[Ma-linux] Two Sun Announcements
jason
ma-linux at jasons.us
Tue Feb 13 15:41:28 EST 2007
On Tue, 13 Feb 2007, Michael Stone wrote:
> Why not? Sorry, this thread just touched a nerve--I've heard more than I
> want over the last couple of days about how telnet is inherently
> problematic and ssh is the answer. WHY? How can anyone make that kind of
> statement without enumerating the risks in their environment, their
> mitigations, etc.? What if I'm running ipsec? What does ssh get for me
> over telnet in that environment? (Other than a more complicated protocol
> with more inherent opportunities for coding errors and less ability to
> monitor what's happening?) What if I'm on a trusted local network? What
> if I'm worried about other things than network sniffing? See, the big
> threat in today's world (not the world of 15 years ago) is sniffing *at
> a compromised endpoint*. People by and large aren't sniffing wan links,
> and switched networks have made it hard _enough_ that most people don't
> bother trying to sniff lan links, either. But sniffing at a compromised
> host? *That's* where the action is--and ssh doesn't buy you bupkis in
> that scenario. This kneejerk "turn off telnet, use ssh" meme tends to
> contribute to a shallow risk assessment that completely misses the
> thrust of the major attack trends of the past few years.

Normally I would think you're joking, but that's not your style.

If someone has compromised your box there are a variety of ways that ssh
still helps. Use keys and no passwords get transferred. If they're
sniffing on the NIC, watching an SSH session is no use. Sure, if they have
root they have the box, but telnet makes it much easier to capture a
password which can be used to access other boxen. SSH doesn't make it
impossible, any more than WAP makes a wireless link secure, but it's like
the red, blinking LED in a car: it'll encourage the average miscreant to
look elsewhere. If you have hard-core miscreants after you (or your car)
you're in deeper trouble already.

People aren't sniffing WAN links? How can you be sure? Why take the
risk? You want some snot-nose at your ISP to have your passwords and other
data?

SSH will help dramatically if your switch gets compromised. The majority
of cracking comes from inside.

Like onions and ogres, security should have layers. Plain and simple. A
knee-jerk reaction (disable telnet, close unnecessary ports, restrict
access when possible, etc.) isn't a bad one if it's well thought-out and
not the only reaction. Why *not* use ssh? What complexity does it add?
Unless you're running mid-'90s hardware there's plenty of CPU and memory
to handle the minimal overhead.

You say SSH makes it harder to monitor what's going on? Well, if SSH adds
so little to security it should be easy enough to get around, right? If
it's hard for you, the legitimate admin, to get around, it'll make it
harder for the black-hat too.

-Jason, amazed that this discussion is going on at all.
-----
--- There are no ABSOLUTE STATEMENTS I'm very probably wrong. ---
"The difference between genius and stupidity is that genius has its limits."
- Albert Einstein