Now, as demonstrated in a separate video, Telnet sends traffic in clear text, and passwords and data can easily be captured on the wire, so it's better to use SSH.

So as an example, I'll capture the traffic between router 1 and router 2, and for comparison, I'll telnet to router 2 from router 1 and log in with my username and password. In Wireshark I can simply filter for telnet, and in the output I'll be able to capture the password, which is C I S C O, in other words, Cisco. But more than that, if the user typed a command such as show run and looked at the running-config of the router, or did any kind of configuration, all of that is sent in clear text, so a hacker could simply search for the data.

So there, as an example, is the prompt of the router after login, and searching through the data we can see show run, and here's the current config of the router, so we are able to view the full configuration of the router. As an example, there's an IP address on an interface; scrolling down, more configuration. If there were passwords on the console or other ports, we'd be able to see those passwords. So, as an example, here is the password on the VTY line.
I could also simply look at the TCP session, and the full configuration of the router is simply displayed through Wireshark. So it's not a great way to manage devices when someone sniffing the network can capture the traffic. This is more of a problem when you're using a public network such as the Internet than your local network, but it's important to be aware that Telnet sends traffic in clear text.

So we want to enable Secure Shell, or SSH, and to do that we firstly have to specify a hostname. It cannot be the default of Switch or Router. The name was R2, but I've reset it just for completeness to show you the command. So you have to set a hostname, and then you have to specify a domain name, which is required for the generation of keys, so specify some kind of domain name. I'll use cisco.com. You have to have a username. Now, I have already configured a username of David and a password, but I'll just do that again for completeness, and then we have to generate keys. So crypto key generate rsa, specify modulus, and then specify the size. That should have been 1024, so let me do that again. The larger the size of the key, the more secure the transmission of data. So the modulus sizes are from 360 to 2048, and once again I specified 1024.
The router will then generate what are called private and public keys. So as you can see here, the keys are going to be replaced because I'm regenerating them. A private key means a key that you don't share; it's private to yourself. A public key is derived from a private key, and that's what you share with everyone else in secure communications. So if you want to send something to me that no one else can read, you would encrypt it with my public key, which means that only my private key can decrypt it. If I want to send something to you that only you can read, I would encrypt it with your public key, and only your private key can decrypt it. A public key is derived from a private key. Something encrypted with a public key can only be decrypted by the relevant private key. So if you encrypt something with my public key, only my private key can decrypt it.

Now, on the VTY lines we can specify transport input and specify the protocol, and I'll specify telnet and ssh. For security reasons, you may only want to allow SSH rather than Telnet and SSH. Specify login local so that the local username and password database is used, and then specify a version of SSH. Version 2 is more secure than version 1. show ip ssh, where we can see that SSH is now enabled. show ssh: there are no connections at the moment.
Now I can still telnet to the router because we allowed telnet sessions, but if we did the following on line vty 0 4, transport input ssh, telnet sessions would no longer be allowed. So show run | begin vty: we're using login local, so this is not required. We are only allowing SSH sessions, and inactive sessions will time out after five minutes.

So ssh: we have a few options. I'm going to specify 10.1.1.2; notice no user is specified. We have to specify a user, so I'm going to say David and then the IP address of the router. Now I can log in. In Wireshark we're still capturing, so if we search for SSH now we can see SSH traffic. We can see the encryption used; in this case, it's AES with HMAC-SHA1. Don't worry too much about that at the moment; that's discussed in more detail in the VPN section. There are some key exchanges taking place. Diffie-Hellman keys are used here, so we can see all the negotiation between the two devices, but once that's taken place, we won't be able to see the data. Notice the data is encrypted. So as an example, I'll type show run. There is the full running-config; in Wireshark we can't see the data, we just see encrypted output here. So a hacker would not be able to view the data.
The hacker would only know that there's an SSH session from one device to the other. So in other words, in this example, 10.1.1.2 is SSHing to 10.1.1.2. The source port number is this; the destination port number is 22, in other words, SSH. Notice how that is different to a telnet session. In a telnet session, we can see all the data in clear text, so it's much better to use SSH, and it's better to restrict access to your devices to the use of SSH.

PuTTY is free software that you can download from the Internet, and it supports both Telnet and SSH, but uses SSH by default. So if you're on a Windows machine, download PuTTY; if you're using a Mac or a Linux machine, SSH is built into the operating system. If you're on a router or switch, you can simply use the SSH client on the Cisco device.

So let's SSH back from router 1 to router 2. Put in the password; I've logged in. show ip ssh: we can see that the version of SSH is version 2.1. Once again, show ssh, where we can see that a session has been started by username David, in connection, out connection, AES 128-bit encryption, and authentication is SHA1. SHA is a hashing algorithm similar to MD5; AES is an encryption algorithm similar to DES or Triple DES, but it's a lot better than those protocols.
No SSH version 1 server is running; only version 2 is running, and we have these connections to the router. When I log out, show ssh: we can see that no SSH connections are running. Once again, in Wireshark everything is encrypted. So we can see the encrypted packet, but we can't see any data that makes up that encrypted packet.
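The configuration steps the video walks through, collected into one IOS snippet as an added example (this is not the course's own configuration file). The hostname R2, domain name cisco.com and username David are taken from the video; the password placeholder, the 2048-bit modulus, and the exec-timeout line are assumptions. The first VTY block is the weak setting the video starts with (Telnet still accepted), the second is the SSH-only setting it ends on.

```cisco
! Added example, not the course's own config. Names follow the video;
! the password value, modulus size and exec-timeout are assumptions.
hostname R2
ip domain-name cisco.com
! 'secret' stores a hashed password rather than the plain 'password' form
username David secret CHANGE-ME-EXAMPLE
!
! Hostname and domain name must exist before the keys can be generated.
! The video used modulus 1024 and gave the range as 360 to 2048, noting
! that larger is more secure, so 2048 is chosen here.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Weak: Telnet is still allowed, so the login and any 'show run' output
! stay visible in a packet capture exactly as in the Wireshark demo.
line vty 0 4
 transport input telnet ssh
 login local
!
! Hardened: SSH only, local user database, idle sessions closed after
! five minutes (the timeout the video mentions; exec-timeout is assumed).
line vty 0 4
 transport input ssh
 login local
 exec-timeout 5 0
!
! Verification, as used in the video:
!   show ip ssh           -> SSH enabled and which version is running
!   show ssh              -> active sessions with cipher, MAC and username
!   show run | begin vty  -> confirms transport input is ssh only
```

Applying the second `line vty 0 4` block replaces the `transport input` of the first, so on a live device only the hardened block is needed; the weak one is shown for comparison. Once `transport input ssh` is in place, a Telnet attempt to the router is refused, and a capture of the management session shows only the key exchange and encrypted payload described in the video.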