Cisco Sg3008 Manual
Security: Secure Sensitive Data Management
Configuring SSD
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)

Password recovery is currently activated from the boot menu and allows the user to log on to the terminal without authentication. If SSD is supported, this option is only permitted if the local passphrase is identical to the default passphrase. If a device is configured with a user-defined passphrase, the user is unable to activate password recovery.

Configuring SSD
The SSD feature is configured in the following pages:
•SSD properties are set in the Properties page.
•SSD rules are defined in the SSD Rules page.

SSD Properties
Only users with SSD read permission of Plaintext-only or Both are allowed to set SSD properties.
To configure global SSD properties:
STEP 1 Click Security > Secure Sensitive Data Management > Properties. The following field appears:
•Current Local Passphrase Type—Displays whether the default passphrase or a user-defined passphrase is currently being used.
STEP 2 Enter the following Persistent Settings fields:
•Configuration File Passphrase Control—Select an option as described in Configuration File Passphrase Control.
•Configuration File Integrity Control—Select to enable this feature. See Configuration File Integrity Control.
STEP 3 Select a Read mode for the current session (see Elements of an SSD Rule).
To change the local passphrase:
STEP 1 Click Change Local Passphrase, and enter a new Local Passphrase:
•Default—Use the device's default passphrase.
•User Defined (Plaintext)—Enter a new passphrase.
•Confirm Passphrase—Confirm the new passphrase.

SSD Rules
Only users with SSD read permission of Plaintext-only or Both are allowed to set SSD rules.
To configure SSD rules:
STEP 1 Click Security > Secure Sensitive Data Management > SSD Rules. The currently-defined rules are displayed.
STEP 2 To add a new rule, click Add. Enter the following fields:
•User—Defines the user(s) to which the rule applies. Select one of the following options:
-Specific User—Select and enter the specific user name to which this rule applies (this user does not necessarily have to be defined).
-Default User (cisco)—Indicates that this rule applies to the default user.
-Level 15—Indicates that this rule applies to all users with privilege level 15.
-All—Indicates that this rule applies to all users.
•Channel—Defines the security level of the input channel to which the rule applies. Select one of the following options:
-Secure—Indicates that this rule applies only to secure channels (console, SCP, SSH and HTTPS), not including the SNMP and XML channels.
-Insecure—Indicates that this rule applies only to insecure channels (Telnet, TFTP and HTTP), not including the SNMP and XML channels.
-Secure XML SNMP—Indicates that this rule applies only to XML over HTTPS and SNMPv3 with privacy.
-Insecure XML SNMP—Indicates that this rule applies only to XML over HTTP, SNMPv1/v2, and SNMPv3 without privacy.
•Read Permission—The read permissions associated with the rule. These can be the following:
-Exclude—Lowest read permission. Users are not permitted to get sensitive data in any form.
-Plaintext Only—Higher read permission than Exclude. Users are permitted to get sensitive data in plaintext only.
-Encrypted Only—Middle read permission. Users are permitted to get sensitive data as encrypted only.
-Both (Plaintext and Encrypted)—Highest read permission. Users have both encrypted and plaintext permissions and are permitted to get sensitive data as encrypted and in plaintext.
•Default Read Mode—All default read modes are subject to the read permission of the rule. The following options exist, but some might be rejected, depending on the rule's read permission:
-Exclude—Do not allow reading the sensitive data.
-Encrypted—Sensitive data is presented encrypted.
-Plaintext—Sensitive data is presented as plaintext.
STEP 3 The following actions can be performed:
•Restore to Default—Restore a user-modified default rule to the default rule.
•Restore All Rules to Default—Restore all user-modified default rules to the default rule and remove all user-defined rules.
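The rule fields above can be checked against a request in a few lines. The following is an added example, not code from the Cisco guide: it models which rules cover a given user and input channel, and which Default Read Mode a rule's Read Permission admits. The helper names, the channel labels, the "Specific User:<name>" encoding and the sample rules are constructed for illustration; the guide states no precedence among several matching rules, so none is imposed.

```python
# Added example, not the Cisco guide's own code: models SSD rule matching and
# the bound a rule's Read Permission places on its Default Read Mode.
# Helper names, channel labels and sample rules are constructed.

# Read Permission -> Default Read Modes it admits. Exclude being admitted
# under every permission is an assumption (it never exposes data).
ALLOWED_MODES = {
    "Exclude": {"Exclude"},
    "Plaintext Only": {"Exclude", "Plaintext"},
    "Encrypted Only": {"Exclude", "Encrypted"},
    "Both": {"Exclude", "Encrypted", "Plaintext"},
}

# Input channel -> SSD channel class; SNMP and XML fall only in the two
# XML SNMP classes, never in plain Secure/Insecure.
CHANNEL_CLASS = {
    "console": "Secure", "scp": "Secure", "ssh": "Secure", "https": "Secure",
    "telnet": "Insecure", "tftp": "Insecure", "http": "Insecure",
    "xml-https": "Secure XML SNMP", "snmpv3-priv": "Secure XML SNMP",
    "xml-http": "Insecure XML SNMP", "snmpv1": "Insecure XML SNMP",
    "snmpv2": "Insecure XML SNMP", "snmpv3-nopriv": "Insecure XML SNMP",
}

def default_mode_permitted(read_permission, default_read_mode):
    """True if the Default Read Mode is allowed under the Read Permission."""
    return default_read_mode in ALLOWED_MODES[read_permission]

def user_selector_matches(selector, username, privilege):
    """Evaluate the rule's User field; "Specific User:<name>" is a
    constructed encoding of the Specific User option."""
    if selector == "All":
        return True
    if selector == "Level 15":
        return privilege == 15
    if selector == "Default User (cisco)":
        return username == "cisco"
    return selector == f"Specific User:{username}"

def matching_rules(rules, username, privilege, channel):
    """Rules whose User and Channel selectors cover the request. The guide
    states no precedence among several matches, so none is imposed."""
    cls = CHANNEL_CLASS.get(channel)
    return [r for r in rules if r["channel"] == cls
            and user_selector_matches(r["user"], username, privilege)]

# Constructed sample rules mirroring the SSD Rules page fields.
SAMPLE_RULES = [
    {"user": "Level 15", "channel": "Secure", "read_permission": "Both"},
    {"user": "All", "channel": "Insecure", "read_permission": "Encrypted Only"},
    {"user": "Specific User:auditor", "channel": "Secure", "read_permission": "Plaintext Only"},
]
```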
Security: SSH Client
This section describes the device when it functions as an SSH client. It covers the following topics:
•Secure Copy (SCP) and SSH
•Protection Methods
•SSH Server Authentication
•SSH Client Authentication
•Before You Begin
•Common Tasks
•SSH Client Configuration Through the GUI

Secure Copy (SCP) and SSH
Secure Shell, or SSH, is a network protocol that enables data to be exchanged over a secure channel between an SSH client (in this case, the device) and an SSH server. The SSH client helps the user manage a network composed of one or more switches in which various system files are stored on a central SSH server. When configuration files are transferred over a network, Secure Copy (SCP), an application that utilizes the SSH protocol, ensures that sensitive data, such as username/password, cannot be intercepted.
Secure Copy (SCP) is used to securely transfer firmware, boot image, configuration files, language files, and log files from a central SCP server to a device. With respect to SSH, the SCP running on the device is an SSH client application and the SCP server is an SSH server application.
When files are downloaded via TFTP or HTTP, the data transfer is unsecured. When files are downloaded via SCP, the information is downloaded from the SCP server to the device via a secure channel. The creation of this secure channel is preceded by authentication, which ensures that the user is permitted to perform the operation. Authentication information must be entered by the user, both on the device and on the SSH server, although this guide does not describe server operations.
The following illustrates a typical network configuration in which the SCP feature might be used.
[Figure: Typical Network Configuration]

Protection Methods
When data is transferred from an SSH server to a device (client), the SSH server uses various methods for client authentication. These are described below.

Passwords
To use the password method, first ensure that a username/password has been established on the SSH server. This is not done through the device's management system, although, after a username has been established on the server, the server password can be changed through the device's management system.
The username/password must then be created on the device. When data is transferred from the server to the device, the username/password supplied by the device must match the username/password on the server. Data can be encrypted using a one-time symmetric key negotiated during the session.
Each device being managed must have its own username/password, although the same username/password can be used for multiple switches. The password method is the default method on the device.

Public/Private Keys
To use the public/private key method, create a username and public key on the SSH server. The public key is generated on the device, as described below, and then copied to the server. The actions of creating a username on the server and copying the public key to the server are not described in this guide.
RSA and DSA default key pairs are generated for the device when it is booted. One of these keys is used to encrypt the data being downloaded from the SSH server. The RSA key is used by default. If the user deletes one or both of these keys, they are regenerated.
The public/private keys are encrypted and stored in the device memory. The keys are part of the device configuration file, and the private key can be displayed to the user, in encrypted or plaintext form. Since the private key cannot be copied directly to the private key of another device, an import method exists that enables copying private keys from device to device (described in Import Keys).

Import Keys
In the key method, individual public/private keys must be created for each individual device, and these private keys cannot be copied directly from one device to another because of security considerations.
If there are multiple switches in the network, the process of creating public/private keys for all the switches might be time-consuming, because each public/private key must be created and then loaded onto the SSH server. To facilitate this process, an additional feature enables secure transfer of the encrypted private key to all switches in the system.
When a private key is created on a device, it is also possible to create an associated passphrase. This passphrase is used to encrypt the private key and to import it into the remaining switches. In this way, all the switches can use the same public/private key.

SSH Server Authentication
A device, as an SSH client, only communicates with a trusted SSH server. When SSH server authentication is disabled (the default setting), any SSH server is considered trusted. When SSH server authentication is enabled, the user must add an entry for each trusted server to the Trusted SSH Servers Table. This table holds a maximum of 16 servers and stores the following information for each trusted SSH server:
•Server IP address/host name
•Server public key fingerprint
When SSH server authentication is enabled, the SSH client running on the device authenticates the SSH server using the following process:
•The device calculates the fingerprint of the received SSH server's public key.
•The device searches the SSH Trusted Servers table for the SSH server's IP address/host name. One of the following can occur:
-If a match is found, both for the server's IP address/host name and its fingerprint, the server is authenticated.
-If a matching IP address/host name is found, but there is no matching fingerprint, the search continues. If no matching fingerprint is found, the search is completed and authentication fails.
-If no matching IP address/host name is found, the search is completed and authentication fails.
•If the entry for the SSH server is not found in the list of trusted servers, the process fails.
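The lookup described above, as an added example that is not code from the Cisco guide: a model of the Trusted SSH Servers table (16-entry limit, authentication off by default) and the host-then-fingerprint search, including the case where a host has more than one entry, as happens across a server key rollover. The guide does not name the fingerprint hash, so SHA-256 over the raw public-key bytes is an assumption here; the host names and key bytes are constructed.

```python
# Added example, not the Cisco guide's own code: a model of the Trusted SSH
# Servers table and the server-authentication lookup described above. The
# guide does not name the fingerprint hash; SHA-256 over the raw public-key
# bytes is an assumption, and the sample keys below are constructed.
import hashlib

MAX_TRUSTED_SERVERS = 16  # table limit stated in the guide

def fingerprint(public_key: bytes) -> str:
    """Fingerprint of a server public key (hash choice is an assumption)."""
    return hashlib.sha256(public_key).hexdigest()

class TrustedServers:
    """Trusted SSH Servers table; server authentication is off by default."""
    def __init__(self, server_auth_enabled=False):
        self.enabled = server_auth_enabled
        self.entries = []  # (host, fingerprint); a host may appear more than once

    def add(self, host, fp):
        if len(self.entries) >= MAX_TRUSTED_SERVERS:
            raise ValueError("Trusted SSH Servers table is full")
        self.entries.append((host, fp))

    def authenticate(self, host, received_public_key):
        """Apply the guide's process to the key a server presents."""
        if not self.enabled:
            return True  # any server is trusted while authentication is off
        fp = fingerprint(received_public_key)
        for entry_host, entry_fp in self.entries:
            # A host entry with a different fingerprint does not end the
            # search; a later entry for the same host may still match.
            if entry_host == host and entry_fp == fp:
                return True
        return False  # no host entry, or no fingerprint matched

# Constructed sample key material (not real SSH keys).
KEY_OLD = b"constructed-server-key-v1"
KEY_NEW = b"constructed-server-key-v2"
KEY_ROGUE = b"constructed-impostor-key"

def demo():
    """Table with two entries for one host (key rollover); returns verdicts."""
    table = TrustedServers(server_auth_enabled=True)
    table.add("scp.example.net", fingerprint(KEY_OLD))
    table.add("scp.example.net", fingerprint(KEY_NEW))
    return {
        "old_key": table.authenticate("scp.example.net", KEY_OLD),
        "new_key": table.authenticate("scp.example.net", KEY_NEW),
        "rogue_key": table.authenticate("scp.example.net", KEY_ROGUE),
        "unknown_host": table.authenticate("10.0.0.9", KEY_NEW),
    }
```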
SSH Client Authentication
SSH client authentication by password is enabled by default, with the username/password being “anonymous”. The user must configure the following information for authentication:
•The authentication method to be used.
•The username/password or public/private key pair.
In order to support auto configuration of an out-of-box device (a device with factory default configuration), SSH server authentication is disabled by default.

Supported Algorithms
When the connection between a device (as an SSH client) and an SSH server is established, the client and SSH server exchange data in order to determine the algorithms to use in the SSH transport layer. The following algorithms are supported on the client side:
•Key Exchange Algorithm
-diffie-hellman
•Encryption Algorithms
-aes128-cbc
-3des-cbc
-arcfour
-aes192-cbc
-aes256-cbc
•Message Authentication Code Algorithms
-hmac-sha1
-hmac-md5
NOTE Compression algorithms are not supported.
Before You Begin
The following actions must be performed before using the SCP feature:
•When using the password authentication method, a username/password must be set up on the SSH server.
•When using the public/private key authentication method, the public key must be stored on the SSH server.

Common Tasks
This section describes some common tasks performed using the SSH client. All pages referenced are pages found under the SSH Client branch of the menu tree.
Workflow 1: To configure the SSH client and transfer data to/from an SSH server, perform the following steps:
STEP 1 Decide which method is to be used: password or public/private key. Use the SSH User Authentication page.
STEP 2 If the password method was selected, perform the following steps:
a. Create a global password in the SSH User Authentication page, or create a temporary one in the Upgrade/Backup Firmware/Language or Backup Configuration/Log pages, when you actually activate the secure data transfer.
b. Upgrade the firmware, boot image or language file, using SCP, by selecting the via SCP (over SSH) option in the Upgrade/Backup Firmware/Language page. The password can be entered in this page directly, or the password entered in the SSH User Authentication page can be used.
c. Download/backup the configuration file, using SCP, by selecting the via SCP (over SSH) option in the Download/Backup Configuration/Log page. The password can be entered in this page directly, or the password entered in the SSH User Authentication page can be used.
STEP 3 Set up a username/password on the SSH server or modify the password on the SSH server. This activity depends on the server and is not described here.