topic They want to keep both telnet in Network Security

Telnet vs SSH

Bob Greer — Fri, 21 Feb 2020 13:57:59 GMT

Hi there,

Thanks for reading.

I’m the new admin at my organization (it’s a big, world-wide org). I’m fighting the entrenched senior leadership about telnet and ssh. We have a few devices with telnet-only enabled. The devices I’ve discovered are access layer in the center of a site known for rogue-IT and –users! Of course, telnet has to go, right?

I’ve encountered major, unexpected pushback. The argument is ease over security. I’m at the CCNA level. They’re at NP or IE level. Their talking points are:

Too busy to draft a strategy (they only work the REALLY complicated issues)
SSH overhead – Can’t reach a device experiencing 99% CPU usage, telnet can
They want to keep both telnet & ssh enabled and (somehow) force admins to use SSH while leaving telnet as a backdoor / backup

My only idea to “meet” this ‘requirement’: line vty 0 14 transport input ssh; line vty 15 transport telnet.

I assume even that would fail: a session requesting telnet would go straight to line 15?

Thanks again!

Bob

SSH overhead – Can’t reach a

Leo Laohoo — Tue, 22 Nov 2016 20:30:38 GMT

SSH overhead – Can’t reach a device experiencing 99% CPU usage, telnet can

Bull$hit! If the CPU is at 99%, not even console works. Ask them to prove it. I have 15.0(2)SE3 which can send CPU up to 100%.

Next, HOW OFTEN does an appliance gets loaded with a buggy IOS that sends CPU up to 99%. IF there is one right now in the network, then it's not a telnet vs SSH but rather the reluctance to do anything attitude.

Finally, going from telnet to SSH requires the appliance to load Crypto software image. Question: Does anyone actually know how to upgrade the appliance? (You don't want to know the answer to this question.)

They want to keep both telnet

Leo Laohoo — Tue, 22 Nov 2016 20:49:14 GMT

They want to keep both telnet & ssh enabled and (somehow) force admins to use SSH while leaving telnet as a backdoor / backup

A lot of new Cisco models now sport a Management port. This is now the new method of OoBM.

I agree with everything that

nspasov — Wed, 23 Nov 2016 00:28:00 GMT

I agree with everything that Leo said. I would try to dig a bit deeper and figure out the exact reasons behind this. If no good reasons are provided then your peers are just being lazy 🙂

Leaving telnet enabled is a bad idea. Mgmt traffic can be captured and credentials extracted. This can be a huge issue especially if OOM is not used.

Also, leaving telnet enabled will lead to failures all sorts of audits and assessments. I don't know which organization you work for but if it is a big/world-wide then I would not be surprised if you are failing several compliance/legal requirements.

You can leave line 15 with telnet but in order for that to work you will need to use "rotaries" and tie a specific port to that vty line. For more info take a look at this link:

http://www.packetu.com/2012/08/09/using-an-alternate-telnet-port-in-cisco-ios/

I hope this helps!

Thank you for rating helpful posts!

Hi guys,Thanks for writing.

Bob Greer — Wed, 23 Nov 2016 17:44:15 GMT

Hi guys,
Thanks for writing. The rotary solution looks like it might fit. I am stunned by the militant pushback I'm getting. I was expecting red-faced agreement!

Anyway, thanks again for your input!