ssh versus telnet validation

I am trying to validate that ssh should be used to access network equipment, Cisco or other brand, instead of telnet. Are there any credible sources out there that for best practice, one must use ssh instead of telnet. Thanks
Tony PittCommented:
The reason for doing this is in order that passwords don't pass in plain text on your network.  While using telnet, there is a risk that someone could capture the data in a network sniffer and thereby obtain the passwords to the network equipment.  If you are confident that this won't happen, then I wouldn't bother with ssh.  If you are worried by that risk, then use ssh.

I'm not sure that you'll find anything definitive that says you must use ssh, but there are recommendations on the Internet.  Here's one from the For Dummies website, for example.

leblancAccountingAuthor Commented:
I am trying to convince my manager from converting telnet to SSH. That is why I need credible sources that can back me up, like Cisco, HP, Juniper, etc... My manager said that there is no risk for somebody to compromise the network equipment even though the password is in plain text.
Ken BooneNetwork ConsultantCommented:
Ok, so here are a few. 1st of all, your manager knows nothing about network security.  Up until the last few years, most security attacks were done from the inside.

Here are a few sources:

Read here in a cisco press book:

Network Computing - from a few years ago.

Here is another best practice guide from Cisco:

SSH does not just encrypt the passwords but all data transmitted.

All it takes is a sniffer to see everything someone did over a telnet session.  Not just username/passwords, but if someone did a show run over telnet and it was sniffed they would see the entire config.

Good luck.

Natty GregIn Theory (IT)Commented:
Ask him what he would tell his superiors when the system gets hacked through his/her stubbornness to change the security protocol to heighten the security within the organization.

Every half decent IT person should know not to use TELNET because of security flaws.

Here is a link explaining the difference between ssh and telnet.
Dave HoweSoftware and Hardware EngineerCommented:
Solution? Have him log into a telnet client (with user and pass) having already run ettercap on your machine. Then show him the transaction log you captured.

I have seldom seen anyone so shocked as when they get an email with something they thought was only a "theoretical" vulnerability :)
Tony PittCommented:
I don't entirely agree with the above responses.  It all depends on the way your network is built.  If (and it's a very big "IF") everything is wired back to individual ports on switches, and the cabling is physically secure along with the switches themselves, then the risk of someone running a sniffer on the network can probably be ignored.  However, there are very, very few networks where those criteria truly apply.

Nevertheless, it is up to the organisation how it handles risk.  There is no absolute authority to ask here.  I would suggest that you document the risk, and your proposed way of mitigating that risk, and ask your manager to respond with a statement that he is not accepting your proposal and thereby accepting the risk.  That way, you have covered yourself.

Ken BooneNetwork ConsultantCommented:
Well, "IF" a user knew the login information to a switch, perhaps a core layer 3 switch, then all they have to do is log in to that physically secured switch over physically secured cabling and set all other ports to span to his existing port without ever touching any physical aspect of it.   So if someone really wanted to do it they could, whether or not there was physical security.  It has been a best practice for at least 10 years to run ssh instead of telnet - period.

What is the likelihood of that scenario playing out? Probably not real likely, but it can happen.  All you need is an internal catalyst to spark someone to perform malicious activity.  I have seen things like this happen several times over the past decade.

Tony brings up a very good point though.  It is your responsibility as the IT guy to make best practice recommendations.  Let your boss sign off on accepting that risk.  (Really, he doesn't want to do it because he is lazy.  What is the big deal about going to ssh anyway?)  That way, if it does happen, the boss can't come back on you.  Ultimately it's the bossman's decision.
leblancAccountingAuthor Commented:
Hi Ken,
"I have seen things like this happen several times over the past decade." Any articles on this?

His argument is our internal network (physical) is "secured" as the doors of the closets and server rooms are locked. We talked about the sniffing part. But in order for that to work, you have to physically access the switches and run SPAN or mirror port. Not sure how the sniffing will work if you come in through the FW.
Ken BooneNetwork ConsultantCommented:
leblanc - no articles on this.  These are things I have witnessed that have happened among my customer set, where internal attacks were made by employees or outgoing employees that have caused a lot of damage to their former employer.  Where there is a will there is a way.  There is not a network out there that is 100% foolproof.  We do what we can to mitigate the risks we see.

Look, here is the bottom line.  How hard is it really to freaking use ssh?  I mean, for real.   There is a command line version of putty that can be installed:

But gee whiz you can set up all your stuff in putty and just click on the links to access the devices.

If you want to buy something then get SecureCRT but really how much harder is it really to issue ssh than telnet?

Your boss is either lazy or is afraid of it because he doesn't understand it.
leblancAccountingAuthor Commented:
I could not agree more. I think I will make the case and I will enable ssh on the switches. Thank you all.
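Ken's point that a sniffed telnet session exposes everything typed, and leblanc's decision above to enable ssh on the switches, both come down to one setting on Cisco IOS: `transport input` on the vty lines. The audit below is an added example, not code from the thread or from any vendor; the two configs are constructed samples, and the `line vty` / `transport input` / `ip ssh version 2` syntax is standard IOS but should be checked against your platform's documentation.

```python
"""Audit a Cisco IOS-style running config for Telnet management access.

Added example: the configs below are constructed samples. RSA key
generation (an exec-mode step SSH needs) does not appear in 'show run'
and so is out of scope for this text-only check.
"""
import re

WEAK_CONFIG = """\
hostname sw-core-1
!
line vty 0 4
 login local
 transport input telnet
line vty 5 15
 login local
 transport input all
!
end
"""

HARDENED_CONFIG = """\
hostname sw-core-1
ip domain-name example.internal
ip ssh version 2
!
line vty 0 15
 login local
 transport input ssh
!
end
"""

def audit_vty_transport(config: str) -> dict:
    """Flag every 'line vty A B' block whose 'transport input' permits
    telnet ('telnet' or 'all'), or that sets no transport at all, since
    the effective default varies between IOS versions. Also record
    whether SSHv2 is enforced. 'ok' means no findings and SSHv2 on."""
    findings, current, seen = [], None, False
    for line in config.splitlines():
        m = re.match(r"^line vty (\d+) (\d+)$", line.rstrip())
        if m or (current and line and not line.startswith(" ")):
            if current and not seen:          # block ended without transport input
                findings.append(f"{current} (no transport input set)")
            current = f"vty {m.group(1)} {m.group(2)}" if m else None
            seen = False
            continue
        if current and line.startswith(" transport input"):
            seen, protos = True, line.split()[2:]
            if "telnet" in protos or "all" in protos:
                findings.append(f"{current} ({' '.join(protos)})")
    if current and not seen:
        findings.append(f"{current} (no transport input set)")
    ssh_v2 = re.search(r"^ip ssh version 2$", config, re.M) is not None
    return {"telnet_lines": findings, "ssh_v2": ssh_v2,
            "ok": not findings and ssh_v2}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_vty_transport(cfg))
```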
Dave HoweSoftware and Hardware EngineerCommented:

needs no physical (or even logical) access to switches, but you *do* need to be in the same layer 2 domain as either the client or the server whose sessions are being attacked.
leblancAccountingAuthor Commented:

That's a good one.