PowerConnect Application Note #14 January 2004

www.dell.com/networking 1

Switch Management Access Security

This Application Note relates to the following Dell PowerConnect™ product(s):

• PowerConnect 33xx

Abstract

A key part of network security is ensuring that only authorized personnel have access to network elements such as switches. Without such security, unauthorized users can intercept or redirect traffic or even shut down parts of the network. This document discusses the management access methods available for Dell PowerConnect switches and explains how to implement those methods.

Applicable Network Scenarios

Controlling access to device management is a mandatory requirement for virtually any network. Without authentication, encryption, and access controls, unauthorized users can gain access to switches and intercept or redirect network traffic, reset the switch, and otherwise disrupt network operations. Consider an example in which a stack of PowerConnect 3348 switches provides Internet access for public machines at a trade show. As the diagram below shows, users of public machines at kiosks connect to the Internet via the PowerConnect switch stack and a router.

Without safeguards to control management access, virtually any user could reconfigure or shut down the switch from either side of the stack. Clearly, access controls are needed to ensure the integrity of the switch’s configuration.


Technology Background

In its simplest form, network management consists of a single network manager connecting to a single device via its serial interface. Obviously, as networks scale up in size and complexity, this solution does not scale with them, and in-band management techniques become necessary. Dell PowerConnect switches support multiple management access methods, including the following.

Telnet

Defined in Internet Engineering Task Force Request for Comment 854 (IETF RFC 854), Telnet is a simple method of providing command-line communications with a device over an IP network. Telnet provides essentially the same interface as a serial console, including the ability to log in. However, Telnet provides no assurance of data privacy: it does not encrypt traffic, so all communications, including usernames and passwords, are sent in clear text and can be read by anyone able to capture packets on the path. For this reason Telnet is not a secure method for device management. Telnet uses TCP destination port 23.

SSH

Secure shell (SSH) looks similar to Telnet but adds facilities for authentication and strong encryption of traffic. There are two versions of the SSH protocol. There are known vulnerabilities in version 1 of the protocol, but as of this writing version 2 is generally considered to be safe; where the switch allows it, version 2 should be the only version enabled. SSH is a popular method for secure access to command-line interfaces over an IP network. SSH uses TCP destination port 22. SSH was originally developed by SSH Communications Security of Finland; as of this writing the IETF is developing an SSH standard.

HTTP

The same method used to browse the Internet also provides a convenient way to browse the configuration of a device. Managing a device using the hypertext transfer protocol (HTTP) requires the device to support the HTTP service, as defined in RFC 2616. A Web user interface can provide a more user-friendly means of device management. However, HTTP management is not secure. As with Telnet, all communications are in clear text, including usernames and passwords. HTTP runs over an IP network using TCP destination port 80.

HTTPS

Just as SSH provides a secure version of Telnet, so too does secure HTTP (HTTPS) provide authentication and encryption for HTTP. HTTPS uses the same mechanisms as e-commerce sites to secure the transfer of personal information such as credit card numbers. HTTPS uses either Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to authenticate the server to the client (and, optionally, the client to the server) using certificates, and to encrypt the traffic with a negotiated cipher; the user's login then takes place inside the protected session rather than in clear text. HTTPS runs over an IP network using TCP destination port 443.

Access Profiles

Dell PowerConnect switches allow the user to define access profiles for the different methods of management. This allows the device to respond differently based on criteria such as the physical interface through which the user connects; the user's source IP address or source subnet; or the management access method (Telnet, SSH, and so on). For example, a network manager could create an access profile that allows management access only from the IP address of a management station, and only when that station uses SSH.

Authentication

When users attempt to connect to a PowerConnect switch, they must prove that they are who they say they are: they must be authenticated. The simplest and most common method of authentication on small networks is local authentication, in which a database of users and passwords resides on the PowerConnect switch itself. As networks grow, keeping these local databases synchronized across many devices becomes a challenge. A better option for larger networks is to use an external authentication server, such as a Remote Authentication Dial-In User Service (RADIUS) server. RADIUS authentication has the advantage of allowing all network devices to connect to


a single reference for authentication. It also means that when a user's credentials or access rights change, they need to be updated in only one place.

Proposed Solution Overview

Basic network security requires tight controls on access to device management. In this example, we will control management access to a Dell PowerConnect 3348 with the following steps:

1. Create a management username and password.
2. Create a management access list.
3. Permit SSH connections from IP address 10.1.0.78.
4. Deny all other connection types.
5. Apply the management access list.
6. Verify correct operation of the access list.

Note: These safeguards help prevent unauthorized remote access to the PowerConnect switch. Local access via the serial console is still possible, so securing physical access to the switch, for example by placing the device in a locked wiring closet, is also essential.

Step-By-Step Instructions

1. Create a management username and password.

Dell-3348> en
Dell-3348# configure
Dell-3348 (config)# username admin password 3C2cpk2H level 15

2. Create a management access list.

Dell-3348 (config)# management access-list SSH_only

3. Permit SSH connections from IP address 10.1.0.78.

Dell-3348 (config-macl)# permit ip-source 10.1.0.78 service ssh

4. Deny all other connection types.

Dell-3348 (config-macl)# deny service http
Dell-3348 (config-macl)# deny service https
Dell-3348 (config-macl)# deny service snmp
Dell-3348 (config-macl)# deny service telnet
Dell-3348 (config-macl)# exit

5. Apply the management access list.

Dell-3348 (config)# management access-class SSH_only
Dell-3348 (config)# exit

Apply the list from the serial console or from 10.1.0.78 itself: once it is active the switch accepts management sessions only over SSH from that address, and the console is the only other way back in.

6. Verify correct operation of the access list.

Attempts to log in to the switch using Telnet, SNMP, HTTP, or HTTPS should all fail. Attempts to use SSH from an IP address other than 10.1.0.78 should also fail, while an SSH login from 10.1.0.78 with the credentials created in step 1 should succeed.

Conclusion

We have now created a management access list on the PowerConnect 3348 switch that permits only SSH traffic from a single station using a single login and password. Any other attempt at remote switch management should fail.
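The port assignments in the Technology Background section and the verification in step 6 can be checked from a management station with the following script. It is an added example, not Dell code and not part of the original application note: it attempts a TCP connection to each management port the note lists (Telnet 23, SSH 22, HTTP 80, HTTPS 443) on a switch address you supply, and compares what answers against the policy you expect from your vantage point, which is only SSH when run from 10.1.0.78 and nothing at all from anywhere else. SNMP is deliberately not probed, because a UDP probe cannot distinguish a denied SNMP service from one that is simply not answering; check it with an SNMP client instead. The function names, the switch address and the local self-check are assumptions of this example.

```python
#!/usr/bin/env python3
"""Probe a switch's management address for the TCP management services named in
the application note and compare the result with the access list's intended policy.

Added example, not Dell code. Run it once from the permitted station (expecting
only SSH to answer) and once from any other host (expecting nothing to answer).
"""
import socket
import sys
import threading

# TCP ports from the Technology Background section. SNMP (UDP 161) is left out:
# a connect() probe cannot tell a denied SNMP service from a silent one.
TCP_MANAGEMENT_SERVICES = {"telnet": 23, "ssh": 22, "http": 80, "https": 443}


def probe_tcp(host, port, timeout=2.0):
    """Return True if host:port accepts a TCP connection within timeout, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: not reachable from here
        return False


def evaluate(observed, expected_reachable):
    """Map each probed service to a verdict against the intended policy.

    observed: {service: True if the connection was accepted}
    expected_reachable: set of services that should answer from this vantage point
    Returns {service: "ok" | "unexpected-open" | "unexpected-closed"}.
    """
    verdicts = {}
    for service, is_open in observed.items():
        should_be_open = service in expected_reachable
        if is_open == should_be_open:
            verdicts[service] = "ok"
        elif is_open:
            verdicts[service] = "unexpected-open"
        else:
            verdicts[service] = "unexpected-closed"
    return verdicts


def audit(host, expected_reachable, timeout=2.0):
    """Probe every TCP management service on host and return the verdict map."""
    observed = {svc: probe_tcp(host, port, timeout)
                for svc, port in TCP_MANAGEMENT_SERVICES.items()}
    return evaluate(observed, expected_reachable)


def local_demo():
    """Offline self-check of probe_tcp against one listening and one closed loopback port.

    Returns (result_for_open_port, result_for_closed_port); expected (True, False).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    open_port = listener.getsockname()[1]

    def accept_one():
        try:
            conn, _ = listener.accept()
            conn.close()
        except OSError:
            pass

    threading.Thread(target=accept_one, daemon=True).start()
    open_result = probe_tcp("127.0.0.1", open_port)

    # Bind and immediately release a second port so that nothing listens on it.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    listener.close()
    closed_result = probe_tcp("127.0.0.1", closed_port)
    return open_result, closed_result


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: check_mgmt.py <switch-ip> [service-expected-to-answer ...]")
        print("local self-check (open, closed):", local_demo())
        sys.exit(0)
    target, expected = sys.argv[1], set(sys.argv[2:])
    for service, verdict in sorted(audit(target, expected).items()):
        print(f"{service:6s} {verdict}")
```

From the permitted station run it as `check_mgmt.py <switch-ip> ssh`; from any other host run `check_mgmt.py <switch-ip>` with no service listed. Every line should read `ok`; an `unexpected-open` line means the access list is not doing what step 4 intended, and an `unexpected-closed` line for SSH on the permitted station means the permit entry or the source address is wrong.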


Information in this document is subject to change without notice. © 2003 Dell Inc. All rights reserved. This Application Note is for informational purposes only, and may contain typographical errors and technical inaccuracies. The content is provided as is, without express or implied warranties of any kind. Dell, the DELL logo, and PowerConnect are trademarks of Dell Inc. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.