Yet we can run routing protocols on our firewalls!! To make matters worse, the OSPF implementation (on the ASA) doesn't include the "passive-interface" command. I don't know about you, but I certainly don't want my hello packets wandering aimlessly throughout the network ;) Although there are ways around this, I can't understand why this command is missing, especially from a security device! It should be noted that the "passive-interface" works just fine for EIGRP...
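Added example, not taken from any post in this thread and not a vendor-published configuration: an ASA routing configuration that shows the EIGRP "passive-interface" the post above says works, beside one of the workarounds it alludes to for OSPF. The OSPF side relies on standard OSPF behaviour: an interface only sends hellos if its address is covered by a "network" statement, so the protected subnet is left out of "network" and advertised through "redistribute connected" instead. Interface names (inside, dmz), process IDs, addresses and the ACL/route-map names are assumptions chosen for the example.

```cisco
! EIGRP: passive-interface exists on the ASA. No hellos leave dmz, so no
! EIGRP neighbor can form there, but 10.20.0.0/24 is still advertised.
router eigrp 100
 network 10.0.0.0 255.0.0.0
 passive-interface dmz
!
! OSPF: assume a release without passive-interface for OSPF. Only the
! inside subnet is matched by "network", so hellos are sent on inside only.
! The dmz subnet is injected as a connected route via a route-map so it
! is still reachable from the rest of the OSPF domain.
access-list DMZ-SUBNET standard permit 10.20.0.0 255.255.255.0
!
route-map CONNECTED-TO-OSPF permit 10
 match ip address DMZ-SUBNET
!
router ospf 1
 network 10.10.0.0 255.255.255.0 area 0
 redistribute connected subnets route-map CONNECTED-TO-OSPF
```

To check the result, "show ospf interface" should list the inside interface but not dmz, "show ospf neighbor" should show adjacencies on inside only, and "show eigrp interfaces" should show dmz with no peers. Two caveats a practitioner should keep in mind: the redistributed dmz prefix shows up on OSPF neighbors as an external (E2) route rather than an intra-area route, which changes route preference if the same prefix is learned by another path; and any interface whose address is matched by an OSPF "network" statement will still send hellos, so the "network" lines have to be written narrowly rather than with a broad summary.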
I'm not arguing with you Scott, because what you're saying is correct. My gripes were more selfish in nature, in that I would have liked to have had this ability during certain troubleshooting scenarios in the past. In the end this is a security forum, and we should be thinking as such.

Cheers!
-Steve

Thanks,
Steve Di Bias - CCIE #32840

On Wed, Feb 20, 2013 at 7:55 AM, Tyson Scott <[email protected]> wrote:
> All,
>
> More components introduce vulnerabilities. Reducing the chance of
> vulnerabilities in Security is what it is all about. Thus removing the
> client services is a step towards that.
>
> Examples of past vulnerabilities:
> http://www.securityfocus.com/bid/1006
> http://www.openssh.com/security.html
> http://isc.sans.edu/diary/Telnet+client+vulnerability%3B+DNS+posioning+re-appearing/494
>
> On Wed, Feb 20, 2013 at 9:23 AM, Steve Di Bias <[email protected]> wrote:
>
>> Right, it's not a router, but that doesn't stop people from running EIGRP
>> or OSPF, which essentially turns it into one. Right or wrong, I see this
>> all the time in different customer environments...
>>
>> Of course I have the ability to see things from other people's
>> viewpoints, and so I get what you're saying here. As with all things
>> security, it's a give and take. What I was saying was, when
>> I'm troubleshooting a network from the ASA, there were times this
>> feature would have come in handy.
>>
>> With the arrival of new commands (e.g. tcp ping) the need for such features
>> is a thing of the past, assuming we're running 8.4 and above ;)
>>
>> -Steve
>>
>> On Tuesday, February 19, 2013, Piotr Matusiak wrote:
>>
>>> I agree that it is a complete disaster when someone hacks into an ASA with
>>> administrator privileges. But most likely someone can get in as an
>>> unprivileged user, and this is where he/she is looking for an SSH/TELNET client
>>> to connect to other devices in my network.
>>> ASA is not a router, it is a SECURITY device and should be hardened
>>> properly. One of those hardening features is the lack of ssh/telnet clients.
>>>
>>> Regards,
>>> Piotr
>>>
>>> On 2/20/13 12:58 AM, Steve Di Bias wrote:
>>>
>>> Assuming someone hacks into your ASA, having an embedded SSH client
>>> would be the least of your worries.
>>>
>>> On Tuesday, February 19, 2013, Piotr Matusiak wrote:
>>>
>>> This is NOT a missing feature. There is no TELNET/SSH client on
>>> purpose. I wouldn't like my ASA to become a hop point to the rest of my
>>> network if someone breaks in.
>>>
>>> Regards,
>>> Piotr
>>>
>>> On 2/19/13 10:45 PM, Jimmy Larsson wrote:
>>>
>>> That has annoyed me since forever as well...
>>>
>>> http://nat0.net/another-missing-asa-feature-telnet-and-ssh-client/
>>>
>>> Best regards
>>> Jimmy
>>>
>>> 2013/2/19 cisco 2006 <[email protected]>
>>>
>>> ----- Forwarded Message -----
>>> *From:* cisco 2006 <[email protected]>
>>> *To:* "[email protected]" <[email protected]>
>>> *Sent:* Tuesday, 19 February 2013, 20:32
>>> *Subject:* Fw: SSH session
>>>
>>> Dear Sir,
>>>
>>> I'm preparing for CCIE Security using IPexpert materials, and I have a
>>> question about ssh sessions. The question is this:
>>> Can I open ssh from a Cisco ASA to another device, like a switch?
>>>
>>> Best Regards,
>>> Israa
>>
>> --
>> Thanks,
>> Steve Di Bias - CCIE #32840
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
