[GTALUG] Netgear 5-port Gigabit switch -- $10 ?

James Knott james.knott at rogers.com
Sun Mar 27 11:46:40 UTC 2016


On 03/27/2016 11:39 AM, Alvin Starr wrote:
> On 03/27/2016 10:02 AM, James Knott wrote:
>> On 03/27/2016 08:55 AM, Alvin Starr wrote:
>>> Even with SSH the first thing coming back from the switch is a set of
>>> well defined headers and prompts so I would be willing to bet that SSH
>>> on a switch is fairly crackable.
>> I thought ssh was secure.  IIRC, the key changes frequently, with the
>> public/private key pair used only to set up the connection, with a
>> random key used to carry the data.
> I do not know for sure but it was my understanding that if you know the
> payload it is possible to back calculate the encryption keys and
> invariably switches sent a standard banner and a Username: Password:.
> There may be better security with key based login and no password.
> On the other hand I am sure the encryption is good enough to stop all
> but nation states or folks like SPECTRE or KAOS.

You may want to read up on how public/private encryption systems work. 
The public/private key pair is used only to exchange the actual key
that's used for encrypting the data.  This key is used only once and is
essentially a random number.  It's hard to find patterns with it.  That
key is then used with secret key encryption, such as AES, to carry the
data.  Again, with a single use key, it's unlikely to be cracked.

>>> A lot of the lower end switches use a http web interface which is no 
>>> more secure than telnet.
>> Many use https, instead of plain http.  Again, it's the same key
>> situation as with ssh.
> True but you also end up with standard pages on each login.
>>> Sadly switch configuration has not changed much in the last 20+ years.
>>> It would be interesting to see cheap Openflow switches but that
>>> technology is still a few years away from permeating the SME market.
>> I normally use the console port, when working with equipment.  However,
>> with large networks, you have to rely on some remote connection.
>>
>> As I mentioned earlier, in order to attack a password, you have to see
>> the data.  That doesn't happen much with switches, though it was quite
>> easy prior to switches.  Also, remote management is generally done via
>> vlan, which makes it a bit more difficult for a casual eavesdropper.
>>
>>
> I have to do lots of switch management remotely.
> I do login to the local networks via VPN but you never know what is in
> the middle on the internet or even the local network.
>
>
That's why I said ssh should be used.  Telnet may be fine on the local
network or via vpn, but never bare on the Internet.  Protocols such as
https, ssh and even some vpns use public/private key pairs.  Even with a
static AES key, you've got quite a battle to break it.
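
An added example, not part of the original message: a Go sketch of the per-session key idea discussed in this thread, using an ephemeral X25519 exchange and AES-CTR to show that keystream recovered from a known login prompt in one session does not decrypt the same prompt in the next. The names sessionKey, ctr and knownBannerDemo are hypothetical; hashing the shared secret with SHA-256 and using an all-zero IV are simplifications assumed for this example, not how SSH or TLS derive their keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// sessionKey runs one ephemeral X25519 exchange; the server derives the same value from the client's public key.
func sessionKey() [32]byte {
	client, err := ecdh.X25519().GenerateKey(rand.Reader)
	check(err)
	server, err := ecdh.X25519().GenerateKey(rand.Reader)
	check(err)
	shared, err := client.ECDH(server.PublicKey())
	check(err)
	return sha256.Sum256(shared) // simplified KDF (assumption of this example)
}

// ctr applies AES-256-CTR; the all-zero IV is tolerable only because each key encrypts one message.
func ctr(key [32]byte, data []byte) []byte {
	block, err := aes.NewCipher(key[:])
	check(err)
	out := make([]byte, len(data))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, data)
	return out
}

// knownBannerDemo encrypts the same banner in two sessions and returns what an eavesdropper who
// knows the banner gets by applying session 1's keystream to session 2's ciphertext.
func knownBannerDemo(banner []byte) []byte {
	c1, c2 := ctr(sessionKey(), banner), ctr(sessionKey(), banner)
	guess := make([]byte, len(banner))
	for i := range guess {
		guess[i] = c1[i] ^ banner[i] ^ c2[i] // (c1 XOR banner) is session 1's keystream
	}
	return guess
}

func main() { fmt.Printf("%q\n", knownBannerDemo([]byte("Username: "))) } // constructed sample prompt
```

The known prompt gives the eavesdropper only the keystream bytes that covered it in that one session, not the AES key, so the output is unrelated bytes rather than the prompt.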


