[Dshield] Cisco VPN Question

Johannes Ullrich jullrich at euclidian.com
Wed Sep 10 00:40:21 GMT 2003


> > SSH
> 
> Time to display a little ignorance again... is SSH simply a secure form
> of telnet? Doesn't it require the router to accept SSH communication?

Yes and no ;-)

SSH is a "security swiss army knife". In your situation, you would
probably connect to a host (typically a "bastion host" you secured very
well) within either network.

SSH can be used to tunnel various other TCP connections. E.g., you can
use it to tunnel an HTTP (or telnet) connection to the router. This
connection will be encrypted via ssh to the bastion host inside your
network, from which it will emerge as an inside connection.

Ultimately, you can tunnel 'PPP' over ssh. This is nothing less than a
VPN. In my opinion much easier to configure (at least with Linux on
either side of the connection; I have never done it with Windows).

Regarding authentication: ssh can use cryptographic keys, which are
quite secure as long as you safeguard the key file and the passphrase
locking them. In addition, there is 'skey', a simple one time password
scheme. Using tokens is usually overkill if you have just one or two
users. Tokens require some expensive infrastructure that needs to be
maintained, in addition to the actual tokens (about $50 each). The
backend software will easily run you $2,000 or more (just as a
ballpark). So for one or two admins, I would stick with ssh and ssh key
authentication.

BTW: The last SANS webcast covered ssh:
http://www.sans.org/webcasts/show.php?webcastid=90307

Some routers/switches/terminal servers do support ssh.



-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
--------------------------------------------------------------
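The "tunnel an HTTP connection to the router through the bastion host" setup described in the reply, as an added example that is not part of the original post: a small POSIX shell helper that builds the ssh local-forward command with key-only authentication and refuses to bind the local end of the tunnel to anything but loopback. The bastion name, router address and key path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the ssh command that
# forwards a local port, via the bastion host, to the router's HTTP port.
#
# Usage: tunnel_cmd <bind_addr> <local_port> <router> <router_port> <user@bastion> <keyfile>
# Prints the ssh command line on success. Returns 1 if the bind address is
# not loopback: binding the forwarded port to 0.0.0.0 would let every host
# that can reach this machine use the tunnel, not just the admin.
tunnel_cmd() {
    bind="$1"; lport="$2"; router="$3"; rport="$4"; bastion="$5"; key="$6"
    case "$bind" in
        127.0.0.1|localhost|::1) ;;
        *) echo "refusing non-loopback bind address: $bind" >&2; return 1 ;;
    esac
    # -N: forward only, no remote shell on the bastion
    # ExitOnForwardFailure=yes: fail loudly instead of silently running without the tunnel
    # BatchMode/PasswordAuthentication=no/IdentitiesOnly: key authentication only,
    # with the one key file named on the command line
    printf 'ssh -N -o ExitOnForwardFailure=yes -o BatchMode=yes -o PasswordAuthentication=no -o IdentitiesOnly=yes -i %s -L %s:%s:%s:%s %s\n' \
        "$key" "$bind" "$lport" "$router" "$rport" "$bastion"
}

# Demo with constructed placeholder values (192.0.2.0/24 is a documentation range).
tunnel_cmd 127.0.0.1 8080 192.0.2.1 80 admin@bastion.example /home/admin/.ssh/id_ed25519
tunnel_cmd 0.0.0.0 8080 192.0.2.1 80 admin@bastion.example /home/admin/.ssh/id_ed25519 || echo "rejected as expected"
```

Once the command is running, browsing to http://127.0.0.1:8080/ on the admin workstation reaches the router's web interface, and the router itself only ever sees a connection from the bastion host.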