Is it a security hole?

Discussion in 'Cisco' started by AM, Jan 5, 2005.

  1. AM

    AM Guest

    Hi all,
    I have an 837 configured with IPsec tunnel.
    I would enable ssh server on the public IP of my 837 to access it if something goes with the tunnel.
    Is it possible to enable access only from one IP? And how?
    Is it a security hole?

    Thanks,
    Alex.
     
    AM, Jan 5, 2005
    #1

  2. In article <9mNCd.15260$>, AM <> wrote:
    :I have an 837 configured with IPsec tunnel.
    :I would enable ssh server on the public IP of my 837 to access it if something goes with the tunnel.
    :Is it possible to enable access only from one IP? And how?

    You can always set an ACL on the outside interface that permits
    ssh only to the outside IP.

    :Is it a security hole?

    Cisco updates their ssh whenever a security problem is found with it.

    On the other hand, the supported SSH might only be version 1.5
    (i.e, version 1 modified to not have the big security problem that
    affected version 1), and so might only support DES encryption.
    How determined are your enemies to break into your 837?
    Determined enough to spend tens of thousands of dollars on
    building a DES cracker that will run in a reasonable amount
    of time?
    --
    Rump-Titty-Titty-Tum-TAH-Tee -- Fritz Lieber
     
    Walter Roberson, Jan 5, 2005
    #2

  3. AM

    AM Guest

    Walter Roberson wrote:

    > In article <9mNCd.15260$>, AM <> wrote:
    > :I have an 837 configured with IPsec tunnel.
    > :I would enable ssh server on the public IP of my 837 to access it if something goes with the tunnel.


    Obviously I meant if something goes wrong...

    > :Is it possible to enable access only from one IP? And how?
    >
    > You can always set an ACL on the outside interface that permits
    > ssh only to the outside IP.
    >
    > :Is it a security hole?


    I meant in general.

    > Cisco updates their ssh whenever a security problem is found with it.


    I was sure Cisco takes care of its products

    >
    > On the other hand, the supported SSH might only be version 1.5
    > (i.e, version 1 modified to not have the big security problem that
    > affected version 1), and so might only support DES encryption.
    > How determined are your enemies to break into your 837?
    > Determined enough to spend tens of thousands of dollars on
    > building a DES cracker that will run in a reasonable amount
    > of time?


    I looked for ssh's options but I haven't found a key "match" to apply my ssh's access-list.
    How can I apply the ACL to achieve my purpose?

    Thanks,
    Alex
     
    AM, Jan 5, 2005
    #3
  4. AM

    PES Guest

    AM wrote:
    > Walter Roberson wrote:
    >
    >> In article <9mNCd.15260$>, AM <>
    >> wrote:
    >> :I have an 837 configured with IPsec tunnel.
    >> :I would enable ssh server on the public IP of my 837 to access it if
    >> something goes with the tunnel.

    >
    >
    > Obviously I meant if something goes wrong...
    >
    >> :Is it possible to enable access only from one IP? And how?
    >>
    >> You can always set an ACL on the outside interface that permits
    >> ssh only to the outside IP.
    >>
    >> :Is it a security hole?

    >
    >
    > I meant in general.


    I would say in general, no. However that is relative. Any additional
    services that you permit have *SOME* associated risk. I would equate
    this to less risk than inbound www, or telnet (far less risk than
    telnet). Be sure that you use passwords that have never traversed an
    untrusted network as clear text.

    >
    >> Cisco updates their ssh whenever a security problem is found with it.

    >
    >
    > I was sure Cisco takes care of its products
    >
    >>
    >> On the other hand, the supported SSH might only be version 1.5
    >> (i.e, version 1 modified to not have the big security problem that
    >> affected version 1), and so might only support DES encryption.
    >> How determined are your enemies to break into your 837?
    >> Determined enough to spend tens of thousands of dollars on
    >> building a DES cracker that will run in a reasonable amount
    >> of time?

    >
    >
    > I looked for ssh's options but I haven't found a key "match" to apply my
    > ssh's access-list.
    > How can I apply the ACL to achieve my purpose?


    That depends on how you are currently blocking it (if you are). You can
    apply it to the router's outside interface as an inbound acl, or you can
    apply it to the line vty as an access-class * in.

    >
    > Thanks,
    > Alex



    --
    -------------------------
    Paul Stewart
    Lexnet Inc.
    Email address is in ROT13
     
    PES, Jan 5, 2005
    #4
  5. AM

    AM Guest

    PES wrote:
    > AM wrote:
    >
    >> Walter Roberson wrote:
    >>
    >>> In article <9mNCd.15260$>, AM
    >>> <> wrote:
    >>> :I have an 837 configured with IPsec tunnel.
    >>> :I would enable ssh server on the public IP of my 837 to access it if
    >>> something goes with the tunnel.

    >>
    >>
    >>
    >> Obviously I meant if something goes wrong...
    >>
    >>> :Is it possible to enable access only from one IP? And how?
    >>>
    >>> You can always set an ACL on the outside interface that permits
    >>> ssh only to the outside IP.
    >>>
    >>> :Is it a security hole?

    >>
    >>
    >>
    >> I meant in general.

    >
    >
    > I would say in general, no. However that is relative. Any additional
    > services that you permit have *SOME* associated risk. I would equate
    > this to less risk than inbound www, or telnet (far less risk than
    > telnet). Be sure that you use passwords that have never traversed an
    > untrusted network as clear text.
    >
    >>
    >>> Cisco updates their ssh whenever a security problem is found with it.

    >>
    >>
    >>
    >> I was sure Cisco takes care of its products
    >>
    >>>
    >>> On the other hand, the supported SSH might only be version 1.5
    >>> (i.e, version 1 modified to not have the big security problem that
    >>> affected version 1), and so might only support DES encryption.
    >>> How determined are your enemies to break into your 837?
    >>> Determined enough to spend tens of thousands of dollars on
    >>> building a DES cracker that will run in a reasonable amount
    >>> of time?

    >>
    >>
    >>
    >> I looked for ssh's options but I haven't found a key "match" to apply
    >> my ssh's access-list.
    >> How can I apply the ACL to achieve my purpose?

    >
    >
    > That depends on how you are currently blocking it (if you are). You can
    > apply it to the router's outside interface as an inbound acl, or you can
    > apply it to the line vty as an access-class * in.


    Thank you PES.
    I apologize for my banal questions, but where do I have to apply it? On the interface sub-menu? On the vty menu?
    Alex.
     
    AM, Jan 5, 2005
    #5
  6. AM

    rave Guest

    Re: Is it a security hole?

    type in the following:
    line vty 0 4
    transport input ssh
    access-class <access-list-no> in
    the second line is only for ssh enabled on the outside interface.
     
    rave, Jan 5, 2005
    #6
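The two placements PES describes (inbound ACL on the outside interface, or access-class on the vty lines) and the vty commands rave gives, written out as a complete IOS fragment. This is an added example, not configuration from the thread; the addresses, ACL numbers/names and the Dialer1 interface name are placeholders, and the interface-ACL variant assumes the IPsec peer's traffic must be let through explicitly, which it must, or the tunnel stops.

```cisco
! Constructed example (not from the thread): restrict SSH on an 837 to one
! management host. 198.51.100.10 = the single allowed source (placeholder),
! 203.0.113.1 = the router's public address (placeholder).
!
! 1. Standard ACL: one permitted host, everything else denied and logged so
!    rejected connection attempts appear in the log buffer / syslog.
access-list 10 remark SSH management access from one host only
access-list 10 permit host 198.51.100.10
access-list 10 deny   any log
!
! 2. Preferred placement: access-class on the vty lines (rave's answer).
!    transport input ssh keeps telnet off the lines entirely.
!    login local assumes a local username/secret has already been created.
line vty 0 4
 transport input ssh
 access-class 10 in
 exec-timeout 5 0
 login local
!
! If the IOS image supports it, "ip ssh version 2" avoids the SSH-1 protocol
! Walter mentions; on images that only offer 1.5 the command is not available.
!
! 3. Alternative placement: inbound ACL on the outside interface (PES's first
!    option). Here the tunnel's own traffic must be permitted as well:
!    ISAKMP (UDP 500), NAT-T (UDP 4500) if the peer is behind NAT, and ESP.
!    192.0.2.1 = the IPsec peer (placeholder).
ip access-list extended OUTSIDE-IN
 remark IPsec peer traffic
 permit udp host 192.0.2.1 host 203.0.113.1 eq isakmp
 permit udp host 192.0.2.1 host 203.0.113.1 eq non500-isakmp
 permit esp host 192.0.2.1 host 203.0.113.1
 remark SSH from the management host only
 permit tcp host 198.51.100.10 host 203.0.113.1 eq 22
 deny   ip any any log
!
interface Dialer1
 ip access-group OUTSIDE-IN in
```

Use one placement or the other; if both are applied, the vty access-class still acts as a second check after the interface ACL, and "show access-lists" shows hit counts for the deny entries so blocked attempts can be reviewed.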
