Does it Matter whether I use Telnet or SSH?

When we begin a career in industrial automation, we basically just dive in right where we have the opportunity. That can mean we start with the latest and greatest or legacy equipment as well as the practices that we follow.

The first Ethernet switches that I configured were from the age when you could buy a laptop with a serial port built in and the normal operating system was Windows XP, so I learned to configure with HyperTerminal software.

Image by Brandon Cooper

At some point, I started to learn to manage switches remotely with Windows PowerShell and PuTTY software using Telnet.

Telnet worked great for me and I didn’t know much about it, except that it worked and I could manage all of my network switches without leaving my desk.

However, as I’ve learned more about security, I learned that while it works great, it probably isn’t best practice.

Unfortunately, not everyone in the world is looking out for our best interests and the way we do things must be centered around the safest and most secure methods.

TELNET

Telnet is a client-server protocol that works with a virtual terminal connection emulator and allows you to communicate with and configure a remote device as if you were connected to it directly.

The problem is that Telnet is not secure: the data is unencrypted. Anyone who gets access to monitor a user’s connection can read the username, password and any other information, because it is all sent in plain text.

SSH

Secure Shell (SSH) is also a client-server protocol, but it provides a secure channel even over an unsecured network.

SSH uses public-key cryptography to authenticate the remote device or computer and allow it to authenticate the user.

Besides management of your network devices, it supports tunneling, forwarding TCP ports and X11 connections, as well as file transfer and secure copy protocols.

Setting up SSH on your Cisco or Allen-Bradley Stratix Switch

Set up password encryption, a username and password, and set the remote line connection to SSH only, as shown below.

Image by Brandon Cooper

Set the Domain Name and generate the crypto keys as shown below. You are now set up for SSH Login.

Image by Brandon Cooper 
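One way to confirm the settings above on an exported running-config (an added example, not from the original article). The two sample configs are constructed and use standard Cisco IOS command syntax, which is assumed to match the article's screenshots; generated RSA keys do not appear in a running-config, so that step is not checked.

```python
# Constructed sample running-config fragments (not taken from the article).
WEAK = """\
username user password 0 pwtest
line vty 0 4
 login
 transport input telnet ssh
line vty 5 15
 login
"""
HARDENED = """\
service password-encryption
ip domain-name plant.example
username user secret 5 $1$constructed$hash
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
"""


def audit(config: str) -> list[str]:
    """Return findings for the SSH-only settings described above."""
    findings = []
    lines = config.splitlines()
    top = [l.strip() for l in lines if l and not l.startswith(" ")]
    if "service password-encryption" not in top:
        findings.append("password encryption not enabled")
    if not any(l.startswith(("ip domain-name ", "ip domain name ")) for l in top):
        findings.append("domain name not set")
    if not any(l.startswith("username ") for l in top):
        findings.append("no local username defined")
    # Group each 'line vty' header with its indented sub-commands.
    blocks, current = {}, None
    for l in lines:
        if l.startswith("line vty"):
            current = l.strip()
            blocks[current] = []
        elif l.startswith(" ") and current:
            blocks[current].append(l.strip())
        else:
            current = None
    for name, body in blocks.items():
        allowed = [b.split()[2:] for b in body if b.startswith("transport input")]
        if not allowed:
            findings.append(f"{name}: transport input not set explicitly")
        elif allowed[0] != ["ssh"]:
            findings.append(f"{name}: allows {' '.join(allowed[0])}, not SSH only")
    return findings
```

Calling `audit(WEAK)` reports the missing password encryption and domain name plus one finding per VTY range, while `audit(HARDENED)` returns an empty list.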

Log In with SSH Using PuTTY

In a PuTTY session, enter the IP address of the device you are connecting to and select SSH as the connection type.

Image by Brandon Cooper

Log in with the username (here we used: user) and password (here we used: pwtest), and then you can begin your session with encrypted data.

You can see examples of the differences in data in Wireshark, but maybe that will be a topic for another time.

Image by Brandon Cooper

Conclusion

While an IT or OT environment should be behind a firewall and secure, every practice that we can implement to be more secure makes us better than we were before.

Making changes to a network device always comes with a risk, and using SSH is one way to minimize that risk. That is what makes it a best practice when performing device configuration.

Written by Brandon Cooper
Senior Controls Engineer and Freelance Writer
