Allied Telesis Layer 3 Switches Switch User Manual


 
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 9
Managing the device securely
In Ethernet and broadcast networks the privacy of traffic is not guaranteed. Hubs, and
networks outside the administrator's control, may leak sensitive data to unwanted recipients.
An attacker may even be able to force a switch to flood unicast traffic out of every port, for
example by overflowing its MAC address table with frames carrying bogus source addresses.
Because you cannot guarantee traffic privacy, you cannot be certain that management
sessions are private. Therefore, always use encrypted sessions when remotely administering
network equipment, even in networks that you know well. The simplest way to achieve this is
with Secure Shell (SSH).
This section describes secure management:
• “Using Secure Shell (SSH)” on page 9
• “Using SSL for secure web access” on page 10
• “Using SNMPv3” on page 10
The section ends by describing how to limit telnet access if you must use telnet instead of
one of the recommended secure options (“Whitelisting telnet hosts” on page 12).
When you are using a secure management scheme, we recommend that you block all telnet
access to the switch, by disabling the telnet server:
disable telnet server
Using Secure Shell (SSH)
The Secure Shell (SSH) protocol is most simply described as an encrypted form of Telnet:
the session is encrypted end to end, and the switch's host key lets the client verify that it is
talking to the right device. Configuring it takes five steps:
1. Add a security officer to your switch’s list of users.
2. Create encryption keys for SSH to use. Record the host key fingerprint so that you can
compare it the first time a client connects.
3. Enable the SSH server.
4. Add the security officer to the list of SSH users and specify a password for it. Only users
in this list can use SSH to access the switch.
5. Enable system security.
Enabling system security makes telnet unavailable as an administrative interface: once you
have configured SSH, you have to use it.
Example
To configure SSH access for the security officer called “secoff”:
add user=secoff password=securepass privilege=security telnet=yes login=yes
create enco key=0 type=rsa length=1024 description="Host Key" form=ssh
create enco key=1 type=rsa length=768 description="Server Key" form=ssh
enable ssh server serverkey=1 hostkey=0 expirytime=1 logintimeout=60
add ssh user=secoff password=sameordifferentpassword
enable system security
The passwords shown are placeholders; use strong ones. The key lengths shown (a 1024-bit
host key and a 768-bit server key) date from when this document was written and are below
current recommendations for RSA; use the longest length your software release supports.
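Before trusting a switch's SSH setup it is worth checking a saved configuration against the five steps above. The following Python script is an added example, not code from the manual or from Allied Telesis: it parses AlliedWare-style keyword=value command lines with shlex and reports the gaps a reviewer would look for (SSH server not enabled, telnet still reachable, short RSA keys, key IDs referenced but never created, SSH users without a local account). The 2048-bit minimum, the two sample configurations, and the user "netops" are assumptions constructed for the example.

```python
import shlex

# Assumption for this example: the minimum RSA length we are willing to accept.
MIN_RSA_BITS = 2048

# Constructed sample: the manual's sequence, but with telnet left enabled,
# system security not enabled, and an SSH user that has no local account.
WEAK_CONFIG = """\
add user=secoff password=securepass privilege=security telnet=yes login=yes
create enco key=0 type=rsa length=1024 description="Host Key" form=ssh
create enco key=1 type=rsa length=768 description="Server Key" form=ssh
enable ssh server serverkey=1 hostkey=0 expirytime=1 logintimeout=60
add ssh user=secoff password=sameordifferentpassword
add ssh user=netops password=anotherpassword
enable telnet server
"""

# Constructed sample: same procedure with longer keys (assumed to be supported
# by the software release), system security enabled and telnet disabled.
HARDENED_CONFIG = """\
add user=secoff password=securepass privilege=security telnet=yes login=yes
create enco key=0 type=rsa length=2048 description="Host Key" form=ssh
create enco key=1 type=rsa length=2048 description="Server Key" form=ssh
enable ssh server serverkey=1 hostkey=0 expirytime=1 logintimeout=60
add ssh user=secoff password=sameordifferentpassword
enable system security
disable telnet server
"""


def parse_commands(text):
    """Yield (verb, params) per line. Bare words form the verb ("enable ssh server");
    key=value tokens become params. shlex keeps quoted values such as "Host Key" intact."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words, params = [], {}
        for tok in shlex.split(line):
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key.lower()] = value
            else:
                words.append(tok.lower())
        yield " ".join(words), params


def audit_management(config_text):
    """Return a list of findings; an empty list means the SSH-only scheme is complete."""
    cmds = list(parse_commands(config_text))
    verbs = [v for v, _ in cmds]
    findings = []

    ssh_servers = [p for v, p in cmds if v == "enable ssh server"]
    if not ssh_servers:
        findings.append("SSH server is not enabled; management falls back to cleartext telnet")

    # Either command removes telnet as an administrative interface.
    if "disable telnet server" not in verbs and "enable system security" not in verbs:
        findings.append("telnet is still reachable: add 'disable telnet server' or 'enable system security'")

    keys = {p["key"]: p for v, p in cmds if v == "create enco" and "key" in p}
    for key_id, p in keys.items():
        if p.get("type", "").lower() != "rsa":
            continue
        bits = int(p["length"]) if p.get("length", "").isdigit() else 0
        if bits < MIN_RSA_BITS:
            desc = p.get("description", "no description")
            findings.append(f"RSA key {key_id} ({desc}) is {bits} bits, below {MIN_RSA_BITS}")

    for srv in ssh_servers:
        for role in ("hostkey", "serverkey"):
            key_id = srv.get(role)
            if key_id is not None and key_id not in keys:
                findings.append(f"enable ssh server references {role}={key_id} but no such key is created")

    local_users = {p["user"] for v, p in cmds if v == "add" and "user" in p}
    for v, p in cmds:
        if v == "add ssh" and "user" in p and p["user"] not in local_users:
            findings.append(f"SSH user '{p['user']}' has no matching local user account")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_management(cfg))} finding(s)")
        for finding in audit_management(cfg):
            print("  -", finding)
```

Run it against a configuration dump from the switch; any finding it prints maps directly to one of the five steps (or to the telnet caveat) above. The length threshold is a policy choice, so adjust MIN_RSA_BITS to what your release can generate.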
Products: All switches listed on page 2
Software Versions: All
Configuration