“Cignoro hrobosa sukares hin mange la pchagavas doi me kamavas na beslas lele pal hrobas!”
It was the man to their right calling out across the basin.
To Paul, the words were gibberish, but out of her Bene Gesserit training, Jessica recognized the speech. It was Chakobsa, one of the ancient hunting languages, and the man above them was saying that perhaps these were the strangers they sought.
Dune
Frank Herbert
For the same tactical reason that military commands should not be revealed to your opponent, management connections to the Cisco ASA should be secured. This can be done either by encrypting the management traffic over an unsecured network, or by using a protected, out-of-band connection.
The ASA is the guardian to your network, and all commands sent to it should be protected from snooping. If an attacker can eavesdrop on an administrator’s session, they may be able to see what is being configured, or perhaps snaffle the administrator’s username and password. In that case, the ASA is compromised. (See here for an administrator’s plaintext Telnet session intercepted by a packet sniffer.)
Unlike Telnet, SSH provides data confidentiality as well as authentication. For SSH management sessions, the Cisco ASA supports:
- Both SSH version 1 and SSH version 2
- 3DES and AES for data encryption
- HMAC-SHA and HMAC-MD5 for integrity
- RSA for host authentication
- Diffie-Hellman Group 1 for key exchange
The default SSH config on the Cisco ASA can be seen with a show run or a show ssh. Management access to the ASA via SSH is disabled by default. The default config only specifies the timeout and versions, as seen with a show ssh:
ciscoasa# sh ssh
Timeout: 5 minutes
Versions allowed: 1 and 2
To enable SSH management access on the Cisco ASA:
- Generate a RSA keypair
ciscoasa# con t
ciscoasa(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
- Specify the hosts that are allowed to SSH into the ASA and the interface that they will use to connect
ciscoasa(config)# ssh 11.11.11.2 255.255.255.255 outside
Now you can log in to the ASA via SSH using the default username pix and the default password cisco.
- (Optional but recommended) If you do not want to use the default password, change the password with the password command. This will set the password for Telnet and SSH connections to the ASA. For example, to set the password to “atreides”:
ciscoasa(config)# password atreides
- (Optional but recommended) Enable AAA authentication for SSH against the local user database, and create a local user to authenticate as:
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# username duncan password distrans
The aaa authentication ssh console LOCAL command overrides the password set via the password command.
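The steps above leave three states an administrator can end up in: SSH enabled with the shared pix/password credential, SSH enabled with LOCAL authentication, or Telnet still open beside it. The following script is an added example for this post, not Cisco code or part of the ASA command set; it reads the text of a show run excerpt and flags the weak conditions the post discusses (no aaa authentication for SSH, SSH version 1 still allowed, Telnet management enabled, SSH permitted from a whole range rather than a single host, LOCAL authentication with no local users). The two sample configurations are constructed, and the "ssh version 2" line it looks for is assumed to be available on the reader's ASA release.

```python
"""Audit a Cisco ASA running-config excerpt for SSH management hygiene.

Added example for this post, not Cisco code. It parses the text of a
``show run`` and reports the weak states the post describes. The
``ssh version 2`` check assumes that command exists on the ASA release.
"""
import re
from dataclasses import dataclass

# Constructed sample: SSH enabled per the post's two required steps only,
# with the default Telnet access line still present. Not a real device.
SAMPLE_WEAK = """\
hostname ciscoasa
ssh 11.11.11.2 255.255.255.255 outside
ssh timeout 5
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
"""

# Constructed sample after the post's optional steps plus version pinning.
# The password hash is redacted; a real show run prints the encrypted value.
SAMPLE_HARDENED = """\
hostname ciscoasa
username duncan password ***** encrypted
aaa authentication ssh console LOCAL
ssh 11.11.11.2 255.255.255.255 outside
ssh timeout 5
ssh version 2
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    code: str      # stable identifier, handy for tests and dashboards
    message: str


_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_SSH_HOST = re.compile(rf"^ssh ({_IP}) ({_IP}) (\S+)$")
_TELNET_HOST = re.compile(rf"^telnet ({_IP}) ({_IP}) (\S+)$")
_USERNAME = re.compile(r"^username (\S+) ")


def audit_ssh_config(config_text: str) -> list[Finding]:
    """Return findings for one running-config excerpt."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings: list[Finding] = []

    # "ssh <host> <mask> <interface>" lines are the hosts allowed to connect.
    ssh_hosts = [m.groups() for ln in lines if (m := _SSH_HOST.match(ln))]
    if not ssh_hosts:
        findings.append(Finding("info", "ssh-disabled",
                                "no 'ssh <host> <mask> <interface>' line; SSH access is off"))
    for ip, mask, intf in ssh_hosts:
        if mask != "255.255.255.255":
            findings.append(Finding("medium", "ssh-wide-range",
                                    f"SSH allowed from {ip} {mask} on {intf}, not a single host"))

    # Without aaa authentication, SSH logins use the shared 'password' credential.
    uses_local_aaa = "aaa authentication ssh console LOCAL" in lines
    if ssh_hosts and not uses_local_aaa:
        findings.append(Finding("high", "no-aaa",
                                "SSH logins use the shared 'password' credential with username pix"))
    if uses_local_aaa and not any(_USERNAME.match(ln) for ln in lines):
        findings.append(Finding("high", "aaa-no-users",
                                "LOCAL authentication set but no 'username' defined; SSH logins will fail"))
    if ssh_hosts and "ssh version 2" not in lines:
        findings.append(Finding("medium", "sshv1-allowed",
                                "SSH version 1 still allowed; add 'ssh version 2'"))
    for ip, mask, intf in (m.groups() for ln in lines if (m := _TELNET_HOST.match(ln))):
        findings.append(Finding("high", "telnet-enabled",
                                f"plaintext Telnet management allowed from {ip} {mask} on {intf}"))
    return findings


def finding_codes(config_text: str) -> set[str]:
    """Just the finding identifiers, for quick comparison between configs."""
    return {f.code for f in audit_ssh_config(config_text)}


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"== {name} ==")
        for f in audit_ssh_config(cfg):
            print(f"[{f.severity}] {f.code}: {f.message}")
```

Run against the weak sample it reports the missing aaa line, the still-allowed SSH version 1 and the open Telnet access; the hardened sample produces no findings. The check is deliberately line-oriented so it can be pointed at the output of show run copied from a terminal session.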
Additional Information:
Password command in the Cisco ASA 8.4 Command Reference.
Ssh command in the Cisco ASA 8.4 Command Reference.
Show ssh command in the Cisco ASA 8.4 Command Reference.
Show run command in the Cisco ASA 8.4 Command Reference.
Aaa authentication console command in the Cisco ASA 8.4 Command Reference.
Username command in the Cisco ASA 8.4 Command Reference.