Web/SNMP Management SmartSlot Card User’s Guide 68
Security
Authentication
Authentication versus encryption
The Management Card controls access by providing basic
authentication through user names, passwords, and IP addresses, but
provides no type of encryption. These basic security features are
sufficient for most environments, in which sensitive data is not being
transferred. To ensure that data and communication between the
Management Card and the client interfaces, such as Telnet and the
Web browser, cannot be captured, you can provide a greater level of
security by enabling MD5 authentication (described below) for the Web
interface.
MD5 authentication (Web interface)
The Web interface option for MD5 authentication enables a higher level
of access security than the basic HTTP authentication scheme. The
MD5 scheme is similar to CHAP and PAP remote access protocols.
Enabling MD5 implements the following security features:
• The Web server requests a user name and a password phrase
  (distinct from the password). The user name and password
  phrase are not transmitted over the network, as they are in
  basic authentication. Instead, a Java login applet combines the
  user name, password phrase, and a unique session challenge
  number to calculate an MD5 hash number. Only the hash number
  is returned to the server to verify that the user has the
  correct login information; MD5 authentication does not reveal
  the login information.
• In addition to the login authentication, each form post for
  configuration or control operations is authenticated with a
  unique challenge and hash response.
• After the authentication login, subsequent page access is
  restricted by IP addresses and a hidden session cookie. (You
  must have cookies enabled in your browser.) Pages are
  transmitted in their plain-text form, with no encryption.
If you use MD5 authentication, which is available only for the Web
interface, disable the less secure interfaces, including Telnet, FTP, and
SNMP. For SNMP, you can disable write-only access so that read
access and trap facilities are still available. For additional information on
MD5 authentication, see RFC document #1321 at the Web site of the
Internet Engineering Task Force. For CHAP, see RFC document #1994.
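The login and form-post exchange described in this section can be sketched as follows. This is an added example, not the Management Card's own code: the account names, the ':' separator, the field order inside the hash, and the 16-byte challenge are assumptions, because this guide does not give the applet's exact format.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts. The ':' separator and field order inside the
# hash are assumptions; the guide does not give the applet's exact format.
ACCOUNTS = {"admin_example": "constructed pass phrase",
            "device_example": "another constructed phrase"}


def response_hash(user, phrase, challenge):
    """Client side: combine user name, password phrase and challenge."""
    return hashlib.md5(f"{user}:{phrase}:{challenge}".encode()).hexdigest()


class CardServer:
    """Server side: issues one-time challenges and checks returned hashes."""
    def __init__(self, accounts):
        self.accounts = accounts
        self.pending = set()  # challenges issued and not yet answered

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge, digest):
        """Return the matching user name, or None if the hash is rejected."""
        if challenge not in self.pending:
            return None  # unknown or already-used challenge
        self.pending.discard(challenge)
        for user, phrase in self.accounts.items():
            expected = response_hash(user, phrase, challenge)
            if hmac.compare_digest(expected, digest):
                return user
        return None


def demo():
    server = CardServer(ACCOUNTS)
    user, phrase = "admin_example", ACCOUNTS["admin_example"]
    c1 = server.new_challenge()
    h1 = response_hash(user, phrase, c1)  # the only value sent back
    login = server.verify(c1, h1)
    replay = server.verify(c1, h1)  # same hash, challenge already used
    c2 = server.new_challenge()  # fresh challenge for a form post
    stale = server.verify(c2, h1)  # login hash does not fit the new challenge
    c3 = server.new_challenge()
    post = server.verify(c3, response_hash(user, phrase, c3))
    return login, replay, stale, post
```

The hash only proves knowledge of the login information for one challenge; the page content that follows a successful check is still sent unencrypted.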
Firewalls
Although MD5 authentication provides a much higher level of security
than the plain-text access methods, complete protection from security
breaches is almost impossible to achieve. Well-configured firewalls are
an essential element in an overall security scheme.