Telnet? Really?

Geek1969Geek1969 Member Posts: 100 ■■□□□□□□□□
Simple question. Do you allow the use of telnet inside of your network for connecting to switches, routers, access points, firewalls, anything? Why or why not?
WIP:
ROUTE
«1

Comments

  • networker050184networker050184 Mod Posts: 11,962 Mod
    I've seen in done for years because people are too lazy to upgrade old devices with crypto, some of them no longer supported by the vendor, no one around to change old scripts to SSH, varied excuses for the problem. It's not always a perfect world out there!
    An expert is a man who has made all the mistakes which can be made.
  • HondabuffHondabuff Member Posts: 667 ■■■□□□□□□□
    Yes, And you control access with ACL's on the VTY's with our companies NAT address and mgt subnet.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • Vask3nVask3n Member Posts: 517
    The issue with telnet is that there are so many embedded devices like printers (Hp, Ricoh, Dell) which all ship with telnet open along with a myriad of other ports like http. Sometimes it's not a voluntary decision to have telnet enabled which is why you need to hunt down any boxes that might have it available and shut it off at the border.
    Working on MS-ISA at Western Governor's University
  • markulousmarkulous Member Posts: 2,394 ■■■■■■■■□□
    I don't see any reason to do so. I'm assuming you know the difference between the two, so why do you ask?
  • J_86J_86 Member Posts: 262 ■■□□□□□□□□
    I've seen telnet still used, more then I would like to. Even in a large enterprise. It was something they are working to stop, but it takes time.
  • HondabuffHondabuff Member Posts: 667 ■■■□□□□□□□
    When you first taking certs that's all you hear about is how Telnet is bad, don't use it. Then you get into a company and find out most of the gear doesn't support Telnet/Tacacs or Radius. Then you learn creative ways to allow telnet but restrict access on who can access it from what networks. We even goes as far as port redirects on our field equipment. We set the devices to say port 33023 to port forward to 23. I even go as far as setting the method lists on the routers to use local authentication but force the local user name but use the vty/console password if the ACS is down.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
    as people have said some time devices force you hand in that they don't support SSH, and i have seen plenty of companies that leave telnet enabled on the devices (locked down of course with ACL's) but require daily tasks to be carried out with SSH. With the idea (maybe misguided) that if SSH server fails on the device that telnet might still work at a pinch.

    If you have a direct hardwired cable form a server to a device and you are running telnet then you could argue that this is not insecure as you control every point of the link. with in a data center with out of band management you also have a situation where the management traffic is not accessible to would be attack and so telnet again might not be so much of a security risk.

    ITs all about knowing what the weaknesses of telent are any how you are mitigating against them. Now of course the most obvious and simplest way is to turn off telnet and running SSH. But as is always the case in IT there is no singe right or wrong way to do things. its all good and bad ways. and that is determined by having a real understanding of how the systems works and doing thorough risk analyses before putting solutions in to production.

    I have seen companies running telent across the internet unencrypted to branch sites, and at the other end of the scale investing £1000 in a fire wall to protect a single device running in the same server room as the management server. Both in my mind where foolish and showed people misunderstanding risks.

    The minimal config needed to get SSH running means there is not many cases where you can justify running telnet instead where it is available. I allow both on my devices, but should some one try to connect with telent I will be alerted, and will be asking the person using it why.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • SephStormSephStorm Member Posts: 1,731 ■■■■■■■□□□
    Yes, vendor issues. They eventually found some way to tunnel it or something.
  • Geek1969Geek1969 Member Posts: 100 ■■□□□□□□□□
    Thanks for the examples and details. I only ask to see if anyone would answer along the lines of it being easier to use the Windows telnet client than switching computers or downloading putty when on an end user computer. The answer that I got when I asked my new associates at a new job about Telnet being active. Telnet is only one of the questions that I have had for them. I have encountered multiple network devices Cisco and HP with both Telnet and SSH enabled as well as other configuration items neglected. No ACL's in place internally, only externally. I came from an environment that was much more secure. We are talking about an initiative to begin addressing some things. Thanks for the viewpoints.
    WIP:
    ROUTE
  • N2ITN2IT Inactive Imported Users Posts: 7,483 ■■■■■■■■■■
    I used telnet for years, no complaints.
  • SephStormSephStorm Member Posts: 1,731 ■■■■■■■□□□
    Yeah, it's not great from a security prospective, but realistically, if it is an issue, it's too late, you either have a malicious insider or an undetected compromise.

