Application Note: Configuring and
Enabling Management Security
Publication Version 1.0, February 2006
i
© 2006 by NETGEAR, Inc. All rights reserved.
Trademarks
NETGEAR and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc..
Microsoft, Windows, and Wi ndow s NT are registered trademar ks of Microsoft Corporation.
Other brand and product names are registered trademarks or trademarks of their respective holders. Portions of this
document are copyright Intoto, Inc.
Disclaimers
February 2006 Information in this document is subject to change at any time without notice and is provided "as is" with
no warranty. NETGEAR, Inc. makes no warranty of any kind with regard to this material including, but not limited to,
the implied warranties of merchantability and fitness for a particular purpose. NETGEAR, Inc. shall not be liable for
errors contained herein or for any direct, indirect, special, incidental, or consequential damages in connection with the
use of this material. NETGEAR, Inc. assumes no responsibility for customer product design or the use or application of
customers' products or for any infringements of patents or rights of others which may result from NETGEAR, Inc.
assistance. The content of this application notes does not imply that NETGEAR, Inc. intends to make it availab le in any
NETGEAR managed switch product. NETGEAR, Inc. may have patents or pending patent applications covering
subject matter in this document. The furnishing of this document does not give any license to these patents.
Product and Publication Details
Model Number:
Publication Date: February 2006
Product Family: NETGEAR managed switch
Product Name: 7xxx Series Managed Switch
Home or Business Product: Business
Language: English
Publication Part Number: Beta Draft 1
Publication Version Number 1.0
ii
Publication Version 1.0, February 2006
Contents
Application Note: Configuring and Enabling Management Security
Chapter 1
Introduction
Chapter 2
Enabling Management Security
Certificate Generation .....................................................................................................2-1
Configuring Secure Shell ................................................................................................2-2
Disabling Insecure Access .......................................................................................2-3
Configuring Secure Socket Layer ...................................................................................2-3
Preventing Insecure Web Sessions .........................................................................2-4
Appendix A
Certificate Generation Scripts
SSH ............................................................................................................................... A-1
SSL ..................................... .......................................... .......................................... ....... A-1
SSL Helper Files ............................................................................................................ A-3
Publication Version 1.0, February 2006
iii
iv
Publication Version 1.0, February 2006
Application Note: Configuring and Enabling Management Security
Chapter 1
Introduction
In the past, network communications were simply a matter of packaging frames of
information and shipping them over the wire to their destination. Protocols gave
little thought to who might be viewing the frames as they crossed the wire, or
what illegitimate parties might do with the information so gleaned. More and
more, security has become an ever-present concern amongst the members of the
networking community. Networking infrastructure is far too important to risk
abuse by hackers, whether they are malevolent or simply mischievous. As a
whole, the community has turned to encryption as a means of ensuring the
security of network transactions.
Interactive login is a mainstay for providing a means to control and/or configure
an entity across the network. For decades the telnet protocol has provided this
capability for devices wishing to provide interactive login over a network.
However, these protocols are chief culprits with regard to the transmission of
sensitive information (e.g. passwords) over the network unprotected. The current
de facto standard for providing interactive login in a secure fashion is the Secure
Shell (SSH). SSH provides a number of services in a secure manner. These
include port forwarding, file transfer, X11 forwarding, and interactive login. Of
these, currently only interactive login is of interest for the NETGEAR managed
switch software.
Managing devices with a web browser has been standard practice for several
years. Unfortunately, standard HTTP transactions are no more secure than telnet.
This was one of the original barriers to the success of "e-commerce". The solution
(then and now) is the use of the Secure Sockets Layer (SSL) protocol. SSL
provides a means of abstracting an encrypted connection between two stations.
Once established, such a connection is virtually no different to use than an
unsecured connection. This allows an established protocol (e.g. HTTP) to operate
in a secure manner on an open network.
A third component of management on a modern networking appliance is SNMP.
The SNMP protocol has it own security mechanisms outside of SSH and SSL.
Consequently discussion of security for SNMP transactions is outside the scope of
this document.
Introduction 1-1
v1.0, February 2006
Application Note: Configuring and Enabling Management Security
1-2 Introduction
v1.0, February 2006
Application Note: Configuring and Enabling Management Security
Enabling management security is a two-step process. The first step involves
generating and loading appropriate authentication keys (SSH) and security
certificates (SSL). Optionally a reputable third party such as RSA Security, Inc. or
Entrust, Inc. can validate these certificates and keys but for evaluation purposes
validation is unnecessary.
The second step involves enabling either SSL or SSH and optionally disabling the
insecure versions of telnet and web management. Once enabled, subsequent
management connections may be made in a secure manner.
