Telnet is not encrypted but you can prevent the packets from being sent in clear text if your equipment supports the following:

SNMPv3 Authentication is based on the Username, MD5, or SHA. Encryption has two options: none or DES. This is the most secure of the possible models. It allows the security to be defined in the following places: SNMP-Server Host, SNMP-Server Groups and SNMP-Server Users.

SNMP-Server Host

It allows three levels of authentication: {noauth | auth | priv}
  * Noauth - Specifies no authentication of a packet
  * Auth - Specifies authentication of a packet without encrypting it
  * Priv - Specifies authentication of a packet with encryption by scrambling it

Command - snmp-server host (ip address of snmp server) version 3 priv (community name)

SNMP-Server Groups

It allows three levels of authentication: {noauth | auth | priv}
  * Noauth - Specifies no authentication of a packet
  * Auth - Specifies authentication of a packet without encrypting it
  * Priv - Specifies authentication of a packet with encryption by scrambling it

It allows two levels of view: {read | write}
  * Read - A string (up to 64 characters) that allows you to view the contents of the agent only
  * Write - A string (up to 64 characters) that allows you to write the contents of the agent

It allows access control lists to permit or deny availability.

Command - snmp-server group (group name) v3 priv read (read name) access (access-list)
And
Command - snmp-server group (group name) v3 priv write (write name) access (access-list)

SNMP-Server User

It allows two levels of authentication: {auth | Priv}
  * Encrypted - Specifies whether a password appears in encrypted format
  * Auth - Initiates an authentication level setting session
      o MD5 - The HMAC-MD5-96 authentication level
      o SHA - The HMAC-SHA-96 authentication level
  * Priv - The option that initiates a privacy authentication level setting session
      o Des56 - The CBC-DES privacy authentication algorithm

It allows access control lists to permit or deny availability.

Command - snmp-server user (user name) (group name) encrypted auth sha (password) priv des56 (password) access (access-list)

-----Original Message-----
From: Mark Maher [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 2:35 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Telnet Security Question for a Router.

Most of the Cisco routers support SSH, especially if you are running an IOS image that supports IPSec. What we did until all of our routers supported SSH, was set up a secure SSH server in our internal network (trusted part of the network). Then, for access from the Internet, we SSH to the server and then telnet from there to the router. This way, the connection to our network was encrypted, and only the part between the SSH server and router was unencrypted. Of course, this doesn't protect us from the inside (internal network), but does prevent sniffing and hijacking from the Internet (outside).

Hope it helps.

Mark Maher
Ochsner Clinic Foundation

>>> "Tony Toni" <[EMAIL PROTECTED]> 12/10/02 08:45PM >>>

We were currently written up by our external auditors because we use telnet to access all of our routers. In some cases we use a filtered Telnet service...but that is not the normal practice. We are a fairly good size company with about 1000+ routers. I am charged with coordinating a response to the auditors. I know all of the security issues involved with Telnet...i.e. login id and password sent across the network in clear text, etc.

My question: Is it possible to use SSH or CISCO TACACS+ to encrypt the entire Telnet session? Is there a way to ensure no one can sniff the login id and password? The Network Services Group is adamant that neither SSH nor CISCO TACACS+ will work on a router to correct the security issue.

Tony
CIA,CISA,CDP,MBA
Security and Audit Services
Nations Banking & Trust

PS: I have been playing phone tag with the auditor that wrote us up...to see what they recommend...have not reached him yet.
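
Added example, not part of any message in this thread: a small Python audit that reads snmp-server host, group and user lines in the command forms quoted in the first reply and reports every entry weaker than priv or lacking an access list. The sample configuration, names, addresses and passwords are constructed, and the v3 keyword on the user lines is an assumption taken from Cisco IOS syntax (the thread's user command omits it; the check works either way).

```python
LEVELS = ("noauth", "auth", "priv")
KINDS = ("host", "group", "user")

def check_line(tokens):
    """Return the issues found in one tokenized snmp-server line."""
    kind, rest = tokens[1], tokens[3:]
    issues = []
    if kind == "user":
        # User form: auth {md5|sha} <password> [priv des56 <password>]
        if "auth" not in rest:
            issues.append("no authentication configured")
        elif "priv" not in rest:
            issues.append("authenticated but not encrypted")
    else:
        # Host lines say "version 3 <level>", group lines say "v3 <level>".
        marker = "3" if kind == "host" else "v3"
        after = rest[rest.index(marker) + 1:] if marker in rest else []
        level = after[0] if after and after[0] in LEVELS else None
        if level is None:
            issues.append("no SNMPv3 security level found")
        elif level != "priv":
            issues.append(f"level {level}: packets are not encrypted")
    if kind in ("group", "user") and "access" not in rest:
        issues.append("no access list restricts this entry")
    return issues

def audit(config_text):
    """Return (line number, kind, name, issue) for each weak entry."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "snmp-server" or tokens[1] not in KINDS:
            continue
        for issue in check_line(tokens):
            findings.append((lineno, tokens[1], tokens[2], issue))
    return findings

# Constructed sample config (names, addresses and passwords are made up;
# the "v3" keyword on user lines is assumed from Cisco IOS syntax).
SAMPLE = """\
snmp-server group NETOPS v3 priv read ROVIEW access 10
snmp-server group LEGACY v3 auth read ROVIEW
snmp-server user alice NETOPS v3 auth sha AuthPass1 priv des56 PrivPass1 access 10
snmp-server user bob LEGACY v3 auth md5 AuthPass2
snmp-server host 192.0.2.10 version 3 priv alice
snmp-server host 192.0.2.11 version 3 noauth bob
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Run against a saved running-config, it lists the line number of each entry that would still send SNMP data unencrypted or accept it from any source address.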