    FYI though, IMO you should never have admins going out and downloading something like putty, it should always be stored somewhere on the network easily accessible by those who need it. Last thing you need is someone downloading a tool from an unknown source that is trojaned,
  • colemiccolemic Member Posts: 1,569 ■■■■■■■□□□
    Agree w/ SephSttorm, however, much more difficult to control in an enterprise environment. Goes back to culture/awareness training for the fix.
    Working on: staying alive and staying employed
  • DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
    REMOVED UNNECESSARY QUOTED REPLY FROM PREVIOUS POST

    I disagree, in all the big companies I have worked using uncontrolled application for management was a disciplinary offence. Indeed in the banks management was out of band and carried out on controlled workstation that where locked down completely. There was a default set of tools you could install from a company controlled repository.

    Control of application is much easier in a medium / large company than small under resorced networks
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • colemiccolemic Member Posts: 1,569 ■■■■■■■□□□
    In my experience, being that restrictive is the exception, not the norm. And I work at a bank.
    Working on: staying alive and staying employed
  • DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
    REMOVED UNNECESSARY QUOTED REPLY FROM PREVIOUS POST

    you work in a bank and they let unrestricted application manage the IT? I would love to see that get a financial audit!! are we talking a bank branch network or the banks datacenters? Every bank/major company I have had as a client has used OOB management from devices that are either restricted from access the internet or often completely air gapped from it.

    System that have multi billion dollar transaction running though them every second you generally don't take chances. People shown the door for having an out of place MP3.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • PristonPriston Member Posts: 999 ■■■■□□□□□□
    I work in a lab environment, most engineers don't even turn SSH on (which really annoys me when I try to SSH and can't).

    I can also tell you cisco and cisco with consecutive numbers are very common passwords. Which brings up another point, I hate it when passwords don't alternate keystrokes between your left and right hand. If I have to type 5+ characters in a row with my left hand, someone decided on a horrible password.
    A.A.S. in Networking Technologies
    A+, Network+, CCNA
  • DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
    Priston wrote: »
    I work in a lab environment, most engineers don't even turn SSH on (which really annoys me when I try to SSH and can't).

    That would be me :), when I lab up the full solutions I put in all the credentials, but when playing with ideas I will only configure the minimum needed to see if some thing will work.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • JockVSJockJockVSJock Member Posts: 1,118
    Could be useful for basic troubleshooting if a session can be established with a remote device, however I wouldn't want to use it for anything else.

    AND, I would make sure that this is all that it is used for. Nothing else.

    Only use SSH for internal/external connections.
    ***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)

    "Its easier to deceive the masses then to convince the masses that they have been deceived."
    -unknown
  • snadamsnadam Member Posts: 2,234 ■■■■□□□□□□
    SSH for our production devices. Juniper makes it pretty easy to use SSH icon_cool.gif . I can think of only a handful of cisco devices (mainly VGs) that were using telnet "just because" at my place of employment. That changed quickly, however.
    **** ARE FOR CHUMPS! Don't be a chump! Validate your material with certguard.com search engine

    :study: Current 2015 Goals: JNCIP-SEC JNCIS-ENT CCNA-Security
  • colemiccolemic Member Posts: 1,569 ■■■■■■■□□□
    DevilWAH wrote: »
    you work in a bank and they let unrestricted application manage the IT?

    Yes. Didn't say it was a perfect environment. :) And it's a a decent-sized bank as well (5-7billion). We have three server admins, 3 network admins, one firewall guy, 4 desktop admins, and 2 VDI admins. A lot needs to change, but we aren't set up for success the way other comparable orgs are in terms of processes and policies.
    DevilWAH wrote: »
    I would love to see that get a financial audit!! are we talking a bank branch network or the banks datacenters?
    Datacenter mainly. Very little admin work done at 75-80 branches
    DevilWAH wrote: »
    Every bank/major company I have had as a client has used OOB management from devices that are either restricted from access the internet or often completely air gapped from it.

    I've never seen that in use, even in the military. Besides current job, I've dealt mainly with small community banks, and I assure you they do not do OOB mgmt.
    DevilWAH wrote: »
    System that have multi billion dollar transaction running though them every second you generally don't take chances. People shown the door for having an out of place MP3.
    Just because we don’t use OOB mgmt. doesn’t mean that there aren’t other precautions and layers that are in place… ;)
    Working on: staying alive and staying employed
  • bermovickbermovick Member Posts: 1,135 ■■■■□□□□□□
    DOD here. Closed network, but telnet system-wide.

