You are still vulnerable from within your own network (any of your
customers). So you need to install filters everywhere, including
*every* dialup port.
>
> Also, it's hard to spoof an entire TCP session setup. The spoofer can't
> see the responses coming back from your server, so he/she needs to guess.
> I don't see how you get very far into a session before you lose control.
Read Mitnick's case (www.takedown.com).
>
> ssh logins require a lot of CPU power. I don't see that ever happening,
> except for the PM3 & the unannounced encryption daughter card.
Considering the rather rare occasions on which this authentication is needed,
it should not be a big deal.
>
> Also there are copyright and licensing issues. This could be solved
> with a PM3 daughter card, by including licensing costs when you buy the
> hardware.
That's true. Also export/import restrictions, though I'm not sure if they
are applicable in this case (if there will be no session encryption -
only authentication).
-- 
Igor V. Semenyuk          Internet: iga@sovam.com
SOVAM Teleport            Phone:    +7 095 258 4170
Moscow, Russia            Fax:      +7 095 258 4133
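The following is an added illustration of the per-port anti-spoofing filter the reply calls for; it is example code written for this page, not code from the thread or from any PortMaster product. It models the reply's point that every ingress point, including each dialup port, needs its own source-address check: a customer port accepts only sources inside the prefix assigned to that customer, and the uplink port rejects any source claiming to be inside the provider's own address space. The port names, prefixes and sample packets are constructed for the demonstration.

```python
"""Per-port source-address validation (added example, not from the thread).

Each port is bound to the prefix(es) legitimately sourced behind it. A
packet is accepted only if its source address falls inside one of those
prefixes; an unknown port is denied by default. The uplink has no
customer prefix, so its rule is the classic one: drop anything that
claims an address from inside our own network.
All names, prefixes and packets below are constructed sample data.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed port table: port name -> prefixes legitimately sourced there.
PORT_PREFIXES: Dict[str, List[str]] = {
    "dialup-s0": ["192.0.2.16/28"],   # one dialup customer
    "dialup-s1": ["192.0.2.32/28"],   # another dialup customer
    "uplink-e0": [],                  # upstream link: no customer prefix
}

# Constructed prefixes belonging to the provider itself; traffic arriving
# from the uplink must never carry one of these as its source.
OUR_PREFIXES = ["192.0.2.0/24", "203.0.113.0/24"]


def _nets(prefixes: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    return [ipaddress.ip_network(p) for p in prefixes]


def allowed(port: str, src: str) -> bool:
    """Return True if a packet with source address `src` may enter on `port`."""
    addr = ipaddress.ip_address(src)
    if port not in PORT_PREFIXES:
        return False  # unknown port: default deny
    customer_nets = _nets(PORT_PREFIXES[port])
    if customer_nets:
        # Customer port: strict check, source must be inside the assigned block.
        return any(addr in n for n in customer_nets)
    # Uplink port: reject anything pretending to come from inside our network.
    return not any(addr in n for n in _nets(OUR_PREFIXES))


def filter_packets(
    packets: Iterable[Tuple[str, str, str]]
) -> List[Tuple[str, str, str, str]]:
    """Apply the check to (port, src, dst) tuples and return each verdict."""
    verdicts = []
    for port, src, dst in packets:
        verdict = "accept" if allowed(port, src) else "drop"
        verdicts.append((port, src, dst, verdict))
    return verdicts


# Constructed sample traffic covering the cases the thread discusses.
SAMPLE = [
    ("dialup-s0", "192.0.2.20", "203.0.113.5"),    # legitimate customer traffic
    ("dialup-s0", "203.0.113.5", "203.0.113.9"),   # customer spoofing a server address
    ("dialup-s1", "192.0.2.20", "203.0.113.5"),    # customer spoofing a neighbour's address
    ("uplink-e0", "198.51.100.7", "203.0.113.5"),  # normal inbound traffic
    ("uplink-e0", "192.0.2.20", "203.0.113.5"),    # outsider spoofing an internal address
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE):
        print("%-10s %-14s -> %-14s %s" % row)
```

The second and third sample packets are the case the reply makes: an address-based check only at the border does nothing against a customer who spoofs from the inside, so the filter has to be applied on the dialup port itself, keyed to that port's assigned prefix.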