7 Secure Protocol Missteps That Could Be Putting Your Network at Risk

At this point, almost no one in network engineering questions the importance of TLS and SSH. These protocols are the foundation of modern secure infrastructure for many devices.

But just because a device claims to support secure protocols doesn't mean it's actually configured securely.

In fact, I regularly see well-meaning engineers make critical mistakes when deploying TLS and SSH. These are simple missteps that open the exact vulnerabilities these protocols are supposed to prevent.

Let's take a close look at the 7 most common mistakes I see and how to avoid them with confidence.

Gear That "Supports TLS/SSH" Isn't Always Enough

It's easy to be lulled into a false sense of security. The datasheet says "TLS 1.2" and "SSH Supported," so everything must be good, right?

Unfortunately, that's just the starting point. What really matters is how these protocols are configured and used.

You can have the right tools - but use them the wrong way - and still leave the front door wide open. Fortunately, every mistake on this list is fixable.

Mistake #1: Using Outdated or Unsupported TLS Versions

TLS 1.0 and 1.1 are no longer secure. They've been deprecated by most browsers, flagged by government agencies, and excluded from compliance frameworks like NIST.

So why do I still see so many RTUs and routers shipping with these versions?

Some devices default to the lowest supported version for compatibility reasons. This can be risky since it puts your login sessions and configuration data at risk of interception.

As a best practice, deploy devices that only support TLS 1.2 or higher, with older versions disabled out of the box. That will make sure you're protected against known vulnerabilities and ciphers that attackers already know how to exploit.

Mistake #2: Still Relying on Telnet Instead of SSH

Let's be blunt: Telnet is obsolete. It sends all data - including your password - in plain text.

This means that anyone with access to the network can sniff those credentials. It's the digital equivalent of leaving your keys in the ignition - on a busy street.

Even worse, I've seen networks where Telnet was left enabled "just in case," or as a fallback method when SSH wasn't set up properly.

You don't want to make the same mistake - ever.

In order to fix this, you should

• Disable Telnet entirely on all RTUs and network devices
• Use SSH exclusively for CLI access
• Set up key-based authentication for enhanced protection

Finding the right gear eliminates that risk for you before the device even ships.

Mistake #3: Reusing Shared User Credentials

Shared logins like "admin/admin" might save time, but they're a nightmare for accountability and security.

This credential reuse becomes an issue when:

• A breach happens - you have no idea who did what
• You can't enforce least-privilege access
• You can't require per-user password rotation

If you've ever had to "chase down" who made a config change, you know how frustrating that is.

The fix is simple: Use unique login credentials for every technician.

Be sure to also combine that with role-based access control so users only get access to what they need.

Certain devices - like NetGuardian RTUs - allow you to create and manage user accounts with different permission levels right in the web interface. This means no external servers or tools required.

Mistake #4: Leaving Default Passwords Active

This mistake happens more often than you'd think - especially in rushed deployments.

Your team installs a new device and everyone's focused on testing alarms and getting SNMP connectivity up. Meanwhile, the login is still set to:

• admin / admin
• root / password
• tech / 1234

This can be incredibly dangerous since default passwords are published online and commonly repeated across many devices. Bots are actively scanning the internet looking for devices using these default credentials.

To avoid, or correct, this mistake:

• Change every default password before deploying a device
• Enforce a complex password policy (length, symbols, rotation)
• Avoid any shared credentials

DPS G6 devices support password policies that meet common compliance requirements.

Mistake #5: Using Unencrypted SNMP (v1 or v2c)

SNMPv1 and v2c are functionally obsolete in terms of self-contained security. They send all data - including sensitive alarm info - unencrypted. They also rely solely on a shared "community string," which is basically just a weak password.

Yet, I still see critical infrastructure running on v2c because "we already have a significant investment in this equipment"

Here's the danger:

• Your traps can be intercepted and read, including when you have a "secure network" that is somehow breached.
• Community strings can be guessed or leaked
• There's no authentication or integrity checking

To solve this, use SNMPv3 for all alarm reporting and remote configuration. It supports full encryption, message integrity, and source authentication.

Even better, if you have legacy devices that only support SNMPv1/v2c, use an SNMPv3 Proxy device that wraps those traps in a secure SNMPv3 envelope. That way, you get modern security without ripping out old gear.

The SNMPv3 Proxy is taking unsecure SNMPv1/v2 and sending it northbound as encrypted SNMPv3

Mistake #6: Not Validating TLS Certificates

Generally, you wouldn't use an expired ID badge to get into a secure facility. However, I've seen teams use expired, mismatched, or self-signed certificates for years - simply because nobody checked.

Failing to validate TLS certificates leaves your system open to:

• Man-in-the-middle attacks
• Spoofing and impersonation
• Browser errors that confuse field techs

What you should do is:

• Use a valid CA-signed certificate for each secure device (DPS can compile your certificate into a firmware build for you)
• Rotate certificates before they expire
• Avoid self-signed certs unless you've configured your trust chain properly

Mistake #7: Assuming Compliance Equals Security

It's easy to think, "We're NIST-compliant, so we're covered." But the truth is compliance is just the starting point - not the ultimate goal.

Standards like NIST and FIPS define minimum acceptable practices. They're a good start, but they don't guarantee you're safe.

If you only aim for compliance, you might miss:

• Detecting misuse from inside your team
• Rotating credentials regularly
• Enforcing detailed audit logging
• Using real-time intrusion detection

Make sure your security plan includes:

• Routine access reviews
• Automatic logout after inactivity
• Config change logging
• Multi-factor authentication (MFA), if supported

Quality devices include logging, user activity tracking, and built-in security features that exceed basic compliance. If you're being audited, the right gear will even help with documentation.

Recognize Commonalities Among These Mistakes

When you step back, these seven mistakes have a single root cause: false confidence. That false confidence leads to several misconceptions, including the belief that:

• "SSH supported" means "SSH is secure"
• Compliance is equal to proper protection
• Someone else double-checked the config
• Automatic processes can do no harm

In secure protocol deployments, confidence without verification is quite dangerous. What sets apart secure teams from vulnerable ones is consistency.

Truly secure systems need a team that follows a playbook. This team also must choose tools that enforce good habits and never assume security is "done."

If you're reading this, you're probably the kind of engineer who wants that level of control - and doesn't want to leave anything to chance. The good news? You don't have to fix all this manually.

Let DPS Help You Get Security Right the First Time

At DPS Telecom, we've worked with thousands of engineers over the past 30 years. We've seen what works - and what goes wrong - when securing critical infrastructure.

Our G6 remote monitoring platform was designed with these 7 pitfalls in mind. From day one, our devices will help you:

• Use TLS and SSH securely
• Enforce password policies and access roles
• Secure your SNMP traps with v3 or our SNMPv3 Proxy
• Upload, manage, and rotate TLS certifications
• Track user activity and configuration changes
• Go beyond compliance to true, actionable security

Let's Talk About Securing Your Network & Remote Monitoring

Want help reviewing your current security posture? Looking to upgrade your RTUs to something built for today's threats?

Give me a call at 559-454-1600 or email sales@dpstele.com.

I'll walk you through best practices, help you avoid the mistakes in this article, and get you a proposal tailored to your network (including mediation devices that avoid expensive "forklift swap-outs")

It's time to secure your network the right way.

Andrew Erickson

Andrew Erickson is an Application Engineer at DPS Telecom, a manufacturer of semi-custom remote alarm monitoring systems based in Fresno, California. Andrew brings more than 18 years of experience building site monitoring solutions, developing intuitive user interfaces and documentation, and opt...