Allied Telesis Layer 3 Switches manual Whitelisting telnet hosts

Page 12

Managing the device securely

Whitelisting telnet hosts

For any remote management of a network device, Allied Telesis recommends you use SSH, Secure HTTP (SSL), or SNMPv3. Therefore, we recommend you block all telnet access to the switch by disabling the telnet server. However, if you persist with telnet, you should make a whitelist of the hosts that are permitted to telnet to the switch. This does not make telnet secure, but it does reduce the associated risks.

Building a whitelist through layer 3 filters

On Rapier, Rapier i, AT-8800, AT-8700XL and AT-8600 Series switches, use layer 3 filters to build a whitelist.

Products: AT-8600 Series, AT-8700XL Series, Rapier i Series, Rapier Series, AT-8800 Series
Software versions: All

Configuration

1. Create a filter match definition that specifies destination IP address, protocol and destination TCP port as the criteria that the filter will match. The switch automatically assigns this filter an ID of 1 (unless other layer 3 filters already exist).

2. Create a filter entry that specifies the switch's IP address as the destination address, TCP as the protocol and 23 as the port. Give it an action of deny.

3. Create another filter match definition with source and destination IP addresses, both with 32-bit masks.

4. Create filter entries for the second filter. In each entry, specify a permitted host as the source and the switch's IP address as the destination. Give the entries an action of nodrop.

The first filter blocks (action=deny) any incoming telnet packets with the switch’s destination IP address. The second filter reverses the first filter by undoing the previous denial of IP access to the switch—but only for the permitted source IP addresses.

Example

To permit only the host with IP address 172.30.1.144 to telnet to the switch 172.28.40.70:

add switch l3filter match=dipaddress,protocol,tcpdport dclass=32
add switch l3filter=1 entry protocol=tcp dipaddress=172.28.40.70 tcpdport=23 action=deny
add switch l3filter match=dipaddress,sipaddress sclass=32 dclass=32
add switch l3filter=2 entry sipaddress=172.30.1.144 dipaddress=172.28.40.70 action=nodrop
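To make the deny/nodrop interaction concrete, the following Python model (an added example, not Allied Telesis code and not a reproduction of the switch's filter engine) evaluates sample packets against the two filters the four commands create. It assumes what the page describes: filters are applied in ID order, a matching deny entry marks the packet to be dropped, and a later matching nodrop entry clears that mark. It also generalises to several permitted hosts (one nodrop entry each) and renders the resulting commands in the same syntax as the page. All packet values other than the two addresses from the page are constructed for the demonstration.

```python
"""Model of the page's two-filter telnet whitelist (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass, field

TELNET_PORT = 23


@dataclass
class Packet:
    sip: str
    dip: str
    protocol: str   # "tcp", "udp", ...
    dport: int


@dataclass
class Entry:
    """One filter entry: the field values it matches and the action it applies."""
    values: dict
    action: str     # "deny" or "nodrop", the two actions the page uses


@dataclass
class L3Filter:
    """A filter match definition: which fields are compared and with which mask lengths."""
    fid: int
    match: tuple            # e.g. ("dipaddress", "protocol", "tcpdport")
    sclass: int = 32        # source address mask length in bits
    dclass: int = 32        # destination address mask length in bits
    entries: list = field(default_factory=list)

    @staticmethod
    def _in_net(addr, want, bits):
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{want}/{bits}", strict=False)

    def matches(self, entry, pkt):
        """True only if every field named in the match definition agrees with the entry."""
        for name in self.match:
            want = entry.values[name]
            if name == "sipaddress":
                ok = self._in_net(pkt.sip, want, self.sclass)
            elif name == "dipaddress":
                ok = self._in_net(pkt.dip, want, self.dclass)
            elif name == "protocol":
                ok = pkt.protocol == want
            elif name == "tcpdport":
                ok = pkt.protocol == "tcp" and pkt.dport == want
            else:
                raise ValueError(f"unsupported match field {name}")
            if not ok:
                return False
        return True


def build_telnet_whitelist(switch_ip, permitted_hosts):
    """Return the two filters the page's commands create, one nodrop entry per permitted host."""
    deny_telnet = L3Filter(1, ("dipaddress", "protocol", "tcpdport"), dclass=32)
    deny_telnet.entries.append(
        Entry({"dipaddress": switch_ip, "protocol": "tcp", "tcpdport": TELNET_PORT}, "deny"))
    allow_hosts = L3Filter(2, ("dipaddress", "sipaddress"), sclass=32, dclass=32)
    for host in permitted_hosts:
        allow_hosts.entries.append(Entry({"sipaddress": host, "dipaddress": switch_ip}, "nodrop"))
    return [deny_telnet, allow_hosts]


def evaluate(filters, pkt):
    """Assumed semantics: filters in ID order; deny marks the packet, a later nodrop unmarks it."""
    dropped = False
    for flt in sorted(filters, key=lambda f: f.fid):
        for entry in flt.entries:
            if flt.matches(entry, pkt):
                if entry.action == "deny":
                    dropped = True
                elif entry.action == "nodrop":
                    dropped = False
    return "drop" if dropped else "forward"


def render_commands(filters):
    """Render the filters as 'add switch l3filter' commands in the page's syntax."""
    lines = []
    for flt in filters:
        parts = [f"add switch l3filter match={','.join(flt.match)}"]
        if "sipaddress" in flt.match:
            parts.append(f"sclass={flt.sclass}")
        if "dipaddress" in flt.match:
            parts.append(f"dclass={flt.dclass}")
        lines.append(" ".join(parts))
        for e in flt.entries:
            kv = " ".join(f"{k}={v}" for k, v in e.values.items())
            lines.append(f"add switch l3filter={flt.fid} entry {kv} action={e.action}")
    return lines


if __name__ == "__main__":
    filters = build_telnet_whitelist("172.28.40.70", ["172.30.1.144"])
    print("\n".join(render_commands(filters)))
    # Constructed packets: only the whitelisted host reaches telnet on the switch;
    # SSH and traffic to other destinations are untouched by the deny filter.
    for pkt in (Packet("172.30.1.144", "172.28.40.70", "tcp", 23),
                Packet("172.30.1.145", "172.28.40.70", "tcp", 23),
                Packet("10.0.0.5", "172.28.40.70", "tcp", 22)):
        print(pkt, "->", evaluate(filters, pkt))
```

The model makes two properties of the configuration visible: the 32-bit masks mean an adjacent address such as 172.30.1.145 is still denied, and because filter 1 only matches TCP port 23 to the switch's own address, SSH to the switch and telnet to any other destination are never touched by either filter.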

Create A Secure Network With Allied Telesis Managed Layer 3 Switches
