Allied Telesis Layer 3 Switches manual Managing the device securely, Using Secure Shell SSH

Page 9

Managing the device securely

On Ethernet and other broadcast networks the privacy of traffic is not guaranteed. Hubs, and networks outside the administrator's control, may deliver sensitive data to unintended recipients. An attacker may even be able to force a switch to flood unicast traffic out of every port, for example by overflowing its MAC address table.

Because you cannot guarantee traffic privacy, you cannot be certain that management sessions are private. Therefore, you should always use encrypted sessions when remotely administering network equipment, even in networks that you know well. The simplest way to achieve this is with Secure Shell (SSH).

This section describes secure management:

- "Using Secure Shell (SSH)" on page 9
- "Using SSL for secure web access" on page 10
- "Using SNMPv3" on page 10

Then the section ends by describing how to limit telnet access if you need to use telnet instead of one of the recommended secure options (“Whitelisting telnet hosts” on page 12).

When you are using a secure management scheme, we recommend that you block all telnet access to the switch, by disabling the telnet server:

disable telnet server

Using Secure Shell (SSH)

Products: All switches listed on page 2
Software Versions: All

The Secure Shell (SSH) protocol is most simply described as an encrypted form of Telnet.

Configuration

1. Add a security officer to your switch's list of users.
2. Create encryption keys for SSH to use.
3. Enable the SSH server.
4. Add the security officer to the list of SSH users and specify a password for it. Only users in this list can use SSH to access the switch.
5. Enable system security.

Enabling system security makes telnet unavailable as an administrative interface; once you have configured SSH, you have to use it.

Example

To configure SSH access for the security officer called "secoff":

add user=secoff password=securepass privilege=security telnet=yes login=yes
create enco key=0 type=rsa length=1024 description="Host Key" form=ssh
create enco key=1 type=rsa length=768 description="Server Key" form=ssh
enable ssh server serverkey=1 hostkey=0 expirytime=1 logintimeout=60
add ssh user=secoff password=sameordifferentpassword
enable system security

The passwords shown are placeholders; choose your own. The key lengths are those of the original example: RSA keys of 768 and 1024 bits are no longer considered adequate, so create the host key with the longest length your software version accepts. The separate, short-lived server key (regenerated at the interval set by expirytime) exists only for SSH protocol version 1, which current clients no longer accept, so check which SSH protocol version your software version and your clients support before relying on it.
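As an added check that is not part of the Allied Telesis document, the following Python script audits a saved AlliedWare-style configuration listing against the checklist above and against the telnet-server recommendation at the start of this section: it reports which steps are missing and flags SSH keys shorter than a chosen floor. The command syntax and the first sample listing are taken from the page's example; the 2048-bit floor, the second (weakened) sample listing and all function names are assumptions of this example.

```python
"""Audit an AlliedWare-style config listing for the secure-management checklist.

Added example, not Allied Telesis code.  Command syntax follows the page's
example; sample listings are constructed; MIN_RSA_BITS is an assumed floor.
"""
import re

# Constructed sample: the page's SSH example plus "disable telnet server".
SAMPLE_CONFIG = """\
add user=secoff password=securepass privilege=security telnet=yes login=yes
create enco key=0 type=rsa length=1024 description="Host Key" form=ssh
create enco key=1 type=rsa length=768 description="Server Key" form=ssh
enable ssh server serverkey=1 hostkey=0 expirytime=1 logintimeout=60
add ssh user=secoff password=sameordifferentpassword
enable system security
disable telnet server
"""

# Constructed counter-example: SSH is up, but the legacy path is left open.
WEAK_CONFIG = """\
add user=secoff password=securepass privilege=security telnet=yes login=yes
create enco key=0 type=rsa length=2048 description="Host Key" form=ssh
enable ssh server hostkey=0 logintimeout=60
add ssh user=secoff password=sameordifferentpassword
"""

MIN_RSA_BITS = 2048  # assumed modern floor; the page's 768/1024 fall below it

# key=value tokens; values may be double-quoted (e.g. description="Host Key")
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_params(line):
    """Return the key=value parameters of one command line, keys lower-cased."""
    return {m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _PARAM.finditer(line)}


def audit(config_text):
    """Return a list of human-readable findings; an empty list means compliant."""
    users = {}        # user name -> privilege level
    ssh_keys = {}     # key id -> (type, bits) for keys created with form=ssh
    ssh_users = set()
    hostkey_id = None
    ssh_enabled = system_security = telnet_disabled = False

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        p = parse_params(line)
        if low.startswith("add user="):
            users[p["user"]] = p.get("privilege", "user").lower()  # 'user' assumed default
        elif low.startswith("create enco key=") and p.get("form", "").lower() == "ssh":
            ssh_keys[p["key"]] = (p.get("type", "").lower(), int(p.get("length", "0")))
        elif low.startswith("enable ssh server"):
            ssh_enabled = True
            hostkey_id = p.get("hostkey")
        elif low.startswith("add ssh user="):
            ssh_users.add(p["user"])
        elif low == "enable system security":
            system_security = True
        elif low == "disable telnet server":
            telnet_disabled = True
        elif low == "enable telnet server":   # a later re-enable undoes the disable
            telnet_disabled = False

    findings = []
    if not ssh_enabled:
        findings.append("SSH server is not enabled")
    elif hostkey_id not in ssh_keys:
        findings.append(f"SSH host key {hostkey_id} has not been created")
    for key_id, (ktype, bits) in sorted(ssh_keys.items()):
        if bits < MIN_RSA_BITS:
            findings.append(f"key {key_id}: {bits}-bit {ktype} is below the {MIN_RSA_BITS}-bit floor")
    if not any(priv == "security" for priv in users.values()):
        findings.append("no security officer account defined")
    if not ssh_users:
        findings.append("no SSH users added; nobody can log in over SSH")
    for name in sorted(ssh_users - set(users)):
        findings.append(f"SSH user {name} has no matching user account")
    if not system_security:
        findings.append("system security is not enabled")
    if not telnet_disabled:
        findings.append("telnet server is still enabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page example", SAMPLE_CONFIG), ("weakened example", WEAK_CONFIG)):
        print(f"{label}:")
        for f in audit(cfg) or ["no findings"]:
            print("  -", f)
```

Run against the page's own example the only findings are the two short keys; run against the weakened listing it reports that system security was never enabled and the telnet server is still listening, which is exactly the state step 5 and the disable telnet server recommendation are meant to prevent. The parser is deliberately permissive (any key=value token on a line), so it also copes with parameters the page does not show.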

Create A Secure Network With Allied Telesis Managed Layer 3 Switches

