
Application Note: Configuring and
Enabling Management Security
Publication Version 1.0, February 2006

© 2006 by NETGEAR, Inc. All rights reserved.
Trademarks
NETGEAR and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc.
Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation.
Other brand and product names are registered trademarks or trademarks of their respective holders. Portions of this
document are copyright Intoto, Inc.
Disclaimers
February 2006
Information in this document is subject to change at any time without notice and is provided "as is" with no warranty. NETGEAR, Inc. makes no warranty of any kind with regard to this material including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. NETGEAR, Inc. shall not be liable for errors contained herein or for any direct, indirect, special, incidental, or consequential damages in connection with the use of this material. NETGEAR, Inc. assumes no responsibility for customer product design or the use or application of customers' products or for any infringements of patents or rights of others which may result from NETGEAR, Inc. assistance. The content of this application note does not imply that NETGEAR, Inc. intends to make it available in any NETGEAR managed switch product. NETGEAR, Inc. may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give any license to these patents.
Product and Publication Details
Model Number:
Publication Date: February 2006
Product Family: NETGEAR managed switch
Product Name: 7xxx Series Managed Switch
Home or Business Product: Business
Language: English
Publication Part Number: Beta Draft 1
Publication Version Number: 1.0

Contents
Application Note: Configuring and Enabling Management Security
Chapter 1
Introduction
Chapter 2
Enabling Management Security
Certificate Generation .....................................................................................................2-1
Configuring Secure Shell ................................................................................................2-2
Disabling Insecure Access .......................................................................................2-3
Configuring Secure Socket Layer ...................................................................................2-3
Preventing Insecure Web Sessions .........................................................................2-4
Appendix A
Certificate Generation Scripts
SSH ............................................................................................................................... A-1
SSL ............................................................................................................................... A-1
SSL Helper Files ............................................................................................................ A-3
Chapter 1
Introduction
In the past, network communications were simply a matter of packaging frames of information and shipping them over the wire to their destination. Protocols gave little thought to who might be viewing the frames as they crossed the wire, or what illegitimate parties might do with the information so gleaned. Security has increasingly become an ever-present concern amongst the members of the networking community. Networking infrastructure is far too important to risk abuse by hackers, whether they are malevolent or simply mischievous. As a whole, the community has turned to encryption as a means of ensuring the security of network transactions.
Interactive login is a mainstay for controlling and/or configuring a device across the network. For decades the telnet protocol has provided this capability for devices that offer interactive login over a network. However, telnet and protocols like it are chief culprits with regard to the transmission of sensitive information (e.g. passwords) over the network unprotected. The current de facto standard for providing interactive login in a secure fashion is the Secure Shell (SSH). SSH provides a number of services in a secure manner, including port forwarding, file transfer, X11 forwarding, and interactive login. Of these, currently only interactive login is of interest for the NETGEAR managed switch software.
Managing devices with a web browser has been standard practice for several years. Unfortunately, standard HTTP transactions are no more secure than telnet. This was one of the original barriers to the success of "e-commerce". The solution (then and now) is the use of the Secure Sockets Layer (SSL) protocol. SSL provides a means of abstracting an encrypted connection between two stations. Once established, such a connection is virtually no different to use than an unsecured connection. This allows an established protocol (e.g. HTTP) to operate in a secure manner on an open network.
A third component of management on a modern networking appliance is SNMP. The SNMP protocol has its own security mechanisms outside of SSH and SSL. Consequently, discussion of security for SNMP transactions is outside the scope of this document.