Certificate Generation
Chapter 2
Enabling Management Security
To generate self-signed credentials, the open source applications ssh-keygen and
openssl can be used to create the seven files used to form the security certificates
and authentication keys. Both of these applications are well documented by the
open source community. Detailed descriptions will not be repeated here as the
user can check the man pages for detailed help. Two scripts are included in the
appendix at the end of this application note along with some helper files. This set
of files can be freely modified and used to generate the appropriate self-signed
credentials. Generation of these credentials has been verified using both cygwin
and Linux.
Once the component files are created, the credentials must be loaded onto the
switch running the NETGEAR managed switch. This is accomplished using the
copy command from a tftp server.
1. From privileged EXEC mode, issue the following command:
Enabling Management Security 2-1
#copy tftp://192.168.77.122/rsa1.key nvram:sshkey-rsa1
where the IP address of the tftp server should be substituted as appropriate.
v1.0, February 2006
Application Note: Configuring and Enabling Management Security
2. Repeat the copy command for all the other authentication components:
• rsa2.key nvram:sshkey-rsa2
• dsa.key nvram:sshkey-dsa
• dh512.pem nvram:sslpem-dhweak
• dh1024.pem nvram:sslpem-dhstrong
• server.pem nvram:sslpem-server
• rootcert.pem nvram:sslpem-root
The SSL and SSH credentials may be uploaded separately as needed. However, it
is likely that if security is required for one access method it will be required for all
access methods. Therefore, best practice is to create the certificates and
authentication key simultaneously.
Configuring Secure Shell
Once the authentication credentials are loaded and the certificates and
authentication keys are formed, management security may be configured on the
NETGEAR managed switch device.
1. From privileged EXEC mode, issue the command
# ip ssh
as described in the Command Line Interface Reference manual. This will allow
secure shell sessions to be instantiated on the NETGEAR managed switch.
2. Check the message log to determine the success or failure of the command.
Messages indicating successful start of the ssh service look like this:
0 days 00:17:07 Unit: 1 : File: sshd_main.c : Line: 349 :
SSHD: Done generating server key
0 days 00:17:06 Unit: 1 : File: sshd_main.c : Line: 639 :
SSHD: successfully loaded RSA2 key
0 days 00:17:06 Unit: 1 : File: sshd_main.c : Line: 627 :
SSHD: successfully opened file ssh_host_rsa_key
0 days 00:17:06 Unit: 1 : File: sshd_main.c : Line: 605 :
SSHD: successfully loaded DSA key
2-2 Enabling Management Security
v1.0, February 2006
Application Note: Configuring and Enabling Management Security
0 days 00:17:06 Unit: 1 : File: sshd_main.c : Line: 592 :
SSHD: successfully opened file ssh_host_dsa_key
0 days 00:17:06 Unit: 1 : File: sshd_control.c : Line: 400 :
SSHD: sshdListenTask started
If a secure connection cannot be established, entries such as the following indicate
the nature of the problem.
0 days 02:30:30 File: ssh_sys_fastpath.c : Line: 584 : tid
40052584, context 0x0x157dba0, deleting 40052584, retval = 1
0 days 02:30:30 File: ssh_sys_fastpath.c : Line: 401 : SSHD:
exiting global context 0x0x157dba0
0 days 02:30:30 File: sshd_main.c : Line: 550 : SSHD: host key
is corrupt (did not decode).
In this case, the authentication credentials were invalid and should be regenerated.
Disabling Insecure Access
T o disable insecure access to the NETGEAR managed switch, issue the following
command:
# no telnet
Note: Caution should be exercised before issuing this command as once
the active telnet sessions are terminated, no new telnet sessions
will be allowed. Please consult the appropriate Command
Reference for more information on configuring remote sessions.
Configuring Secure Socket Layer
Optionally or in concert with SSH, SSL may be enabled. Once again the message
log is the best source of feedback for problem determination.
1. To enable SSL, issue the privileged EXEC mode command:
2. Attempt a secure web access using https. Consult the message log for to
Enabling Management Security 2-3
# ip http secure-server
determine the success or failure status.
v1.0, February 2006
Application Note: Configuring and Enabling Management Security
Valid certificates are indicated by a message log entry that looks like the
following:
0 days 01:25:29 Unit: 1 : File: sslt_util.c : Line: 303 :
SSLT: Successfully loaded all required SSL PEM files
Certificate information may be accessed using browser-specific methods. With
Internet Explorer, the lock icon along the bottom message line can be checked for
certificate details. Additionally, when connecting to a NETGEAR managed
switch that uses self-generated credentials, Explorer will warn the user about the
authenticity of the certificate. When secure certificates are acquired from a third
party this warning will no longer occur.
Preventing Insecure Web Sessions
Insecure web sessions may be prevented by disabling the http server using the
privileged EXEC mode command:
# no ip http server
As with secure shell, the best guide for information on NETGEAR managed
switch commands that control HTTP and HTTPS access is the Command Line
Interface Reference manual.
