets *and*
to not accidentally route all those cleartext packets out the wrong interface
at the wrong time?

3

Do you trust every person you work with to not maliciously snarf
packets *and* to not accidentally route all those cleartext
packets out the wrong interface at the wrong time?

do you trust YOURSELF not to? of course, i have never made such
a mistake [sounds of flying pigs from stage roof].

randy

4

I'd like to plead the 5th on the grounds that it took me 3 hours to realize
it was the Foundry switch that was misconfigured, and not the PC that the
other PC was complaining about? :wink: