[j-nsp] Changing SSH port on EX switches, M routers
Stefan Fouant
sfouant at shortestpathfirst.net
Sun Apr 3 21:27:06 EDT 2011
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Kevin Oberman
> Sent: Sunday, April 03, 2011 7:50 PM
>
> 1. Limit access to the ssh port to trusted hosts, preferably tightly
> controlled hosts that are dedicated to acting as bastions. No extra
> services running that might open vulnerabilities!
>
> 2. No passwords! Even if rules for 'good' passwords are followed,
> passwords are not nearly as strong as good crypto keys. (Yes, I know
> about the Debian issue! That was so incredibly stupid that it still
> boggles my mind! I doubt that any Unix distro will ever do anything so
> incomprehensibly stupid again, but it's unwise to assume stupidity is
> growing less common. If in doubt, run openssh directly from
> openssh.org. They KNOW what they are doing!)
>
> 3. Require two factor systems to further control access. We use
> SmartCard tokens to create and store the private keys. When working
> properly, it is not possible to get the private key off of the token
> and modern openssh contains support for PKCS11 which will work with
> SmartCards, though finding tokens that work with Unix in the US is a
> problem.
>
> This sort of control is vastly superior to playing games with the ssh
> port by which smart hackers will only be mildly disturbed.
While I completely agree with all of the points, there is such a thing as
taking things too far... to the point where security actually becomes an
encumbrance and hinders normal operations...
I once worked for an employer that had the most bizarre and overly complex
process for accessing devices - they required everyone to log into a VPN
Concentrator (regardless of being remote or at the corporate location).
From there they required SSHing into jumphosts, and then finally from the
jumphost you could SSH into your given device. The VPN, jumphosts, and the
end-devices were all using two-factor authentication (SecureID). While this
represented probably one of the most secure environments I've ever worked
in, logging into multiple devices during firedrills was a real PITA to say
the least...
Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB4C956EC
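For readers who want to see what points 1 and 2 of the quoted advice look like on the Junos platforms named in the subject line, here is an added example configuration in "set" form. It is not from either poster or from Juniper; the prefix-list and filter names, the user name, the 192.0.2.x bastion addresses and the placeholder public key are assumptions chosen for illustration. It restricts SSH to the Routing Engine to two bastion hosts via a loopback input filter, logs and discards everything else aimed at port 22, and provisions a user with an ssh-rsa key instead of a password.

```text
## Added example, not part of the original thread. Names and addresses are placeholders.

## Point 1: only dedicated bastions may reach the SSH port on the Routing Engine.
set policy-options prefix-list MGMT-BASTIONS 192.0.2.10/32
set policy-options prefix-list MGMT-BASTIONS 192.0.2.11/32

set firewall family inet filter PROTECT-RE term allow-ssh-from-bastions from source-prefix-list MGMT-BASTIONS
set firewall family inet filter PROTECT-RE term allow-ssh-from-bastions from protocol tcp
set firewall family inet filter PROTECT-RE term allow-ssh-from-bastions from destination-port ssh
set firewall family inet filter PROTECT-RE term allow-ssh-from-bastions then accept

set firewall family inet filter PROTECT-RE term deny-other-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term deny-other-ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term deny-other-ssh then syslog
set firewall family inet filter PROTECT-RE term deny-other-ssh then discard

## Keep routing protocols, SNMP, NTP etc. working; add explicit terms for them before
## tightening this to a final discard.
set firewall family inet filter PROTECT-RE term allow-everything-else then accept

set interfaces lo0 unit 0 family inet filter input PROTECT-RE

## Harden the SSH service itself.
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh connection-limit 5
set system services ssh rate-limit 5

## Point 2: key-based login for the operator account; no password is configured.
set system login user noc-admin class super-user
set system login user noc-admin authentication ssh-rsa "ssh-rsa AAAA...placeholder... noc-admin@bastion"
```

Two caveats a practitioner would check before committing this: the filter is applied to lo0 as an input filter, so anything not explicitly accepted by an earlier term falls through to the final accept, and that final term should be narrowed once every legitimate control-plane protocol has its own term. Whether the SSH daemon can be told to refuse password authentication outright for all users depends on the Junos release in use; on releases that lack such a knob, leaving the account without a plain-text password, as above, is what prevents password logins for that account.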