1-4
Security Overview
Access Security Features
Telnet and
Web-browser
access
(WebAgent)
enabled The default remote management protocols enabled on
the switch are plain text protocols, which transfer
passwords in open or plain text that is easily captured.
To reduce the chances of unauthorized users capturing
your passwords, secure and encrypted protocols such
as SSH and SSL (see below for details) should be used
for remote access. This enables you to employ
increased access security while still retaining remote
client access.
Also, access security on the switch is incomplete
without disabling Telnet and the standard Web browser
access (WebAgent). Among the methods for blocking
unauthorized access attempts using Telnet or the
WebAgent are the following two CLI commands:
• no telnet-server: This command blocks inbound
Telnet access.
• no web-management: This command prevents use of
the WebAgent through http (port 80) server access.
If you choose not to disable Telnet and the WebAgent,
you may want to consider using RADIUS accounting to
maintain a record of password-protected access to the
switch.
“Quick Start: Using the
Management Interface
Wizard” on page 1-11
For more on Telnet and the
WebAgent, refer to the
chapter on “Interface
Access and System
Information” in the
Management and
Configuration Guide.
For RADIUS accounting,
refer to Chapter 6, “RADIUS
Authentication and
Accounting”
SSH disabled SSH provides Telnet-like functions through encrypted,
authenticated transactions of the following types:
• client public-key authentication: uses one or more
public keys (from clients) that must be stored on the
switch. Only a client with a private key that matches
a stored public key can gain access to the switch.
• switch SSH and user password authentication: this
option is a subset of the client public-key
authentication, and is used if the switch has SSH
enabled without a login access configured to
authenticate the client’s key. In this case, the switch
authenticates itself to clients, and users on SSH
clients then authenticate themselves to the switch by
providing passwords stored on a RADIUS or
TACACS+ server, or locally on the switch.
• secure copy (SC) and secure FTP (SFTP): By opening
a secure, encrypted SSH session, you can take
advantage of SC and SFTP to provide a secure
alternative to TFTP for transferring sensitive switch
information. For more on SC and SFTP, refer to the
section titled “Using Secure Copy and SFTP” in the
“File Transfers” appendix of the Management and
Configuration Guide for your switch.
“Quick Start: Using the
Management Interface
Wizard” on page 1-11
Chapter 8 “Configuring
Secure Shell (SSH)”
Feature Default
Setting
Security Guidelines More Information and
Configuration Details
To Next Page
Loading...
Need help?
General