Security Considerations, Security Practice | Lantronix 900-510

B: Security Considerations

The SLB branch office manager provides data path security by means of SSH or Web/SSL. Even with the use of SSH/SSL, however, do not assume you have complete security. Securing the data path is only one measure needed to ensure security. This appendix briefly discusses some important security considerations.

Security Practice

Develop and document a Security Practice. The Security Practice should state:

The dos and don’ts of maintaining security. For example, the power of SSH and SSL is compromised if users leave sessions open or advertise their password.

The assumptions that users can make about the facility and network infrastructure, for example, how vulnerable the CAT 5 wiring is to tapping.

Factors Affecting Security

External factors affect the security provided by the SLB device, for example:

Telnet sends the login exchange as clear text across Ethernet. A person snooping on a subnet may read your password.

A terminal to the SLB branch office manager may be secure, but the path from the SLB device to the end device may not be secure.

With the right tools, a person having physical access to open the SLB branch office manager may be able to read the encryption keys.

There is no true test for a denial-of-service attack—there is always a legitimate scenario for a request storm. A denial-of-service filter locks out some high- performance automated/scripted requests. The SLB device will attempt to service all requests and will not filter out potential denial–of-service attacks.

SLB™ Branch Office Manager User Guide

266

Image 266

Lantronix 900-510 manual Security Considerations, Security Practice, Factors Affecting Security

