There isn't really an official "secure Telnet," per se; SSH was, in fact, developed to overcome
the security vulnerabilities in Telnet and can be considered an official "secure Telnet" protocol.
Implementations of Telnet exist that utilize SSL/TLS to encrypt the data channel (or some other
cryptographic means of encrypting data), but these implementations aren't widespread or
generally supported by a broad range of network devices.
Search Google for "secure telnet" and you'll get several thousand hits; most of what you'll see,
however, are pages referring to SSH by the name "secure Telnet." The two protocols share a similar
purpose and work in much the same way, but SSH provides encryption and authentication. SSH was
built from the foundation established by Telnet, so it's fair enough to call it "secure Telnet." In fact,
several RFCs refer to it by that name, although there's a lively debate among purists to call it SSH
You'll also find references to a Cisco offering named "secure Telnet," which is, in fact, a gateway
service that provides Cisco support engineers with secure access to Cisco CallManager products
inside your network. It isn't really a generic "secure Telnet" that you can deploy for your own use.
Telnet Use in Network Configuration Management
Telnet is a part of daily life for most network administrators--most of whom should be using
SSH, as I'll discuss next--and can be a big part of network configuration management.
Configuration management solutions can use Telnet to log on to network devices, request a
configuration dump via TFTP (or upload a new configuration via TFTP), and much more. These
tasks can be performed equally well with SSH in most cases.
Simply put, there is no such thing as secure Telnet, unless you're referring to SSH, which I've
discussed already. The complete lack of any security in the basic Telnet protocol is reason
enough not to use it unless you have absolutely no choice. Although you might believe that your
network is secure and safe behind a firewall and a bevy of virus scanners, there is always the
possibility that someone will gain access to your network despite those measures.
Take the Nimda worm as an example: When it first arrived on the scene, it infected thousands of
computers before antivirus vendors realized it even existed and created a definition for it so that
their products would start catching it. It was probably weeks later before everyone installed that
definition. Had Nimda contained a clever enough "backdoor" capability, plenty of supposedly
secure networks would have been opened to the worm's creators. The fact that backdoor viruses
haven't become common (until recently, with MyDoom) is due more to luck than any actual
The point is that Telnet is an incredibly unsafe way to transmit device administration
credentials, including passwords, across your network. It's an insecure way to pass any kind of
configuration data, and you should try not to use it. Most network devices support SSH as a more
secure alternative, and most network configuration management solutions are just as capable of
using SSH as they are Telnet to access your devices.
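
One way to find the devices that still accept Telnet logins is to audit the configuration dumps your configuration management solution already collects. The following is an added example, not code from the original text; it assumes Cisco IOS-style "line vty" / "transport input" syntax, and the sample configuration, hostname, and function name are constructed for illustration.

```python
import re

# Constructed sample of an IOS-style configuration dump (not from the original text).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
line vty 16 31
 login local
!
end
"""

def audit_vty_transport(config_text):
    """Return [(vty_range, verdict)] for every 'line vty' block in a config dump."""
    blocks = []      # each entry: [vty range, set of protocols or None]
    in_vty = False
    for raw in config_text.splitlines():
        if raw and not raw[0].isspace():
            # An unindented line starts a new top-level section.
            m = re.match(r"line vty (\d+(?: \d+)?)\s*$", raw)
            in_vty = m is not None
            if in_vty:
                blocks.append([m.group(1), None])
        elif in_vty:
            m = re.match(r"\s+transport input (.+)$", raw)
            if m:
                blocks[-1][1] = set(m.group(1).split())
    findings = []
    for vty_range, protocols in blocks:
        if protocols is None:
            # Assumption: with no explicit setting the default depends on the
            # software release, so flag the block for manual review.
            verdict = "review-default"
        elif protocols & {"telnet", "all"}:
            verdict = "telnet-allowed"   # credentials can cross the wire in cleartext
        elif protocols == {"none"}:
            verdict = "disabled"
        elif protocols == {"ssh"}:
            verdict = "ssh-only"
        else:
            verdict = "review-other"
        findings.append((vty_range, verdict))
    return findings
```

Running audit_vty_transport over each stored configuration gives a per-device list of terminal lines that still need to be moved to SSH.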