Telnet? Really?

Geek1969

Simple question. Do you allow the use of telnet inside of your network for connecting to switches, routers, access points, firewalls, anything? Why or why not?

networker050184

I've seen in done for years because people are too lazy to upgrade old devices with crypto, some of them no longer supported by the vendor, no one around to change old scripts to SSH, varied excuses for the problem. It's not always a perfect world out there!

Hondabuff

Yes, And you control access with ACL's on the VTY's with our companies NAT address and mgt subnet.

Vask3n

The issue with telnet is that there are so many embedded devices like printers (Hp, Ricoh, Dell) which all ship with telnet open along with a myriad of other ports like http. Sometimes it's not a voluntary decision to have telnet enabled which is why you need to hunt down any boxes that might have it available and shut it off at the border.

markulous

I don't see any reason to do so. I'm assuming you know the difference between the two, so why do you ask?

J_86

I've seen telnet still used, more then I would like to. Even in a large enterprise. It was something they are working to stop, but it takes time.

Hondabuff

When you first taking certs that's all you hear about is how Telnet is bad, don't use it. Then you get into a company and find out most of the gear doesn't support Telnet/Tacacs or Radius. Then you learn creative ways to allow telnet but restrict access on who can access it from what networks. We even goes as far as port redirects on our field equipment. We set the devices to say port 33023 to port forward to 23. I even go as far as setting the method lists on the routers to use local authentication but force the local user name but use the vty/console password if the ACS is down.

DevilWAH

as people have said some time devices force you hand in that they don't support SSH, and i have seen plenty of companies that leave telnet enabled on the devices (locked down of course with ACL's) but require daily tasks to be carried out with SSH. With the idea (maybe misguided) that if SSH server fails on the device that telnet might still work at a pinch.

If you have a direct hardwired cable form a server to a device and you are running telnet then you could argue that this is not insecure as you control every point of the link. with in a data center with out of band management you also have a situation where the management traffic is not accessible to would be attack and so telnet again might not be so much of a security risk.

ITs all about knowing what the weaknesses of telent are any how you are mitigating against them. Now of course the most obvious and simplest way is to turn off telnet and running SSH. But as is always the case in IT there is no singe right or wrong way to do things. its all good and bad ways. and that is determined by having a real understanding of how the systems works and doing thorough risk analyses before putting solutions in to production.

I have seen companies running telent across the internet unencrypted to branch sites, and at the other end of the scale investing £1000 in a fire wall to protect a single device running in the same server room as the management server. Both in my mind where foolish and showed people misunderstanding risks.

The minimal config needed to get SSH running means there is not many cases where you can justify running telnet instead where it is available. I allow both on my devices, but should some one try to connect with telent I will be alerted, and will be asking the person using it why.

SephStorm

Yes, vendor issues. They eventually found some way to tunnel it or something.

Geek1969

Thanks for the examples and details. I only ask to see if anyone would answer along the lines of it being easier to use the Windows telnet client than switching computers or downloading putty when on an end user computer. The answer that I got when I asked my new associates at a new job about Telnet being active. Telnet is only one of the questions that I have had for them. I have encountered multiple network devices Cisco and HP with both Telnet and SSH enabled as well as other configuration items neglected. No ACL's in place internally, only externally. I came from an environment that was much more secure. We are talking about an initiative to begin addressing some things. Thanks for the viewpoints.

N2IT

I used telnet for years, no complaints.

SephStorm

Yeah, it's not great from a security prospective, but realistically, if it is an issue, it's too late, you either have a malicious insider or an undetected compromise.

FYI though, IMO you should never have admins going out and downloading something like putty, it should always be stored somewhere on the network easily accessible by those who need it. Last thing you need is someone downloading a tool from an unknown source that is trojaned,

colemic

Agree w/ SephSttorm, however, much more difficult to control in an enterprise environment. Goes back to culture/awareness training for the fix.

DevilWAH

REMOVED UNNECESSARY QUOTED REPLY FROM PREVIOUS POST

I disagree, in all the big companies I have worked using uncontrolled application for management was a disciplinary offence. Indeed in the banks management was out of band and carried out on controlled workstation that where locked down completely. There was a default set of tools you could install from a company controlled repository.

Control of application is much easier in a medium / large company than small under resorced networks

colemic

In my experience, being that restrictive is the exception, not the norm. And I work at a bank.

DevilWAH

REMOVED UNNECESSARY QUOTED REPLY FROM PREVIOUS POST

you work in a bank and they let unrestricted application manage the IT? I would love to see that get a financial audit!! are we talking a bank branch network or the banks datacenters? Every bank/major company I have had as a client has used OOB management from devices that are either restricted from access the internet or often completely air gapped from it.

System that have multi billion dollar transaction running though them every second you generally don't take chances. People shown the door for having an out of place MP3.

Priston

I work in a lab environment, most engineers don't even turn SSH on (which really annoys me when I try to SSH and can't).

I can also tell you cisco and cisco with consecutive numbers are very common passwords. Which brings up another point, I hate it when passwords don't alternate keystrokes between your left and right hand. If I have to type 5+ characters in a row with my left hand, someone decided on a horrible password.

DevilWAH

Priston wrote: »

I work in a lab environment, most engineers don't even turn SSH on (which really annoys me when I try to SSH and can't).