Contents

SLB Branch Office Manager User Guide Part Number 900-510 Revision C October Technical Support Lantronix, Inc Corporate HeadquartersTechnology Drive Irvine, CA 92618, USA Toll Free Phone Fax October SeptemberMay Table of Contents Command Line Interface Typical InstallationsIP Address Method #1 Using the Front Panel Display IP Filter Commands Routing Typical Setup Scenarios for the SLB Device Device Ports SettingsPower Outlets NFS and SMB/CIFS Audit Log Diagnostics Connection ConfigurationLocal and Remote Users Local/Remote User Settings NIS Introduction to Commands Application Examples 206 206 Accessing the Bootloader Bootload CommandsSecurity Practice Factors Affecting Security 213 Chapter Summaries About This GuidePurpose and Audience Remaining chapters in this guide include Additional Documentation Operation Features Overview Meets Needs of Branch Offices Types of Business BenefitsTypical Equipment SLB088412-01 ModelsSLB088411-01 System Features SLB 8 Front Configuration Options Access ControlPower Outlet Control Protocols Supported Application Example Hardware Features SLB hardware includes the following Serial Connections Device Port Connections Network Connections PC Card Interface Installation What’s in the Box Technical Specifications Product Information Label Physical Installation To install the SLB branch office manager in a rack Connecting a Terminal Connecting to a Device PortConnecting to a Network Port To connect to a device port To connect a terminal Connecting to a Power SourceConnecting Devices to Power Outlets To avoid the possibility of noise due to arcing To connect devices to the unmanaged Ethernet switch Typical InstallationsConnecting Devices to the 8-Port Ethernet Switch SLB Installation Using the Integrated Ethernet Switch Methods of Assigning an IP Address Quick SetupIP Address Detector Front Panel LCD Display and Pushbuttons Method #1 Using the Front Panel DisplayBefore You Begin Navigating Entering the SettingsTo enter setup information Quick Setup To use the LCD display to restore factory default settings Method #2 Quick Setup on the WebRestoring Factory Defaults To complete the Quick Setup Network Settings Date & Time Settings To save your entries, click the Apply button Administrator SettingsSysadmin Password/ Retype Configure Eth1 Method #3 Quick Setup on the Command Line InterfaceTo complete the command line interface Quick Setup script Enter the following information at the prompts Specifying SysadminPassword Date/Time Next Step To logout, type logout at the prompt and press Enter Web and Command Line Interfaces Web Interface Apply Button Port, Switch, and Power Outlet BarLogout Button Tabs Options Port Number Bar Icons Help Button Web Page Help LoggingLogging off To log out of the SLB command line interface Command Line InterfaceTo log in to the SLB command line interface Logging out Actions and Category Options Command SyntaxCommands have the following format Tips Command Line HelpFor general command line Help, type General CLI Commands Basic Parameters Requirements Eth1 and Eth2 Settings To enter settings for one or both network ports Eth 1 and/or Eth2 SettingsEth 1 and/or Eth IPv6 Address Gateway Ethernet Counters Hostname & Name Servers Network Commands IP Filter Viewing IP Filters Administrator can add, edit, delete, and map IP filters Configuring IP FiltersTo enable IP filters Enabling IP Filters Ruleset Name Rule ParametersTo add an IP filter Example FILTER-2 Mapping a Rule Set Updating an IP FilterDeleting an IP Filter To delete a mapping IP Filter CommandsTo map a rule set to a network interface To set IP filter mapping Dynamic Routing To configure routing settingsRouting Static Routing Equivalent Routing Commands To configure static or dynamic routing To configure SSH, Telnet, and Logging settings ServicesSystem Logging and Other Services SSH/Telnet/Logging Enter the following settings System Logging Telnet To save, click the Apply button Audit LogPhone Home Enable Agent Enable Traps Communities Version V3 Read-Write User SNMP, SSH, Telnet, and Logging CommandsV3 Read-Only User Range is 1-500 Kbytes Services To view current services To configure NFS and SMB/CIFS NFS and SMB/CIFS Enter the following for up to three directories NFS MountsSMB/CIFS Share To mount a remote NFS share NFS and SMB/CIFS CommandsTo view NFS share settings To unmount a remote NFS share To view SMB/CIFS settings Secure Lantronix Network Services Services Manually Entered IP Address List provides a list of IP Secure LantronixNetwork Search To set the local date, time, and time zone Secure Lantronix Network CommandsDate and Time Enable NTP Change Synchronize via Date and Time CommandsTo view the local date, time, and time zone To view NTP settings Device Ports Connection Methods Device Status Global Port SettingsPermissions Starting Telnet Port To set up Telnet, SSH, and TCP port numberingTelnet/SSH/TCP in Port Numbers To configure a specific port Global CommandsClick the Apply button to save the settings To set limits on direct connections To view global settings for device ports Device Ports SettingsTo configure settings for all or a group of device ports To open the Device Ports Settings Device Ports IP Settings To enter device port settings Data Settings Hardware Signal Triggers Modem Settings Modem Settings Text Mode Modem Settings PPP Mode Restart Delay Port Status and Counters Password for logging into the SLP power manager To enter SLP commandsSLP Login User ID for logging into the SLP power manager SLP Status/Info SLP Commands Device Port Sensorsoft Device Device Port Commands To configure a single port or a group of ports Device Ports To view a list of all device port names Device CommandsTo view the settings for one or more device ports To view the modes and states of one or more device ports To connect to a device port to monitor it Interacting with a Device PortSlp infeedstatus Local Logging  To