Appendix a Security Considerations | Lantronix SLC 8000 specs

Appendix A: Security Considerations

The SLC advanced console manager provides data path security by means of SSH or Web/SSL. Even with the use of SSH/SSL, however, do not assume you have complete security. Securing the data path is only one measure needed to ensure security. This appendix briefly discusses some important security considerations.

Security Practice

Develop and document a Security Practice. The Security Practice should state:

The dos and don'ts of maintaining security. For example, the power of SSH and SSL is compromised if users leave sessions open or advertise their password.

The assumptions that users can make about the facility and network infrastructure, for example, how vulnerable the CAT 5 wiring is to tapping.

Factors Affecting Security

External factors affect the security provided by the SLC unit, for example:

Telnet sends the login exchange as clear text across Ethernet. A person snooping on a subnet may read your password.

A terminal to the SLC may be secure, but the path from the SLC 8000 advanced console manager to the end device may not be secure.

With the right tools, a person with physical access to open the SLC unit may be able to read the encryption keys.

There is no true test for a denial-of-service attack. There is always a legitimate scenario for a request storm. A denial-of-service filter locks out some high-performance automated/scripted requests. The SLC 8000 advanced console manager will attempt to service all requests and will not filter out potential denial-of-service attacks.

SLC™ 8000 Advanced Console Manager User Guide

328

Image 328

Lantronix SLC 8000 manual Appendix a Security Considerations, Security Practice, Factors Affecting Security

