Larry, that's a good solution but it was a little cryptic on the
explanation. Let me expound some for Ann's benefit.
Ann, what we're talking about is using the console on the router to do all
administration, and *never* telneting to it. But physically going to all
the routers and setting up a laptop is a little cumbersome. The solution is
to essentially set up a totally independent serial network for the
administration of the routers and switches. A serial cable is run from the
console port on the router back to a central, and *heavily secured*, server.
The server has to have atleast as many serial ports as you have routers so
you might need to buy a serial card, like Cyclades or Comtrol or something.
Comtrol supports 128 serial ports per box, last time I checked. With all
this hooked up, each tty on the server corresponds to a specific router.
Now just fire up your favorite terminal emulator and you can open a serial
connection to any router you want. And since you're ssh'ed into the server,
no one can see what you're doing or steal passwords. If you want it even
more secure, don't put the server on the network at all. If this server is
in a convenient location you can just walk over to it and log on it's
console for the ultimate in unsniffable security!
There is another option that Cisco and some switches support call AAA
(triple-A) authentication. I forget what it stands fore but basically your
off loading the authentication from the router to a remote server called an
ACE server. That stands for Access Control & Encryption. It's made by a
company called Security Dynamics (recently acquired by RSA). To access
something protected by AAA auth you have to have a physical card that
generates auth tokens. To log in you type in the token from the card plus a
PIN. The router sends this information back to the ACE server and if it's
valid lets you access the resource. This method is extremely secure because
there's essentially no fixed password to steal! Even if someone sniffs your
PIN they still can't get in because they don't have the card. If they steal
the card it's useless without your secret PIN! Combine AAA with ssh and you
have a nearly impregnable line of security.
At 02:21 PM 8/14/01 -0400, Larry Morrow wrote:
>Just my $02. AND how we do it.
>Connect a serial cable to the console port of your routers./switches and then
>ssh into your debian server and use minicom.
>At 11:05 AM 8/14/2001 -0700, ann kok wrote:
>>I learnt that sniffer program can steal password
>>and secure shell can prevent it
>>But how do I do it in Cisco router?
>>Do I have any methods to prevent the sniffer program
>>to my router and servers?
---=<ALL YOUR BASE ARE BELONG TO US>=---
___/`<YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!>`\___