
PowerConnect Application Note #14 January 2004

Switch Management Access Security


This Application Note relates to the following Dell PowerConnect™ product(s):
• PowerConnect 33xx

Abstract
A key part of network security is ensuring that only authorized personnel have access to network
elements such as switches. Without such security, unauthorized users can intercept or redirect traffic or
even shut down parts of the network. This document discusses the management access methods
available for Dell PowerConnect switches and explains how to implement those methods.

Applicable Network Scenarios


Controlling access to device management is a mandatory requirement for virtually any network. Without
authentication, encryption, and access controls, unauthorized users can gain access to switches and
intercept or redirect network traffic, reset the switch, and otherwise disrupt network operations.

Consider an example in which a stack of PowerConnect 3348 switches provides Internet access for
public machines at a trade show. In this scenario, users of public machines at kiosks connect to the
Internet via the PowerConnect switch stack and a router.

Without safeguards to control management access, virtually any user could reconfigure or shut down the
switch from either side of the stack. Clearly, access controls are needed to ensure the integrity of the
switch’s configuration.

www.dell.com/networking 1

Technology Background
In its simplest form, network management consists of a single network manager connecting to a single
device via its serial interface. Obviously, as networks scale up in size and complexity, this solution does
not scale with them. Various in-band management techniques are necessary.

Dell PowerConnect switches support multiple management access methods, including the following:

Telnet
Defined in Internet Engineering Task Force Request for Comment 854 (IETF RFC 854), Telnet is a simple
method of providing command-line communications with a device over an IP network. Telnet provides
essentially the same interface as a serial console, including the ability to log in. However, Telnet provides
no confidentiality or integrity protection. Telnet does not encrypt traffic; it sends all communications,
including usernames and passwords, in clear text, so anyone able to capture traffic on the path (for
example on a shared segment or a mirrored port) can read the session and recover the login. For this
reason Telnet is not a secure method for device management. Telnet packets use TCP destination port 23.

SSH
Secure shell (SSH) looks similar to Telnet, but adds authentication of the switch to the client (by host
key), authentication of the user (by password or public key), and strong encryption and integrity
protection of the traffic. There are two versions of the SSH protocol. Version 1 has known protocol
weaknesses (notably its CRC-32 integrity check) and should be disabled; as of this writing version 2 is
generally considered to be safe. SSH is a popular method for secure access to command-line interfaces
over an IP network. SSH uses TCP destination port 22.

SSH was originally developed in Finland by Tatu Ylönen, founder of SSH Communications Security. At the
time of writing the IETF is still developing the SSH standard (its secsh working group; the specifications
were eventually published in 2006 as RFC 4250 through RFC 4254).

HTTP
The same method used to browse the Internet also provides a convenient way to browse the
configuration of a device. Managing a device using the hypertext transfer protocol (HTTP) requires the
device to support the HTTP service, as defined in RFC 2616 (HTTP/1.1). A Web user interface can provide
a more user-friendly means of device management. However, HTTP management is not secure. As with
Telnet, all communications are in clear text, including usernames and passwords. HTTP runs over an IP
network using TCP destination port 80.

HTTPS
Just as SSH provides a secure version of Telnet, so too does secure HTTP (HTTPS) provide
authentication and encryption for HTTP. HTTPS uses the same mechanisms as e-commerce sites to
secure the transfer of personal information such as credit card numbers. HTTPS runs HTTP over either
Secure Sockets Layer (SSL) or Transport Layer Security (TLS), which authenticates the switch to the
browser by certificate (and can optionally authenticate the client) and encrypts and integrity-protects the
session; the user's login credentials then travel inside that protected channel. A switch typically presents
a self-signed certificate, so the browser will warn on first connection and the administrator should verify
the certificate fingerprint out of band, exactly as with an SSH host key. HTTPS runs over an IP network
using TCP destination port 443.

Access Profiles
Dell PowerConnect switches allow the user to define access profiles for the different methods of
management. This allows the device to respond differently based on criteria such as the physical
interface through which the user connects; the user’s IP address; the user’s source network address; or
the management access method (telnet, SSH, and so on). For example, a network manager could create
an access profile that allows management access only from the IP address of a management station
running SSH.

Authentication
When users attempt to connect to a PowerConnect switch, they must prove who they say they are – they
must be authenticated. The simplest and most common method of authentication on small networks is
using local authentication. In this case, a database of users and passwords resides locally on the
PowerConnect switch.

As networks grow, keeping local databases synchronized becomes a challenge. A better option for larger
networks is to use an external authentication server, such as a Remote Authentication Dial-In User
Service (RADIUS) server. RADIUS authentication has the advantage of allowing all network devices to
consult a single reference for authentication. This also means that when user accounts or passwords
change, they need to be updated in only one place. RADIUS itself hides only the password attribute
(using an MD5 keystream derived from the shared secret between switch and server), so the switch-to-
server traffic should stay on a trusted management network, and the shared secret should be long and
unique per device.
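As an added example (not taken from this application note and not Dell code), the following Python model shows what the switch sends to a RADIUS server when an administrator logs in: it builds an Access-Request as specified in RFC 2865, hides the User-Password with the shared-secret MD5 keystream, and parses the packet the way the server would. The shared secret, the fixed Request Authenticator, the NAS address and the username/password are constructed for illustration; the code does not contact a real server.

```python
import hashlib
import ipaddress
import os
import struct

# RADIUS packet code and attribute types from RFC 2865.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_ADMINISTRATIVE = 6   # a CLI login with full privileges


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 octets,
    then XOR each block with MD5(secret + previous block), seeding the chain with
    the 16-octet Request Authenticator. This is obfuscation keyed by the shared
    secret, not authenticated encryption, hence the advice to keep RADIUS traffic
    on a trusted management network."""
    if len(password) > 128:
        raise ValueError("User-Password may not exceed 128 octets")
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(blocks * 16, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recompute the same keystream from the secret and the received
    ciphertext blocks, then strip the NUL padding."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, username, password, nas_ip, authenticator=None):
    """What the switch (the NAS) sends. A fresh random authenticator is used unless
    one is supplied for reproducible tests."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (
        attribute(ATTR_USER_NAME, username.encode())
        + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + attribute(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
        + attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """What the server does: validate the header, walk the TLVs, recover the password."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed Access-Request")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {
        "identifier": identifier,
        "length": length,
        "username": attrs[ATTR_USER_NAME].decode(),
        "password": reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode(),
        "nas_ip": str(ipaddress.IPv4Address(attrs[ATTR_NAS_IP_ADDRESS])),
        "service_type": struct.unpack("!I", attrs[ATTR_SERVICE_TYPE])[0],
    }


if __name__ == "__main__":
    # Constructed values: a hypothetical shared secret and switch address.
    pkt = build_access_request(7, b"example-shared-secret", "admin", "3C2cpk2H", "10.1.0.1")
    print(parse_access_request(pkt, b"example-shared-secret"))
```

The server can only recover the password if it holds the same shared secret, which is why the secret, not the password hiding, carries the real trust between switch and server.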

Proposed Solution
Overview
Basic network security requires tight controls on access to device management. In this example, we will
control management access to a Dell PowerConnect 3348 with the following steps:

1. Create a management username and password.
2. Create a management access list.
3. Permit SSH connections from IP address 10.1.0.78.
4. Deny all other connection types.
5. Apply the management access list.
6. Verify correct operation of access list.

Note: These safeguards will help prevent unauthorized remote access to the PowerConnect switch. Local
access via serial console is still possible. Securing physical access to the switch, for example by placing
the device in a locked wiring closet, is also essential.

Step-By-Step Instructions

1. Create a management username and password.

Dell-3348> en
Dell-3348# configure
Dell-3348 (config)# username admin password 3C2cpk2H level 15

2. Create a management access list.

Dell-3348 (config)# management access-list SSH_only

3. Permit SSH connections from IP address 10.1.0.78

Dell-3348 (config-macl)# permit ip-source 10.1.0.78 service ssh

4. Deny all other connection types.

Dell-3348 (config-macl)# deny service http
Dell-3348 (config-macl)# deny service https
Dell-3348 (config-macl)# deny service snmp
Dell-3348 (config-macl)# deny service telnet
Dell-3348 (config-macl)# exit

5. Apply the management access list.

Dell-3348 (config)# management access-class SSH_only
Dell-3348 (config)# exit

6. Verify correct operation of access list.

Attempts to log in to the switch using Telnet, SNMP, HTTP, and HTTPS should all fail. Attempts to use
SSH from an IP address other than 10.1.0.78 also should fail: the list contains no permit entry for them,
and a session that matches no entry is denied. Test from the permitted station and from at least one
other address. Two practical cautions: apply the list from the serial console, or from an SSH session
originating at 10.1.0.78, because applying it from any other session will cut that session off; and the list
only filters access to the SSH service, so the SSH server itself must already be enabled on the switch
(with its host key generated) before the list is applied, or no remote management access will remain.
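The following Python model is an added example, not part of this application note and not the switch's own code. It models the access profile described under Access Profiles and the specific list built in Steps 2 through 5: rules are evaluated in order, the first match wins, and a session matching no rule is denied, which is why SSH from a second address fails in Step 6. It also includes a lock-out check to run before applying a list, and a port-probe helper for Step 6 that compares what the switch actually accepts with the policy. The rule syntax is simplified (CIDR masks instead of the switch's own mask syntax), and the service-to-port table, the switch address 10.1.0.1 and the second station 10.1.0.79 are assumptions.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional

# Assumed mapping of the switch's management services to their well-known ports.
# SNMP is UDP and cannot be verified by a TCP handshake, so verify() skips it.
SERVICES = {"telnet": 23, "ssh": 22, "http": 80, "https": 443, "snmp": 161}


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    service: Optional[str] = None    # None matches any management service
    ip_source: Optional[str] = None  # host address or CIDR; None matches any source

    def matches(self, src_ip: str, service: str) -> bool:
        if self.service is not None and self.service != service:
            return False
        if self.ip_source is not None:
            net = ipaddress.ip_network(self.ip_source, strict=False)
            if ipaddress.ip_address(src_ip) not in net:
                return False
        return True


def evaluate(rules, src_ip: str, service: str) -> str:
    """First matching rule wins; anything unmatched is denied (implicit deny)."""
    for rule in rules:
        if rule.matches(src_ip, service):
            return rule.action
    return "deny"


# The SSH_only list from Steps 2 through 4, in the order it was entered.
SSH_ONLY = [
    Rule("permit", "ssh", "10.1.0.78"),
    Rule("deny", "http"),
    Rule("deny", "https"),
    Rule("deny", "snmp"),
    Rule("deny", "telnet"),
]


def locks_out(rules, session_ip: str, session_service: str) -> bool:
    """True if applying `rules` would cut off the session you are typing in.
    Run this before `management access-class`, unless you are on the console."""
    return evaluate(rules, session_ip, session_service) != "permit"


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Live probe from the management station: True if a TCP handshake completes.
    A refused or timed-out connection is treated as 'denied'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify(host: str, rules, my_ip: str, connect=tcp_connect):
    """Step 6 check: compare observed reachability of each TCP management service
    with what the policy predicts for this station. Returns a list of
    (service, expected_open, observed_open) mismatches; empty means the list
    behaves as intended from this vantage point."""
    mismatches = []
    for service, port in SERVICES.items():
        if service == "snmp":
            continue
        expected = evaluate(rules, my_ip, service) == "permit"
        observed = connect(host, port)
        if expected != observed:
            mismatches.append((service, expected, observed))
    return mismatches


if __name__ == "__main__":
    # Assumed addresses: the switch at 10.1.0.1, probed from the permitted station.
    print("lock-out risk:", locks_out(SSH_ONLY, "10.1.0.78", "ssh"))
    print("mismatches:", verify("10.1.0.1", SSH_ONLY, "10.1.0.78"))
```

A completed handshake only shows that the port answered; if the switch enforces the list after the TCP connection is established, the definitive test is still a full login attempt from each address. Run verify() from a second, non-permitted station as well, where the expected result is that every service, including SSH, is closed.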

Conclusion
We have now created a management access list on the PowerConnect 3348 switch that is designed to
permit only SSH traffic from a single station using a single login and password. Any other attempt at
remote switch management should fail.

Information in this document is subject to change without notice.


© 2003 Dell Inc. All rights reserved.
This Application Note is for informational purposes only, and may contain typographical errors and technical inaccuracies. The
content is provided as is, without express or implied warranties of any kind.

Dell, the DELL logo, and PowerConnect are trademarks of Dell Inc. Other trademarks and trade names may be used in this
document to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in
trademarks and trade names other than its own.