That would be me , when I lab up the full solutions I put in all the credentials, but when playing with ideas I will only configure the minimum needed to see if some thing will work.

JockVSJock

Could be useful for basic troubleshooting if a session can be established with a remote device, however I wouldn't want to use it for anything else.

AND, I would make sure that this is all that it is used for. Nothing else.

Only use SSH for internal/external connections.

snadam

SSH for our production devices. Juniper makes it pretty easy to use SSH . I can think of only a handful of cisco devices (mainly VGs) that were using telnet "just because" at my place of employment. That changed quickly, however.

colemic

DevilWAH wrote: »

you work in a bank and they let unrestricted application manage the IT?

Yes. Didn't say it was a perfect environment. And it's a a decent-sized bank as well (5-7billion). We have three server admins, 3 network admins, one firewall guy, 4 desktop admins, and 2 VDI admins. A lot needs to change, but we aren't set up for success the way other comparable orgs are in terms of processes and policies.

DevilWAH wrote: »

I would love to see that get a financial audit!! are we talking a bank branch network or the banks datacenters?

Datacenter mainly. Very little admin work done at 75-80 branches

DevilWAH wrote: »

Every bank/major company I have had as a client has used OOB management from devices that are either restricted from access the internet or often completely air gapped from it.

I've never seen that in use, even in the military. Besides current job, I've dealt mainly with small community banks, and I assure you they do not do OOB mgmt.

DevilWAH wrote: »

System that have multi billion dollar transaction running though them every second you generally don't take chances. People shown the door for having an out of place MP3.

Just because we don’t use OOB mgmt. doesn’t mean that there aren’t other precautions and layers that are in place…

bermovick

DOD here. Closed network, but telnet system-wide.

DEVICE#sh ver | i bootflash
Sytem image file is "bootflash:cat4500e-ipbase-mz.122-53.SG2.bin"

No k9 image. I've brought up the need for it for the past year but the GS's don't care. Admittedly only 2 are missing a k9 image so I should enforce ssh on the others, but I hate having it be inconsistent.

colemic

and to clarify, no we do NOT use telnet. mainly putty.

--chris--

We (MSP) took over a client that is 90% telnet on switches and 10%SSH even though all devices can support SSH. We did everything just shy of demand the authorization to move everything to SSH, but due to the labor (minimal) costs they said no.

DevilWAH

colemic wrote: »

and to clarify, no we do NOT use telnet. mainly putty.

how do you mean you don't use telnet you use putty?

Telnet is a protocol
putty is a client application that supports telent/ssh and other protocols?

xiny

Admins should be aware enough to download tools from credible sources. You wouldn't download HP Printer drives from a random website would you? Of course not.

Am i saying all Admins are impervious to making bad decisions, heck no!

I work for a bank as well and I took the "painful" approach to this and blocked all websites and only white listed what employees needed to use.
Very painful, very angry employees, but the malware and potentially malicious software being downloaded dropped by roughly 98%.

I also use Application Control to enhance this further when SSL Sites want to pull a fast one.
I even block communication to all countries (beside the US) since by law US Bank information cannot leave the US (unless you do international business).

I also use putty, but am I going to go and download putty from Pirates Bay? obviously not.

colemic

That's what I meant, we use putty for SSH. Not sure but telnet is probably blocked.

DevilWAH wrote: »

how do you mean you don't use telnet you use putty?

Telnet is a protocol
putty is a client application that supports telent/ssh and other protocols?

colemic

xiny wrote: »

Admins should be aware enough to download tools from credible sources. You wouldn't download HP Printer drives from a random website would you? Of course not.

Am i saying all Admins are impervious to making bad decisions, heck no!

I work for a bank as well and I took the "painful" approach to this and blocked all websites and only white listed what employees needed to use.
Very painful, very angry employees, but the malware and potentially malicious software being downloaded dropped by roughly 98%.

I also use Application Control to enhance this further when SSL Sites want to pull a fast one.
I even block communication to all countries (beside the US) since by law US Bank information cannot leave the US (unless you do international business).

I also use putty, but am I going to go and download putty from Pirates Bay? obviously not.

You seriously whitelisted Internet sites? Kudos to you, sir!

We use Ironport for that. Although our new CIO is probably going to change things up a bit, he's all about UX and right now it's pretty awful and painful for users, across the board.

Iristheangel

DevilWAH wrote: »

you work in a bank and they let unrestricted application manage the IT?

System that have multi billion dollar transaction running though them every second you generally don't take chances. People shown the door for having an out of place MP3.

Sadly, I've seen some pretty crazy stuff in large financial institutions such has still having PIX firewalls as their data center edge firewalls, no traffic analytics, no content filtering, no syslog, no alerts, etc. You can advise and try your best to bring a horse to water, but you can't force it to drink.

gorebrush

Meh we've still got a few VPN3005 concentrators kicking about. And yeah we telnet into those too - but they are client owned devices, not our fault.

xiny

colemic wrote: »

You seriously whitelisted Internet sites? Kudos to you, sir!

We use Ironport for that. Although our new CIO is probably going to change things up a bit, he's all about UX and right now it's pretty awful and painful for users, across the board.

Ya, users will hate you and maybe plot your demise, lol , but it dropped our annual malware intake to the point that i thought our Host AV was no longer working =P.