Remote Access, Management Paths, and Secure Admin Habits
Key Takeaways
- Use encrypted management protocols — SSH on TCP 22 and HTTPS on TCP 443 — and retire Telnet (TCP 23) and HTTP for device administration.
- Out-of-band management provides a separate recovery path (console server, dedicated management interface, LTE gateway) that works when the production network is down.
- AAA separates authentication, authorization, and accounting; RADIUS uses UDP and encrypts only the password, while TACACS+ uses TCP 49 and encrypts the entire payload.
- A jump host or bastion plus a management VLAN limits who can reach device management planes and from where.
- Secure admin habits include named accounts, MFA, least privilege, source-IP restrictions, session logging, and change tickets.
Remote Access, Management Paths, and Secure Administration
Management access is the most privileged path into a network, and Network+ objective 3.5 expects you to choose secure methods over convenient insecure ones. A compromised management plane equals a compromised network, so the testable theme is: limit who can manage devices, from where, with what protocol, and with what evidence.
Management methods and their ports
| Method | Use | Secure choice (port) | Replaces |
|---|---|---|---|
| SSH | Encrypted CLI to devices/servers | SSH on TCP 22 | Telnet (TCP 23) |
| Web GUI | Browser management of firewalls/controllers | HTTPS on TCP 443 | HTTP (TCP 80) |
| VPN | Remote admin reaches internal mgmt network | IPsec or TLS VPN + MFA | Direct internet exposure |
| REST API | Automation and integration | HTTPS + scoped token | Unauthenticated API |
| Console | Direct serial/virtual console | Local cable or console server | — |
| Cloud controller | Vendor-hosted management plane | MFA + RBAC + audit logs | — |
The core exam reflex: always pick SSH over Telnet and HTTPS over HTTP. Telnet and HTTP send credentials and session data in cleartext that any sniffer on a SPAN port can read.
In-band versus out-of-band management
In-band management rides the production network — cheap and easy, but it fails exactly when you need it most, during a routing, switching, or firewall outage. Out-of-band (OOB) management uses a separate path: a console server (terminal server), a dedicated management switch and VLAN, a cellular LTE/5G gateway, or a device's dedicated management interface. OOB is the recovery path when the data plane is broken.
| Path | Advantage | Limitation |
|---|---|---|
| In-band | Lower cost, convenient | Unavailable during a network outage |
| Out-of-band | Recovery access when production fails | Added cost and controls to manage |
AAA: RADIUS versus TACACS+
AAA separates authentication (who you are), authorization (what you may do), and accounting (what you did). The exam often contrasts the two AAA protocols:
| Feature | RADIUS | TACACS+ |
|---|---|---|
| Transport | UDP 1812/1813 (auth/acct) | TCP 49 |
| Encryption | Encrypts password only | Encrypts the entire payload |
| AAA separation | Combines authn + authz | Separates all three (granular command authz) |
| Typical use | Network access (802.1X, VPN, Wi-Fi) | Device administration (per-command control) |
TACACS+ is favored for administering network devices because it can authorize individual commands and encrypts the whole session; RADIUS dominates user network access.
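As an added example (not part of the study page), the two hiding schemes the table contrasts, written in Python from RFC 2865 and RFC 8907: RADIUS obscures only the User-Password attribute with an MD5 chain seeded by the shared secret and the Request Authenticator, while TACACS+ XORs the entire packet body with an MD5 pseudo-pad derived from the key and header fields. The secrets, session id and sample bytes below are constructed values.

```python
import hashlib
import struct

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    Only this one attribute is obscured; User-Name, NAS-IP-Address and the rest
    of the Access-Request travel in cleartext, and the 16-byte random Request
    Authenticator is itself sent in the clear. This is MD5-based obfuscation,
    which the RFC calls "hiding" rather than encryption.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)     # pad to 16-octet blocks
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()          # b_n = MD5(S + c_{n-1})
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += prev                                       # c_n = p_n XOR b_n
    return hidden

def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]                              # chain on the ciphertext block
    return out.rstrip(b"\x00")                               # drop the NUL padding

def tacacs_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """RFC 8907 section 4.5 body obfuscation.

    The whole body (username, command text, attributes) is XORed with a pad of
    chained MD5 digests; only the 12-byte header stays in the clear. XOR is its
    own inverse, so applying this function twice restores the body.
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()           # MD5_n = MD5(prefix + MD5_{n-1})
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))
```

Because the TACACS+ pad depends on the sequence number, a replayed or reordered body decodes to garbage, which the RADIUS scheme (keyed only by the authenticator) does not give you.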
Segmentation and secure habits
Management interfaces should never be reachable from every user VLAN or from the public internet. Controls include a management VLAN, a jump host (bastion), ACLs and firewall rules, a VPN requirement, privileged access management (PAM), and centralized AAA. Layer on these habits:
- Named accounts, never a shared admin login, for accountability.
- Multifactor authentication (MFA) to blunt stolen passwords.
- Least privilege to limit blast radius.
- Source-IP / jump-host restrictions to shrink the attack surface.
- Session and command logging for investigation.
- Change tickets tying actions to approved work.
- API tokens that are scoped, owned, rotated, and stored in a secrets manager.
Practical scenario
An engineer must patch a branch router after hours. The secure flow: connect to the VPN with MFA, reach the router through a management subnet via a jump host, log in with a named account backed by TACACS+, perform the approved change recorded in the ticket, and validate service. If the WAN route fails mid-change, out-of-band console access via the console server provides recovery.
Why a jump host changes the attack surface
A jump host (also called a bastion or jump box) is a single hardened system that administrators must connect to first, and only from it can they reach the management plane of routers, switches, and firewalls. This collapses dozens of potential entry points into one heavily monitored chokepoint: the jump host enforces MFA, records full session logs, runs current patches, and is the only source IP permitted by device access control lists. If an administrator workstation is compromised, the attacker still cannot reach device management directly because the devices reject any source other than the jump host.
Pairing the jump host with a dedicated management VLAN means management traffic never mixes with user data, so a foothold on a user subnet does not expose the control plane.
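An added example, not from the original page: a small Python audit that applies the jump-host, management-VLAN, secure-protocol, named-account and MFA rules described above to constructed connection records and reports every violation. The subnet 10.10.0.0/24, the jump host 10.20.0.10, the account names and the key=value record format are assumptions, not values from the page.

```python
import ipaddress
import re

# Hypothetical policy values (assumed, not from the page).
MGMT_SUBNET = ipaddress.ip_network("10.10.0.0/24")   # management VLAN
JUMP_HOSTS = {ipaddress.ip_address("10.20.0.10")}   # the only permitted admin source
SECURE_PORTS = {22: "SSH", 443: "HTTPS"}
CLEARTEXT_PORTS = {23: "Telnet", 80: "HTTP"}
SHARED_ACCOUNTS = {"admin", "root", "cisco"}         # generic logins with no owner

# Constructed sample records (not real logs): one connection attempt per line.
SAMPLE_RECORDS = """\
src=10.20.0.10 dst=10.10.0.1 dport=22 user=jsmith mfa=yes
src=10.30.5.77 dst=10.10.0.1 dport=23 user=admin mfa=no
src=10.20.0.10 dst=10.10.0.2 dport=443 user=jsmith mfa=no
src=203.0.113.9 dst=10.10.0.3 dport=443 user=vendor-api mfa=yes
src=10.20.0.10 dst=10.10.0.4 dport=80 user=mlee mfa=yes
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_record(line: str) -> dict:
    return dict(FIELD_RE.findall(line))

def audit_record(rec: dict) -> list:
    """Return the policy findings for one record; an empty list means compliant."""
    findings = []
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    port = int(rec["dport"])
    if dst not in MGMT_SUBNET:
        return findings                       # not management-plane traffic
    if src not in JUMP_HOSTS:
        findings.append(f"source {src} is not the jump host")
    if port in CLEARTEXT_PORTS:
        findings.append(f"cleartext protocol {CLEARTEXT_PORTS[port]} on port {port}")
    elif port not in SECURE_PORTS:
        findings.append(f"unexpected management port {port}")
    if rec["user"].lower() in SHARED_ACCOUNTS:
        findings.append(f"shared account '{rec['user']}' used")
    if rec.get("mfa") != "yes":
        findings.append("session not backed by MFA")
    return findings

def audit_log(text: str) -> dict:
    """Map each record line to its findings, so compliant and violating lines are both visible."""
    return {ln: audit_record(parse_record(ln)) for ln in text.splitlines() if ln.strip()}

if __name__ == "__main__":
    for line, findings in audit_log(SAMPLE_RECORDS).items():
        print("OK " if not findings else "BAD", line, "; ".join(findings))
```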
Protecting API credentials and automation
As networks shift to controller and cloud management, REST APIs become a primary management path, and their tokens are as powerful as a CLI login. A leaked token in a script, a wiki page, or a public code repository can let an outsider reconfigure production. Sound practice gives every token a defined owner, a narrow scope limited to the actions automation truly needs, an expiration or rotation schedule, and storage in a secrets manager rather than plaintext.
Automation should run under a service account with least privilege and flow through the same change-control process as manual work, because an API call can take down production just as fast as a typed command — and faster, since it can hit many devices at once.
Common exam traps
- SSH and Telnet are not equivalent — Telnet is cleartext; SSH is encrypted.
- A long password does not make exposing a management GUI to the internet acceptable; restrict, MFA, patch, and log.
- RADIUS encrypts only the password, while TACACS+ encrypts the full payload and is preferred for device admin.
- APIs are management interfaces too and require change control and scoped credentials.
- A jump host plus a management VLAN shrinks the attack surface far more than a strong password alone.
A team must manage branch routers during a production routing outage that has cut the normal data path. Which option best provides access?
An organization wants per-command authorization and full-payload encryption for engineers administering network devices. Which AAA protocol best fits?
Which practices improve secure network administration? Choose two.
Which protocol pair represents the correct secure replacement for legacy device management?