Product specifications
Chapter 5: System Security
Efficient Networks® Router family Technical Reference Guide
Page 5-70
SSH
Secure Shell (SSH) is a key-enabled feature that allows secure network services over
an insecure network such as the public Internet. The objective of SSH is to provide a
secure functional equivalent of telnet. Telnet connections and commands are
vulnerable to a variety of attacks that allow unauthorized system access and even
interception and logging of traffic to and from the system, including passwords. SSH
also provides secure FTP-style file transfer.
SSH protects against:
• IP spoofing, where a remote host sends out packets that pretend to come from
another, trusted host. SSH also protects against spoofing on the local network,
where an attacker poses as the router to the outside.
• IP source routing, where a host can pretend that an IP packet comes from
another, trusted host.
• DNS spoofing, where an attacker forges name server records.
• Interception of clear-text passwords and other data by intermediate hosts.
• Manipulation of data by users in control of intermediate hosts.
SSH Protocol
SSH is available in two versions, SSH1 and SSH2. The two versions are not
compatible, as they differ in their networking implementation, authentication, and
encryption. Currently, the router supports only SSH version 2.
Operating under SSH version 2, each host has a host-specific key (RSA or DSA)
used to identify that host. The client uses this key to verify that it is actually
connected to the server and not to an intermediary intercepting the session. Forward
security is provided through a Diffie-Hellman key agreement, which results in a
shared session key.
The rest of the session is encrypted using a symmetric cipher. The client selects the
encryption algorithm from those offered by the server: Arcfour, Twofish, Blowfish,
DES, or 3DES (the default setting). Additionally, session integrity is provided through
a cryptographic message authentication code, either SHA-1 or MD5 (the default
setting).
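The session setup just described, modelled in Python as an added example (this is not the router's or any SSH implementation's code): the client checks the server's host key against a pinned fingerprint before anything else, picks the first cipher and MAC from its own preference list that the server also offers, and both sides run a Diffie-Hellman agreement whose shared value becomes the session key. The host key bytes, the 127-bit DH group and the algorithm names are constructed for illustration; real SSH-2 uses RSA/DSA host keys, 1024-bit or larger groups and a richer key derivation.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group (Mersenne prime, generator 5); real SSH-2 groups are far larger.
P = (1 << 127) - 1
G = 5

def negotiate(client_prefs, server_offered):
    """SSH-2 rule: the client's first preference that the server also offers wins."""
    for alg in client_prefs:
        if alg in server_offered:
            return alg
    raise ValueError("no algorithm in common")

def fingerprint(host_key: bytes) -> str:
    """SHA-256 fingerprint a client records for a host on first contact."""
    return hashlib.sha256(host_key).hexdigest()

def host_key_matches(host_key: bytes, pinned: str) -> bool:
    """A key presented by an intermediary will not match the pinned fingerprint."""
    return hmac.compare_digest(fingerprint(host_key), pinned)

def dh_session_key(hash_name: str):
    """Only public values cross the wire; returns the (client, server) derived keys."""
    x = secrets.randbelow(P - 2) + 1           # client ephemeral secret
    y = secrets.randbelow(P - 2) + 1           # server ephemeral secret
    e, f = pow(G, x, P), pow(G, y, P)          # public values exchanged on the wire
    k_client, k_server = pow(f, x, P), pow(e, y, P)
    # Simplified derivation; real SSH-2 also hashes in the exchange hash H.
    derive = lambda k: hashlib.new(hash_name, k.to_bytes(16, "big")).digest()
    return derive(k_client), derive(k_server)

def mac_tag(key: bytes, hash_name: str, payload: bytes) -> str:
    """Per-packet integrity tag over the payload, using the negotiated MAC hash."""
    return hmac.new(key, payload, hash_name).hexdigest()

def session_setup(client_ciphers, client_macs, server_ciphers, server_macs,
                  host_key: bytes, pinned_fingerprint: str) -> dict:
    """Order matters: reject an unknown host key before any key exchange happens."""
    if not host_key_matches(host_key, pinned_fingerprint):
        raise ConnectionError("host key mismatch: possible interception")
    cipher = negotiate(client_ciphers, server_ciphers)
    mac = negotiate(client_macs, server_macs)        # "md5" or "sha1" for hashlib
    k_client, k_server = dh_session_key(mac)
    if k_client != k_server:
        raise RuntimeError("key agreement failed")
    return {"cipher": cipher, "mac": mac, "session_key": k_client}
```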