[Ach] bettercrypto.org document

Aaron Zauner azet at azet.org
Thu Jan 2 19:31:49 CET 2014

On 02 Jan 2014, at 09:11, mario.zabrocki at evonik.com wrote:
> I read the document "Applied-Crypto-Hardening.pdf" at bettercrypto.org and found that the provided configuration for CISCO ASA SSH hardening (2.2.2. page 18) is not correct: 
> line vty 0 4 
> transport input ssh 
> ...is only applicable on IOS devices but not on ASA firewalls. On ASA firewalls SSH access must be explicitly granted per IP or IP range via "ssh <interface-name>" command. Please move the mentioned line-commands to section "2.2.3. Cisco IOS”. 
Removed accordingly. Thanks.


BTW: what I usually do is to regard SSH like telnet on firewalls and for that reason just connect management ports to unrouted vLANs. Should we write something in there explicitly? There have been quite a few issues with remote management of Cisco devices over the years and some exploits.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1091 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20140102/46a785bf/attachment.sig>

More information about the Ach mailing list