I have many routers set up as VPN's. Sometimes I have to access the routers using their public IP via telnet, is this sent in clear text? If so do you recommend ssh? If so how can I set this up on a Cisco 877 or 1841?
Telnet data is sent in clear text. It's certainly a good idea to use SSH to access network devices especially when going through a public network like Internet. As you are probably aware SSH would encrypt all data between the client/server and even if someone gets a hand on the data it's of no use.
From a security perspective SSH is much better than telnet. If you are telnetting through the VPN to a router inside address it does not matter much since the traffic will be encrypted. But telnetting to the public address does create some exposure. It is good that you have a rule to only accept telnet from your source address. But there is still exposure. Someone could observe the traffic and could learn your user ID and password. What could they do if they knew your address, your user ID, and your password?
While that is not a high degree of risk it is still some risk and why take any risk when a better solution is available? Since the routers are running VPN they already have the crypto image and therefore will support SSH. Basically as long as they have a host name and a domain name configured all you need to do is to generate RSA keys and then SSH is ready to go. It would certainly be a best practice to use SSH - especially for access to outside interfaces of these routers.
I see what you are saying. A few things, what would my domain be, my windows domain? Would I add ssh the remove the telnet settings, sorry this a area I'm not sure about. Do you have an example Rick? Many thanks in advance.
The domain for the router is generally the domain name used in DNS. I assume that there is some DNS domain name for CBS Outdoor Ltd and that is what I would use for the router.
Telnet and SSH can coexist. If you want to continue to use telnet to inside addresses (through the VPN) and SSH to outside addresses you do not need to remove anything. If you decide that you want to change your policy and only use SSH for remote access to the routers then you could configure under the vty lines:
I do not know the authoritative answer about why it requires a domain name. My assumption is that they want a domain name because they want a complete and unique identification of the device. What I do know (from hard experience) is that without a domain name configured the key will not generate.
If you want to keep your telnet option then the config needs to have this:
transport input ssh telnet
if you only list ssh as the transport then it is the only one allowed. By listing both ssh and telnet then both are allowed.
Hi everyone, I would like to thank you in advance for any help you can provide a newcomer like myself!
Im studying the 100-105 book by Odom and am currently on the topic of Port security. I purchased a used 2960 and I'm trying to follow a...
While deploying a number of 18xx/2802/3802 model access points (APs), which run AP-COS as their operating platform. It can be observed on some occasions that while many of their access points were able to join the fabric WLC withou...
I am going to design and build an LAN network under a tunnel underground with long distance between the switches.
I will have 2 Catalyst switches and 8 Industrial IE3000, and they will be connected with fiber.
For now I am planning on use Layer-2 s...