By:
On:
In: client, linux
With: 0 Comments

It’s a two step process to get rid of insecure username/password-authentication. Generate a RSA keypair at your SSH-client btw. Cisco-IOS doesn’t support DSA-keys Configure your network device(s) to assign the (public-)key of this keypair to an user-account This user-account could get privileges from a Radius/TACACS+-Server which could provide access-logs, too. Generate RSA-Key: Windows as SSH-Client I prefer Putty, usually in form of „mRemoteNG“, so i use PuttyGen to generate the RSA keypair. Windows.Start => PuttyGen (x) RSA, 4096-bits are supported, use it [Generate] move the mouse to improve the randomgenerator change the „comment“ – for example replace it by an username add a passphrase –Read More →

By:
On:
In: automation
With: 0 Comments

Works out of the box. if you’re fine with AES128-Encryption. AES256 might not be a requirement in all cases, but having the opportunity to choose seems to be not absolutely absurd in 2017… Good news: The NetSNMP-AES192/256-patch is on the way. EasySNMP installation and usage I’d like to refer to Linux: SNMP with Python for the basics. IOS-Config: VIEW/GROUP/USER Take the opportunity and leverage SMP-Views to limit access to several SNMP-OIDs. EasySNMP: „Session“-Object with SNMPv3-Credentials Find the official docs here: EasySNMP Session-API Security level could be: no_auth_or_privacy If you want to use the user-based authentication without need for security auth_without_privacy Authentication only might be „goodRead More →

By:
On:
In: wan
With: 0 Comments

Not talking about ATM, PPP, HDLC, Frame Relay WAN. Ethernet is the new WAN. Sometimes you need an easy to use encryption, which is just added to a Link between two devices – and you don’t want to invent IPSec-VPNs which at least add complexity to the design. MACsec solved this problem bringing absolutely transparent encryption, but – since MACsec-Sessions are sent to a „link-local“ ethernet destination address (01-80-c2-00-00-03) they aren’t allowed to be forwarded by any device. A typical „non-dark-fiber“ WAN-Link can’t be encrypted using MACsec. http://www.ieee802.org/1/files/public/docs2013/ae-seaman-macsec-hops-0213-v02.pdf discussed years ago the elegant technical solution. Years later these thoughts are moving into production: Cisco inventedRead More →

By:
On:
In: client
With: 0 Comments

Security is important. But sometimes it’s important, too, to be productive, for example during work hours. Maybe at a trusted customer site with a restrictive security policy to intercept all HTTPs-Traffic using a customer-provided certificate which never fits to the visited web-sites. Most of my technical research jobs using Google aren’t secret, otherwise I won’t pass them to Google, so HSTS for at least Google-Sites doesn’t makes sense in these cases. Google knows that and invented the no-HSTS-Switch: –ignore-certificate-errors Thank you!Read More →