[c-nsp] Telnet FROM a PIX Appliance?
Eugeniu Patrascu
eugen at imacandi.net
Fri Jul 11 13:12:44 EDT 2008
Reuben Farrelly wrote:
> You also can't ssh from a PIX, but you can of course ssh to it.
>
> So it's not IMHO likely to be a case of "telnet being insecure", but
> avoiding -all- client sourced access from a PIX out to anything else
> which the PIX could potentially connect to.
>
> I suspect the thinking is that the PIX itself, if compromised, can't
> be used as a platform to launch into other devices in the network.
> Especially given it is probably one device which would normally have
> direct and unrestricted access to the private and DMZ networks in most
> topologies...
>
If the PIX were compromised, the attacker could also set up ACLs/NATs
so that he has access to the network. So either way you don't get better
security by not having telnet on the device itself.