PCI and SSH

Unanswered Question

Hi All,

PCI requires SSH access to networking devices. I have following questions regarding to that:

1) I have IOS IP image on my cisco routers. I found that I need 3DES support in IOS for SSH, which comes with IP Plus 3DES feature set. So, do I need to purchase a license to use new feature set just to get SSH support?

2) I have been told that we also needed SSH support for our layer 2 switches. First of all, is that correct? If it is, how can I get SSH support for the following cisco switch:

cisco29-1.vancouver (enable) sh version

WS-C2948 Software, Version NmpSW: 4.5(9)

Copyright (c) 1995-2000 by Cisco Systems, Inc.

NMP S/W compiled on Sep 28 2000, 15:48:46

GSP S/W compiled on Sep 28 2000, 15:02:24

System Bootstrap Version: 5.4(1)

Hardware Version: 2.3 Model: WS-C2948 Serial #: JAB045106BT

Mod Port Model Serial # Versions

--- ---- ---------- -------------------- ---------------------------------

1 0 WS-X2948 JAB045106BT Hw : 2.3

Gsp: 4.5(9.0)

Nmp: 4.5(9)

2 50 WS-C2948G JAB045106BT Hw : 2.3

DRAM FLASH NVRAM

Module Total Used Free Total Used Free Total Used Free

------ ------- ------- ------- ------- ------- ------- ----- ----- -----

1 65536K 17479K 48057K 12288K 3801K 8487K 480K 112K 368K

Uptime is 204 days, 20 hours, 33 minutes

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
bmcgloth Wed, 05/02/2007 - 14:27

In answer to your first question, if you change the feature set of your router you may need to purchase an additional license, you should consult your Account Manager regarding this. Many router models include SSH in the Base IP image, you can do a feature search to find these images if you do not wish to purchase a license, but may need to move to version 12.4

As for your Switch, yes you need to use encrypted protocols for management of all network devices. Looking for versions of your switch I do see that there is SSH support in release trains 6,7 and 8 of the crypto images which will run on your version of bootstrap software. As I remember the 2948G runs the same code as a Cat4000, but you may want to open a TAC case and have them recommend versions specific to your network environment just to be sure.

http://www.cisco.com/cgi-bin/tablebuild.pl/cat4000-crypto

mpipkin Mon, 05/07/2007 - 13:35

not only do you need ssh but ssh v2. we are in the process of PCI remediation as well and have run into this issue on more than a few of our devices. I have several 2600's that apparently do not support ssh v2 and i cannot find the right IOS that will support v2.

mlarsson1 Thu, 10/11/2007 - 23:25

I wonder where did you find that it should be SSHv2?

Thanks in advance!

Br,

Mattias

e.ta Wed, 05/16/2007 - 12:59

On this very same topic, how do you ensure that you do not loose access to the router or switch if ssh is the only remote access enabled? For instance, you loose your subnet and no longer can ssh from your desktop subnet to the router/switch. Or if the active Sup become standby and the standby one become Active, does this not change the session encryption key?

Under this circumstance, what is the compliance way to have a backdoor to the router/switch for operational support per PCI?

I am going thru the PCI remediation process right now as well and needing to address this same topic. But I am very concern about have a backdoor access to the router/switch that is PCI compliance as well.

Thank you,

Emily

chjanoff Wed, 05/16/2007 - 14:09

If your router loses connection to the ACS server for remote role based authentication (via active directory or other directory services), we have configured local adminstrator authentication as a back up method.

Depending on your network and support model you might require localized personel to be present in the event of a WAN failure but the router would be capable of authentication and secure.

We also enabled a Cisco feature "no password recovery" that prohibits the password recovery feature if some one was to get physical access to the router. The config gets wiped back to store default protecting the retailers configuration information.

This avoids "back doors" and makes it more secure while preserving a remote and failure method of authentication.

Does this help?

laurent.geyer Mon, 05/21/2007 - 08:06

We went through PCI compliance and implemented out of band access through console servers.

The console server uses a combination of TACACS+ and local user accounts for SSH authentication. The layer2/layer3 devices have console authentication via TACACS turned on and fall back to local user accounts.

pplsi Wed, 12/26/2007 - 12:35

I also would like to see the reference for having to use sshv2 please.

Actions

This Discussion