Managing the device securely

Whitelisting telnet hosts

For any remote management of a network device, Allied Telesis recommends you use SSH, Secure HTTP (SSL), or SNMPv3. Therefore, we recommend you block all telnet access to the switch by disabling the telnet server. However, if you persist with telnet, you should make a whitelist of the hosts that are permitted to telnet to the switch. This does not make telnet secure, but it does reduce the associated risks.

Building a whitelist through layer 3 filters

On Rapier, Rapier i, AT-8800, AT-8700XL and AT-8600 Series switches, use layer 3 filters to build a whitelist.

Products: AT-8600 Series, AT-8700XL Series, Rapier i Series, Rapier Series, AT-8800 Series

Software Versions: All

Configuration

1. Create a filter match definition that specifies destination IP address, protocol and destination TCP port as the criteria that the filter will match. The switch automatically assigns this filter an ID of 1 (unless other layer 3 filters already exist).

2. Create a filter entry that specifies the switch’s IP address as the destination address, TCP as the protocol and 23 as the port. Give it an action of deny.

3. Create another filter match definition with source and destination IP addresses, both with 32-bit masks.

4. Create filter entries for the second filter. In each entry, specify a permitted host as the source and the switch’s IP address as the destination. Give the entries an action of nodrop.

The first filter blocks (action=deny) any incoming telnet packets with the switch’s destination IP address. The second filter reverses the first filter by undoing the previous denial of IP access to the switch—but only for the permitted source IP addresses.

Example: To permit only the host with IP address 172.30.1.144 to telnet to the switch at 172.28.40.70:

add switch l3filter match=dipaddress,protocol,tcpdport dclass=32

add switch l3f=1 entry protocol=tcp dipaddress=172.28.40.70 tcpdport=23 action=deny

add switch l3filter match=dipaddress,sipaddress sclass=32 dclass=32

add switch l3filter=2 entry sipaddress=172.30.1.144 dipaddress=172.28.40.70 action=nodrop
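As an added illustration (not part of the Allied Telesis manual), the following Python models the deny/nodrop interaction described above, so you can check which packets the two filters drop before applying the configuration, and it generates the same command set for a list of permitted hosts. The switch address and host list are constructed values; the filter IDs 1 and 2 assume no other layer 3 filters exist, as the manual notes.

```python
import ipaddress
from dataclasses import dataclass

SWITCH_IP = "172.28.40.70"            # constructed: the switch's own address
PERMITTED_HOSTS = ["172.30.1.144"]    # constructed: hosts allowed to telnet in


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int


def in_class(addr: str, filter_addr: str, prefix: int) -> bool:
    """Match an address against a filter address with the given mask length (class)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{filter_addr}/{prefix}", strict=False)


def filter1_deny(pkt: Packet) -> bool:
    # Filter 1 (match=dipaddress,protocol,tcpdport dclass=32): telnet to the switch.
    return in_class(pkt.dst, SWITCH_IP, 32) and pkt.protocol == "tcp" and pkt.dport == 23


def filter2_nodrop(pkt: Packet) -> bool:
    # Filter 2 (match=dipaddress,sipaddress sclass=32 dclass=32): one entry per permitted host.
    return in_class(pkt.dst, SWITCH_IP, 32) and any(in_class(pkt.src, h, 32) for h in PERMITTED_HOSTS)


def verdict(pkt: Packet) -> str:
    """Model of the whitelist: filter 1 denies, and a matching nodrop entry undoes that denial."""
    if filter1_deny(pkt):
        return "forward" if filter2_nodrop(pkt) else "drop"
    return "forward"  # traffic that is not telnet to the switch is untouched by these filters


def whitelist_commands(hosts: list[str], switch_ip: str = SWITCH_IP) -> list[str]:
    """Emit the layer 3 filter commands from the manual for an arbitrary list of hosts."""
    cmds = [
        "add switch l3filter match=dipaddress,protocol,tcpdport dclass=32",
        f"add switch l3filter=1 entry protocol=tcp dipaddress={switch_ip} tcpdport=23 action=deny",
        "add switch l3filter match=dipaddress,sipaddress sclass=32 dclass=32",
    ]
    cmds += [f"add switch l3filter=2 entry sipaddress={h} dipaddress={switch_ip} action=nodrop" for h in hosts]
    return cmds


if __name__ == "__main__":
    for p in (Packet("172.30.1.144", SWITCH_IP, "tcp", 23), Packet("10.0.0.5", SWITCH_IP, "tcp", 23)):
        print(p.src, "->", verdict(p))
    print("\n".join(whitelist_commands(PERMITTED_HOSTS)))
```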

Create A Secure Network With Allied Telesis Managed Layer 3 Switches
