Re: [cobalt-users] telnet access to users?



"Andrew D. Forkes" wrote:
> 

For those interested (hemm),  you might want to take a look at the
following:

   http://www.interesting-people.org/200001/0060.html
   http://www.interesting-people.org/200001/0061.html

The reality is that even SSH isn't secure (just ask slashdot, rootshell,
the internet security survey project and many others how easy it is to
get burned by making assumptions about security).

> Telnet itself is inherently insecure, be aware of the security issues -
> 1.      Telnet access can be 'sniffed' very easily by attackers.

Another argument for heavy use of switches and to revive long lost Token
Ring configuration skills.

> 2.      Everything entered in a telnet session is broadcast in 'plain text'

quibble:
s/broadcast/transmitted/

> (passwords, account usernames, IP addresses - the lot)
> 3.      Once an attacker has the information, your machine is compromised.  And
> tracing an attack is difficult as you don't usually know you have been
> attacked.

Actually, the trend for telnet is to hijack sessions in the middle
without needing a password at either end.  Yes, it's gotten that bad. 
Just search for +"juggernaut" +hijack +security at your favorite search
engine.  Nmap should give you some indicator of sequence predictability;
however, even with Service Packs/OpenBSD, the answer to the problem
doesn't lie within the TCP/IP protocol itself.  I won't even go into
hacked router IOSen floating around.  If you think people/organizations
get kicks out of looking for NT buffer overflows to this degree:

   http://www.insecure.org/news/P55-15.txt

What makes you think they don't hack router firmware as well?  It's a
rhetorical question: Answer?  They do.

> 4.      If you do implement telnet access, ensure you enforce a strict practice
> of password changing (although not from telnet - obviously!)
> 5.      Best bet - disable telnet for ALL users and implement a Secure (SSL)
> Telnet app.

Frequent password changes won't do you any good.  Don't even get me
started about key escrow/certificate authorities.  The basic remote
access nut was cracked a long time ago; the reasonably adequate solution
is called "one time passwords+tokens with an encrypted tunnel and
border auth".  I believe you'll find that most firewall vendors will be
more than glad to sell you their implementation, along with their
partners' add-ons (and it costs more money than a rack full of RaQs; a
Netra T1 150 with a PCI quad ethernet card and unlimited Checkpoint
license is, well, just plain expensive... maybe the situation will
change when they release a linux version, but I doubt it... on the other
hand, a SS20 + Sbus quad + Russian key generator is downright cheap...
maybe less than half the price of a RaQ3i.)

> You can get hold of secure telnet clients, but I'm unsure as to the support
> for them on the RaQ2 - anyone know ?

There isn't an answer that just involves adding a bit of software on
your RaQ.  If you want security, it needs to be built into your network
design from the bottom up and usually creates usability issues.  If this
doesn't suit your comfort level, then you're just going to have to become
adept at managing the compromises as they happen.  

You didn't honestly expect this to be easy, did you?  Life sucks when
you find out about the reality of the situation (of course, you could
just take the Blue Pill and let the FBI's crime-and-punishment
prevention technique protect you...)