Contents

SLC Advanced Console Manager User Guide Warranty Copyright & TrademarkOpen Source Software Contacts Disclaimer & Revisions Revision History Table of Contents Web and Command Line Interfaces Quick SetupBasic Parameters Services Device Ports 100 USB/SD Card Port 157 Connections 166 User Authentication 174 Maintenance 227 Command Reference 260 Application Examples 255 Appendix B Safety Information 329 Appendix a Security Considerations 328 SLC 8000 Advanced Console Manager User Guide List of Tables List of Figures SLC 8048 Unit Front Side Part Number SLC 804812N-01-S 13 SSL Certificate97 13User Authentication Custom Menus Purpose and Audience About this GuideSummary of Chapters Additional Documentation About this Guide Features PowerIntroduction Console Management System Features Models Access Control Protocols Supported Configuration Options Hardware FeaturesDevice Port Buffer Serial Port Interfaces Device Ports Back Side Network Connections Network Connection USB Interface Memory Card Port Internal Modem Internal Modem Location Installation Power CordsWhats in the Box Product Information Label Technical Specifications Physical Installation Connecting to a Device PortTo install the SLC 8000 advanced console manager in a rack To connect to a device port Console Port and Device Port DTE Reverse Pinout Disabled Connecting Terminals Connecting to Network PortsModular Expansion for I/O Module AC Input To connect a terminal Modem Installation Modem Servicing Instructions Installation Battery Replacement Battery Part Numbers Disposal of Used Batteries from battery data sheet Battery Replacement Instructions Short the Battery and Damage the Battery Housing Installation Recommendations Quick SetupIP Address Method #1 Using the Front Panel Display Front Panel LCD Display and KeypadsNavigating Before you begin, ensure that you have Right arrow Left arrowEnter center button Up and down arrows Entering the Settings Method #2 Quick Setup on the Web Restoring Factory DefaultsTo use the LCD display to restore factory default settings To complete the Quick Setup Quick Setup Network Settings Date & Time Settings Administrator Settings Method #3 Quick Setup on the Command Line InterfaceTo complete the command line interface Quick Setup script IP Address if Config Eth1Specifying Password SysadminDate/Time Next Step Web and Command Line Interfaces Web Manager  Port Number Bar Logging To log in to the SLC web manager Logging Out Command Line InterfaceWeb Page Help Command Syntax Command Line HelpTips To log in any other user General CLI Commands To configure the current command line sessionTo set the number of lines displayed by a command To show current CLI settings To clear the command history To view the last 100 commands entered in the sessionTo view the rights of the currently logged-in user Basic Parameters Requirements To enter settings for one or both network ports Network Network Settings 12340BCD1D67000000008375BADD0057 may be shortened to Ethernet Interfaces Eth1 and Eth21234BCD1D678375BADD57 Gateway Hostname & Name Servers Network Commands DNS ServersDHCP-Acquired DNS Servers TCP Keepalive Parameters To set the default and alternate network gateways To view all network settingsTo view Ethernet port settings and counters To view DNS settings IP Filter Viewing IP FiltersMapping Rulesets To view a list of IP filters Configuring IP Filters To enable IP filtersEnabling IP Filters To delete a mapping Rule Parameters Ruleset NameIP Addresses Protocol Allow service Port RangeAction Generate rule to Updating an IP Filter IP Filter CommandsDeleting an IP Filter To configure routing settings RoutingDynamic Routing Replace Rule Number delete Rule Number Equivalent Routing Commands To configure static or dynamic routingShow routing resolveip enabledisable email Email Address Static Routing Enable VPN Tunnel To complete the VPNName Ethernet Port Authentication IKE Authentication ESPRemote Id Remote Hop/Router Configuring an IPsec VPN Tunnel through the CLI Security To enable Fips To disable Fips Services System Logging and Other Services SSH/Telnet/Logging System Logging Audit Log Telnet Web SSH/Web Telnet SettingsPhone Home Enable Agent Top Level MIB Communities Version SNMP, SSH, Telnet, and Logging Commands Set services one or more services parametersV3 Read-Only User V3 Read-Write User Set services v3passwordv3phrasev3rwpasswordv3rwphrase To view current servicesShow services To configure NFS and SMB/CIFS SMB/CIFS Share Nfsserverhostname or ipaddr/exported/path NFS and SMB/CIFS Commands To view NFS share settingsTo mount a remote NFS share To unmount a remote NFS share Secure Lantronix Network To view SMB/CIFS settingsShow cifs Services Secure Lantronix Network To directly access the CLI interface for a device IP Address Login To directly access a specific port on a particular device SSH or Telnet CLI Session Secure Lantronix Network Commands Set s one or more parametersAdd IP Address delete IP Address Secure Lantronix Date and Time Search localsubnetipaddrlistbothShow slcnetwork ipaddrlist allAddress Mask To set the local date, time, and time zone 10 Services Date & Time Enable NTP Date and Time Commands To view the local date, time, and