Basic overview – Allied Telesis AT-S62 User Manual

Chapter 31: Encryption Keys

688

Section VII: Management Security

Basic Overview

Protecting your managed switches from unauthorized management
access is an important role for a network manager. Network operations
and security can be severely compromised should an intruder gain access
to critical switch information, such as a manager’s login username and
password, and use that information to alter a switch’s configuration
settings.

One means by which an intruder could obtain critical switch information is
by covertly monitoring network traffic with a network analyzer, such as a
sniffer, and capturing management packets from remote Telnet or web
browser management sessions. The payload in the packets exchanged
during remote management sessions is transmitted in plaintext. The
information garnered from the management packets could enable an
intruder to access the management software on a switch.

One means of foiling this type assault is by encrypting the payload in the
packets exchanged during a remote management session between a
management workstation and a switch. Encryption makes the packets
unintelligible to an outside agent. Only the remote workstation and the
switch engaged in the management session are able to decode each
other’s packets.

The heart of encryption is the encryption key. The key converts plaintext
into encrypted text, and vice versa. A key consists of two separate keys: a
private key and a public key. Together they create a key pair.

The AT-S62 management software supports encryption for remote web
browser management sessions using the Secure Sockets Layer (SSL)
protocol. Adding encryption to your web browser management sessions
involves creating one key pair and adding the public key of the key pair to
a certificate, a digital document stored on the switch. You can have the
switch create the certificate itself or you can have a public or private
certificate authority (CA) create it for you. For an overview of the steps to
adding encryption to your web browser management sessions, refer to
“General Steps to Configuring the Web Server for Encryption” on
page 685.

The Telnet application protocol does not support encryption. To add
encryption when you remotely manage a switch using the menu interface,
you must first obtain a Secure Shell (SSH) protocol application. SSH
offers the same functionality as Telnet, but with encryption.

SSH encryption requires two key pairs on the switch— a server key pair
and a host key pair. You then configure the Secure Shell protocol server
software on the switch, as explained in Chapter 33, “Secure Shell (SSH)
Protocol” on page 737, by specifying the keys as the host and server SSH
keys.