Enterasys csx5500 用户指南
Central Site Remote Access Switch 37
T
HE
C
YBER
SWITCH
Security Overview
Link layer encryption is independent of any network layer protocols. Since PPP provides transport
of IP, IPX, AppleTalk, and other protocols, link layer encryption based on ECP provides multi-
protocol encryption by default. Devices implementing it can act as routers or bridges, as long as the
underlying WAN protocol is PPP.
of IP, IPX, AppleTalk, and other protocols, link layer encryption based on ECP provides multi-
protocol encryption by default. Devices implementing it can act as routers or bridges, as long as the
underlying WAN protocol is PPP.
To use link layer encryption, the connection between encrypting and decrypting devices must truly
be point-to-point. This includes ISDN dial-up connections, or point-to-point dedicated lines.
be point-to-point. This includes ISDN dial-up connections, or point-to-point dedicated lines.
S
ECURITY
O
VERVIEW
The system provides several options for validating remote devices and for managing network
security. The security options available are dependent on the remote device type, type of access,
and the level of security required.
security. The security options available are dependent on the remote device type, type of access,
and the level of security required.
Levels of security include no security, device level security, user level security, and multi-level
security. Device level security is an authentication process between devices, based on protocol and
preconfigured information. Security information is configured either in the system’s On-node
Device Database, or in a central database such CSM. Here the network administrator specifies all
of the security information for each individual user. A portion of this information is used to identify
the remote device. The remaining data is used to perform user validation after user identification
has been completed.
security. Device level security is an authentication process between devices, based on protocol and
preconfigured information. Security information is configured either in the system’s On-node
Device Database, or in a central database such CSM. Here the network administrator specifies all
of the security information for each individual user. A portion of this information is used to identify
the remote device. The remaining data is used to perform user validation after user identification
has been completed.
User level security is an interactive process. It is currently supported on the system through the
TACACS or ACE server programmed for use with security token cards. With user level security,
the potential network user explicitly connects to the server and must properly “converse” with it
in order to connect with other devices beyond the server.
TACACS or ACE server programmed for use with security token cards. With user level security,
the potential network user explicitly connects to the server and must properly “converse” with it
in order to connect with other devices beyond the server.
Important to user level authentication is the security token card. This card, programmed in
conjunction with the authentication server, generates random passwords. These passwords must
be supplied correctly at system login time, or access to the network will be denied. The security
token cards should be issued to each user on the network to properly maintain system integrity.
conjunction with the authentication server, generates random passwords. These passwords must
be supplied correctly at system login time, or access to the network will be denied. The security
token cards should be issued to each user on the network to properly maintain system integrity.
Multi-level security provides device level security for all remote devices. Individual devices may
be configured for user level authentication as well. In this case, device level authentication takes
place between the system and the remote device. Then a specific user must initiate user level
authentication by starting a Telnet session. Both levels of authentication must be satisfied before
traffic can pass.
be configured for user level authentication as well. In this case, device level authentication takes
place between the system and the remote device. Then a specific user must initiate user level
authentication by starting a Telnet session. Both levels of authentication must be satisfied before
traffic can pass.
N
ETWORK
I
NTERFACE
O
VERVIEW
The network interface is the physical connection of the CyberSWITCH to a data network. For
example, the Ethernet resource in the system provides a network interface to an Ethernet LAN. The
ISDN lines in the system provide network interfaces to multiple remote networks. Because of their
switched nature, the ISDN lines provide virtual network interfaces. That is, the same physical ISDN
line can actually connect to different remote networks by dialing a different phone number.
example, the Ethernet resource in the system provides a network interface to an Ethernet LAN. The
ISDN lines in the system provide network interfaces to multiple remote networks. Because of their
switched nature, the ISDN lines provide virtual network interfaces. That is, the same physical ISDN
line can actually connect to different remote networks by dialing a different phone number.
The CyberSWITCH provides a set of network interfaces that give you a wide range of flexibility.
The network interfaces provided by the system are:
•
The network interfaces provided by the system are:
•
LAN IP Network Interface
•
LAN IPX Network Interface