Security Overview

Access Security Features

The following table lists each access security feature, its default setting, the security guidelines that apply to it, and where to find more information and configuration details.

Feature: Telnet and Web-browser access
Default Setting: enabled
Security Guidelines: The remote management protocols enabled on the switch by default are plain-text protocols, which transfer passwords in clear text that is easily captured on the network. To reduce the chances of unauthorized users capturing your passwords, use secure and encrypted protocols such as SSH and SSL (see below for details) for remote access. This lets you employ increased access security while still retaining remote client access.
Also, access security on the switch is incomplete without disabling Telnet and the standard Web browser access. Among the methods for blocking unauthorized access attempts using Telnet or the Web browser are the following two CLI commands:
no telnet-server: This command blocks inbound Telnet access.
no web-management: This command prevents use of the Web browser interface through the http (port 80) server.
If you choose not to disable Telnet and Web browser access, consider using RADIUS accounting to maintain a record of password-protected access to the switch.
More Information and Configuration Details: “Quick Start: Using the Management Interface Wizard” on page 1-10. For more on Telnet and web browser access, refer to the chapter on “Interface Access and System Information” in the Management and Configuration Guide. For RADIUS accounting, refer to Chapter 6, “RADIUS Authentication and Accounting”.

Feature: SSH
Default Setting: disabled
Security Guidelines: SSH provides Telnet-like functions through encrypted, authenticated transactions of the following types:
• client public-key authentication: uses one or more public keys (from clients) that must be stored on the switch. Only a client holding the private key that matches a stored public key can gain access to the switch.
• switch SSH and user password authentication: this option is a subset of client public-key authentication, and is used if the switch has SSH enabled without a login access configured to authenticate the client’s key. In this case, the switch authenticates itself to clients, and users on SSH clients then authenticate themselves to the switch by providing passwords stored on a RADIUS or TACACS+ server, or locally on the switch.
• secure copy (SC) and secure FTP (SFTP): by opening a secure, encrypted SSH session, you can use SC and SFTP as a secure alternative to TFTP for transferring sensitive switch information. For more on SC and SFTP, refer to the section titled “Using Secure Copy and SFTP” in the “File Transfers” appendix of the Management and Configuration Guide for your switch.
More Information and Configuration Details: “Quick Start: Using the Management Interface Wizard” on page 1-10; Chapter 8, “Configuring Secure Shell (SSH)”.
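The two rows above describe a default state (Telnet and HTTP web management on, SSH off) and the hardened state a practitioner wants (both clear-text services off, SSH on, ideally with client public-key login). The following offline audit, added here as an example and not part of the guide, replays a saved running-config line by line and reports which state the switch is in. The sample configurations are constructed; `no telnet-server` and `no web-management` are the commands named in the table, while the `ip ssh`, `ip ssh filetransfer`, `crypto key generate ssh` and `aaa authentication ssh login public-key` lines follow ProCurve CLI syntax that this page does not itself document and are assumptions here.

```python
"""Offline audit of a ProCurve-style running-config for the remote
management settings discussed above (Telnet, HTTP web management, SSH)."""

from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: the factory default described in the table,
# with Telnet and HTTP web management enabled and SSH disabled.
DEFAULT_CONFIG = """\
; constructed sample, not a real switch configuration
hostname "ProCurve Switch"
telnet-server
web-management
"""

# Constructed sample of a hardened switch. The crypto/ip ssh/aaa lines
# use ProCurve CLI syntax that this page does not document (assumed).
HARDENED_CONFIG = """\
; constructed sample, not a real switch configuration
hostname "ProCurve Switch"
crypto key generate ssh
no telnet-server
no web-management
ip ssh
ip ssh filetransfer
aaa authentication ssh login public-key none
"""


@dataclass
class AuditResult:
    telnet_enabled: bool
    web_http_enabled: bool
    ssh_enabled: bool
    ssh_login: str              # "password" or "public-key"
    findings: list[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        """True when no clear-text login path is open and SSH is available."""
        return not (self.telnet_enabled or self.web_http_enabled) and self.ssh_enabled


def _commands(config: str):
    """Yield non-empty, non-comment config lines with whitespace collapsed."""
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith(";"):
            yield line


def audit_remote_access(config: str) -> AuditResult:
    """Replay the config top to bottom and report the effective state.

    Later lines override earlier ones, as they would when typed at the CLI.
    Starting values are the defaults stated in the table above."""
    telnet, web_http, ssh = True, True, False
    ssh_login = "password"      # assumption: password login unless a public-key line appears
    for line in _commands(config):
        if line == "telnet-server":
            telnet = True
        elif line == "no telnet-server":
            telnet = False
        elif line == "web-management":
            web_http = True
        elif line == "no web-management":
            web_http = False
        elif line == "ip ssh":
            ssh = True
        elif line == "no ip ssh":
            ssh = False
        elif line.startswith("aaa authentication ssh login public-key"):
            ssh_login = "public-key"

    result = AuditResult(telnet, web_http, ssh, ssh_login)
    if telnet:
        result.findings.append("Telnet enabled: passwords cross the network in clear text; add 'no telnet-server'")
    if web_http:
        result.findings.append("HTTP web management enabled (port 80): add 'no web-management' or move to SSL")
    if not ssh:
        result.findings.append("SSH disabled: no encrypted CLI path remains once Telnet is removed")
    elif ssh_login == "password":
        result.findings.append("SSH accepts password login only: consider client public-key authentication")
    return result


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        r = audit_remote_access(cfg)
        print(f"{name}: compliant={r.compliant}")
        for f in r.findings:
            print("  -", f)
```

Run it against `show running-config` output saved to a file; an empty file audits as the factory default, which is the point: a switch with no explicit `no telnet-server` and `no web-management` lines is still listening on both clear-text services.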

1-4