Managing the device securely
Whitelisting telnet hosts
For any remote management of a network device, Allied Telesis recommends you use SSH, Secure HTTP (SSL), or SNMPv3. Therefore, we recommend you block all telnet access to the switch by disabling the telnet server. However, if you persist with telnet, you should make a whitelist of the hosts that are permitted to telnet to the switch. This does not make telnet secure, but it does reduce the associated risks.
Building a whitelist through layer 3 filters
On Rapier, Rapier i,
Series switches, use layer 3 filters to build a whitelist.
Configuration 1. Create a filter match definition that specifies destination IP address, protocol and destination TCP port as the criteria that the filter will match. The switch automatically assigns this filter an ID of 1 (unless other layer 3 filters already exist).
2.Create a filter entry that specifies the switch’s IP address as the destination address, TCP as the protocol and 23 as the port. Give it an action of deny.
Products
Rapier i Series
Rapier Series
Software Versions
All
3.Create another filter match definition with source and destination IP addresses, both with
4.Create filter entries for the second filter. In each entry, specify a permitted host as the source and the switch’s IP address as the destination. Give the entries an action of nodrop.
The first filter blocks (action=deny) any incoming telnet packets with the switch’s destination IP address. The second filter reverses the first filter by undoing the previous denial of IP access to the
Example To permit only the host with IP address 172.30.1.144 to telnet to the switch 172.28.40.70:
add switch l3filter match=dipaddress,protocol,tcpdport dclass=32
add switch l3f=1 entry protocol=tcp dipaddress=172.28.40.70 tcpdport=23 action=deny
add switch l3filter match=dipaddress,sipaddress sclass=32 dclass=32
add switch l3filter=2 entry sipaddress=172.30.1.144 dipaddress=172.28.40.70 action=nodrop
Create A Secure Network With Allied Telesis Managed Layer 3 Switches | 12 |
