Infosec rants. Your 'Daily Source' for Infosec Tips and Tricks (tm). Warning: Bad humour and unintended puns may follow.

Tuesday, March 07, 2006

Why replace telnet with SSH?

I still get asked this one from time to time, so here it is in writing for future reference.

Essentially you might as well ask why you should replace any unencrypted protocol with an encrypted one. A detailed risk or cost benefit analysis is probably unnecessary when you consider this question:

Do you trust the people you allow onto your network?

If the answer is no, and it really should be, then you should consider replacing any unencrypted authentication (HTTP Digest, FTP, Telnet) to your companies assets with more secure methods (HTTPS, SSH, SFTP).

If you can’t be convinced to distrust your staff, then I hope you have implemented Port Based Network Access Control (802.1x) or have really clever guard dogs at a minimum, because with the following freely available tool, anyone who manages to connect to your network will basically own it.

At it's heart Cain is an extremely comprehensive, yet easy to use, set of password cracking tools combined with a network sniffer. The latest feature to be introduced is truly frightening. Automated ARP cache poisoning. For those of you who don't understand the significance of this you should read the following article:

Quite simply it gets around one of the supposed security benefits of switched networks. The inability to sniff traffic destined for ports other than the one you are connected to.

If you enjoyed this post Bookmark it at

No comments:

Socialise This