I have many routers set up as VPN's. Sometimes I have to access the routers using their public IP via telnet, is this sent in clear text? If so do you recommend ssh? If so how can I set this up on a Cisco 877 or 1841?
Telnet data is sent in clear text. It's certainly a good idea to use SSH to access network devices especially when going through a public network like Internet. As you are probably aware SSH would encrypt all data between the client/server and even if someone gets a hand on the data it's of no use.
From a security perspective SSH is much better than telnet. If you are telnetting through the VPN to a router inside address it does not matter much since the traffic will be encrypted. But telnetting to the public address does create some exposure. It is good that you have a rule to only accept telnet from your source address. But there is still exposure. Someone could observe the traffic and could learn your user ID and password. What could they do if they knew your address, your user ID, and your password?
While that is not a high degree of risk it is still some risk and why take any risk when a better solution is available? Since the routers are running VPN they already have the crypto image and therefore will support SSH. Basically as long as they have a host name and a domain name configured all you need to do is to generate RSA keys and then SSH is ready to go. It would certainly be a best practice to use SSH - especially for access to outside interfaces of these routers.
I see what you are saying. A few things, what would my domain be, my windows domain? Would I add ssh the remove the telnet settings, sorry this a area I'm not sure about. Do you have an example Rick? Many thanks in advance.
The domain for the router is generally the domain name used in DNS. I assume that there is some DNS domain name for CBS Outdoor Ltd and that is what I would use for the router.
Telnet and SSH can coexist. If you want to continue to use telnet to inside addresses (through the VPN) and SSH to outside addresses you do not need to remove anything. If you decide that you want to change your policy and only use SSH for remote access to the routers then you could configure under the vty lines:
I do not know the authoritative answer about why it requires a domain name. My assumption is that they want a domain name because they want a complete and unique identification of the device. What I do know (from hard experience) is that without a domain name configured the key will not generate.
If you want to keep your telnet option then the config needs to have this:
transport input ssh telnet
if you only list ssh as the transport then it is the only one allowed. By listing both ssh and telnet then both are allowed.
We are pleased to announce availability of Beta software for 16.6.3.
16.6.3 will be the second rebuild on the 16.6 release train targeted
towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are
looking for early feedback from customers befor...
Introduction Featured Speakers Luis Espejel is the Telecommunications
Manager of IENova, an Oil & Gas company. Currently he works with Cisco
IOS® and Cisco IOS XE platforms, and NX to some extent. He has also
worked as a Senior Engineer with the Routing P...
In this session you can learn more about Layer 3 multicast and the best
practices to identify possible threats and take security measures. It
provides an overview of basic multicast, the best security practices for
use of this technology, and recommendati...