Allied Telesis Layer 3 Switches manual Managing the device securely, Using Secure Shell SSH

Models: Layer 3 Switches


Managing the device securely

In Ethernet and broadcast networks the privacy of traffic is not guaranteed. Hubs and networks outside the administrator's control may leak sensitive data to unwanted recipients. A hacker may even be able to force a switch to flood unicast traffic.

Because you cannot guarantee traffic privacy, you cannot be certain that management sessions are private. Therefore, you should always use encrypted sessions when remotely administering network equipment, even in networks that you know well. The simplest way to achieve this is with Secure Shell (SSH).

This section describes secure management:

• “Using Secure Shell (SSH)” on page 9

• “Using SSL for secure web access” on page 10

• “Using SNMPv3” on page 10

Then the section ends by describing how to limit telnet access if you need to use telnet instead of one of the recommended secure options (“Whitelisting telnet hosts” on page 12).

When you are using a secure management scheme, we recommend that you block all telnet access to the switch, by disabling the telnet server:

disable telnet server

Using Secure Shell (SSH)

The Secure Shell (SSH) protocol is most simply described as an encrypted form of Telnet.

Products: All switches listed on page 2

Software Versions: All

Configuration

1. Add a security officer to your switch’s list of users.

2. Create encryption keys for SSH to use.

3. Enable the SSH server.

4. Add the security officer to the list of SSH users and specify a password for it. Only users in this list can use SSH to access the switch.

5. Enable system security.

Enabling system security makes telnet unavailable as an administrative interface—once you have configured SSH, you have to use it.

Example: To configure SSH access for the security officer called “secoff”:

add user=secoff password=securepass privilege=security telnet=yes login=yes

create enco key=0 type=rsa length=1024 description="Host Key" form=ssh

create enco key=1 type=rsa length=768 description="Server Key" form=ssh

enable ssh server serverkey=1 hostkey=0 expirytime=1 logintimeout=60

add ssh user=secoff password=sameordifferentpassword

enable system security
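The five configuration steps above, together with the earlier recommendation to disable the telnet server, can be checked mechanically against a saved configuration dump. The following audit script is an added example, not code from the manual or from Allied Telesis: it parses command lines in the syntax shown on this page and reports which steps are missing. The sample configuration is constructed for the example, and the key lengths it enforces as minimums (1024 bits for the host key, 768 bits for the server key) are simply the values used in the page's example, treated here as an assumption about local policy.

```python
import re

# Constructed sample: a fragment of a switch configuration dump in the
# command syntax shown on this page (not a capture from a real device).
SAMPLE_CONFIG = """
add user=secoff password=securepass privilege=security telnet=yes login=yes
create enco key=0 type=rsa length=1024 description="Host Key" form=ssh
create enco key=1 type=rsa length=768 description="Server Key" form=ssh
enable ssh server serverkey=1 hostkey=0 expirytime=1 logintimeout=60
add ssh user=secoff password=sameordifferentpassword
enable system security
disable telnet server
"""

# Assumed minimum key lengths, taken from the page's example (local policy choice).
MIN_KEY_BITS = {"hostkey": 1024, "serverkey": 768}


def parse_params(line):
    """Return the key=value parameters of one command line as a dict."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))


def audit_ssh_config(config_text):
    """Check a configuration dump against the page's SSH management procedure.

    Returns a list of findings; an empty list means every check passed.
    """
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []

    # Step 2: encryption keys created for SSH, indexed by key id
    keys = {}
    for line in lines:
        if line.startswith("create enco key="):
            p = parse_params(line)
            if p.get("form") == "ssh":
                keys[p["key"]] = int(p.get("length", 0))

    # Step 3: the SSH server must be enabled and refer to existing SSH keys
    ssh_server = next(
        (parse_params(l) for l in lines if l.startswith("enable ssh server")), None
    )
    if ssh_server is None:
        findings.append("SSH server is not enabled (step 3)")
    else:
        for role, minimum in MIN_KEY_BITS.items():
            kid = ssh_server.get(role)
            if kid not in keys:
                findings.append(
                    f"{role}={kid} does not refer to an SSH-form key created "
                    f"with 'create enco' (step 2)"
                )
            elif keys[kid] < minimum:
                findings.append(
                    f"{role} {kid} is {keys[kid]} bits, below the assumed "
                    f"minimum of {minimum} bits"
                )

    # Steps 1 and 4: a security officer exists and is also an SSH user
    security_users = {
        parse_params(l)["user"]
        for l in lines
        if l.startswith("add user=")
        and parse_params(l).get("privilege") == "security"
    }
    ssh_users = {parse_params(l)["user"] for l in lines if l.startswith("add ssh user=")}
    if not security_users:
        findings.append("no security officer defined (step 1)")
    if not (security_users & ssh_users):
        findings.append("no security officer in the SSH user list (step 4)")

    # Step 5 and the telnet recommendation: plaintext management must be closed off
    if "enable system security" not in lines:
        findings.append("system security not enabled (step 5): telnet remains usable")
    if "disable telnet server" not in lines:
        findings.append("telnet server not disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG) or ["all SSH management checks passed"]:
        print(finding)
```

Run against a real dump, the script only reads the configuration text; it issues no commands to the switch. Each finding names the step on this page that it corresponds to, so a missing `enable system security` line is reported as step 5 being incomplete rather than as a generic parse failure.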

Create A Secure Network With Allied Telesis Managed Layer 3 Switches

9
