2. Secure Management
• Secure management is increasingly important in modern networks: the ability to manage switches easily and effectively, and the requirement for security, are two almost universal requirements.
• Traditionally, switches are managed either through remote terminal sessions via the Telnet protocol or via SNMP.
• Both of these methods have serious security problems: they are protected only by reusable passwords sent in clear text.
4. Secure Management - Solutions
• Methods to ensure secure management:
– Access Control and Security - defining access rules on the device.
– AAA security services - using usernames and/or passwords to authenticate the user's identity and access (authorization) level.
– Using encryption methods, checksum and hash algorithms and/or digital signatures.
• Access Control & Security and AAA are explained in other presentations.
5. Security Building Blocks
• Encryption provides
– confidentiality, can provide authentication and integrity
protection
• Checksums/hash algorithms provide
– integrity protection, can provide authentication
• Digital signatures provide
– authentication, integrity protection, and non-repudiation
• Demands for management security and control of the
networking devices touch all areas of the enterprise.
6. Secure Management Options
• The Secure Shell (SSH) protocol provides encrypted and strongly authenticated remote login sessions, similar to the Telnet protocol, between a device running a Secure Shell server and a host (PC) with a Secure Shell client.
• The Secure Socket Layer (SSL) has been universally accepted on the World Wide Web for authenticated and encrypted communication between client and server applications. Therefore, SSL allows secure management of the networking devices via a standard web browser.
8. SSH protocol features
• Secure connection between one client and one
server
• Client, server, user and message authentication
• Uses “keys” (public and private) to authenticate
user and to negotiate session (encrypt/decrypt)
key – which is shared
• Allows “tunneling” of insecure connections
through the secure SSH channel
• Secure Shell replaces Telnet for remote terminal
sessions. Secure Shell is strongly authenticated
and encrypted.
9. How does SSH Tunneling work?
[Figure: two diagrams of a Client and a Router, each showing a Loopback I/F and a Network I/F.]
• Insecure: the Telnet client on the Client connects over the network directly to Telnetd (port 23) on the Router. This telnet connection is transmitted in the clear – data and passwords are insecure!
• Secure: set up SSH port forwarding from the client to the server. The App on the Client connects to port 2023 on its own loopback interface; the SSH client carries that traffic over the network to SSHd (port 22) on the Router, which hands it to Telnetd (port 23) over the Router's loopback interface. The clear-text telnet traffic is never transmitted on the network interfaces.
• The result – a secure connection!
10. What is SSL?
• Secure Sockets Layer (SSL) is a protocol designed to
enable secure communications on an insecure network
such as the Internet
• SSL provides encryption and integrity of communications
along with strong authentication using digital certificates.
11. Introduction to SSL
• The Secure Sockets Layer – SSL, was originally developed by
Netscape Communications and was based on encryption
algorithms developed by RSA Security.
• This is a security protocol that provides communications
privacy over the Internet.
• SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between client and server applications.
• The new Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.
12. SSL/TLS
• SSL and TLS are standards for how to secure TCP/IP
communications
• As of the latest revision, TLS is the official name for what
used to be called SSL. However, SSL is still the word most
frequently used.
• TLS is a layer on top of the TCP layer
13. SSL/TLS
[Figure: two protocol stacks side by side]
• Not secure: HTTP over TCP over IP
• Secure: HTTP over TLS over TCP over IP
15. SSH-1 vs SSH-2
• SSH-2 and SSH-1 are incompatible, but some servers
have a compatibility mode
• SSH-2 is more secure (stronger encryption and
authentication) and allows more detailed configuration
• SSH-1 has a wider license, and transfers files 4 times as
fast
• AT-8000S implements SSH-2 only
16. AT-8000S SSH Implementation
• Inbound Secure Shell connections (server mode).
• RSA keys (proprietary, but commonly used) and DSA keys (US government standard) are both supported.
• The keys are not saved as part of the configuration file, but are saved in the flash.
• When the configuration file is copied, the keys are not copied along with it.
• The public part of the key is up to 2048 bits.
17. SSH Implementation
• Four types of encryption are supported: 3DES, Arcfour
(RC4), AES and Blowfish.
• The type of encryption is agreed upon between the client
and server; it is not configured within the device
• Implements a direct SSH session without telnet tunneling
• Up to 4 concurrent SSH (or telnet) sessions are supported
• Ability to authenticate the client's public key
18. SSH Procedure
• If needed, enable SSH on the device (the default is Disabled).
• If needed, define the (protocol) port (the default is port 22).
• Create either a DSA or RSA key pair. Generating the key may take a short while.
• If desired, authenticate the client's public key. The alternative user authentication is via AAA.
• If the user requests a new key, every new session will get the new key. All running sessions will keep the old key.
• PC side:
– Define keys (if needed)
– Define the authentication method (if needed)
– Connect to the device via the IP address defined on the device.
20. SSH CLI – Server and Port
• Use the following Global Mode command to enable SSH on the device. The “no” form of this command disables this function:
ip ssh server
no ip ssh server
Note: If encryption keys have not been generated, the SSH server will be in standby until the keys are generated.
• Use the following Global Mode command to specify the TCP port to be used by the SSH server. The “no” form of the command returns the setting to the default port (port 22):
ip ssh port port-number
no ip ssh port
21. CLI SSH – Generating Keys
• Use one or both of the following Global Mode commands to generate encryption key pairs (one public, one private):
crypto key generate rsa
crypto key generate dsa
• Generation of keys may take some time.
Note: The keys are not saved in the router configuration (they are never displayed to the user or backed up to another device); however, the generated keys are saved in the flash and persist across reboots.
22. CLI SSH – Example
console# con
console(config)# ip ssh server
console(config)# ip ssh port 22
console(config)# crypto key generate rsa
Replace Existing RSA Key [y/n]? y
01-Jan-2000 01:25:45 %SSHD-I-KEYGENRSA: The SSH
service is generating a private
RSA key.
This may take a few seconds, depending on the key size
console(config)#
23. CLI SSH – Show SSH
• Use the following EXEC Mode command to view SSH
configuration on the device:
show ip ssh
console# sh ip ssh
SSH Server enabled. Port: 22
RSA key was generated.
DSA(DSS) key was generated.
SSH Public Key Authentication is disabled.
Active incoming sessions:
IP address SSH username Version Cipher Auth Code
----------------- -------------- ----------- ----------- --------------
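The `show ip ssh` output above is worth auditing rather than just reading. The following Python is an added example, not an Allied Telesis tool: it parses a constructed copy of that output (the two session rows are invented for the example) and flags password-only authentication and sessions negotiated with the legacy ciphers listed on slide 17, which the switch itself cannot restrict.

```python
import re

# Constructed sample in the "show ip ssh" layout of slide 23; the two session
# rows are invented for this example, not captured from a real AT-8000S.
SAMPLE_SHOW_IP_SSH = """\
SSH Server enabled. Port: 22
RSA key was generated.
DSA(DSS) key was generated.
SSH Public Key Authentication is disabled.
Active incoming sessions:
IP address        SSH username   Version     Cipher      Auth Code
----------------- -------------- ----------- ----------- --------------
192.0.2.10        admin          2.0         aes128-cbc  hmac-sha1
192.0.2.77        backup         2.0         arcfour     hmac-md5
"""

# Of the four cipher families slide 17 lists, these are the legacy ones a
# client policy should avoid (the switch side does not let you restrict them).
LEGACY_CIPHERS = ("arcfour", "blowfish", "3des")

def parse_show_ip_ssh(text):
    """Return (server_state, sessions) parsed from 'show ip ssh' output."""
    m = re.search(r"SSH Server (enabled|disabled)\. Port: (\d+)", text)
    state = {
        "enabled": m.group(1) == "enabled",
        "port": int(m.group(2)),
        "pubkey_auth": "SSH Public Key Authentication is enabled." in text,
    }
    sessions, in_table = [], False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_table = True          # session rows follow the dashed rule
        elif in_table and line.strip():
            ip, user, version, cipher, auth = line.split()
            sessions.append({"ip": ip, "user": user, "version": version,
                             "cipher": cipher.lower(), "auth": auth.lower()})
    return state, sessions

def audit_show_ip_ssh(text):
    """Findings a reviewer would raise about the server state and sessions."""
    state, sessions = parse_show_ip_ssh(text)
    findings = []
    if state["enabled"] and not state["pubkey_auth"]:
        findings.append("public-key authentication disabled: password logins only")
    for s in sessions:
        if s["cipher"].startswith(LEGACY_CIPHERS):
            findings.append(f"{s['ip']} ({s['user']}): legacy cipher {s['cipher']}")
        if not s["version"].startswith("2"):
            findings.append(f"{s['ip']} ({s['user']}): SSH-{s['version']} session")
    return findings
```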
24. CLI SSH – Show Public Keys
• Use the following EXEC Mode command to view this device's public key(s), created by the “crypto key generate” command:
show crypto key mypubkey [rsa|dsa]
console# show crypto key mypubkey rsa
rsa key data:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr/f0fColXgSESRC/4h5zn6t3
CohlzF3w0YCSewm1wYjenCWWyyknfQj9zyeOdgy9j1s5fK9YZncmAGbN+
……
…..
jxOAZHLIQhqka1nfsQ==
Fingerprint(hex): 39:d1:66:41:2b:41:3f:aa:cb:c7:e7:37:a4:89:aa:12
Fingerprint(bubbleBabble): xefam-cybem-bozyr-culiz-kesug-kucud-vivab-
folun-tuhih-nakoh-zyxyx
25. CLI SSH – Key Authentication
• Use the following Global Mode command to enable client public key authentication for incoming SSH sessions. The “no” form of the command disables this authentication:
ip ssh pubkey-auth
no ip ssh pubkey-auth
• Use the following command to enter public key
configuration mode (so you can manually specify other
devices’ public keys):
crypto key pubkey-chain ssh
26. CLI SSH – Key Authentication
• Use the following Public Key-chain Mode command to specify which SSH public key you will configure manually on the device. The “no” form removes the key:
user-key username {rsa | dsa}
no user-key username
• Follow this command with the key-string command to specify the key.
27. CLI SSH – Key Authentication
• Use one of the following Public Key-string Mode commands to specify the SSH public key of another device:
key-string row word
key-string <sequence>
• Row option – the command can be used repeatedly to enter the full key string (see example). Exiting command mode indicates the end of the key.
• <sequence> – the user can enter the key segment by segment, until the <enter> key is pressed twice (see example).
28. CLI SSH – Key Authentication
• Example – entering RSA user-key key-string (row):
console(config)# crypto key pubkey-chain ssh
console(config-pubkey-chain)# user-key David rsa
console(config-pubkey-key)# key-string row AAAAB3NzaC1yc2EAAAAD
<enter>
console(config-pubkey-key)# key-string row
AQABAAAAgQCJB1P0qq0nk/<enter>
…..
console(config-pubkey-key)# exit
console(config-pubkey-chain)#
Note – the device will report if the process was not successful.
29. CLI SSH – Key Authentication
• Example – entering RSA user-key key-string (regular
sequence):
console(config)# crypto key pubkey-chain ssh
console(config-pubkey-chain)# user-key george rsa
console(config-pubkey-key)# key-string
AAAAB3NzaC1yc2EAAAAD <enter>
AQABAAAAgQCJB1P0qq0nk/<enter>
….
<enter> <enter>
Fingerprint: 52:92:fc:94:da:1e:ba:2d:4c:00:87:b0:cb:86:12:36
console(config-pubkey-key)#
Note – the device will report if the process was not successful.
30. CLI – Show Key Authentication
• Use the following EXEC Mode command to view the SSH public keys (of clients) stored on the device:
show crypto key pubkey-chain ssh [username username] [fingerprint bubble-babble | hex]
Parameters:
username – the name of the remote SSH client
fingerprint – bubble-babble or hex; specifies the “signature shortcut” (fingerprint) method of the key
console# show crypto key pubkey-chain ssh
Username Fingerprint
-------------- ---------------------------------------------------------------
George 4e:de:4d:1c:33:43:57:14:6b:aa:29:0d:d0:41:3f:a7
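The hex and bubble-babble fingerprints shown by `show crypto key mypubkey` (slide 24) and `show crypto key pubkey-chain ssh` (slide 30) are what an administrator compares, out of band, with the value the SSH client displays on first connection to the switch, and with the fingerprint of a user key before trusting it. The Python below is an added example, not the switch's code; it assumes the AT-8000S follows the OpenSSH convention (hex fingerprint = MD5 of the raw key blob, bubble-babble = Bubble Babble encoding of SHA-1 of the blob) and uses a constructed toy key rather than a real one.

```python
import base64, hashlib, struct

def ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n):
    """SSH wire 'mpint' for n >= 0: big-endian, extra 0x00 if the top bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def parse_ssh_rsa(b64_blob):
    """Decode the base64 part of an 'ssh-rsa AAAA...' line into (e, n)."""
    blob, fields, pos = base64.b64decode(b64_blob), [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def hex_fingerprint(blob):
    """MD5 of the raw blob as colon-separated hex, the 'Fingerprint(hex)' form."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def bubble_babble(data):
    """Bubble Babble encoding (A. Huima's scheme, as used by OpenSSH)."""
    vowels, cons = "aeiouy", "bcdfghklmnprstvzx"
    seed, rounds, out = 1, len(data) // 2 + 1, "x"
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2:
            b1 = data[2 * i]
            out += vowels[(((b1 >> 6) & 3) + seed) % 6] + cons[(b1 >> 2) & 15]
            out += vowels[((b1 & 3) + seed // 6) % 6]
            if i + 1 < rounds:
                b2 = data[2 * i + 1]
                out += cons[(b2 >> 4) & 15] + "-" + cons[b2 & 15]
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:                       # final round: encode only the seed
            out += vowels[seed % 6] + cons[16] + vowels[seed // 6]
    return out + "x"

def bubble_fingerprint(blob):
    """'Fingerprint(bubbleBabble)' form: Bubble Babble of SHA-1 of the blob."""
    return bubble_babble(hashlib.sha1(blob).digest())

# Constructed toy key (e = 65537, a tiny n): not a real key, it only exercises
# the wire format; a real AT-8000S key is up to 2048 bits.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE1234567891)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
```

To check a real key, paste the base64 column of the switch's `show crypto key mypubkey rsa` output into `parse_ssh_rsa` (it must decode cleanly) and compare `hex_fingerprint` / `bubble_fingerprint` of the decoded blob with the fingerprints the switch printed.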
32. SSL Spec
• SSL is used to provide communication privacy over the Internet.
• It is used to support security in the AT-8000S Embedded Web Server (EWS).
• SSL provides encryption and integrity of communications along with strong authentication using digital certificates.
• Initially, the client and the device exchange messages to synchronize on the security policy and public keys/certificates, and authenticate each other. After that, they agree on a session key, which is used to encrypt/decrypt the data.
33. SSL Spec
• RSA-generated public and private keys
• Supported SSL versions are TLS1 and SSL V3
• The certificate is currently not registered with a 3rd-party certificate authority.
• The same libraries used for SSH encryption are used for SSL encryption
• Up to 12 SSL sessions are available (but only 4 web sessions)
• HTTP and HTTPS can be used concurrently
34. SSL Process
• At the onset of the secure session, there is an “SSL handshake” between the user and the EWS. The handshake involves:
– Negotiation of the cipher suite
– Establishment of a shared session key
– Authentication of the server (certificate – if a 3rd-party one exists)
– Authentication of the client (optional, via AAA)
– Authentication of data
35. SSL User Controls
• The user can:
– Enable the HTTPS server on the device (default is disabled)
– Define the HTTPS port (default is 443)
– Generate a certificate to use
– Create public and private keys
37. CLI – Enabling HTTPS Server
• Use the following Global Configuration command to enable the device to be configured from a secured browser. Use the “no” form of this command to disable this function (default is disabled):
ip https server
no ip https server
• Use the following Global Configuration command to define the TCP port to be used by a secure web browser to configure the device. Use the “no” form of the command to return to the default port (443):
ip https port port-number
no ip https port
38. CLI – Creating SSL Certificate and Keys
• Use the following Global Configuration command to generate an HTTPS certificate for your device. This command can also (optionally) generate a pair of keys (public and private):
crypto certificate [number] generate [key-generate [length]] [passphrase string] [cn common-name] [ou organization-unit] [o organization] [l location] [st state] [c country] [duration days]
number—Specifies the certificate number. (Range: 1 - 2) If number is unspecified, it defaults to 1.
key-generate—Regenerate the SSL RSA key.
length—Specifies the SSL RSA key length. (Range: 512 - 2048) If length is unspecified, it defaults to 1024.
passphrase string—Passphrase that is used for exporting the certificate in PKCS12 file format. If unspecified, the certificate is not exportable.
39. SSL Certificate and Keys (Cont.)
cn common-name—Specifies the fully qualified URL or IP address of the device. If unspecified, defaults to the lowest IP address of the device (when the certificate is generated).
ou organization-unit—Specifies the organization-unit or department name.
o organization—Specifies the organization name.
l location—Specifies the location or city name.
st state—Specifies the state or province name.
c country—Specifies the country name.
duration days—Specifies the number of days a certificate would be valid. If unspecified, defaults to 365 days.
40. SSL Certificate and Keys (Cont.)
Console(config)# crypto certificate 1 generate key-generate
The command is not saved in the router configuration; however,
the certificate and keys generated by this command are saved in
the private configuration, which is never displayed to the user or
backed up to another device.
41. CLI - Certificate Request
• Use the following Privileged EXEC mode command to export a certificate request to a Certification Authority:
crypto certificate number request common-name [ou organization-unit] [o organization] [l location] [st state] [c country]
number—Specifies the certificate number. (Range: 1 - 2)
common-name—Specifies the fully qualified URL or IP address of the device.
ou organization-unit—Specifies the organization-unit or department name.
o organization—Specifies the organization name.
l location—Specifies the location or city name.
st state—Specifies the state or province name.
c country—Specifies the country name.
42. Certificate Request (Cont.)
• The certificate request is generated in Base64-encoded
X.509 format.
• Before issuing a certificate request you must first generate
a self-signed certificate using the “crypto certificate
generate” global configuration command.
• After receiving the certificate from the Certification
Authority, use the “crypto certificate import” global
configuration command to import the certificate into the
device. This certificate would replace the self-signed
certificate.
44. CLI - Importing a Certificate
• Use the following Global Configuration command to import an external certificate (signed by a Certification Authority) into the device:
crypto certificate number import
number—Specifies the certificate number. (Range: 1 - 2)
• The imported certificate must be based on a certificate
request created by the “crypto certificate request”
privileged EXEC command.
• If the public key found in the certificate does not match the
device's SSL RSA key, the command will fail.
45. Importing a Certificate (Cont.)
• This command is not saved in the router configuration; however, the certificate imported by this command is saved in the private configuration (which is never displayed to the user or backed up to another device).
Console(config)# crypto certificate 1 import
46. Activate Certificate for HTTPS
• Use the following Global Configuration command to specify the
HTTPS certificate to use on the device:
ip https certificate number
number—Specifies the certificate number. (Range: 1 - 2)
• To remove a certificate:
no ip https certificate
Console (config)# ip https certificate 1
• Before using this command, use the crypto certificate generate
command in order to generate an HTTPS certificate.
47. CLI – HTTPS Show Commands
• Use the following Privileged EXEC command to view
HTTPS server configuration:
show ip https
• Use the following Privileged EXEC command to view the
SSL certificate of your device:
show crypto certificate mycertificate [number]