FRAMINGHAM (12/15/2003) - Network World's inaugural Tester's Challenge, which aired on Nov. 17, called on vendors to address why their products support insecure access and management protocols -- such as earlier versions of Secure Shell, SNMP and HTTP -- out of the box.
As we pointed out, with protocols such as SSH1 enabled by default, it is easy for an attacker to intercept a password and then change the device's configuration or even shut it down.
While the problem is widespread, we called on Cisco Systems Inc. as the 800-pound gorilla to set an example by changing this practice, and we offered the company this space to explain its position in its own words. Cisco declined.
In an interview, the company said it has shipped products with SSH2 since the summer. But SSH1 is still the default setting. (Since 2001, CERT has advised against using SSH1.)
Tom Russell, director of marketing for VPN and security services at Cisco, said shipping SSH2 as a default setting could disrupt some users who are not looking for that level of security. One example would be customers who use scripts to automate configuration and management on Cisco routers.
"Cisco usually does get it about security, but this SSH issue is a big exception," says David Newman, president of Network Test of Westlake Village, Calif., author of the Tester's Challenge and a member of the Network World Global Test Alliance.
A user participating in our online forum agrees. "I find it infuriating that I have to connect to my PIX firewall with an older version of SSH or telnet. For crying out loud this is my firewall you are talking about!" he says.
VanDyke Software Inc., which sells commercial SSH products, offers only SSH2 in its server products. "There are so many issues with SSH1," says VanDyke spokesman Marc Orchant. It's easily hacked and has critical performance issues, he adds.
Phil Kwan, director of enterprise applications at Foundry Networks Inc., says upgrading to SSH2 is a major undertaking for a company with legacy gear. "You've got this big chunk of code that you're trying to jam on a router that is 6 to 7 years old. You're going to have serious memory constraints," Kwan says. He says it's understandable that an SSH2 upgrade might get put on the back burner.
Because Tester's Challenge is intended to push the industry to address pressing issues, we checked with some of Cisco's competitors -- Blue Coat Systems Inc., Check Point Software Technologies Ltd., Dell Inc., Extreme Networks Inc., Force10 Networks Inc., Foundry Networks, NetScreen Technologies Inc. and Nortel Networks Corp. -- to see how they treated this issue of insecure default settings.
The good news is that the industry is generally moving toward strongly encrypted access to network devices. For example:
-- Foundry is upgrading to SSH2 across its product line and will ship that support sometime in the first quarter of next year.
-- When Blue Coat released its ProxySG 3.0 secure proxy appliance in August, it secured all administrative access to the box by turning on SSH2 and Secure Sockets Layer (SSL)/Transport Layer Security by default and by turning off HTTP, telnet and SNMP by default.
-- Dell ships all its PowerConnect 3300 series and Managed Switches with five in-band management capabilities: HTTP, Secure-HTTP, telnet, SSH2, SNMP versions 1 and 2. Dell will offer SNMP 3.0 support in a firmware upgrade scheduled for next summer. However, all in-band management options are disabled by default and need to be turned on by the network administrator.
-- By default, Check Point products exclusively use SSH2 for command-line management. Check Point Stateful Inspection can distinguish between SSH versions and allow access only for SSH2 traffic.
-- Extreme supports SSH2 on all its products. But Extreme officials say that because of federal export regulations, the company has to verify your identity before they'll let you download it. Extreme's EPICenter management tool can be configured to run batch commands on groups of switches using SSH2. Likewise, Extreme offers SNMP 3.0 across its products and restricts browser-based access to its gear to limited jump-start capabilities.
-- NetScreen added SSH2 support to its underlying operating system with the release of ScreenOS last month. Neither version of SSH is enabled by default. When a user enables it on a new device, it defaults to SSH2. If upgrading an old device that previously ran SSH1, a user must manually choose to run SSH2.
-- Nortel has a mandate to provide SSH2, SNMP 3.0 and SSL encryption for Web access across its product lines. Nortel's products are in various stages of compliance with this policy.
-- Force10 says it provides a variety of security features out of the box in its switches and routers. For example, by default a limit is set on the amount of traffic that is sent to the CPUs, preventing a virus from flooding the switch/router. The company also has enabled a real-time editor as default to allow network operators to update access control lists on the fly.
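The vendor survey above hinges on one question an administrator can answer for their own gear: which SSH protocol versions does each management interface actually accept? The distinction Check Point's stateful inspection draws between SSH versions rests on the identification banner every SSH server sends at connect time, which is also how an inventory audit can flag devices still running SSH1. The following is an added example written for this page, not code from Network World or from any of the vendors named; it assumes the standard banner format "SSH-protoversion-softwareversion" (protocol "2.0" for SSH2 only, "1.99" for a server that accepts both, "1.x" for SSH1 only). The hostnames and software strings in the sample inventory are constructed, and fetch_banner is a plain socket read of a device you administer.

```python
"""Audit SSH management interfaces by the protocol version they advertise.

Added example; not the article's or any vendor's code. Banner format
assumed as in the SSH protocol specification: "SSH-<proto>-<software>".
  "2.0"  -> SSH2 only
  "1.99" -> SSH2 server that also accepts SSH1 clients (compatibility mode)
  "1.x"  -> SSH1 only
Sample banners and hostnames below are constructed for illustration.
"""
import re
import socket
from typing import Dict, List, Tuple

BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")


def classify_banner(banner: str) -> str:
    """Map an identification string to a protocol-version classification."""
    match = BANNER_RE.match(banner.strip())
    if not match:
        return "unknown"
    proto = match.group(1)
    if proto == "2.0":
        return "ssh2-only"
    if proto == "1.99":
        return "ssh1-and-ssh2"
    if proto.startswith("1."):
        return "ssh1-only"
    return "unknown"


def finding_for(kind: str) -> str:
    """Translate a classification into the action a defender would take."""
    return {
        "ssh2-only": "ok",
        "ssh1-and-ssh2": "SSH1 still accepted; disable it where the firmware allows",
        "ssh1-only": "SSH1 only; plan a firmware upgrade or isolate management access",
    }.get(kind, "could not parse banner; check which service is on port 22")


def audit(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, classification, finding) for each host, sorted by host."""
    return [
        (host, classify_banner(banner), finding_for(classify_banner(banner)))
        for host, banner in sorted(inventory.items())
    ]


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line from a device you administer.

    Not used by the offline sample run; the SSH server sends this line
    as soon as the TCP connection is established.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = sock.recv(256)
    return data.decode("ascii", errors="replace").split("\n", 1)[0]


# Constructed sample inventory: hypothetical hostnames and software strings.
SAMPLE_INVENTORY = {
    "core-rtr-1": "SSH-1.5-Example_Legacy_1.2\r\n",
    "edge-fw-1": "SSH-1.99-Example_Compat_3.0\r\n",
    "proxy-1": "SSH-2.0-Example_Secure_3.0\r\n",
    "mgmt-sw-1": "Telnet service ready\r\n",
}

if __name__ == "__main__":
    for host, kind, finding in audit(SAMPLE_INVENTORY):
        print(f"{host:12} {kind:14} {finding}")
```

A "1.99" result is the case most worth acting on: the device already speaks SSH2, so the only remaining step is to turn off SSH1 acceptance, which is exactly the default the article asks vendors to ship. The banner shows only what the server advertises, so a device that announces "2.0" still needs its configuration checked for telnet, HTTP and SNMP v1/v2 being left enabled alongside it.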
In light of its competitors taking steps toward shipping products with secure default settings, we'd still like to hear from Cisco that it's planning to step up to the plate on this issue.
Network World Senior Editor Ellen Messmer and Senior Writer Phil Hochmuth contributed to this story.