time zone To view NTP settings To configure the Web ServerWeb Server Show ntp Admin Web Commands To configure the timeout for web sessionsAdmin web timeout disable5-120 minutes Admin web protocol sslv2nosslv2 Services Web Sessions Services SSL Certificate To view, reset, import, or change an SSL Certificate Reset to Default LoginCertificate Import SSL Certificate Web Server Commands To set up an SLC iGoogle gadgetPassword / Retype Password IGoogle Gadgets 14 iGoogle Gadget Example Connection Methods Device PortsPermissions Modules Device Ports Device Status Devices Device Status Device Ports Devices Device Ports Global Commands Telnet/SSH/TCP in Port Numbers Device Ports Settings To view global settings for device portsTo open the Device Ports Settings Sshport TCP Port tcpport TCP Port telnetport TCP Port SLC 8000 Advanced Console Manager User Guide 106 Device Port Settings IP Settings Data Settings Hardware Signal Triggers Modem Settings Device Ports Modem Settings PPP Mode Modem Settings Text ModeAT S7=45 SO=0 L1 V1 X4 &D2 &c1 E1 Q0 Same authentication for DOD AuthenticationEnable NAT Remote/Dial-out Login Device Ports SLP / ServerTech CDU Device Port Status and CountersTo open the Device Ports SLP To enter SLP commands Number of OutletsNumber of Expansion Outlets Device Port Sensorsoft Device Devices Device Ports Sensorsoft Device Port Commands To view the settings for one or more device ports To set the dialout passwordShow deviceport port Device Port List or Name Device Commands To view a list of all device port namesTo view the modes and states of one or more device ports To zero the port counters for one or more device ports Interacting with a Device Port To connect to a device port to monitor it Device Ports Logging Local LoggingNFS File Logging Connect direct endpoint USB and SD Card Logging Email/SNMP NotificationSylog Logging Device Port NumberDevice Port NameFile number.log Local Logging Email/TrapsEmail/Traps Email Delay SendTrigger on Byte Threshold USB / SD Card Logging Log Viewing AttributesSyslog Logging Logging Commands To configure logging settings for one or more device portsShow locallog Device Port # or Name bytes Bytes To Display To clear the local log for a device port Console Port To set console port parameters Internal Modem Settings Console Port CommandsTo configure console port settings To view console port settings Setting Up Internal Modem Storage SLC 8000 Advanced Console Manager User Guide 128 AT S7=45 SO=0 L1 V1 X4 &D2 &c1 E1 Q0 Password/ Retype Host ListsTo add a host list Chap Handshake To retry connecting to the host list Host Parameters Escape Sequence To view or update a host list Retry connecting to the host list To delete a host list Host List CommandsTo add a new host entry to a list or edit an existing entry Scripts To move a host entry to a new position in the host listTo display the members of a host list To add a script SLC 8000 Advanced Console Manager User Guide 136 Script Name ScriptsType To view or update a script SD Card Right to view and enter settings for SD cardUser Rights Group Batch Script Syntax To rename a scriptTo delete a script To change the permissions for a script Interface Script Syntax Senduser PasswordSet myvar expr 1 + Primary Commands Secondary Commands String compare str 1 str Compare two stringsString match str 1 str Determine if two strings are equal Control Flow Commands 19 Control Flow Commands Sample Scripts Interface Script-Monitor Port SLC 8000 Advanced Console Manager User Guide 146 Batch Script-SLC CLI SLC 8000 Advanced Console Manager User Guide 148 Sites To add a siteSite Id Site Name Login/CHAP Host Dial-out LoginDial-out Password Chap Secret To view or update a site To delete a siteTo create or edit a site Set site addedit Site Name parameters Dial Modem Dialing StatesSet site delete Site Name show site allnamesSite Name Dial-back Dial-on-demand Dial-in & Dial-on-demand Dial-back & Dial-on-demand Cbcp Server SLC 8000 Advanced Console Manager User Guide 156 Set Up of USB/SD Card Storage USB/SD Card Port Click Configure Unmount FormatFilesystem Filesystem Check To configure the USB Modem port, from the USB Ports table Devices USB Modem Modem Settings Text Mode PPP Mode Remote/Dial-out Pwd Manage Files USB Commands SD Card Commands Connections Typical Setup Scenarios for the SLC UnitTerminal Server Remote Access Server Reverse Terminal Server Multiport Device Server Console Server Connection Configuration To create a connectionOutgoing Connection To view, update, or disconnect a current connection SSH OutOptions Trigger To configure initial timeout for outgoing connections Connection CommandsTo monitor a device port To view connections and their IDs To terminate a bidirectional or unidirectional connectionTo display details for a single connection To display global connections Connect global show User Authentication Ldap User Authentication Authentication Methods Kerberos Authentication Commands To set ordering of authentication methodsSet auth one or more parameters Show auth User Rights User Types and Rights Local and Remote User Settings To enable local and/or remote users Adding, Editing or Deleting a User To add a user Data Ports Listen