> So far as admin SSH, once you reach a certain size you generally stop letting admins ssh in from random places and require VPNs (often with crypto tokens), if only because it gives you a easy chokepoint to disable access when you fire people. From what I've seen those most likely to use direct SSH or telnet are small companies (including regional/emerging telcos) that have a handful of people actually running things.

And, as we know, the NSA is actively collecting IPSec handshakes and has (at least in some cases, I'd love to see more info on this) the capability to crack session keys: https://firstlook.org/theintercept/document/2014/03/12/vpn-v...