Thanks Scott, that's good to know! I've been missing this command for quite some time now.
Thanks,
Steve Di Bias- CCIE #32840

On Wed, Feb 20, 2013 at 10:18 AM, Tyson Scott <[email protected]> wrote:

> Routing protocols don't allow device access. Passive interface can be accomplished with interface ACL's. Passive-interface and other routing features will be there in the future.
>
> On Wed, Feb 20, 2013 at 12:01 PM, Steve Di Bias <[email protected]> wrote:
>
>> Yet we can run routing protocols on our firewalls!!
>>
>> To make matters worse, the OSPF implementation (on the ASA) doesn't include the "passive-interface" command. I don't know about you, but I certainly don't want my hello packets wandering aimlessly throughout the network ;) Although there are ways around this, I can't understand why this command is missing, especially from a security device! It should be noted that "passive-interface" works just fine for EIGRP...
>>
>> I'm not arguing with you Scott, because what you're saying is correct.
>>
>> My gripes were more selfish in nature, in that I would have liked to have had this ability during certain troubleshooting scenarios in the past. In the end this is a security forum, and we should be thinking as such.
>>
>> Cheers!
>>
>> -Steve
>>
>> Thanks,
>> Steve Di Bias- CCIE #32840
>>
>> On Wed, Feb 20, 2013 at 7:55 AM, Tyson Scott <[email protected]> wrote:
>>
>>> All,
>>>
>>> More components introduce vulnerabilities. Reducing the chance of vulnerabilities in Security is what it is all about. Thus removing the client services is a step towards that.
>>>
>>> Examples of past vulnerabilities:
>>> http://www.securityfocus.com/bid/1006
>>> http://www.openssh.com/security.html
>>> http://isc.sans.edu/diary/Telnet+client+vulnerability%3B+DNS+posioning+re-appearing/494
>>>
>>> On Wed, Feb 20, 2013 at 9:23 AM, Steve Di Bias <[email protected]> wrote:
>>>
>>>> Right, it's not a router, but that doesn't stop people from running EIGRP or OSPF which essentially turns it into one. Right or wrong, I see this all the time in different customer environments...
>>>>
>>>> Of course I have the ability to see things from other people's viewpoints, and so I get what you're saying here. As with all things security it's a give and take. What I was saying was, when I'm troubleshooting a network from the ASA, there were times this feature would have come in handy.
>>>>
>>>> With the arrival of new commands (e.g. tcp ping) the need for such features is a thing of the past, assuming we're running 8.4 and above ;)
>>>>
>>>> -Steve
>>>>
>>>> On Tuesday, February 19, 2013, Piotr Matusiak wrote:
>>>>
>>>>> I agree that it is a complete disaster when someone hacks into an ASA with administrator privileges. But most likely someone can get in as an unprivileged user and this is where he/she is looking for an SSH/TELNET client to connect to other devices in my network.
>>>>> ASA is not a router, it is a SECURITY device and should be hardened properly. One of those hardening features is the lack of ssh/telnet clients.
>>>>>
>>>>> Regards,
>>>>> Piotr
>>>>>
>>>>> On 2/20/13 12:58 AM, Steve Di Bias wrote:
>>>>>
>>>>> Assuming someone hacks into your ASA, having an embedded SSH client would be the least of your worries
>>>>>
>>>>> On Tuesday, February 19, 2013, Piotr Matusiak wrote:
>>>>>
>>>>> This is NOT a missing feature. There is no TELNET/SSH client on purpose. I wouldn't like my ASA to become a hop point to the rest of my network if someone breaks in.
>>>>>
>>>>> Regards,
>>>>> Piotr
>>>>>
>>>>> On 2/19/13 10:45 PM, Jimmy Larsson wrote:
>>>>>
>>>>> That has annoyed me since forever as well...
>>>>>
>>>>> http://nat0.net/another-missing-asa-feature-telnet-and-ssh-client/
>>>>>
>>>>> Best regards
>>>>> Jimmy
>>>>>
>>>>> 2013/2/19 cisco 2006 <[email protected]>
>>>>>
>>>>> ----- Forwarded Message -----
>>>>> *From:* cisco 2006 <[email protected]>
>>>>> *To:* "[email protected]" <[email protected]>
>>>>> *Sent:* Tuesday, 19 February 2013, 20:32
>>>>> *Subject:* Fw: SSH session
>>>>>
>>>>> Dear Sir,
>>>>>
>>>>> I'm preparing for CCIE Security using IPexpert materials, and I have a question about ssh sessions. The question is:
>>>>> Can I open ssh from a cisco asa to another device like a switch?
>>>>>
>>>>> Best Regards,
>>>>> Israa
>>>>
>>>> --
>>>> Thanks,
>>>> Steve Di Bias- CCIE #32840
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
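Tyson's point that the missing passive-interface can be approximated with ACLs is the one technical claim in the thread, so here is an added example of what that hardening looks like on an ASA. It is not configuration from anyone in the thread; the interface names (INSIDE, OUTSIDE), the OSPF process ID, the 10.1.1.0/24 segment, the ACL name and the key string are all assumptions, and the control-plane form of access-group requires an ASA release that supports it. The idea is to (1) keep the untrusted interface out of the OSPF network statement so no hellos are generated there, (2) authenticate the one adjacency that is wanted, and (3) drop any OSPF addressed to the ASA itself on the untrusted interface so a rogue neighbour cannot form an adjacency even if OSPF is later enabled there by mistake.

```cisco
! Added example, not from the thread. INSIDE, OUTSIDE, process 1,
! 10.1.1.0/24, CP-OUTSIDE and the key value are assumed placeholders.
!
! (1) Only the inside segment is covered by a network statement, so the
!     ASA neither sends hellos nor forms adjacencies on OUTSIDE.
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 area 0 authentication message-digest
!
! (2) MD5-authenticate the adjacency that is wanted on INSIDE.
interface GigabitEthernet0/1
 nameif INSIDE
 ospf authentication message-digest
 ospf message-digest-key 1 md5 REPLACE_WITH_KEY
!
! (3) Drop OSPF (IP protocol 89) destined to the ASA itself on OUTSIDE.
!     The trailing permit keeps other to-the-box traffic (management,
!     VPN) working; a control-plane ACL ends in an implicit deny.
access-list CP-OUTSIDE extended deny ospf any any
access-list CP-OUTSIDE extended permit ip any any
access-group CP-OUTSIDE in interface OUTSIDE control-plane
!
! Verification: only the INSIDE neighbour should appear.
show ospf neighbor
```

Two caveats a practitioner will want: ordinary through-traffic interface ACLs (access-group ... in/out without control-plane) do not filter packets the ASA itself originates, so the hellos are silenced by step (1), not by the ACL; and the control-plane ACL only protects against inbound adjacencies, so both halves are needed to get the effect passive-interface gives on a router.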