Allied Telesis AT-S63 User Manual
AT-S63 Management Software Features Guide
Section IX: Management Security
389
Overview
Protecting your managed switches from unauthorized management
access is an important role for a network manager. Network operations
and security can be severely compromised if an intruder gains access to
critical switch information, such as a manager’s login username and
password, and uses that information to alter a switch’s configuration
settings.
access is an important role for a network manager. Network operations
and security can be severely compromised if an intruder gains access to
critical switch information, such as a manager’s login username and
password, and uses that information to alter a switch’s configuration
settings.
One way an intruder could obtain critical switch information is by
monitoring network traffic with a network analyzer, such as a sniffer, and
capturing management packets from remote Telnet or web browser
management sessions. The payload in the packets exchanged during
remote management sessions is transmitted in plaintext. The information
obtained from the management packets could enable an intruder to
access a switch.
monitoring network traffic with a network analyzer, such as a sniffer, and
capturing management packets from remote Telnet or web browser
management sessions. The payload in the packets exchanged during
remote management sessions is transmitted in plaintext. The information
obtained from the management packets could enable an intruder to
access a switch.
A way to prevent this type of assault is by encrypting the payload in the
packets exchanged during a remote management session between a
management station and a switch. Encryption makes the packets
unintelligible to an outside agent. Only the remote workstation and the
switch engaged in the management session are able to decode each
other’s packets.
packets exchanged during a remote management session between a
management station and a switch. Encryption makes the packets
unintelligible to an outside agent. Only the remote workstation and the
switch engaged in the management session are able to decode each
other’s packets.
A fundamental part of encryption is the encryption key. The key converts
plaintext into encrypted text, and back again. A key consists of two
separate keys: a private key and a public key. Together they create a key
pair.
plaintext into encrypted text, and back again. A key consists of two
separate keys: a private key and a public key. Together they create a key
pair.
The AT-S63 Management Software supports encryption for remote web
browser management sessions using the Secure Sockets Layer (SSL)
protocol. Adding encryption to your web browser management sessions
involves creating one key pair and adding the public key of the key pair to
a certificate, a digital document stored on the switch. You can have the
switch create the certificate itself or you can have a public or private
certificate authority (CA) create it for you. For an overview of the steps for
adding encryption to your web browser management sessions, refer to
“Configuring the Web Server for HTTPS” on page 385.
browser management sessions using the Secure Sockets Layer (SSL)
protocol. Adding encryption to your web browser management sessions
involves creating one key pair and adding the public key of the key pair to
a certificate, a digital document stored on the switch. You can have the
switch create the certificate itself or you can have a public or private
certificate authority (CA) create it for you. For an overview of the steps for
adding encryption to your web browser management sessions, refer to
“Configuring the Web Server for HTTPS” on page 385.
The Telnet protocol does not support encryption. To employ encryption
when remotely managing a switch using the menus interface, you must
first obtain a Secure Shell (SSH) protocol application. SSH offers the same
function as Telnet, but with encryption.
when remotely managing a switch using the menus interface, you must
first obtain a Secure Shell (SSH) protocol application. SSH offers the same
function as Telnet, but with encryption.
SSH encryption requires that you create two key pairs on the switch— a
server key pair and a host key pair and then configure the Secure Shell
protocol server software on the switch, as explained in Chapter 35,
“Secure Shell (SSH)” on page 413.
server key pair and a host key pair and then configure the Secure Shell
protocol server software on the switch, as explained in Chapter 35,
“Secure Shell (SSH)” on page 413.