Netgear GSM7224, GSM7352S, GSM7324, GSM7312, GSM7328S Application Note


Application Note: Configuring and Enabling Management Security

Publication Version 1.0, February 2006

© 2006 by NETGEAR, Inc. All rights reserved.

Trademarks

NETGEAR and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation.

Other brand and product names are registered trademarks or trademarks of their respective holders. Portions of this document are copyright Intoto, Inc.

Disclaimers

Information in this document is subject to change at any time without notice and is provided "as is" with no warranty. NETGEAR, Inc. makes no warranty of any kind with regard to this material including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. NETGEAR, Inc. shall not be liable for errors contained herein or for any direct, indirect, special, incidental, or consequential damages in connection with the use of this material. NETGEAR, Inc. assumes no responsibility for customer product design or the use or application of customers' products or for any infringements of patents or rights of others which may result from NETGEAR, Inc. assistance. The content of this application note does not imply that NETGEAR, Inc. intends to make it available in any NETGEAR managed switch product. NETGEAR, Inc. may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give any license to these patents.

Product and Publication Details

Model Number:
Publication Date: February 2006
Product Family: NETGEAR managed switch
Product Name: 7xxx Series Managed Switch
Home or Business Product: Business
Language: English
Publication Part Number: Beta Draft 1
Publication Version Number: 1.0


Contents

Chapter 1
Introduction

Chapter 2
Enabling Management Security
    Certificate Generation ........................................ 2-1
    Configuring Secure Shell ...................................... 2-2
        Disabling Insecure Access ................................. 2-3
    Configuring Secure Socket Layer ............................... 2-3
        Preventing Insecure Web Sessions .......................... 2-4

Appendix A
Certificate Generation Scripts
    SSH ........................................................... A-1
    SSL ........................................................... A-1
    SSL Helper Files .............................................. A-3


Chapter 1

Introduction

In the past, network communications were simply a matter of packaging frames of information and shipping them over the wire to their destination. Protocols gave little thought to who might be viewing the frames as they crossed the wire, or what illegitimate parties might do with the information so gleaned. More and more, security has become an ever-present concern amongst the members of the networking community. Networking infrastructure is far too important to risk abuse by hackers, whether they are malevolent or simply mischievous. As a whole, the community has turned to encryption as a means of ensuring the security of network transactions.

Interactive login is a mainstay for providing a means to control and/or configure an entity across the network. For decades the telnet protocol has provided this capability for devices wishing to offer interactive login over a network. However, telnet and similar protocols are chief culprits with regard to the transmission of sensitive information (e.g. passwords) over the network unprotected. The current de facto standard for providing interactive login in a secure fashion is the Secure Shell (SSH). SSH provides a number of services in a secure manner, including port forwarding, file transfer, X11 forwarding, and interactive login. Of these, currently only interactive login is of interest for the NETGEAR managed switch software.

Managing devices with a web browser has been standard practice for several years. Unfortunately, standard HTTP transactions are no more secure than telnet. This was one of the original barriers to the success of "e-commerce". The solution (then and now) is the use of the Secure Sockets Layer (SSL) protocol. SSL provides a means of abstracting an encrypted connection between two stations. Once established, such a connection is, in use, virtually no different from an unsecured connection. This allows an established protocol (e.g. HTTP) to operate in a secure manner on an open network.

A third component of management on a modern networking appliance is SNMP. The SNMP protocol has its own security mechanisms outside of SSH and SSL. Consequently, discussion of security for SNMP transactions is outside the scope of this document.
