Secure Shell

Secure Shell (SSH) is a protocol that provides a secure, encrypted connection to a router. The Cisco IOS releases covered in this chapter support version 1 of SSH (SSHv1), which enables clients to make a secure and encrypted connection to a Cisco router. Before SSH was implemented, the only form of protection available when accessing devices such as routers was Telnet username/password authentication, and Telnet sends everything, including the password, in clear text, so anyone running a network sniffer on the path can read it. Figure 3-8 displays a simple protocol analyzer capture of the traffic between the PC 192.168.1.13/24 and the router address 10.66.32.5 after the PC initiates a Telnet session.

Figure 3-8 Sniffer Capture of a Telnet Connection

Figure 3-8 displays a simple Telnet connection between a PC and a remote router: it is a packet trace from a client PC Telnet connection to a Cisco IOS router with the IP address 10.32.66.5. The trace clearly captures the password prompt sent by the router, so the prompt is viewable in clear text. If you scrolled down the next few frames (frames numbered 98-103 in Figure 3-8), the password itself would be clearly visible, because Telnet sends each keystroke as it is typed. An intruder can piece the characters together from those frames and gain unauthorized access. For security reasons, these frames are not shown, but it is clear that the Telnet application protocol is not a secure protocol; all data is sent as clear text, including the password exchanged.
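The following is an added example (not code from the book) that does what the analyst in Figure 3-8 would do by hand: it parses raw Ethernet/IPv4/TCP frames, waits for the router's "Password:" prompt on the Telnet side, and then collects the client's keystrokes frame by frame until Enter. The frames, the PC and router addresses, and the password "s3cr3t" are all constructed for this example; the SSH frames are constructed too, with the bytes after the version banner standing in for ciphertext. Checksums are left at zero and the parser ignores them.

```python
"""Pull a Telnet password out of a packet capture the way a protocol
analyzer would. Frames below are constructed for this example; they are
not the Figure 3-8 capture, and checksums are left at zero."""
import struct

TELNET_PORT = 23
PC, ROUTER = "192.168.1.13", "10.32.66.5"   # addresses assumed for the example


def build_frame(src, dst, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame carrying the given payload."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0,
                         0x4000, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                          5 << 4, 0x18, 8192, 0, 0)      # PSH/ACK, no options
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + tcp_hdr + payload


def parse_frame(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                      # not TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def strip_iac(data):
    """Drop Telnet option negotiation (IAC WILL/WONT/DO/DONT <opt>) so the
    router's prompt text can be matched."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 2 < len(data) and data[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE):
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def extract_telnet_password(frames):
    """Walk the frames in capture order. Once the server side has sent a
    'Password:' prompt, every byte the client sends until Enter is the
    password. Telnet in character mode ships each keystroke in its own
    segment, which is why the analyst has to piece the password together
    frame by frame."""
    collecting, password = False, bytearray()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None or not parsed[4]:
            continue
        src, dst, sport, dport, payload = parsed
        if not collecting and sport == TELNET_PORT:
            collecting = b"Password:" in strip_iac(payload)
        elif collecting and dport == TELNET_PORT:
            for b in payload:
                if b == 0x0D:                           # Enter: password complete
                    return password.decode("ascii", "replace")
                password.append(b)
    return None


# Constructed Telnet login: router prompts, PC types "s3cr3t" one key per frame.
TELNET_FRAMES = [build_frame(ROUTER, PC, TELNET_PORT, 4001, 1000,
                             b"\xff\xfb\x01\xff\xfb\x03\r\nUser Access Verification\r\n\r\nPassword: ")]
TELNET_FRAMES += [build_frame(PC, ROUTER, 4001, TELNET_PORT, 2000 + i, ch.encode())
                  for i, ch in enumerate("s3cr3t")]
TELNET_FRAMES += [build_frame(PC, ROUTER, 4001, TELNET_PORT, 2006, b"\r\x00"),
                  build_frame(ROUTER, PC, TELNET_PORT, 4001, 1060, b"\r\nRouter>")]

# Constructed SSH session on TCP 22: after the version banner the payload is
# ciphertext (arbitrary bytes here), so the same pass finds no prompt.
SSH_FRAMES = [build_frame(ROUTER, PC, 22, 4002, 5000, b"SSH-1.5-Cisco-1.25\r\n"),
              build_frame(PC, ROUTER, 4002, 22, 6000, bytes(range(7, 71))),
              build_frame(ROUTER, PC, 22, 4002, 5020, bytes(range(200, 256)))]

if __name__ == "__main__":
    print("Telnet password recovered:", extract_telnet_password(TELNET_FRAMES))
    print("SSH password recovered:", extract_telnet_password(SSH_FRAMES))
```

Run against a real capture you would feed the frames from a pcap reader instead of the constructed list; the point is that nothing in the Telnet exchange hides the credential, whereas the only readable bytes in the SSH exchange are the version banner.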

SSH runs over TCP port 22 (there is no UDP port 22 for SSH) and ensures that the session data is encrypted: a network sniffer still sees that a connection exists, but it cannot read the commands or passwords exchanged. SSH can be configured on both Cisco IOS routers and Catalyst switches.

Figure 3-9 displays the SSH protocol layers.

Figure 3-9 SSH Protocol Layers

SSH Connection Layer

SSH Authentication Layer

SSH Transport Layer

Network Interface

NOTE Lightweight Directory Access Protocol (LDAP) is an Internet protocol for querying and updating directory services; e-mail programs, for example, use it to look up contact information from a directory server. For more details on LDAP, visit www.gracion.com/server/whatldap.html.

Active Directory is a Windows directory service that stores and manages network services, resources, and information about where computers and printers are located. Active Directory gives administrators of Windows 2000 servers the ability to allocate and control how clients' PCs access network resources. For more information on Active Directory, visit www.microsoft.com.

SSH sits on top of the TCP/IP layers. The SSH transport layer authenticates the server to the client with the server's host key, so the client can detect an unknown or substituted device, and it encrypts and integrity-protects everything carried above it. The authentication layer then authenticates the user to the server (by password or public key), and the connection layer multiplexes the protected session into channels such as the interactive shell. There are currently two versions of SSH: SSHv1 and SSHv2. The Cisco IOS releases covered here support only SSHv1; later IOS releases add SSHv2, which should be preferred wherever it is available because SSHv1's CRC-32 integrity check is known to be exploitable.

UNIX hosts ship with SSH clients, and Cisco routers can be configured to accept SSH connections from them, giving a secure replacement for Telnet. Currently, Cisco IOS 12.2 supports SSH on a number of hardware platforms, including the 2600 and 3600 series routers.
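The following is an added configuration example, not taken from the book, showing the weak VTY setup that the Figure 3-8 capture exploits next to a hardened one that accepts only SSH. The hostname, domain name, username and password placeholder are assumed values; the `ip ssh version 2` line assumes a later IOS release than the SSHv1-only 12.2 images the text describes and is omitted on images that do not support it. On older images `crypto key generate rsa` prompts interactively for the modulus size instead of taking it on the command line.

```text
! Before: Telnet and SSH both accepted, shared line password.
! Anyone who connects with Telnet sends "cisco" in clear text.
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
! After: RSA host key, local users with hashed secrets, SSH only.
! The host name and domain name are needed before the key can be generated.
hostname Router
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh time-out 60
ip ssh authentication-retries 3
! Only on releases that support SSHv2 (assumed here); omit on SSHv1-only images.
ip ssh version 2
! <strong-password> is a placeholder; "secret" stores a hash, "password" would not.
username admin privilege 15 secret <strong-password>
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
!
! Verify: "show ip ssh" reports whether SSH is enabled and which version,
! "show ssh" lists the active SSH sessions.
show ip ssh
show ssh
```

The line that actually closes the hole is `transport input ssh`: with it in place the router refuses Telnet on the VTY lines, so the password prompt in Figure 3-8 can no longer be captured at all.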

For more detailed information on SSH and the Cisco IOS functional matrix, visit www.ssh.com/products/ssh/ and www.cisco.com/warp/public/707/ssh.shtml, respectively.