PortsClear Port Buffers Enable for Dial-back Display Menu at LoginPassword Expires Allow Password Change SD Card Right to enter settings for SD card Select or clear the checkboxes for the following rights Local Users Commands Shortcut Local User Rights Commands Remote User Commands To view settings for all remote users To configure the SLC unit to use NIS to authenticate users User Authentication NIS Enable NIS NIS DomainBroadcast for NIS NIS Master Server SLC 8000 Advanced Console Manager User Guide 188 To view NIS settings NIS CommandsTo set group and permissions for NIS users To configure the SLC unit to use Ldap to authenticate users Ldap User Authentication Ldap Enable Ldap Uid=$login,ou=People,dc=lantronix,dc=com, and user roberts Uid=roberts,ou=People,dc=lantronix,dc=com and the password Key File is in PEM format, eg Certificate in base64 encodingPrivate key in base64 encoding Ldap Commands Adsupport enabledisableRight to enter modem settings for USB Set ldap one or more parameters To set the Ldap bind password To view Ldap settingsTo set user group and permissions for Ldap users To import or delete a certificate Radius Tcp, or udp Listen Port Radius Commands To set user group and permissions for Radius users To view Radius settings Show radius Kerberos END-VENDOR Lantronix Realm Enable KerberosKDC IP Address KDC Port Full AdministrativeUse Ldap Kerberos Commands Set kerberos group defaultpoweradminSet kerberos one or more parameters To set user group and permissions for Kerberos users To view Kerberos settings Set kerberos permissions Permission ListSet kerberos custommenu Menu Name Show kerberos TACACS+ Servers Enable TACACS+Secret SLC 8000 Advanced Console Manager User Guide 207 TACACS+ Commands Set tacacs+ group defaultpoweradminSet tacacs+ one or more parameters To set user group and permissions for TACACS+ users To view TACACS+ settings To configure Groups in the SLC unitGroups Set tacacs+ custommenu Menu Name 10 User Authentication Groups Group Name Deviceport, tcp, or udp Enable forDial-back SSH Keys Imported Keys Exported Keys SLC 8000 Advanced Console Manager User Guide 214 Host & Login for Import Imported Keys SSHExported Keys SSH Out Host & User Associated with Key Host and Login for Export To view, reset, or import SSH RSA1, RSA, And DSA host keysTo view or delete a key Key Name Key Reset to Default HostImport Host Key SSH Commands To import an SSH keySet sshkey import ftpscpcopypaste one or more parameters To export a key To reset defaults for all or selected host keys To delete a keyTo display SSH keys that have been imported To display SSH keys that have been exported Custom Menus To add a custom menu SLC 8000 Advanced Console Manager User Guide 221 Menu Name TitleNicknames Redisplay Menu Custom User Menu Commands To view or update a custom menuTo delete a custom menu To create a new custom menu from an existing custom menu To set the optional title for a menu SLC 8000 Advanced Console Manager User Guide 225 SLC 8000 Advanced Console Manager User Guide 226 Maintenance Firmware & Configurations To configure settings Maintenance Firmware & Configurations Site Information Internal TemperatureSLC Firmware Boot Banks Load Firmware Via Options Configuration Management Administrative Commands To reboot the SLC 8000 advanced console managerAdmin shutdown Manage Files To update SLC firmware to a new revision To view FTP settingsTo restore the SLC unit to factory default settings To list current hardware and firmware information To rename a saved configuration To delete a saved configurationTo list the configurations saved to a location Set temperature one or more parameters System Logs To view system logsLevel Starting at To clear system logs System Log CommandEnding at Audit Log To clear one or all of the system logs SLC 8000 Advanced Console Manager User Guide 238 Maintenance Email Log Email Log Diagnostics ARP TableNetstat Host Lookup Diagnostic Commands Diag arp email Email Address To display a report of network connections To resolve a host name into an IP addressTo verify that the host is up and running To generate and send Ethernet packets Default is To display all network traffic, applying optional filtersDiag nettrace one or more parameters Parameters ethport Maintenance Status/Reports Status/Reports Serial port settings View ReportAll Displays all reports Port Status Devices Host Lists Status Commands To display a snapshot of configurable parametersEmailing Logs and Reports To display the overall status of all SLC units To email a log to an individual 11 Emailed Log or Report SLC 8000 Advanced Console Manager User Guide 248 Event Trigger EventsEthernet Events Commands To update event definitions To configure the LCD and KeypadLCD/Keypad To delete an event To configure the Keypad To configure the LCDKeypad Locked LCD/Keypad Commands To configure banner settingsRestore Factory Defaults Password / Retype Password Banners Banner Commands Login BannerWelcome Banner Logout Banner Telnet/SSH to a Remote Device Application ExamplesSLC show deviceport port Reboot Shutdown messages from SUN SLC connect direct deviceport Dial-in Text Mode to a Remote Device Dial-in Text Mode to a Remote Device Local Serial