Security
Authentication
Authentication | The MasterSwitch unit controls access by providing basic authentication |
versus encryption | through user names, passwords, and IP addresses, but provides no |
| type of encryption. These basic security features are sufficient for most |
| environments, in which sensitive data is not being transferred. To |
| ensure that data and communication between the MasterSwitch unit |
| and the client interfaces, such as Telnet and the Web browser, cannot |
| be captured, you can provide a greater level of security by enabling |
| MD5 authentication (described below) for the Web interface. |
MD5 | The Web interface option for MD5 authentication enables a higher level |
authentication | of access security than the basic HTTP authentication scheme. The |
(Web interface) | MD5 scheme is similar to CHAP and PAP remote access protocols. |
| Enabling MD5 implements the following security features: |
| • The Web server requests a user name and a password phrase |
| (distinct from the password). The user name and password |
| phrase are not transmitted over the network, as they are in |
| basic authentication. Instead, a Java login applet combines the |
| user name, password phrase, and a unique session challenge |
| number to calculate an MD5 hash number. Only the hash num- |
| ber is returned to the server to verify that the user has the cor- |
| rect login information; MD5 authentication does not reveal the |
| login information. |
| • In addition to the login authentication, each form post for config- |
| uration or control operations is authenticated with a unique chal- |
| lenge and hash response. |
| • After the authentication login, subsequent page access is |
| restricted by IP addresses and a hidden session cookie. (You |
| must have cookies enabled in your browser.) Pages are trans- |
| mitted in their |
| If you use MD5 authentication, which is available only for the Web |
| interface, disable the less secure interfaces, including Telnet, FTP, and |
| SNMP. For SNMP, you can disable |
| access and trap facilities are still available. |
| Although MD5 authentication provides a much higher level of security |
| than the |
| breaches is almost impossible to achieve. |
| an essential element in an overall security scheme. For additional |
| information on MD5 authentication, see RFC document #1321 at the |
| Web site of the Internet Engineering Task Force. For CHAP, see RFC |
| document #1994. |
| Continued on next page |
MasterSwitch VM User’s Guide | 29 |
