Using Telnet, a TCP/IP protocol for accessing
remote computers, to control your network devices is comparable to
shouting your username and password when exiting a building. Pretty
soon, someone will be listening, and they’ll take advantage of your
lack of security.
Secure Shell (SSH) is the industry standard
replacement for Telnet and other remote console management
applications. SSH encrypts the entire session, including the login
exchange, and authenticates the device you are talking to before
you send a single keystroke.
When using SSH, the server (your network device) presents a host key
that the client (your workstation) checks against the fingerprint it
recorded on first contact; that host-key check, not a digital
certificate, is what authenticates the connection, and the encrypted
channel protects the passwords you type. SSH1 uses RSA host keys,
and SSH2 supports both RSA and DSA keys (Cisco IOS generates RSA
keys) to secure both the connection and authentication. SSH1 has
known protocol weaknesses, so configure your devices to accept SSH2
only.
Encryption algorithms include Blowfish, Data
Encryption Standard (DES), 3DES and, in current implementations,
AES; single DES is too weak for modern use and should not be
negotiated. SSH prevents packet sniffing outright, and it prevents
spoofing and "man-in-the-middle" attacks as long as the client
verifies the server's host key fingerprint rather than blindly
accepting a new or changed key.
The first step to implementing SSH is to verify
that your device supports SSH. Log on to your router or switch, and
determine whether it is running an IOS image with the cryptographic
(k9) feature set, which is what includes SSH.
For our example, we’ll use Cisco IOS commands.
Run the following command:
Router# show version
Router# show flash
The first command displays the name of the IOS image the device
booted from; the second lists the image files stored in flash. You
can compare the image name with your vendor's list of supported
features.
After you've verified that your device supports
SSH, ensure that the device has a hostname and a properly
configured domain name; both are needed because the RSA key pair is
named after them. From privileged mode, enter configuration mode and
set them as shown below:
Router> enable
Router# configure terminal
Router(config)# hostname <the name of the router>
Router(config)# ip domain-name <a domain that the router services>
At this point, you're ready to enable the SSH
server on the router. To enable the SSH server, you must first
generate an RSA key pair; use a modulus of at least 2048 bits, and
then restrict the server to SSH version 2:
Router(config)# crypto key generate rsa modulus 2048
Router(config)# ip ssh version 2
Generating an RSA key pair for the router
automatically enables SSH. If you delete the RSA key pair, this
automatically disables the SSH server.
The last step to implementing SSH is to enable
Authentication, Authorization, and Accounting (AAA). When you
configure AAA, tell it to authenticate logins against the local user
database, specify usernames and passwords (use the secret form,
which stores an MD5 hash instead of a reversible type 7 password),
the session timeout (1 to 120 seconds), and the number of retries
allowed during a connection attempt (0 to 5). Use the global
commands, as shown below:
Router(config)# aaa new-model
Router(config)# aaa authentication login default local
Router(config)# username <username> secret <password>
Router(config)# ip ssh time-out <seconds>
Router(config)# ip ssh authentication-retries <integer>
To verify that you’ve configured SSH and it’s
running on the router, execute the following command:
Router# show ip ssh
After verifying the configuration, you're ready
to force the users that you added during the AAA configuration to
use SSH instead of Telnet. You can do so by allowing only SSH on the
virtual terminal (vty) lines. If your platform has additional vty
lines (for example, 5 15), apply the same command to them, or
Telnet stays reachable there. Here's an example:
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
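The checks behind the steps above, as an added example that is not part of the original column: a small Python script that audits a saved `show running-config` for the settings this procedure sets (hostname and domain name, AAA, SSH version 2 only, secret-form passwords, and every vty line restricted to SSH), and additionally for an access-class on each vty line, which goes beyond the column's steps. Both configuration excerpts inside it are constructed for illustration, including the placeholder secret hash; it is not Cisco's tooling.

```python
"""Audit a Cisco IOS running-config excerpt for the SSH hardening steps.

Added example (not Cisco tooling): parse saved `show running-config` text
and flag anything that still leaves Telnet or SSHv1 reachable. The two
sample configurations below are constructed, not taken from a real device.
"""
import re

# Constructed "before" excerpt: factory hostname, type-7 user password, Telnet open.
WEAK_CONFIG = """\
hostname Router
!
username admin password 7 094F471A1A0A
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input all
!
end
"""

# Constructed "after" excerpt: the column's steps plus SSHv2-only and a vty access-class.
# The secret hash is a placeholder, not a real digest.
HARDENED_CONFIG = """\
hostname edge-rtr1
ip domain-name example.net
aaa new-model
aaa authentication login default local
username admin secret 5 $1$hypo$thetical.placeholder.hash
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
!
line vty 0 4
 access-class MGMT in
 transport input ssh
line vty 5 15
 access-class MGMT in
 transport input ssh
!
end
"""


def parse_vty_blocks(config):
    """Return {'line vty 0 4': [sub-commands], ...} from running-config text.

    IOS indents a line's sub-commands by one space; a block ends at the
    next non-indented line.
    """
    blocks = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_ssh_config(config):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    # Global (non-indented) commands, in order, with separators such as '!' kept harmlessly.
    top = [c.strip() for c in config.splitlines() if c and not c.startswith(" ")]

    hostname = next((c.split(None, 1)[1] for c in top if c.startswith("hostname ")), None)
    if hostname in (None, "Router", "Switch"):
        findings.append("hostname is missing or still the factory default")
    if not any(c.startswith("ip domain-name ") for c in top):
        findings.append("ip domain-name not set (required before 'crypto key generate rsa')")
    if "aaa new-model" not in top:
        findings.append("aaa new-model not enabled")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set; SSHv1 can still be negotiated")
    for cmd in top:
        m = re.match(r"username (\S+) password ", cmd)
        if m:
            findings.append(f"user {m.group(1)} uses 'password' (reversible type 7); use 'secret'")

    vty = parse_vty_blocks(config)
    if not vty:
        findings.append("no 'line vty' configuration found")
    for name, cmds in vty.items():
        transports = [c for c in cmds if c.startswith("transport input")]
        # The last 'transport input' wins; anything but exactly 'ssh' leaves Telnet reachable.
        if not transports or transports[-1] != "transport input ssh":
            findings.append(f"{name}: transport input is not restricted to ssh")
        if not any(c.startswith("access-class ") for c in cmds):
            findings.append(f"{name}: no access-class restricting management sources")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_ssh_config(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run it against the output of `show running-config` copied from your own device; any finding it prints is a line or global setting that still needs one of the commands above.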
Before you kill the current Telnet session, you
need an SSH terminal client program to test your configuration. I
highly recommend PuTTY;
it’s free, and it’s an excellent terminal emulator.
Final thoughts
After you've enabled SSH on your routers and
switches, make sure you modify any existing access control lists to
allow SSH (TCP port 22) to these devices, and drop the Telnet rules
that are no longer needed. You can now report to your superiors that
you've plugged a huge security hole: all network management sessions
are now encrypted, provided Telnet is disabled on every vty line and
your administrators verify host key fingerprints when they connect.
Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.