2-4 Enabling Management Security
v1.0, February 2006
SSH
Application Note: Configuring and Enabling Management Security
Appendix A
Certificate Generation Scripts
The following two scripts and two helper files can be used to generate self-signed
certificates and authentication keys.
sshKeygen.sh
#!/bin/sh
##################################################################
#
# Generate key files for rsa and dsa
#
##################################################################
# RSA V1
/usr/bin/ssh-keygen -q -t rsa1 -f rsa1.key -C '' -N ''
# RSA V2
/usr/bin/ssh-keygen -q -t rsa -f rsa2.key -C '' -N ''
# DSA for V2
/usr/bin/ssh-keygen -q -t dsa -f dsa.key -C '' -N ''
SSL
Exercise care when using cut and paste to generate this file as formatting can wrap
some command lines. For example:
/usr/bin/openssl req -newkey rsa:1024 -sha1 -keyout
rootkey.pem -out rootreq.pem -config root.cnf -passout
pass:NETGEAR
should appear on a single line in the shell script.
Certificate Generation Scripts A-1
v1.0, February 2006
Application Note: Configuring and Enabling Management Security
pemCreate.sh
#!/bin/sh
# Ensure that OpenSSL is installed and set the location correctly
OPENSSL=/usr/bin/openssl
# Set the password to something unique
PASSWORD=NETGEAR
# Set the number of days the certs will be valid for
VALID_NUM_DAYS=3650
##################################################################
#
# Generate the Self Signed Trusted Root Certification Authority
# (CA) and Private Key
#
##################################################################
${OPENSSL} req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out
rootreq.pem -config root.cnf -passout pass:${PASSWORD}
${OPENSSL} x509 -req -days ${VALID_NUM_DAYS} -in rootreq.pem -sha1
-extfile root.cnf -extensions certificate_extensions -signkey
rootkey.pem -out rootcert.pem -passin pass:${PASSWORD}
cat rootcert.pem rootkey.pem > root.pem
rm rootkey.pem rootreq.pem
##################################################################
#
# Generate the Trusted Server Certificate
#
##################################################################
${OPENSSL} req -newkey rsa:1024 -sha1 -keyout serverkey.pem -nodes
-out serverreq.pem -config server.cnf -reqexts req_extensions passout pass:${PASSWORD}
${OPENSSL} x509 -req -days ${VALID_NUM_DAYS} -in serverreq.pem sha1 -extfile server.cnf -extensions certificate_extensions -CA
root.pem -CAkey root.pem -CAcreateserial -out servercert.pem passin pass:${PASSWORD}
cat servercert.pem serverkey.pem rootcert.pem > server.pem
rm root.pem root.srl serverkey.pem servercert.pem serverreq.pem
##################################################################
#
# Generate the Diffie-Hellman weak and strong parameters
#
##################################################################
${OPENSSL} dhparam -check -text -5
${OPENSSL} dhparam -check -text -5 1024 -out dh1024.pem
signed by the Root CA
512 -out dh512.pem
A-2 Certificate Generation Scripts
v1.0, February 2006
SSL Helper Files
root.cnf
# default settings for example.
[ ca ]
default_ca = exampleca
[ exampleca ]
dir = /opt/exampleca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha1
policy = exampleca_policy
x509_extensions = certificate_extensions
[ exampleca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
default_md = sha1
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = req_extensions
# the following sections are specific to the request being built
[ certificate_extensions ]
basicConstraints = CA:true
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Santa Clara
organizationName = NETGEAR, Inc.
Application Note: Configuring and Enabling Management Security
Certificate Generation Scripts A-3
v1.0, February 2006
Application Note: Configuring and Enabling Management Security
organizationalUnitName = Support
commonName = NETGEAR Root CA
emailAddress = support@netgear.com
[ req_extensions ]
basicConstraints = CA:true
server.cnf
# default settings for example.
[ ca ]
default_ca = exampleca
[ exampleca ]
dir = /opt/exampleca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha1
policy = exampleca_policy
x509_extensions = certificate_extensions
[ exampleca_policy ]
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = supplied
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
default_md = sha1
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = req_extensions
# the following sections are specific to the request being built
[ certificate_extensions ]
basicConstraints = CA:false
subjectAltName = DNS:localhost
A-4 Certificate Generation Scripts
v1.0, February 2006
Application Note: Configuring and Enabling Management Security
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Santa Clara
organizationName = NETGEAR, Inc.
organizationalUnitName = Support
commonName = localhost
emailAddress = support@netgear.com
[ req_extensions ]
basicConstraints = CA:true
subjectAltName = DNS:localhost
Certificate Generation Scripts A-5
v1.0, February 2006
Application Note: Configuring and Enabling Management Security
A-6 Certificate Generation Scripts
v1.0, February 2006
Loading...