
New Member

ssh vs. 3015

Our internet connection has a PIX 520 and a VPN 3015 in parallel. Our unix boys are asking for remote access to their boxes in the DMZ and inside. My preferred method to do this is via the 3015 but they don't want to put the clients on their machines at home. They are saying all they want is ssh access, so why don't I open a port on the PIX, to the machines that they want. They don't have static IPs from their providers, so I would have to open ssh from any to their machines. I know a little about ssh, and I am opposing this. Do all you experts out there agree, and if so how do I make my case to force them to use the 3015? Or do you advise to open ssh? Thanks, -farhad

2 REPLIES
New Member

Re: ssh vs. 3015

You should convey to them that since they don't have static IPs, you pretty much have to leave ssh access open to the DMZ and inside network. From a security standpoint, this is not advisable. Does your company have a policy against allowing this sort of access? Someone here is going to have to make a compromise. Either you, by opening up your firewall, or them by installing the vpn client. I see that the company you work for does research on the medical impact of genes and genetic variations. I would think that in order to keep the company's research and results confidential, you'd want to provide the best security posture that you could. VPN should be the only way access is permitted into your network.

New Member

Re: ssh vs. 3015

SSH only today, NFS, Telnet, and FTP tomorrow! I'd say from a security point of view, it is ALWAYS a bad idea to open up ports on firewalls, particularly those, like SSH, that potentially can allow total root access and control of systems.

Also, if you did open that port up, how would you (easily) monitor who made connections and when, etc? At least on the 3015 there's a fairly robust accounting methodology, especially with ACS.

SSH vulnerabilities abound. Those unix hackers out there are especially adept!

http://www.cisco.com/warp/public/707/SSH-multiple-pub.html

http://www.vnunet.com/News/1124839

http://search.linuxsecurity.com/

I think it would be a simple matter to explain to upper management the potential liability of opening holes in firewalls; loss of sensitive data, etc.

(I sure wouldn't want to have to stand in the President's office and explain why the company's system was hacked!)
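The monitoring question raised in the reply above (who made connections, and when) is one the hosts' own sshd authentication log can partly answer, even if the firewall rule itself says "any". The following is an added example and is not part of the original thread or of any Cisco product: a small Python script that parses sshd log lines in syslog format, totals accepted and failed logins per source address, and flags sources that look like password guessing against an exposed host. The log lines, hostnames and addresses are constructed samples; the threshold of five failures is an assumed tuning value.

```python
import re
from collections import OrderedDict

# Constructed sample sshd log lines (syslog format); not real data.
SAMPLE_LOG = """\
Jan 12 02:14:07 dmz-host1 sshd[4021]: Accepted publickey for alice from 203.0.113.45 port 51522 ssh2
Jan 12 02:15:30 dmz-host1 sshd[4040]: Failed password for root from 198.51.100.7 port 40111 ssh2
Jan 12 02:15:33 dmz-host1 sshd[4040]: Failed password for root from 198.51.100.7 port 40112 ssh2
Jan 12 02:15:36 dmz-host1 sshd[4041]: Failed password for invalid user admin from 198.51.100.7 port 40113 ssh2
Jan 12 02:15:39 dmz-host1 sshd[4042]: Failed password for invalid user oracle from 198.51.100.7 port 40114 ssh2
Jan 12 02:15:42 dmz-host1 sshd[4043]: Failed password for invalid user test from 198.51.100.7 port 40115 ssh2
Jan 12 03:02:11 dmz-host1 sshd[4100]: Accepted password for bob from 192.0.2.88 port 33000 ssh2
Jan 12 03:10:45 dmz-host1 sshd[4120]: Failed password for bob from 192.0.2.88 port 33010 ssh2
"""

# Matches the two sshd authentication outcomes this script cares about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_sshd_log(text):
    """Return one dict per authentication event; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_source(events, fail_threshold=5):
    """Aggregate events per source address, in order of first appearance.

    A source is marked suspicious when it reaches fail_threshold failures, or when it
    fails against three or more distinct usernames without ever succeeding (the classic
    shape of password guessing against a host reachable from anywhere).
    """
    summary = OrderedDict()
    for ev in events:
        s = summary.setdefault(ev["src"], {
            "accepted": 0, "failed": 0, "users": set(),
            "first": ev["ts"], "last": ev["ts"], "suspicious": False,
        })
        s[ev["result"].lower()] += 1           # "accepted" or "failed"
        s["users"].add(ev["user"])
        s["last"] = ev["ts"]                    # log is read in chronological order
        s["suspicious"] = (
            s["failed"] >= fail_threshold
            or (s["accepted"] == 0 and len(s["users"]) >= 3)
        )
    return summary


def suspicious_sources(summary):
    """Return the list of source addresses flagged as suspicious."""
    return [src for src, s in summary.items() if s["suspicious"]]


if __name__ == "__main__":
    report = summarize_by_source(parse_sshd_log(SAMPLE_LOG))
    for src, s in report.items():
        flag = "SUSPICIOUS" if s["suspicious"] else "ok"
        print(f"{src:16} accepted={s['accepted']} failed={s['failed']} "
              f"users={sorted(s['users'])} {s['first']} .. {s['last']} {flag}")
```

Run against a real /var/log/auth.log or /var/log/secure (the exact file depends on the unix flavour), this gives the per-source, per-user, first-seen/last-seen view the reply asks for; it does not replace the VPN concentrator's accounting, since it only sees sessions that reached sshd and says nothing about connections the firewall passed to other services.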