    DEVICE#sh ver | i bootflash
    Sytem image file is "bootflash:cat4500e-ipbase-mz.122-53.SG2.bin"

    No k9 image. I've brought up the need for it for the past year but the GS's don't care. Admittedly only 2 are missing a k9 image so I should enforce ssh on the others, but I hate having it be inconsistent.
    Latest Completed: CISSP

    Current goal: Dunno
  • colemiccolemic Member Posts: 1,569 ■■■■■■■□□□
    and to clarify, no we do NOT use telnet. mainly putty.
    Working on: staying alive and staying employed
  • --chris----chris-- Member Posts: 1,518 ■■■■■□□□□□
    We (MSP) took over a client that is 90% telnet on switches and 10%SSH even though all devices can support SSH. We did everything just shy of demand the authorization to move everything to SSH, but due to the labor (minimal) costs they said no.

    icon_sad.gif
  • DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
    colemic wrote: »
    and to clarify, no we do NOT use telnet. mainly putty.

    how do you mean you don't use telnet you use putty?

    Telnet is a protocol
    putty is a client application that supports telent/ssh and other protocols?
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
  • xinyxiny Member Posts: 46 ■■□□□□□□□□
    Admins should be aware enough to download tools from credible sources. You wouldn't download HP Printer drives from a random website would you? Of course not.

    Am i saying all Admins are impervious to making bad decisions, heck no!

    I work for a bank as well and I took the "painful" approach to this and blocked all websites and only white listed what employees needed to use.
    Very painful, very angry employees, but the malware and potentially malicious software being downloaded dropped by roughly 98%.

    I also use Application Control to enhance this further when SSL Sites want to pull a fast one.
    I even block communication to all countries (beside the US) since by law US Bank information cannot leave the US (unless you do international business).

    I also use putty, but am I going to go and download putty from Pirates Bay? obviously not.
    "Hacking is like sex. You get in, you get out, and hope that you didn't leave something that can be traced back to you."
  • colemiccolemic Member Posts: 1,569 ■■■■■■■□□□
    That's what I meant, we use putty for SSH. Not sure but telnet is probably blocked.
    DevilWAH wrote: »
    how do you mean you don't use telnet you use putty?

    Telnet is a protocol
    putty is a client application that supports telent/ssh and other protocols?
    Working on: staying alive and staying employed
  • colemiccolemic Member Posts: 1,569 ■■■■■■■□□□
    xiny wrote: »
    Admins should be aware enough to download tools from credible sources. You wouldn't download HP Printer drives from a random website would you? Of course not.

    Am i saying all Admins are impervious to making bad decisions, heck no!

    I work for a bank as well and I took the "painful" approach to this and blocked all websites and only white listed what employees needed to use.
    Very painful, very angry employees, but the malware and potentially malicious software being downloaded dropped by roughly 98%.

    I also use Application Control to enhance this further when SSL Sites want to pull a fast one.
    I even block communication to all countries (beside the US) since by law US Bank information cannot leave the US (unless you do international business).

    I also use putty, but am I going to go and download putty from Pirates Bay? obviously not.

    You seriously whitelisted Internet sites? Kudos to you, sir! :)

    We use Ironport for that. Although our new CIO is probably going to change things up a bit, he's all about UX and right now it's pretty awful and painful for users, across the board.
    Working on: staying alive and staying employed
  • IristheangelIristheangel Mod Posts: 4,133 Mod
    DevilWAH wrote: »
    you work in a bank and they let unrestricted application manage the IT?

    System that have multi billion dollar transaction running though them every second you generally don't take chances. People shown the door for having an out of place MP3.

    Sadly, I've seen some pretty crazy stuff in large financial institutions such has still having PIX firewalls as their data center edge firewalls, no traffic analytics, no content filtering, no syslog, no alerts, etc. You can advise and try your best to bring a horse to water, but you can't force it to drink.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • gorebrushgorebrush Member Posts: 2,743 ■■■■■■■□□□
    Meh we've still got a few VPN3005 concentrators kicking about. And yeah we telnet into those too - but they are client owned devices, not our fault.
  • xinyxiny Member Posts: 46 ■■□□□□□□□□
    colemic wrote: »
    You seriously whitelisted Internet sites? Kudos to you, sir! :)

    We use Ironport for that. Although our new CIO is probably going to change things up a bit, he's all about UX and right now it's pretty awful and painful for users, across the board.

    Ya, users will hate you and maybe plot your demise, lol , but it dropped our annual malware intake to the point that i thought our Host AV was no longer working =P.
    "Hacking is like sex. You get in, you get out, and hope that you didn't leave something that can be traced back to you."
Sign In or Register to comment.