Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1720
Views
0
Helpful
9
Replies

PCI and SSH

rsik
Level 1
Level 1

‎04-30-2007 01:55 PM - edited ‎03-03-2019 04:46 PM

Hi All,

PCI requires SSH access to networking devices. I have following questions regarding to that:

1) I have IOS IP image on my cisco routers. I found that I need 3DES support in IOS for SSH, which comes with IP Plus 3DES feature set. So, do I need to purchase a license to use new feature set just to get SSH support?

2) I have been told that we also needed SSH support for our layer 2 switches. First of all, is that correct? If it is, how can I get SSH support for the following cisco switch:

cisco29-1.vancouver (enable) sh version

WS-C2948 Software, Version NmpSW: 4.5(9)

Copyright (c) 1995-2000 by Cisco Systems, Inc.

NMP S/W compiled on Sep 28 2000, 15:48:46

GSP S/W compiled on Sep 28 2000, 15:02:24

System Bootstrap Version: 5.4(1)

Hardware Version: 2.3 Model: WS-C2948 Serial #: JAB045106BT

Mod Port Model Serial # Versions

--- ---- ---------- -------------------- ---------------------------------

1 0 WS-X2948 JAB045106BT Hw : 2.3

Gsp: 4.5(9.0)

Nmp: 4.5(9)

2 50 WS-C2948G JAB045106BT Hw : 2.3

DRAM FLASH NVRAM

Module Total Used Free Total Used Free Total Used Free

------ ------- ------- ------- ------- ------- ------- ----- ----- -----

1 65536K 17479K 48057K 12288K 3801K 8487K 480K 112K 368K

Uptime is 204 days, 20 hours, 33 minutes

Labels:
0 Helpful
9 Replies 9

bmcgloth
Cisco Employee
Cisco Employee

‎05-02-2007 02:27 PM

In answer to your first question, if you change the feature set of your router you may need to purchase an additional license, you should consult your Account Manager regarding this. Many router models include SSH in the Base IP image, you can do a feature search to find these images if you do not wish to purchase a license, but may need to move to version 12.4

As for your Switch, yes you need to use encrypted protocols for management of all network devices. Looking for versions of your switch I do see that there is SSH support in release trains 6,7 and 8 of the crypto images which will run on your version of bootstrap software. As I remember the 2948G runs the same code as a Cat4000, but you may want to open a TAC case and have them recommend versions specific to your network environment just to be sure.

http://www.cisco.com/cgi-bin/tablebuild.pl/cat4000-crypto

0 Helpful

mpipkin
Level 1
Level 1

‎05-07-2007 01:35 PM

not only do you need ssh but ssh v2. we are in the process of PCI remediation as well and have run into this issue on more than a few of our devices. I have several 2600's that apparently do not support ssh v2 and i cannot find the right IOS that will support v2.

0 Helpful

mlarsson1
Level 1
Level 1
In response to mpipkin

‎10-11-2007 11:25 PM

I wonder where did you find that it should be SSHv2?

Thanks in advance!

Br,

Mattias

0 Helpful

e.ta
Level 1
Level 1

‎05-16-2007 12:59 PM

On this very same topic, how do you ensure that you do not loose access to the router or switch if ssh is the only remote access enabled? For instance, you loose your subnet and no longer can ssh from your desktop subnet to the router/switch. Or if the active Sup become standby and the standby one become Active, does this not change the session encryption key?

Under this circumstance, what is the compliance way to have a backdoor to the router/switch for operational support per PCI?

I am going thru the PCI remediation process right now as well and needing to address this same topic. But I am very concern about have a backdoor access to the router/switch that is PCI compliance as well.

Thank you,

Emily

0 Helpful

chjanoff
Cisco Employee
Cisco Employee
In response to e.ta

‎05-16-2007 02:09 PM

If your router loses connection to the ACS server for remote role based authentication (via active directory or other directory services), we have configured local adminstrator authentication as a back up method.

Depending on your network and support model you might require localized personel to be present in the event of a WAN failure but the router would be capable of authentication and secure.

We also enabled a Cisco feature "no password recovery" that prohibits the password recovery feature if some one was to get physical access to the router. The config gets wiped back to store default protecting the retailers configuration information.

This avoids "back doors" and makes it more secure while preserving a remote and failure method of authentication.

Does this help?

0 Helpful

laurent.geyer
Level 1
Level 1
In response to e.ta

‎05-21-2007 08:06 AM

We went through PCI compliance and implemented out of band access through console servers.

The console server uses a combination of TACACS+ and local user accounts for SSH authentication. The layer2/layer3 devices have console authentication via TACACS turned on and fall back to local user accounts.

0 Helpful

pplsi
Level 1
Level 1
In response to laurent.geyer

‎12-26-2007 12:35 PM

I also would like to see the reference for having to use sshv2 please.

0 Helpful

tech.support
Level 1
Level 1
In response to pplsi

‎01-03-2008 07:31 AM

We also had to move to using SSHv2, due to the fact that devices with only SSHv1 support failed vulnerability scans (we use QualysGuard)

0 Helpful

douhanm
Level 1
Level 1
In response to tech.support

‎01-04-2008 01:35 PM

for the record SSH is NOT a PCI requirement if you use one time passwords

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card