Allied Telesis Layer 3 Switches manual Using SSL for secure web access, Using SNMPv3

Page 10


Managing the device securely

Using SSL for secure web access

Products: All switches listed on page 2, except the AT-8948 and x900-48 Series, which have no graphical user interface

Software Versions: All

If you prefer to configure the switch using the convenient web-based GUI, be aware that the GUI is unencrypted by default. SSL lets you use the GUI securely, by using HTTPS instead of HTTP.

Configuration

1. Add a security officer to your switch’s list of users.

2. Create an encryption key for SSL to use.

3. Create a self-signed PKI certificate, or load a certificate generated by a Certificate Authority (CA) if you have one.

4. Add the certificate to the certificate database.

5. Turn security on for the HTTP server.

6. Enable system security.

Once you have configured SSL, HTTPS connections to the device are available only on port 443.

Example

To allow the security officer called “secoff” to browse securely to the GUI, using a self-signed certificate:

add user=secoff password=secoff privilege=securityofficer login=yes

create enco key=0 type=rsa length=1024

set system distinguishedname="cn=switch1,o=my_company,c=us"

create pki certificate=cer_name keypair=0 serialnumber=12345 subject="cn=172.30.1.105,o=my_company,c=us"

add pki certificate=cer_name location=cer_name.cer trust=yes

set http server security=on sslkey=0 port=443

enable system security
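A self-signed certificate such as the one created above cannot be validated through a CA chain, so a browser will always warn on it. The practical way to confirm you are talking to your switch, and not to something sitting between you and it, is to pin the certificate's fingerprint: record it once, then compare it on every later connection. The script below is an added example, not Allied Telesis code or part of the manual. It assumes the management address 172.30.1.105 from the example above; EXPECTED_FINGERPRINT is a placeholder you replace with the value recorded when the certificate was created.

```python
"""Check the switch's HTTPS management interface on port 443 and verify that
the certificate it presents matches a pinned SHA-256 fingerprint.

Added example, not Allied Telesis code. Trust comes from the pin, not from
CA chain validation, because the switch certificate is self-signed.
"""
import hashlib
import hmac
import socket
import ssl

SWITCH_IP = "172.30.1.105"  # management address from the manual's example
HTTPS_PORT = 443            # the only port HTTPS is served on once SSL is configured
EXPECTED_FINGERPRINT = "<sha256-of-your-switch-certificate-der-in-hex>"  # placeholder


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Compare against the pin; accepts the colon-separated form browsers show.

    hmac.compare_digest keeps the comparison constant-time.
    """
    expected = expected_hex.replace(":", "").lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)


def fetch_switch_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Complete a TLS handshake and return the peer's DER certificate.

    Chain verification is disabled on purpose (the certificate is
    self-signed); the fingerprint pin is what establishes trust.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    der = fetch_switch_cert(SWITCH_IP, HTTPS_PORT)
    print("presented fingerprint:", cert_fingerprint(der))
    if fingerprint_matches(der, EXPECTED_FINGERPRINT):
        print("OK: certificate matches the pinned fingerprint")
    else:
        raise SystemExit("MISMATCH: certificate differs from the pinned one; "
                         "do not enter the security officer credentials")
```

Record the pin from a session you trust (for example, the serial console session in which you ran `create pki certificate`), and re-pin only when you deliberately replace the certificate. Older firmware may offer only legacy TLS versions and the 1024-bit RSA key created above, which a current OpenSSL build can refuse by default; if the handshake fails for that reason, lower `ctx.minimum_version` and the OpenSSL security level for this check only.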

Using SNMPv3

Traditionally, SNMP has been a popular but insecure way to monitor networks.

Allied Telesis devices are SNMPv3 compliant. By using SNMPv3, you can authenticate SNMP users and restrict their network access to parts of the network. SNMPv3 is very flexible, as the examples in this section show.

Products: All switches listed on page 2

Software Versions: 2.6.4 and later

Configuration

1. Enable SNMP.

2. Set up one or more SNMP views. A view lists the objects in the MIB that users can see.

3. Set up one or more groups and associate each group with its views. Each group is a collection of users who have the same access rights.

4. Set up one or more users and add them to the groups. The authentication parameters are set here.

5. Set up a trap host profile so that trap messages can be sent to a remote host. This is not compulsory, but we recommend it.
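The authentication password you give a user in step 4 is never stored or sent as such. SNMPv3's user-based security model (RFC 3414) derives a key from the password and then localizes that key to the switch's own SNMP engine ID, so the same password produces a different key on every device and a key recovered from one switch does not authenticate to another. The following is an added example, not Allied Telesis code or part of this manual, that carries the derivation through in Python; it uses the RFC 3414 test vector (password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02) plus a second, constructed engine ID to show the localization effect.

```python
"""RFC 3414 (SNMPv3 USM) password-to-key derivation and key localization.

Added example, not Allied Telesis code. Shows what a switch does with the
authentication password configured for an SNMPv3 user: it keeps only the
key localized to its own snmpEngineID, never the password itself.
"""
import hashlib
import hmac

# RFC 3414 A.2 feeds exactly 1 MiB of the repeated password into the hash.
_EXPANSION_LEN = 1_048_576


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: digest of the password repeated until 1 MiB has been hashed."""
    if not password:
        raise ValueError("empty password")
    reps = _EXPANSION_LEN // len(password) + 1
    expanded = (password * reps)[:_EXPANSION_LEN]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_auth_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """The key the device actually stores for this user (md5 or sha1)."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def auth_param(kul: bytes, whole_msg: bytes, hash_name: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the message, truncated to 96 bits
    (HMAC-MD5-96 / HMAC-SHA-96 as defined in RFC 3414)."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


# RFC 3414 A.3 test vector, plus a constructed second engine ID.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
OTHER_ENGINE_ID = bytes.fromhex("800000cf03001122334455")  # constructed, not a real device

if __name__ == "__main__":
    for name in ("md5", "sha1"):
        k1 = localized_auth_key(RFC_PASSWORD, RFC_ENGINE_ID, name)
        k2 = localized_auth_key(RFC_PASSWORD, OTHER_ENGINE_ID, name)
        print(f"{name}: key on RFC engine   {k1.hex()}")
        print(f"{name}: key on other engine {k2.hex()}  (same password, different key)")
    tag = auth_param(k1, b"constructed SNMPv3 message bytes", "sha1")
    print("96-bit auth tag:", tag.hex())
```

The two engine IDs yield unrelated keys from the same password, which is the property that limits the damage when one device's configuration is exposed. The derivation is deliberately slow (a megabyte of hashing per password), but it is not salted by anything secret, so a weak password remains guessable offline by anyone who obtains a localized key and the engine ID; choose SNMPv3 passwords accordingly.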

Create A Secure Network With Allied Telesis Managed Layer 3 Switches