I'm in the process of enabling SSH on all of my routers, switches and firewalls. After upgrading the IOS to one that supports SSH, generating the crypto key and then setting all of the VTY sessions to SSH only, my security team informs me that telnet is still vulnerable to IP spoofing. They can demonstrate that when they launch a telnet session to one of my routers, the telnet session will pause for maybe 2 seconds before receiving the message that the session was terminated by the router. They claim this indicates that the router is responding to the telnet session and before the actual disconnect is forced they could IP spoof the box and cause a DOS.
I say balderdash, but without any proof I am forced to create a bunch of ACLs to specifically deny telnet. Here is an example of my VTYs:
line vty 0 4
 access-class 23 in
 exec-timeout 30 0
 password 7 xxxxxxxxxxxxx
 logging synchronous
 transport preferred ssh
 transport input ssh
 transport output ssh
*The access list here is limiting access from a certain internal set of IPs.
Any thoughts?
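The observation in the post (telnet connects, pauses, then is terminated by the router) can be pinned down more precisely than "it responds": the useful question is whether the TCP three-way handshake on port 23 completes before the router closes the session, or whether the SYN is never answered at all. The first case means the vty listener accepted the connection and rejected it at the application layer (what `transport input ssh` alone does); the second is what a packet-level filter produces. The script below is an added example, not code from the original post or from Cisco. It probes a host and port without sending anything, records whether the handshake completed, whether the peer closed the connection, and how long that took. To run offline it also starts a local listener (`start_fake_vty`, a constructed stand-in for the SSH-only vty behaviour described above) and probes a port with no listener as a stand-in for a connection that is never accepted; the delay and host values are assumptions for the demonstration.

```python
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class ProbeResult:
    handshake_completed: bool  # TCP three-way handshake succeeded
    closed_by_peer: bool       # peer sent FIN/RST before we sent anything
    bytes_received: bytes      # any data the peer sent before closing
    seconds: float             # time from connect() until close or timeout


def probe_tcp_port(host: str, port: int, wait: float = 5.0) -> ProbeResult:
    """Connect to host:port, send nothing, and record what the peer does."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(wait)
    try:
        sock.connect((host, port))
    except OSError:  # refused, timed out, or unreachable: handshake never completed
        return ProbeResult(False, False, b"", time.monotonic() - start)
    received = b""
    closed = False
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:  # empty read means an orderly close (FIN) by the peer
                closed = True
                break
            received += chunk
    except ConnectionResetError:  # an RST from the peer also counts as a close
        closed = True
    except socket.timeout:
        pass  # peer kept the session open for the whole wait: a live service
    finally:
        sock.close()
    return ProbeResult(True, closed, received, time.monotonic() - start)


def start_fake_vty(delay: float) -> int:
    """Constructed stand-in for a vty with 'transport input ssh': it accepts the
    TCP connection, waits `delay` seconds, then closes without sending data.
    Returns the local port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        time.sleep(delay)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_local_port() -> int:
    """Reserve and release a port so that nothing is listening on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo(delay: float = 0.5) -> dict:
    """Probe both constructed cases and return the results keyed by scenario."""
    return {
        "vty_ssh_only": probe_tcp_port("127.0.0.1", start_fake_vty(delay), wait=3.0),
        "no_listener": probe_tcp_port("127.0.0.1", unused_local_port(), wait=3.0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: handshake={result.handshake_completed} "
              f"closed_by_peer={result.closed_by_peer} "
              f"after {result.seconds:.2f}s")
```

Pointed at a real router with `probe_tcp_port("<router-ip>", 23)`, a result of `handshake_completed=True, closed_by_peer=True` reproduces the security team's observation and confirms the listener is still accepting connections before rejecting them; `handshake_completed=False` is what an `access-class` or interface ACL that never lets the SYN reach the vty is expected to produce, which is the cheap way to settle the argument with a measurement rather than with opinions.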