On 03/27/2016 10:02 AM, James Knott wrote:
> On 03/27/2016 08:55 AM, Alvin Starr wrote:
>> Even with SSH the first thing coming back from the switch is a set of
>> well defined headers and prompts so I would be willing to bet that SSH
>> on a switch is fairly crackable.
> I thought ssh was secure. IIRC, the key changes frequently, with the
> public/private key pair used only to set up the connection, with a
> random key used to carry the data.

I do not know for sure, but it was my understanding that if you know the
payload it is possible to back-calculate the encryption keys, and
invariably switches send a standard banner and a Username: Password:
prompt. There may be better security with key-based login and no
password. On the other hand, I am sure the encryption is good enough to
stop all but nation states or folks like SPECTRE or KAOS.
>> A lot of the lower end switches use a http web interface which is no
>> more secure than telnet.
> Many use https, instead of plain http. Again, it's the same key
> situation as with ssh.

True, but you also end up with standard pages on each login.

>> Sadly switch configuration has not changed much in the last 20+ years.
>> It would be interesting to see cheap Openflow switches but that
>> technology is still a few years away from permeating the SME market.
> I normally use the console port, when working with equipment. However,
> with large networks, you have to rely on some remote connection.
>
> As I mentioned earlier, in order to attack a password, you have to see
> the data. That doesn't happen much with switches, though it was quite
> easy prior to switches. Also, remote management is generally done via
> vlan, which makes it a bit more difficult for a casual eavesdropper.
>

I have to do lots of switch management remotely. I do log in to the
local networks via VPN, but you never know what is in the middle on the
internet or even the local network.

-- 
Alvin Starr                ||   voice: (905)513-7688
Netvel Inc.                ||   Cell:  (416)806-0133
[email protected]              ||

---
Talk Mailing List
[email protected]
https://gtalug.org/mailman/listinfo/talk
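What an eavesdropper does see in the clear on an SSH session to a switch is the version banner and the SSH_MSG_KEXINIT negotiation that follows it; everything after the key exchange is carried under the per-session key. Whether such a session is crackable in practice turns mostly on which key-exchange, host-key, cipher and MAC algorithms an old firmware still offers in that KEXINIT. The following is an added example, not code from this thread or from any switch vendor: it builds a constructed KEXINIT packet of the kind an older switch might send, parses it the way RFC 4253 lays it out, and flags algorithms with published weaknesses. The packet contents, the fixed cookie and the weak-algorithm table are assumptions made for illustration.

```python
import struct

# SSH_MSG_KEXINIT message number (RFC 4253 section 7.1).
SSH_MSG_KEXINIT = 20

# The ten name-lists in a KEXINIT, in the order RFC 4253 defines them.
FIELD_NAMES = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]

# Algorithms with published weaknesses (an assumed policy for this example).
WEAK_ALGORITHMS = {
    "diffie-hellman-group1-sha1": "1024-bit DH group (Logjam-class precomputation) with SHA-1",
    "diffie-hellman-group-exchange-sha1": "SHA-1 group exchange; server may offer small groups",
    "ssh-dss": "DSA host key, 1024-bit and SHA-1 only",
    "arcfour": "RC4 keystream biases",
    "3des-cbc": "64-bit block cipher (Sweet32) in CBC mode",
    "hmac-md5": "MD5-based MAC",
    "hmac-sha1-96": "truncated SHA-1 MAC",
}


def weakness_of(name):
    """Reason an offered algorithm is considered weak, or None."""
    if name in WEAK_ALGORITHMS:
        return WEAK_ALGORITHMS[name]
    if name.endswith("-cbc"):
        return "CBC mode; SSH CBC ciphers have a published plaintext-recovery attack (2008)"
    return None


def name_list(names):
    """Encode an SSH name-list: uint32 byte length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit_packet(cookie, lists, first_kex_follows=False):
    """Wrap a KEXINIT payload in an unencrypted SSH binary packet (RFC 4253 section 6)."""
    if len(cookie) != 16 or len(lists) != len(FIELD_NAMES):
        raise ValueError("need a 16-byte cookie and exactly ten name-lists")
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in lists:
        payload += name_list(names)
    payload += bytes([1 if first_kex_follows else 0]) + struct.pack(">I", 0)  # bool + reserved
    # At least 4 bytes of padding; whole packet a multiple of the 8-byte block size.
    padding = 4
    while (4 + 1 + len(payload) + padding) % 8:
        padding += 1
    return struct.pack(">IB", 1 + len(payload) + padding, padding) + payload + bytes(padding)


def parse_kexinit_packet(packet):
    """Parse an unencrypted SSH binary packet carrying KEXINIT into its name-lists."""
    packet_length, padding_length = struct.unpack(">IB", packet[:5])
    payload = packet[5:4 + packet_length - padding_length]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 1 + 16  # skip the message number and the 16-byte random cookie
    parsed = {}
    for field in FIELD_NAMES:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        parsed[field] = raw.split(",") if raw else []
    parsed["first_kex_packet_follows"] = bool(payload[pos])
    return parsed


def audit_kexinit(packet):
    """Map each negotiation field to the (algorithm, reason) pairs that are weak."""
    parsed = parse_kexinit_packet(packet)
    findings = {}
    for field in FIELD_NAMES[:6]:  # kex, host key, both cipher lists, both MAC lists
        weak = [(n, weakness_of(n)) for n in parsed[field] if weakness_of(n)]
        if weak:
            findings[field] = weak
    return findings


# Constructed sample: the KEXINIT an older switch firmware might send (not a real capture).
OLD_SWITCH_KEXINIT = build_kexinit_packet(
    cookie=bytes(range(16)),  # a real implementation sends 16 random bytes here
    lists=[
        ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
        ["ssh-rsa", "ssh-dss"],
        ["aes128-cbc", "3des-cbc", "arcfour"],
        ["aes128-cbc", "3des-cbc", "arcfour"],
        ["hmac-sha1", "hmac-md5"],
        ["hmac-sha1", "hmac-md5"],
        ["none"], ["none"], [], [],
    ],
)

if __name__ == "__main__":
    for field, weak in audit_kexinit(OLD_SWITCH_KEXINIT).items():
        for name, reason in weak:
            print("%s: %s (%s)" % (field, name, reason))
```

To run this against a real switch, capture the first packet the server sends after the two version strings (it is unencrypted) and pass its bytes to audit_kexinit; the same packet is what a sniffer on the management VLAN would see, which is why restricting the offered algorithms on the switch, where the firmware allows it, matters more than the predictable Username: and Password: prompts that follow once the session key is in place.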
