Using Telnet, a TCP/IP protocol for accessing remote computers, to control your network devices is comparable to shouting your username and password when exiting a building. Pretty soon, someone will be listening, and they'll take advantage of your lack of security.

Secure Shell (SSH) is the industry standard replacement for Telnet and other remote console management applications. SSH commands are encrypted and secure in several ways.

When using SSH, a digital certificate authenticates the connection between the client (your workstation) and the server (your network device), and encryption protects passwords. SSH1 uses RSA encryption keys, and SSH2 uses Digital Signature Algorithm (DSA) keys to secure both the connection and authentication.

Encryption algorithms include Blowfish, Data Encryption Standard (DES), and 3DES. SSH protects against and helps prevent spoofing, "man-in-the-middle" attacks, and packet sniffing.

The first step to implementing SSH is to verify that your device supports SSH. Log on to your router or switch, and determine if you have an IPSec IOS image loaded that supports SSH.

For our example, we'll use Cisco IOS commands. Run the following command: 

Router> Show flash

This command displays the name of the loaded IOS image. You can compare the result with your vendors' list of supported features.

After you've verified that your device supports SSH, ensure that the device has a hostname and a properly configured host domain, as shown below: 

Router> config terminal
Router (config)# hostname hostname <the name of the router>
Router (config)# ip domain-name domainname <a domain that the router services>

At this point, you're ready to enable the SSH server on the router. To enable the SSH server, you must first generate an RSA key pair using the following command: 

Router (config)# crypto key generate rsa

Generating an RSA key pair for the router automatically enables SSH. If you delete the RSA key pair, this automatically disables the SSH server.

The last step to implementing SSH is to enable Authentication, Authorization, and Accounting (AAA). When you configure AAA, specify usernames and passwords, the session timeout, and the number of retries allowed during a connection attempt. Use the global commands, as shown below: 

Router (config)# aaa new-model
Router (config)# username <username> password <password>
Router (config)# ip ssh time-out <seconds>
Router (config)# ip ssh authentication-retries <integer>

To verify that you've configured SSH and it's running on the router, execute the following command: 

Router# show ip ssh

After verifying the configuration, you're ready to force the users that you added during the AAA configuration to use SSH instead of Telnet. You can do so by requiring SSH for virtual terminal (vty) connections. Here's an example: 

Router (config)# line vty 0 4 Router (config-line)# transport input SSH

Before you kill the current Telnet session, you need an SSH terminal client program to test your configuration. I highly recommend PuTTY; it's free, and it's an excellent terminal emulator.

Final thoughts

After you've enabled SSH on your routers and switches, make sure you modify any existing access control lists to allow the connections to these devices. You can now report to your superiors that you've plugged a huge security hole: All network management sessions are now encrypted and secure.

Miss a column?

Check out the Security Solutions Archive, and catch up on the most recent editions of Mike Mullins' column.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.