escape from the connect listen command, press any keyDevice Ports Logging Endpoint is one Email/SNMP Notification NFS File LoggingPC Card Logging To set logging parameters Sylog LoggingLocal Logging Email/SNMP Traps NFS File Logging PC Card Logging Logging CommandsTo configure logging settings for one or more device ports Syslog Logging To set console port parameters Console PortTo clear the local log for a device port Change the following as desired Console Port CommandsConnecting Click the Apply button to save the changes To view console port settings Power OutletsTo configure console port settings To configure a power outlet View or enter the following information for each outlet To view power outlet settings Power Outlet CommandsTo configure and control power outlets Host Lists Host List Name Host ParametersHost List Id view Retry Count Escape Sequence To view or update a host list Host List Commands To delete a host list To display the members of a host list To add a new host entry to a list or edit an existing entryTo move a host entry to a new position in the host list To set up PC Card storage in the SLB device PC Cards Unmount Storage SettingsEnter the following settings for the selected PC Card Format To enter modem settings for a PC Card Filesystem Enter or view the following State Data Settings D2 &c1 E1 Q0 GSM Global System for Mobile communication Isdn SettingsGSM/GPRS Settings Text Mode PPP Mode Telnet Port IP SettingsService Range To format a Compact Flash card To view a directory listing of a Compact Flash cardTo unmount a Compact Flash card To rename a file on a Compact Flash card Removes a file on a Compact Flash card PC Card Modem CommandsTo configure a currently loaded PC Card modem SLB Branch Office Manager User Guide 124 Connections Terminal Server Typical Setup Scenarios for the SLB DeviceRemote Access Server Console Server Reverse Terminal ServerMultiport Device Server SLB Branch Office Manager User Guide 128 Data Flow Connection ConfigurationTo create a connection SSH Out Options Trigger Where SSH flags is one or more of user Login Name Connection CommandsTo view, update, or disconnect a current connection To configure initial timeout for outgoing connections To monitor a device port To display details for a single connection To terminate a bidirectional or unidirectional connectionTo view connections and their IDs To display global connections User Authentication Example NIS Network Ldap LightweightDirectory Access Information Authentication Commands To set ordering of authentication methods Local and Remote Users To enable local and/or remote usersTo set password requirements for local users To add, edit, or delete a user Local/Remote User SettingsLocal User Passwords To add a user Data Ports Enter the following information for the userListen Ports Clear Port At Login AccessOutlets Enable for Password Change Web Access Users plus Networking , Date/Time , Reboot & ShutdownFull Administrative Configuration To edit a local user To change the sysadmin passwordShortcut To add a user based on an existing user To delete a local user To enable or disable authentication of local users Local Users CommandsTo set whether a complex login password is required To set a login password for the local user To view settings for all users or a local user Local User Rights CommandsRemote User Commands To block lock out a users ability to log To remove a remote user To view settings for all remote usersClick the User Authentication tab and select the NIS option Broadcast for NIS Enable NISNIS Domain NIS Master Server Clear Port Buffers Access OutletsSelect or clear the checkboxes for the following rights NIS Commands Shutdown To set group and permissions for NIS users To set a default custom menu for NIS usersTo view NIS settings Enable Ldap Base Bind PasswordRetype Password Bind Name Selects Reboot & Shutdown Reports Web Access To view Ldap settings Ldap CommandsTo set a default custom menu for Ldap users To set user group and permissions for Ldap users Radius Server #1 Port Enable RadiusRadius Server #1 1812 Server #1 Secret SLB Branch Office Manager User Guide 156 Radius Commands Kerberos To set a default custom menu for Radius usersTo view Radius settings To set user group and permissions for Radius users Enable Kerberos Realm Use Ldap KDC IP AddressKDC Port SLB Branch Office Manager User Guide 161 To set user group and permissions for Kerberos users Kerberos CommandsTo set a default custom menu for Kerberos users To view Kerberos settings TACACS+ Secret Enable TACACS+TACACS+ Servers SLB Branch Office Manager User Guide 165 To view TACACS+ settings TACACS+ CommandsTo set a default custom menu for TACACS+ users SSH Keys Imported Keys Exported Keys Imported Keys SSH Host & User Associated with Key Host & Login for Import Exported Keys SSH Out To view or delete a key Host and Login for ExportTo view, reset, or import SSH RSA1, RSA, And DSA host keys Export via Host Key Reset to DefaultView or enter the following Import Host Key SSH Commands To import an SSH key To delete a key To reset defaults for all or selected host keysTo export a key To display SSH keys that have been imported Custom User Menu CommandsCustom User Menus To display SSH keys that have been exported To assign a custom user menu to a local or remote user To set the optional title for a menu Example SLB Branch Office Manager User Guide 177 SLB Branch Office Manager User Guide 178 To configure settings Maintenance and OperationSLB Maintenance General Welcome Banner SLB Firmware Boot Banks Configuration Management To manage configuration files To view, reset, import, or change an SSL Certificate Firmware & Configurations Web SessionsFirmware & Configurations SSL Certificate To view or terminate current web sessions Import SSL If desired, enter the followingCertificate Certificate Filename To set up an SLB iGoogle gadget IGoogle Gadgets To add welcome, login, and