[cisco-voip] Reliable SFTP server for Windows to backup CCM5?
Jonathan Charles
jonvoip at gmail.com
Fri Jun 8 19:50:44 EDT 2007

OK, first off, you security-types have gone completely overboard with
the security crap. The fact that you somehow convinced the planet to
be afraid of you is interesting, but shouldn't become my problem.

I think the choice should be the customer's, not some security weenie
who wants to show off that he went to a SANS class.

I have heard nothing but complaints about this from EVERY customer I
have installed CCM5 on. Not a single one of them has said to me 'thank
god Cisco made this forty-five times more complex and secure!' They
say the same thing, over and over:

"Gee, before I could just back up to my Windows backup server by
creating a share... why can't I do that any more?"

For the Cisco people reading this, let's make this an official feature
request: for the Disaster Recovery System, give the CUSTOMER a
choice... if they are paranoid, tell them to adjust the tin-foil hat
on their heads and let them use SFTP. If they realize that the
likelihood that they have a professional VoIP hacker on their LAN (who
is more interested in the backups than in the conversations streaming
around the network) is so improbable as to be not worth mentioning.

Yes, I do realize that Cisco wants to VoIP the DOD, I would too, there
are a crap-load of phones there, but they shouldn't be forcing DOD
security requirements on the rest of us.

I think, at the bare minimum, Cisco should be providing a
TAC-supported SFTP server for Windows.

Jonathan

On 6/8/07, Jeffrey C. Ollie <jeff at ocjtech.us> wrote:
> On Fri, 2007-06-08 at 07:21 -0500, Jonathan Charles wrote:
> > Yes, and I think Cisco screwed the pooch on this one.
> >
> > Why not allow an FTP option? You can use regular FTP to upgrade CCM,
> > why not allow it for a backup?
> >
> > It just doesn't make sense.
>
> That's because FTP is not a secure protocol. The backups contain
> security-sensitive information and I wouldn't want to be passing that
> information around on a non-secure protocol. Using FTP for upgrades is
> fine (as long as you don't log into the FTP server using a sensitive
> password) because the updates are cryptographically signed anyway.
>
> If you really don't want to set up a Linux or *BSD box (or really any
> Unix box - they all come with SSH these days), check out VShell from Van
> Dyke:
>
> http://www.vandyke.com/products/vshell/index.html
>
> I haven't used VShell myself but I've used SecureCRT/SecureFX from them
> and have been suitably impressed with the quality of their products.
>
> Jeff