Our inaugural Tester's Challenge called on vendors, particularly Cisco, to address why their products still support unsecure access and management protocols - such as earlier versions of Secure Shell, SNMP and HTTP - out of the box.

Network World's inaugural Tester's Challenge, which aired on Nov. 17, called on vendors to address why their products support unsecure access and management protocols - such as earlier versions of Secure Shell, SNMP and HTTP - out of the box.

As we pointed out, with protocols such as SSH1 enabled by default, it is easy for an attacker to intercept a password and then change the device's configuration or even shut it down.

While the problem is widespread, we called on Cisco as the 800-pound gorilla to set an example by changing this practice, and we offered the company this space to explain its position in its own words. Cisco declined.

In an interview, the company said it has shipped products with SSH2 since the summer. But SSH1 is still the default setting. (Since 2001, CERT has advised against using SSH1.)

Tom Russell, director of marketing for VPN and security services at Cisco, said shipping SSH2 as a default setting could disrupt some users who are not looking for that level of security. One example would be customers who use scripts to automate configuration and management on Cisco routers.

"Cisco usually does get it about security, but this SSH issue is a big exception," says David Newman, president of Network Test of Westlake Village, Calif., author of the Tester's Challenge and a member of the Network World Global Test Alliance.

A user participating in our online forum agrees. "I find it infuriating that I have to connect to my PIX firewall with an older version of SSH or telnet. For crying out loud this is my firewall you are talking about!" he says.

VanDyke Software, which sells SSH commercial products, offers only SSH2 in its server products.

"There are so many issues with SSH1," says VanDyke spokesman Marc Orchant. It's easily hacked and has critical performance issues, he adds.

Phil Kwan, director of enterprise applications at Foundry, says upgrading to SSH2 is a major undertaking for a company with legacy gear. "You've got this big chunk of code that you're trying to jam on a router that is 6 to 7 years old. You're going to have serious memory constraints," Kwan says. He says it's understandable that an SSH2 upgrade might get put on the back burner.

Because Tester's Challenge is intended to push the industry to address pressing issues, we checked with some of Cisco's competitors - Blue Coat Systems, Check Point, Dell, Extreme Networks, Force10 Networks, Foundry Networks, NetScreen Technologies and Nortel - to see how they treated this issue of unsecure default settings.

The good news is that the industry is generally moving toward strongly encrypted access to network devices. For example:

• Foundry is upgrading to SSH2 across its product line and will ship that support sometime in the first quarter of next year.

• When Blue Coat released its ProxySG 3.0 secure proxy appliance in August, it secured all administrative access to the box by turning on SSH2 and Secure Sockets Layer (SSL)/Transport Layer Security by default and by turning off HTTP, telnet and SNMP by default.

• Dell ships all its PowerConnect 3300 series and Managed Switches with five in-band management capabilities: HTTP, Secure-HTTP, telnet, SSH2, SNMP versions 1 and 2. Dell will offer SNMP 3.0 support in a firmware upgrade scheduled for next summer. However, all in-band management options are disabled by default and need to be turned on by the network administrator.

• By default, Check Point products exclusively use SSH2 for command-line management. Check Point Stateful Inspection can distinguish between SSH versions and allow access only for SSH2 traffic.

• Extreme supports SSH2 on all its products. But Extreme officials say that because of federal export regulations, the company has to verify your identity before they'll let you download it. Extreme's EPICenter management tool can be configured to run batch commands on groups of switches using SSH2. Likewise, Extreme offers SNMP 3.0 across its products and limits browser-based access to its gear to limited jump-start capabilities.

• NetScreen added SSH2 support to its underlying operating system with the release of ScreenOS last month. Neither version of SSH is enabled by default. When a user enables it on a new device, it defaults to SSH2. If upgrading an old device that previously ran SSH1, a user must manually choose to run SSH2.

• Nortel has a mandate to provide SSH2, SNMP 3.0 and SSL encryption for Web access across its product lines. Nortel's products are in various stages of compliance with this policy.

• Force10 says it provides a variety of security features out of the box in its switches and routers. For example, by default a limit is set on the amount of traffic that is sent to the CPUs, preventing a virus from flooding the switch/router. The company also has enabled a real-time editor as default to allow network operators to update access control lists on the fly.

In light of its competitors taking steps toward shipping products with secure default settings, we'd still like to hear from Cisco that it's planning to step up to the plate on this issue.

Network World Senior Editor Ellen Messmer and Senior Writer Phil Hochmuth contributed to this story.