logout banners Administrative CommandsTo reboot the SLB device To prepare the SLB branch office manager to be powered off To view current timeout and all active web sessions To enable or disable iGoogle Gadget web contentTo configure the timeout for web sessions To update SLB firmware to a new revision To restore the SLB device to factory default settings To view keypad settingsTo view FTP settings System Logs SLB Branch Office Manager User Guide 191 Select to Lantronix Tech Support To clear one or all of the system logs System Log CommandAudit Log Diagnostics Netstat Select DiagnosticsARP Table Host Lookup Send Packet SLB Branch Office Manager User Guide 197 To resolve a host name into an IP address Diagnostic CommandsTo display a report of network connections To verify that the host is up and running To display all network traffic, applying optional filters Status/ReportsTo generate and send Ethernet packets View Report View Report SLB Branch Office Manager User Guide 201 Status Commands Events There is no default Response is one Events CommandsTrigger is one Snmp Trap OID To view events To update event definitionsTo delete an event SLB Branch Office Manager Configuration Application Examples Change the baud to 57600 and disable flow control Telnet/SSH to a Remote Device Connect to the device port Dial-in Text Mode to a Remote DeviceReboot the SUN server View messages from the SUN server console Connect to the SUN Unix server using the direct command Connect Local Serial Connection to Network Device via Telnet SLB Branch Office Manager User Guide 211 Command Reference Introduction to Commands Command Reference Admin banner logout Administrative CommandsAdmin banner login Admin banner show Admin config restore Admin config deleteAdmin config factorydefaults Admin config save Admin firmware copybank Admin config showAdmin firmware bootbank Admin firmware show Admin ftp show Admin ftp passwordAdmin ftp server Admin keypad Admin reboot Admin lcd resetAdmin quicksetup Admin shutdown Admin web certificate show Admin web certificateAdmin web certificate reset Admin web gadget Audit Log Commands Authentication Commands Show user Kerberos CommandsShow auth Set kerberos Default is Ldap CommandsDisplays Kerberos settings Show kerberos Show ldap Local Users CommandsDisplays Ldap settings Set localusers addedit Set localusers allowreuse Set local users complexpasswordsSet localusers maxloginattempts Set localusers state Set localusers periodwarning Set localusers passwordSet localusers periodlockout Set localusers reusehistory Set nis NIS CommandsDisplays NIS settings Show nis Set radius Radius CommandsDisplays Radius settings Set radius server Set tacacs+ TACACS+ CommandsUser Permissions Commands Show tacacs+ Set localusers permissions Set localusers lockSet localusers unlock Set remoteusers addedit Show remoteusers Set remoteusers listonlyauthSet remoteusers delete Set nisldapradiuskerberostacacs+ group Set cli terminallines CLI CommandsSet cli Displays the rights of the currently logged-in user Set history Connection CommandsShow cli Show history Connect direct Connect terminate Connect global outgoingtimeoutConnect listen deviceport Connect unidirection Show connections connid Console Port CommandsShow connections Set consoleport Set localusers Custom User Menu CommandsShow consoleport Set menu add Set nisldapradiuskerberostacacs+ custommenu Date and Time CommandsSet menu delete Show menu Show datetime Device CommandsSet command Set ntp Device Port Commands Set deviceport port Script that initializes a modem Show deviceport names Set deviceport globalShow deviceport global Diagnostic Commands Diag nettrace Diag internalsDiag netstat Diag lookup Displays system information for the SLP power manager End Device CommandsXferdatasize Size In Kbytes to Transfer Default is 1 Kbyte Diag traceroute Admin events delete Events CommandsAdmin events add Admin events edit Set hostlist addedit Host List Name Host List CommandsAdmin events show Set hostlist addedit Host List Name entry Set ipfilter state Set hostlist deleteShow hostlist Set ipfilter mapping Logging Commands Sets IP filter rules Set locallog clear Network CommandsShow locallog Set network Set network host Set network dnsSet network gateway Set network port NFS and SMB/CIFS Commands Set cifs Set cifs passwordSet nfs unmount Show cifs PC Card Storage Commands PC Card Modem Commands Pccard modem Set power outlet Power CommandsSet power alarmthreshold Example Show power Routing CommandsSet power switchingdelay Set routing Services Commands Set services Displays current services SLB Network CommandsShow services Set slcnetwork Set sshkey all export SSH Key CommandsShow slcnetwork Set sshkey delete Show sshkey export Set sshkey server resetSet sshkey server import Show sshkey server Status CommandsShow sshkey import Displays host keys public key only Show sysstatus System Log CommandsShow sysconfig Show syslog Show syslog clear Clears one or all of the system logs Bootload Commands BootloaderAccessing the Bootloader User Commands Displays information about the current user Administrator CommandsPrints bootloader variables Sends a ping request to the network host Factors Affecting Security Security ConsiderationsSecurity Practice Safety Information Safety Precautions Port Connections FusesRack Adapters and Pinouts RJ45 RJ45 DB25 Female DB9 Male RJ45 DB9 Female Use PN 200.2070A adapter with a PCs serial port Gnd DSR CTS Protocol Glossary NMS Network Management System PAP Password Authentication ProtocolRadius Remote Authentication Dial-In User Service NTP Network Time Protocol TACACS+ Terminal Access Controller Access Control System Telnet Product Names SLB Branch Office Manager SLB Series Compliance InformationManufacturer’s Name & Address FCC Notice U.S. Only Industry Canada Notice Canada Only RoHS Compliance Additional Agency Approvals and Certifications Manufacturer’s Contact RoHS Notice