September 2013 Page 2
Given the widespread use of Telnet and its stated limitations/concerns, the industry responded through
the development of security enhancements, such as Transport Layer Security (TLS) and Simple
Authentication and Security Layer (SASL). However, these enhancements are not supported by all
Telnet applications and require both the server and the client to be using compatible versions of Telnet.
Therefore, the standard SSH network protocol, developed in 1995, is favored over Telnet as it provides
much of the same functionality plus compatibility while being significantly more secure.
As of this writing, there are two commonly used SSH protocols. As often happens, the initial protocol,
SSH1, has been shown to contain security vulnerabilities that its successor, SSH2, does not. Therefore,
adopters of SSH1 are encouraged to transition to using SSH2. SSH2 is a cryptographic network protocol
that includes strong encryption of all data transmitted, including authentication (such as passwords) and
configuration information. SSH2 also uses public key authentication to authenticate the identity of the
remote device, if necessary. Using SSH2 instead of Telnet greatly reduces the security risk of remote
device access and administration. In addition, explicitly disabling fallback to SSH1 eliminates unexpected
use of the older and less secure SSH1 protocol.
Considering making the transition to SSH2? Even once the concerns with Telnet are understood, its ease of use
and ubiquity mean it often remains present. Whether used intentionally or simply not disabled (just in case it
is needed), well known Telnet vulnerabilities may provide an attacker ingress to the network. So, to get started
with SSH2, you will need to:
Disable Telnet as part of your standard hardening activities.
Close Telnet’s communication port 23 if there are no appliances or applications, for example older printers or legacy applications, that still use Telnet. Consider upgrading any appliances or applications that require Telnet.
Acquire a Digital Certificate by contacting AOml_SSL_Cert_Ad[email protected]ov. The AO has a bulk purchasing agreement for Verisign certificates that reduces the cost and time for acquisition.
Install OpenSSL and any packages and libraries required for your environment. Most installs will require restarting the Operating System and hence need to be scheduled during a maintenance window or otherwise planned.
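The following shell script is an added example, not part of the bulletin, that audits a host for the two checks the steps above and the earlier note on SSH1 fallback call for: whether the OpenSSH daemon is explicitly restricted to protocol 2, whether Telnet is still enabled in an inetd.conf-style file, and whether anything is listening on TCP port 23. The function names, the demo directory and all sample file contents are constructed for the demonstration; on a real host you would point the functions at /etc/ssh/sshd_config, /etc/inetd.conf and a saved "ss -ltn" or "netstat -ltn" listing.

```sh
#!/bin/sh
# Added example, not from the bulletin: audit helpers for confirming Telnet
# is off and that sshd cannot fall back to SSH1. All paths and file contents
# below are constructed samples for the demo.

# True (exit 0) when the sshd_config restricts OpenSSH to protocol 2.
# sshd uses the FIRST occurrence of a keyword, so we read the first
# uncommented "Protocol" line; "2,1", "1,2" or "1" all permit SSH1.
# A missing directive is reported as not hardened, since some older
# builds defaulted to "2,1".
ssh1_fallback_disabled() {
    proto=$(grep -iE '^[[:space:]]*protocol[[:space:]]+' "$1" | head -n 1 | awk '{print $2}')
    [ "$proto" = "2" ]
}

# Copy an sshd_config to "$2" with the Protocol directive forced to "2"
# (appended if absent). The source file is left untouched for review.
force_protocol2() {
    if grep -qiE '^[[:space:]]*protocol[[:space:]]+' "$1"; then
        sed -E 's/^[[:space:]]*[Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll][[:space:]]+.*/Protocol 2/' "$1" > "$2"
    else
        { cat "$1"; echo "Protocol 2"; } > "$2"
    fi
}

# True when an inetd.conf-style file still has an uncommented telnet entry.
telnet_active_in_inetd() {
    grep -qiE '^[[:space:]]*telnet[[:space:]]+' "$1"
}

# True when a saved "ss -ltn" / "netstat -ltn" listing shows a TCP listener
# on port 23. ":23" must be followed by whitespace so ":2323" is not matched.
port23_listening() {
    grep 'LISTEN' "$1" | grep -qE ':23([[:space:]]|$)'
}

# Constructed sample inputs (hypothetical host state).
DEMO=$(mktemp -d)
cat > "$DEMO/sshd_config.weak" <<'EOF'
# constructed: SSH1 fallback still allowed
Port 22
Protocol 2,1
PermitRootLogin no
EOF
cat > "$DEMO/inetd.conf" <<'EOF'
# constructed: telnet still enabled, ftp already commented out
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#ftp    stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
EOF
cat > "$DEMO/ss.txt" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       0.0.0.0:23          0.0.0.0:*
LISTEN  0       128     [::]:2323           [::]:*
EOF
cat > "$DEMO/ss_clean.txt" <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:2323           [::]:*
EOF
force_protocol2 "$DEMO/sshd_config.weak" "$DEMO/sshd_config.hardened"

# Print one verdict per check; used when the script is run directly.
report() {
    if ssh1_fallback_disabled "$1"; then echo "$1: SSH2 only"; else echo "$1: SSH1 fallback possible"; fi
    if telnet_active_in_inetd "$2"; then echo "inetd: telnet ENABLED"; else echo "inetd: telnet disabled"; fi
    if port23_listening "$3"; then echo "port 23: LISTENING"; else echo "port 23: closed"; fi
}
report "$DEMO/sshd_config.weak" "$DEMO/inetd.conf" "$DEMO/ss.txt"
report "$DEMO/sshd_config.hardened" "$DEMO/inetd.conf" "$DEMO/ss_clean.txt"
```

The Protocol directive is the OpenSSH setting the bulletin's "explicitly disabling fallback to SSH1" refers to; it matters for the OpenSSH versions current when the bulletin was written, since OpenSSH 7.4 and later removed SSH1 support from the server entirely and ignore the directive. The port check reads a saved listing rather than probing the network, so it can be run against output collected from many hosts at once.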
FTP and SFTP
FTP was originally specified in 1971 and has been updated a number of times since. Similar to Telnet,
FTP was developed before the need for security that began in the 1990s and hence was not designed to
be a secure protocol. Consequently, it has many critical security weaknesses. FTP, by design, is an
unencrypted and insecure protocol for transferring files between networked computers. ITSO-SEB, along
with other security experts including the SANS Institute, discourages the use of FTP because the
SANS FAQ regarding Telnet including a list of Telnet exploits
RFC 114 FTP Specification
Many of these security weaknesses are enumerated in RFC 2577 and include Spoofing, Username Insecurity, Port Stealing, Packet Sniffing, Bounce Attacks and Brute Force Attacks.
SANS Institute InfoSec Reading Room – Securing FTP Authentication