6 Replies Latest reply on Oct 17, 2018 2:42 PM by kernel___panic___

Checking Cisco switches for SSH capability

alexanderf1954 Jul 7, 2017 9:58 PM

I have over 500 Cisco Switches all different models that i need to check and see if they are SSH compatible. That is if they will support SSH or not. I'm currently using telnet and need to move to SSH. Thanks.

Re: Checking Cisco switches for SSH capability

jkump Jul 10, 2017 1:08 PM (in response to alexanderf1954)

I believe there is already a compliance report you can run provided all 500 are in Solarwinds that will tell you in they are running SSH or not. I ran it when I first started with this company. Then I found out versions needed to be upgraded to support SSH. But, at least that is where I started.
Like (0)

Actions
- Re: Checking Cisco switches for SSH capability
  
  crzyr3d Oct 17, 2018 8:37 AM (in response to jkump)
  
  Do you recall or know where this report is located?
  
  Like (0)
  
  Actions
Re: Checking Cisco switches for SSH capability

d09h Jul 10, 2017 1:22 PM (in response to alexanderf1954)

Which versions of IOS are being run? Per this site (dated 2007) http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html "SSH Version 1.0 (SSH v1) server was introduced in some Cisco IOS platforms and images that start in Cisco IOS Software Release 12.0.5.S."

Are any running CAT OS? If so, 6.1 and higher support: http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/13881-ssh-cat-switches.html
Like (0)

Actions
Re: Checking Cisco switches for SSH capability

nickzourdos Jul 10, 2017 2:05 PM (in response to alexanderf1954)

You'll need to make sure you're running a version of IOS that is k9. LAN Base and LAN Lite versions of IOS do not support SSH. If you want to quickly check if SSH is already configured, I'd suggest nmap/zenmap.
Like (0)

Actions
Re: Checking Cisco switches for SSH capability

rschroeder Jul 10, 2017 2:21 PM (in response to alexanderf1954)

While you're at the task of discovery for remediation and migration to SSH, remember SSH-V1 is no longer accepted as secure. Upgrade to SSH-V2 as your first step, bypassing V1.

If you have NCM, you can not only report on your hardware's version of codes that are compatible with SSH-V2 and are running K9 versions of code, but you can also have NCM implement SSH, generate a new key (mandatory for using SSH the first time), set the SSH source interface, lock down any/all interfaces that were using Telnet and force them to only accept SSH-V2, etc.

Further, start using ISE or ACS if you're not already doing so, and move from RADIUS to TACACS to get a complete AAA solution that Authenticates users trying to access your gear, Authorizes which commands they are allowed to run on your gear, and performs complete Accounting of their actions so you know who issued exactly what commands at any specific date & time. Nothing less works for proving you're doing right by your company's security when an audit happens.
1 of 1 people found this helpful
Like (2)

Actions
Re: Checking Cisco switches for SSH capability

kernel___panic___ Oct 17, 2018 2:42 PM (in response to alexanderf1954)

Run a report from Solarwinds for Code Version. Export to SpreadSheet and Search for 'K9' in the code version.
Like (0)

Actions

Go to original post