Connection to Network Device via Telnet Local Serial Connection to Network Device via Telnet Trying Connected to Escape character is Sun OS 8.0 login Command Reference Introduction to Commands For general command line Help, type Administrative Commands Admin banner loginAdmin banner logout Admin banner show Admin banner ssh Admin banner welcomeAdmin config delete Admin config factorydefaults Admin config restore Admin config save Admin config show Admin firmware bootbankAdmin firmware show Admin firmware update Admin ftp password Admin ftp serverAdmin ftp show Admin keypad Admin keypad show Admin lcd resetAdmin memory show Admin memory swap add Size of Swap in MB usbport U1U1 Admin quicksetup Admin rebootAdmin shutdown Admin site Admin version Admin web certificateAdmin web certificate reset Admin web certificate show Admin web group Admin web timeoutAdmin web terminate Admin web show Audit Log Commands Authentication Commands Set authShow auth Show user Kerberos Commands Displays Kerberos settingsSet kerberos Show kerberos Set ldap bindpassword Ldap CommandsSet ldap Local Users Commands Set localusers addedit User Login one or more parametersSet ldap certificate importdelete Show ldap Set local users complexpasswords Set localusers allowreuseSet localusers state Set localusers delete Set localusers maxloginattempts Set localusers passwordSet localusers periodlockout Set localusers periodwarning Show localusers NIS CommandsSet nis Radius Commands Displays NIS settingsShow nis Set radius TACACS+ Commands Displays Radius settingsSet radius server Show radius User Permissions Commands Show tacacs+Set localusers group Set localusers lock Set remoteusers addedit Set localusers permissionsSet remoteusers listonlyauth Set remoteusers delete Show remoteusersSet nisldapradiuskerberostacacs+ group Set nisldapradiuskerberostacacs+ permissions Set cli CLI CommandsSet cli terminallines Connection Commands Show cliSet history Show history Connect global outgoingtimeout Connect direct Connect terminate Connect listen deviceportConnect unidirection Show connections connid Show connectionsSet consoleport Custom User Menu Commands Show consoleportSet localusers Set menu add Set menu delete Set nisldapradiuskerberostacacs+ custommenuShow menu Set nisldapradiuskerberostacacs custommenu Menu Name Date and Time Commands Set datetimeShow datetime Set ntp Set command Device CommandsShow ntp Device Port Commands Set deviceport port SLC 8000 Advanced Console Manager User Guide 294 Set deviceport global Show deviceport globalShow deviceport names Sshport TCP Port telnetport TCP Port tcpport TCP Port Show deviceport port Show portcountersShow portcounters zerocounters Show portstatus Diagnostic Commands Diag arpDiag internals Diag netstat Diag lookup Diag loopbackDiag perfstat Diag pingping6 Count=1, delay = 5 seconds Diag sendpacket hostDiag top Diag traceroute End Device Commands Slp auth loginSlp envmon Slp outletcontrol state Events Commands Admin events addSlp restart Slp system Group Commands Admin events deleteAdmin events edit Admin events show Host List Commands Set hostlist addedit Host List NameSet hostlist addedit Host List Name entry Set groups rename Group Name newname New Group Name Set hostlist delete Set hostlist edit Host List Name moveShow hostlist Set ipfilter state Internal Modem CommandsSet ipfilter mapping Logging Commands Set ip filter rules Set locallog clear Show locallogExample Set log modem pppdebug enabledisable Set log modem ppplog enabledisableSet log clear modem Network Commands Show log localSet network Set network dns Configures up to three DNS servers Set network gatewaySet network host Set network port Displays all network settings Show network gatewayShow network host Show network port NFS and SMB/CIFS Commands Set nfs mountSet nfs unmount Set cifs Routing Commands Set cifs passwordShow cifs Show nfs Show routing Security Commands Services Commands Show services SLC Network Commands SSH Key CommandsSet slcnetwork Show slcnetwork Set sshkey delete Set sshkey exportSet sshkey import Set sshkey import Set sshkey server reset Set sshkey server import typeShow sshkey export Show sshkey import Status Commands Show sshkey server System Log Commands Show sysconfigShow sysstatus Show syslog USB Access Commands USB Storage CommandsSet usb access Show syslog clear Set usb storage fsck Set usb storage formatSet usb storage mount Set usb storage unmount USB Modem Commands Set usb storage copySet usb storage delete Show usb storage VPN Commands Set usb modem U1U2 dialoutpasswordSet vpn Show usb modem Show vpn Set temperature Show temperatureSet temperature Show vpn rsakey Security Practice Appendix a Security ConsiderationsFactors Affecting Security Appendix B Safety Information Safety Precautions Rack Port Connections Appendix C Adapters and Pinouts Appendix C Adapters and Pinouts SLC 8000 Advanced Console Manager User Guide 333 Appendix D Protocol Glossary PAP Password Authentication Protocol Radius Remote Authentication Dial-In User ServiceTACACS+ Terminal Access Controller Access Control System NTP Network Time Protocol Appendix E Compliance Information Manufacturer’s Name & Address Appendix E Compliance Information RoHS Notice