Re: Checking Cisco switches for SSH capability
jkump Jul 10, 2017 1:08 PM (in response to alexanderf1954)
I believe there is already a compliance report you can run, provided all 500 are in SolarWinds, that will tell you if they are running SSH or not. I ran it when I first started with this company. Then I found out versions needed to be upgraded to support SSH. But, at least that is where I started.
Re: Checking Cisco switches for SSH capability
crzyr3d Oct 17, 2018 8:37 AM (in response to jkump)
Do you recall or know where this report is located?
Re: Checking Cisco switches for SSH capability
d09h Jul 10, 2017 1:22 PM (in response to alexanderf1954)
Which versions of IOS are being run? Per this site (dated 2007) http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html "SSH Version 1.0 (SSH v1) server was introduced in some Cisco IOS platforms and images that start in Cisco IOS Software Release 12.0.5.S."
Are any running CAT OS? If so, 6.1 and higher support: http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/13881-ssh-cat-switches.html
Re: Checking Cisco switches for SSH capability
nickzourdos Jul 10, 2017 2:05 PM (in response to alexanderf1954)
You'll need to make sure you're running a version of IOS that is k9. LAN Base and LAN Lite versions of IOS do not support SSH. If you want to quickly check if SSH is already configured, I'd suggest nmap/zenmap.
Re: Checking Cisco switches for SSH capability
rschroeder Jul 10, 2017 2:21 PM (in response to alexanderf1954)
While you're at the task of discovery for remediation and migration to SSH, remember SSH-V1 is no longer accepted as secure. Upgrade to SSH-V2 as your first step, bypassing V1.
If you have NCM, you can not only report on your hardware's version of codes that are compatible with SSH-V2 and are running K9 versions of code, but you can also have NCM implement SSH, generate a new key (mandatory for using SSH the first time), set the SSH source interface, lock down any/all interfaces that were using Telnet and force them to only accept SSH-V2, etc.
Further, start using ISE or ACS if you're not already doing so, and move from RADIUS to TACACS to get a complete AAA solution that Authenticates users trying to access your gear, Authorizes which commands they are allowed to run on your gear, and performs complete Accounting of their actions so you know who issued exactly what commands at any specific date & time. Nothing less works for proving you're doing right by your company's security when an audit happens.
Re: Checking Cisco switches for SSH capability
kernel___panic___ Oct 17, 2018 2:42 PM (in response to alexanderf1954)
Run a report from SolarWinds for Code Version. Export to spreadsheet and search for 'K9' in the code version.
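As an added example (not code from any reply in this thread), the two checks the thread converges on, "is the image a K9 build" from the last reply and "is SSH-V1 still accepted" from rschroeder's reply, applied to a constructed code-version export; the hostnames, image names and SSH greetings below are made up for illustration.

```python
import csv
import io
import re

# Constructed sample export (not real SolarWinds data): hostname, IOS image file
# name, and the greeting the device's port 22 returned (empty if nothing answered).
SAMPLE_EXPORT = """hostname,image,ssh_banner
sw-core-01,c3750e-universalk9-mz.152-4.E10.bin,SSH-2.0-Cisco-1.25
sw-access-07,c2960-lanbasek9-mz.150-2.SE11.bin,SSH-1.99-Cisco-1.25
sw-access-12,c2960-lanbase-mz.122-55.SE.bin,
sw-old-03,c2950-i6q4l2-mz.121-22.EA14.bin,
"""

# Image names are platform-featureset-format.version; SSH needs a "k9" (crypto) feature set.
IMAGE_RE = re.compile(r"^[^-]+-(?P<featureset>[^-]+)-")

def image_is_k9(image):
    """True when the image is a k9 (crypto) build, so SSH can be enabled at all."""
    m = IMAGE_RE.match(image.strip().lower())
    return bool(m) and "k9" in m.group("featureset")

def ssh_state(banner):
    """'2.0' = v2 only, '1.99' = v1 still accepted, '1.x' = v1 only, 'none' = no SSH."""
    banner = banner.strip()
    if not banner.startswith("SSH-"):
        return "none"
    proto = banner.split("-", 2)[1]
    return proto if proto in ("2.0", "1.99") else "1.x"

def audit(export_text):
    """Per host, the next step from the thread: k9 image, then SSH on, then v2 only."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if not image_is_k9(row["image"]):
            finding = "non-k9 image: upgrade code before SSH can be configured"
        else:
            state = ssh_state(row.get("ssh_banner") or "")
            if state == "none":
                finding = "k9 image but no SSH service: generate keys and enable SSH"
            elif state == "2.0":
                finding = "ok: SSH v2 only"
            else:
                finding = "SSH v1 accepted (%s): restrict to version 2" % state
        findings.append((row["hostname"], finding))
    return findings

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_EXPORT):
        print("%-14s %s" % (host, finding))
```

A greeting of SSH-1.99 means the server still negotiates SSH-V1 with old clients, which is the case rschroeder's advice to force V2-only is aimed at.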