Telnet Versus SSH: How SSH Works and Why It's Better
by PivIT Global on Sep 15, 2022 7:15:00 AM
A Pew Research Center survey found that 54% of U.S. employees prefer working from home. Additionally, the current trends suggest that a hybrid or 100% remote work model will become a standard over the next few years. This model has meant that businesses have had to create remote connections into their network to allow employees to access specific applications/services or for administrators to configure new settings on a network device.
A properly installed and configured enterprise network does not require interventions very often. However, configuration changes or upgrades are needed from time to time. Although console access is the simplest and most secure way to connect to equipment, it is impossible unless you are physically close to the equipment.
Therefore, in most cases, a remote connection is established using Telnet or SSH to monitor, configure, and troubleshoot a network. However, these two protocols are not created equal.
This article will provide an overview of Telnet and SSH, their differences, and how to configure a router to deploy SSH.
The Need for Remote Access
In a perfect world, a set-and-forget network would be ideal. However, a network can be viewed as a live entity, requiring updates and configuration changes to keep it running smoothly. When appropriate actions are needed on a device, network administrators must first connect to the device in question. However, most of the time, the device can be on a different floor, building, or even in a completely different city or country.
As a result, console access is not always possible. This is when remote solutions such as Telnet or SSH can be used. These network protocols allow connecting on demand to any device, at any location, as long as the remote device is configured to support remote access. However, a remote connection can lead to disastrous consequences when it is not properly secured.
Telnet – A Zero-Protection Remote Access Solution
Telnet, developed about 50 years ago, is probably the best-known remote access solution. It uses a text-based interface to create a virtual terminal, allowing network administrators to access applications on other devices. It is supported, and enabled by default, by most vendors.
In the scenario shown in the image above, where an administrator at home needs to access the headquarters router, the only command that needs to be entered is telnet 203.0.113.1, followed by the requested credentials: either just a password, or a username and password.
However, as simple as it is to use this approach, Telnet should be avoided whenever possible. The main reason is that Telnet does not provide any protection when data is sent from one side to the other. Even the password that is provided for authentication is sent in clear text.
For that reason, enterprises usually have a policy to avoid Telnet for remote sessions over untrusted networks such as the internet. At most it is used internally on the local network, and even that is often forbidden. The only other reason to use Telnet is that a device does not support SSH.
SSH – A Secure Remote Access Solution
To overcome the limitations of Telnet, SSH was developed in the 1990s and quickly took over as the preferred solution for remote access. Unlike Telnet, SSH works along the same lines as a VPN: it provides privacy through encryption, and data integrity and origin authentication through hash-based message authentication codes.
Even though SSHv1 was a considerable improvement over Telnet, a vulnerability was found in it, and SSHv2 was later introduced. This version is more complex and supports stronger, more robust security algorithms to protect the data traffic.
Symmetric and Asymmetric Algorithms
In contrast to Telnet, where nothing at all is used to provide security, SSH uses both asymmetric and symmetric encryption. Symmetric encryption, which is faster and well suited to large volumes of data, protects the data exchanged between the devices during the SSH session.
The same key is used for encryption and decryption on both sides. However, that shared symmetric key must first be established, and for that purpose asymmetric encryption is used.
Asymmetric encryption uses a pair of keys, one public and one private. Data encrypted with the public key can only be decrypted with the private key. The public key can be freely shared: although the two keys are mathematically related, there is no practical method of deriving the private key from the public key.
How SSH Works
SSH uses the RSA asymmetric algorithm to securely exchange the symmetric key needed to protect the data during the SSH session. Let's use the example image above. An SSH session needs to be established between Admin PC and R1. When Admin PC connects to R1, the router presents the client with its public key.
After that, the two sides negotiate the security algorithms that will be used later on. Once they agree, Admin PC creates a symmetric key (known as the session key). Admin PC then encrypts the session key with R1's public key (received previously) and sends it to R1. Since R1 is the only device holding the private key, it decrypts the message and extracts the same session key, which is then used for bulk protection of the SSH session. Note that encrypting the session key with the server's RSA public key is the SSHv1 model; SSHv2 instead derives the session key with a Diffie-Hellman exchange and uses the server's host key to sign that exchange, so the key is never transmitted at all, which is one reason SSHv2 is the version to enable.
Enabling SSH
By default, only Telnet is allowed on Cisco devices. Therefore, for a device such as a switch, router, or firewall to accept SSH sessions, SSH must be configured. Although the configuration steps are the same across device types, we will focus on configuring SSH on a Cisco router.
A few requirements must be met before configuring SSH: change the device's default hostname and define a domain name. Both are needed to generate the key pair (the private and public keys). Next, a local account must be created for authentication. Then the asymmetric keys are generated using the RSA algorithm.
By today's standards, a key length of at least 2048 bits is recommended.
Once the keys exist, the virtual terminal (vty) lines must be configured to authenticate against the local account (username and password) and to refuse Telnet. SSHv2 can also be set as the only version allowed on R1. The commands below show the full SSH configuration on R1:
As you can see, enabling SSH takes only a few commands. Once enabled, the device is ready for SSH sessions. All data exchanged between the connected devices is encrypted in transit and protected from eavesdropping threats such as password theft.
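The following is an added example listing that walks through the steps above on a Cisco IOS router; it is not the article's own listing, and the hostname, domain name, username and password are placeholders to be replaced with your own values:

```cisco
! Hostname and domain name are required before the RSA key pair can be generated.
hostname R1
ip domain-name example.com
!
! Local account used by the vty lines. "secret" stores the password hashed
! rather than reversibly; replace the placeholder with a strong password.
username admin privilege 15 secret CHANGE-ME-STRONG-PASSWORD
!
! Generate the RSA key pair; 2048 bits is the recommended minimum.
crypto key generate rsa modulus 2048
!
! Accept only SSH protocol version 2 and limit authentication attempts.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Virtual terminal lines: authenticate against the local user database and
! accept SSH only, so Telnet connections to these lines are refused.
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
!
! Verification from privileged EXEC mode:
!   show ip ssh   (confirms SSH is enabled and reports the version in use)
!   show ssh      (lists active SSH sessions and their ciphers)
```

After applying this, test from the Admin PC with an SSH client before closing the existing session, and confirm that a Telnet attempt to the router is refused.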