> How many of us here run anything less than SSH and even allow telnetd
to
> live on any of our hosts?
Hey, we have had to do without SSH in more than one CISCO IOS build in the last
6 months in 12.1 / 12.2.
This always made me feel very nervous.
Regards
Marshall Eubanks
Here? Probably not all that many.
[bill's password slide from the Scottsdale NANOG]
suggests that many (most?) of the NANOG attendees are shipping passwords
around in the clear (not necessarily all telnet, but indicative of a
mindset).
The system with that data on it is off right now, but my recollection was
that the top three offenders were (in no particular order)
- cleartext POP
- cleartext IMAP
- http:// (mostly people reading their email via Exchange).
Note that the final slide that I put up at the end of the meeting (with
something like 150 passwords on it) had one of my passwords too
(my Vindigo password, if anyone wants to change what cities I have
configured =), so even people who are aware of the issues sometimes
still send cleartext passwords.
One way of avoiding this is to always have a console server that has
SSH implemented into the IOS build ( or even a separate vendor that
supports SSH ). This way you centrally access your network devices from
one spot, authenticated by SSH, if any of the devices in question do not
support SSH ( yes this can be impractical, but I typically want to have
console access to every device I administer if possible anyway ).
Extermely easy solution - block telnet to your routers at your edge,
except from bastion hosts that are logically as close to your
routers as possible (say, one per POP). ssh into the bastion host, then
telnet to the Criscos from there.
This is extermely easy to implement assuming you dedicate network blocks
to network equipment in each of your sites.
Speaking of, out of curiosity (this is from a DSL line downstream from above.net)...
Three routers of various powers for the internal works
Seven for customers in nearby towns
Nine for frame relay customers and all their quirks
One for the Mae-East deep underground
In the land of Datanet where the fiber lies.
One router to route them all, One router to find them,
One router to peer with them all and with BGP bind them
In the land of MFS Datanet where the fiber lies.
User Access Verification
Password:
quit
Connection closed.
Any other "major" ISPs still allowing telnet access to their cores from
untrusted hosts?