AT8000S: configuring with SSH-SSL

1,287 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,287
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
20
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

At8000 s configurando com ssh-ssl

1. SSH & SSL (AT - 8000S)

2. Secure Management
   • Secure management is increasingly important in modern networks, as the ability to easily and effectively manage switches and the requirement for security are two almost universal requirements.
   • Traditionally, switches are managed using either remote terminal sessions via the Telnet protocol or management via SNMP.
   • Both of these methods have serious security problems: they are only protected by clear-text, reusable passwords.

3. [Diagram: an NMS managing a device over Telnet across an unsecured zone, through a firewall]

4. Secure Management - Solutions
   • Methods to ensure secure management:
     – Access Control and Security: defining access rules on the device.
     – AAA security services: using usernames and/or passwords to authenticate a user's identity and access (authorization) level.
     – Using encryption methods, checksum and hash algorithms and/or digital signatures.
   • Access Control & Security and AAA are explained in other presentations.

5. Security Building Blocks
   • Encryption provides
     – confidentiality; it can also provide authentication and integrity protection
   • Checksums/hash algorithms provide
     – integrity protection; they can also provide authentication
   • Digital signatures provide
     – authentication, integrity protection, and non-repudiation
   • Demands for management security and control of the networking devices touch all areas of the enterprise.

6. Secure Management Options
   • The Secure Shell (SSH) protocol provides encrypted and strongly authenticated remote login sessions, similar to the Telnet protocol, between a device running a Secure Shell server and a host (PC) with a Secure Shell client.
   • The Secure Sockets Layer (SSL) has been universally accepted on the World Wide Web for authenticated and encrypted communication between client and server applications. Therefore, SSL allows secure management of the networking devices via a standard web browser.

7. [Diagram: an NMS with a Telnet client and an SSH station managing a device across an unsecured zone, through a firewall]

8. SSH protocol features
   • Secure connection between one client and one server
   • Client, server, user and message authentication
   • Uses "keys" (public and private) to authenticate the user and to negotiate the shared session (encrypt/decrypt) key
   • Allows "tunneling" of insecure connections through the secure SSH channel
   • Secure Shell replaces Telnet for remote terminal sessions. Secure Shell is strongly authenticated and encrypted.

9. How does SSH Tunneling work?
   [Diagram in three stages; labels: Client, Router, Loopback I/F, Network I/F, App, Telnet, Telnetd, SSH, SSHd, ports 22, 23 and 2023]
   • Insecure: the application's Telnet client talks to telnetd (port 23) on the router directly over the network interface. This telnet connection is transmitted in the clear: data and passwords are insecure!
   • Set up SSH port forwarding from the client to the server: the application connects to port 2023 on the client's loopback interface; the SSH client carries that traffic inside the SSH session (port 22) to SSHd on the router, which hands it to telnetd on port 23.
   • The result: a secure connection! The Telnet traffic is never transmitted in the clear on the network.

10. What is SSL?
   • Secure Sockets Layer (SSL) is a protocol designed to enable secure communications on an insecure network such as the Internet.
   • SSL provides encryption and integrity of communications along with strong authentication using digital certificates.

11. Introduction to SSL
   • The Secure Sockets Layer (SSL) was originally developed by Netscape Communications and was based on encryption algorithms developed by RSA Security.
   • It is a security protocol that provides communications privacy over the Internet.
   • SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between client and server applications.
   • The newer Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.

12. SSL/TLS
   • SSL and TLS are standards for how to secure TCP/IP communications.
   • As of the latest revision, TLS is the official name for what used to be called SSL. However, SSL is still the word most frequently used.
   • TLS is a layer on top of the TCP layer.

13. SSL/TLS
   [Diagram: protocol stacks side by side]
   Not secure:  HTTP / TCP / IP
   Secure:      HTTP / TLS / TCP / IP

14. SSH System Spec (AT - 8000S)

15. SSH-1 vs SSH-2
   • SSH-2 and SSH-1 are incompatible, but some servers have a compatibility mode.
   • SSH-2 is more secure (stronger encryption and authentication) and allows more detailed configuration.
   • SSH-1 has a wider license, and transfers files 4 times as fast.
   • AT - 8000S implements SSH-2 only.

16. AT - 8000S SSH Implementation
   • Inbound Secure Shell connections (server mode).
   • RSA keys (proprietary, but commonly used) and DSA keys (US government standard) are both supported.
   • The keys are not saved as part of the configuration file, but are saved in the flash.
   • When the configuration file is copied, the keys are not copied along with it.
   • The public part of the key is up to 2048 bits.

17. SSH Implementation
   • Four types of encryption are supported: 3DES, Arcfour (RC4), AES and Blowfish.
   • The type of encryption is agreed upon between the client and server; it is not configured within the device.
   • Implements a direct SSH session without telnet tunneling.
   • Up to 4 concurrent SSH (or telnet) sessions are supported.
   • Ability to authenticate the client's public key.

18. SSH Procedure
   • If needed, enable SSH on the device (the default is Disabled).
   • If needed, define the (protocol) port (the default is port 22).
   • Create either a DSA or RSA pair of keys. Generating the key may take a short while.
   • If desired, authenticate the client's public key. Alternate user authentication is via AAA.
   • If the user requests a new key, every new session will get the new key. All running sessions will keep the old key.
   • PC side:
     – Define keys (if needed)
     – Define the authentication method (if needed)
     – Connect to the device via the IP address defined on the device.

19. SSH CLI Configuration (AT - 8000S)

20. SSH CLI – Server and Port
   • Use the following Global Mode command to enable SSH on the device. The "no" form of this command disables this function.
     ip ssh server
     no ip ssh server
     Note: If encryption keys were not generated, the SSH server will be in standby until the keys are generated.
   • Use the following Global Mode command to specify the TCP port to be used by the SSH server. The "no" form of the command returns the setting to the default port (port 22):
     ip ssh port port-number
     no ip ssh port

21. CLI SSH – Generating Keys
   • Use one or both of the following Global Mode commands to generate encryption key pairs (one public, one private):
     crypto key generate rsa
     crypto key generate dsa
   • Generation of keys may take some time.
   Note: The keys are not saved in the router configuration (they are never displayed to the user or backed up to another device); however, the generated keys are saved in the flash and persist across reboots.

22. CLI SSH – Example
   console# con
   console(config)# ip ssh server
   console(config)# ip ssh port 22
   console(config)# crypto key generate rsa
   Replace Existing RSA Key [y/n]? y
   01-Jan-2000 01:25:45 %SSHD-I-KEYGENRSA: The SSH service is generating a private RSA key.
   This may take a few seconds, depending on the key size
   console(config)#

23. CLI SSH – Show SSH
   • Use the following EXEC Mode command to view the SSH configuration on the device:
     show ip ssh
   console# sh ip ssh
   SSH Server enabled. Port: 22
   RSA key was generated.
   DSA(DSS) key was generated.
   SSH Public Key Authentication is disabled.
   Active incoming sessions:
   IP address        SSH username   Version     Cipher      Auth Code
   ----------------- -------------- ----------- ----------- --------------

24. CLI SSH – Show Public Keys
   • Use the following EXEC Mode command to view this device's public key(s), created by the "crypto key generate" command:
     show crypto key mypubkey [rsa|dsa]
   console# show crypto key mypubkey rsa
   rsa key data:
   ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr/f0fColXgSESRC/4h5zn6t3
   CohlzF3w0YCSewm1wYjenCWWyyknfQj9zyeOdgy9j1s5fK9YZncmAGbN+
   …… …..
   jxOAZHLIQhqka1nfsQ==
   Fingerprint(hex): 39:d1:66:41:2b:41:3f:aa:cb:c7:e7:37:a4:89:aa:12
   Fingerprint(bubbleBabble): xefam-cybem-bozyr-culiz-kesug-kucud-vivab-folun-tuhih-nakoh-zyxyx

25. CLI SSH – Key Authentication
   • Use the following Global Mode command to enable client public key authentication for incoming SSH sessions. The "no" form of the command disables it:
     ip ssh pubkey-auth
     no ip ssh pubkey-auth
   • Use the following command to enter public key configuration mode (so you can manually specify other devices' public keys):
     crypto key pubkey-chain ssh

26. CLI SSH – Key Authentication
   • Use the following Public Key-chain Mode command to specify which SSH public key you will configure manually on the device. The "no" form removes the key:
     user-key username {rsa | dsa}
     no user-key username
   • Follow this command with the key-string command to specify the key.

27. CLI SSH – Key Authentication
   • Use one of the following Public Key-string Mode commands to specify the SSH public key of another device:
     key-string row word
     key-string <sequence>
   • Row option: the command can be used repeatedly to enter the full key string (see example). Exiting command mode indicates the end of the key.
   • <sequence>: the user can enter the key segment by segment, until the <enter> key is pressed twice (see example).

28. CLI SSH – Key Authentication
   • Example: entering an RSA user-key key-string (row):
   console(config)# crypto key pubkey-chain ssh
   console(config-pubkey-chain)# user-key David rsa
   console(config-pubkey-key)# key-string row AAAAB3NzaC1yc2EAAAAD <enter>
   console(config-pubkey-key)# key-string row AQABAAAAgQCJB1P0qq0nk/<enter>
   …..
   console(config-pubkey-key)# exit
   console(config-pubkey-chain)#
   Note: the device will report if the process was not successful.

29. CLI SSH – Key Authentication
   • Example: entering an RSA user-key key-string (regular sequence):
   console(config)# crypto key pubkey-chain ssh
   console(config-pubkey-chain)# user-key george rsa
   console(config-pubkey-key)# key-string
   AAAAB3NzaC1yc2EAAAAD <enter>
   AQABAAAAgQCJB1P0qq0nk/<enter>
   …. <enter>
   <enter>
   Fingerprint: 52:92:fc:94:da:1e:ba:2d:4c:00:87:b0:cb:86:12:36
   console(config-pubkey-key)#
   Note: the device will report if the process was not successful.

30. CLI – Show Key Authentication
   • Use the following EXEC Mode command to view the SSH public keys (of clients) stored on the device:
     show crypto key pubkey-chain ssh [username username] [fingerprint bubble-babble | hex]
   Parameters:
     username: name of the remote SSH client
     fingerprint: bubble-babble or hex, specifies the "signature shortcut" method of the key
   console# show crypto key pubkey-chain ssh
   Username        Fingerprint
   --------------  ---------------------------------------------------------------
   George          4e:de:4d:1c:33:43:57:14:6b:aa:29:0d:d0:41:3f:a7
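Slides 24 and 30 print two fingerprint forms for a public key, a colon-separated hex string and a Bubble Babble string, which an operator compares against the client's own `ssh-keygen -l` / `ssh-keygen -B` output before trusting a key. The following is an added example (not part of the deck and not Allied Telesis code) that recomputes both from an OpenSSH one-line public key in Python; it assumes the OpenSSH conventions (hex = MD5 over the RFC 4253 key blob, Bubble Babble = SHA-1 over the blob), which match the 16-byte and 20-byte output lengths shown on the slides, and the sample key is constructed rather than a real device key.

```python
import base64
import hashlib
import struct

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def bubble_babble(data: bytes) -> str:
    """Bubble Babble encoding (Huima's draft): 'x' + 5-char groups + 'x',
    with a running checksum ('seed') folded into the vowel choices."""
    seed = 1
    out = ["x"]
    rounds = len(data) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2 != 0:
            b1 = data[2 * i]
            out += [VOWELS[(((b1 >> 6) & 3) + seed) % 6],
                    CONSONANTS[(b1 >> 2) & 15],
                    VOWELS[((b1 & 3) + seed // 6) % 6]]
            if i + 1 < rounds:
                b2 = data[2 * i + 1]
                out += [CONSONANTS[(b2 >> 4) & 15], "-", CONSONANTS[b2 & 15]]
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:  # even-length input: the last group carries only the checksum
            out += [VOWELS[seed % 6], CONSONANTS[16], VOWELS[seed // 6]]
    out.append("x")
    return "".join(out)


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a positive integer: minimal two's-complement,
    so a leading 0x00 is kept when the top bit would otherwise be set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def parse_blob(blob: bytes) -> list:
    """Split an RFC 4253 public-key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    return fields


def fingerprints(pubkey_line: str) -> tuple:
    """For an OpenSSH line 'ssh-rsa AAAAB3Nza... comment' return
    (key type, modulus bits, hex fingerprint, Bubble Babble fingerprint).
    Hex = MD5 over the blob (16 bytes -> 47 chars); Babble = SHA-1 over the blob."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    fields = parse_blob(blob)  # ssh-rsa blob = [type, e, n]
    if key_type != "ssh-rsa" or fields[0] != key_type.encode():
        raise ValueError("only ssh-rsa blobs of the form [type, e, n] are handled")
    n_bits = int.from_bytes(fields[2], "big").bit_length()
    hex_fp = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    babble_fp = bubble_babble(hashlib.sha1(blob).digest())
    return key_type, n_bits, hex_fp, babble_fp


# Constructed sample (NOT a real key): e = 65537 and a made-up odd 1024-bit modulus.
SAMPLE_N = (1 << 1023) | 0x10001
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(
    ssh_string(b"ssh-rsa") + mpint(65537) + mpint(SAMPLE_N)).decode() + " example@host"
```

Calling `fingerprints(SAMPLE_LINE)` returns the key type, a 1024-bit modulus size, a 47-character hex fingerprint and a 65-character Bubble Babble string, the same shapes as the `show crypto key` outputs above.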
31. SSL Implementation (AT - 8000S)

32. SSL Spec
   • SSL is used to provide communication privacy over the Internet.
   • It is used to support security in the AT - 8000S Embedded Web Server (EWS).
   • SSL provides encryption and integrity of communications along with strong authentication using digital certificates.
   • Initially, the client and the device exchange messages to synchronize on the security policy and public keys/certificates, and authenticate each other. After that, they agree on a session key, which is used to encrypt/decrypt the data.

33. SSL Spec
   • RSA-generated public and private keys
   • Supported SSL versions are: TLS1, V3
   • The certificate is currently not registered with a 3rd-party certificate authority.
   • The same libraries used for SSH encryption are used for SSL encryption.
   • Up to 12 SSL sessions are available (but only 4 WEB).
   • HTTP and HTTPS can be used concurrently.

34. SSL Process
   • At the onset of the secure session, there is an "SSL handshake" between the user and the EWS. The handshake involves:
     – Negotiation of the cipher suite
     – Establishment of a shared session
     – Authentication of the server (certificate, if a 3rd party exists)
     – Authentication of the client (optional, via AAA)
     – Authentication of data

35. SSL User Controls
   • The user can:
     – Enable the HTTPS server on the device (default is disabled)
     – Define the HTTPS port (default is 443)
     – Generate the certificate to use
     – Create the public and private key

36. SSL CLI Configuration (AT - 8000S)

37. CLI – Enabling HTTPS Server
   • Use the following Global Configuration command to enable the device to be configured from a secured browser. Use the "no" form of this command to disable this function (default is disabled):
     ip https server
     no ip https server
   • Use the following Global Configuration command to define the TCP port used by a secure web browser to configure the device. Use the "no" form of this command to return to the default port (443):
     ip https port port-number
     no ip https port

38. CLI – Creating SSL Certificate and Keys
   • Use the following Global Configuration command to generate an HTTPS certificate for your device. This command can also (optionally) generate a pair of keys (public & private):
     crypto certificate [number] generate [key-generate [length]] [passphrase string] [cn common-name] [ou organization-unit] [o organization] [l location] [st state] [c country] [duration days]
     number: Specifies the certificate number. (Range: 1 - 2) If number is unspecified, it defaults to 1.
     key-generate: Regenerate the SSL RSA key.
     length: Specifies the SSL RSA key length. (Range: 512 - 2048) If length is unspecified, it defaults to 1024.
     passphrase string: Passphrase used for exporting the certificate in PKCS12 file format. If unspecified, the certificate is not exportable.

39. SSL Certificate and Keys (Cont.)
     cn common-name: Specifies the fully qualified URL or IP address of the device. If unspecified, defaults to the lowest IP address of the device (when the certificate is generated).
     ou organization-unit: Specifies the organization-unit or department name.
     o organization: Specifies the organization name.
     l location: Specifies the location or city name.
     st state: Specifies the state or province name.
     c country: Specifies the country name.
     duration days: Specifies the number of days the certificate is valid. If unspecified, defaults to 365 days.

40. SSL Certificate and Keys (Cont.)
   Console(config)# crypto certificate 1 generate key-generate
   The command is not saved in the router configuration; however, the certificate and keys generated by this command are saved in the private configuration, which is never displayed to the user or backed up to another device.

41. CLI - Certificate Request
   • Use the following privileged EXEC mode command to export a certificate request to a Certification Authority:
     crypto certificate number request common-name [ou organization-unit] [o organization] [l location] [st state] [c country]
     number: Specifies the certificate number. (Range: 1 - 2)
     common-name: Specifies the fully qualified URL or IP address of the device.
     ou organization-unit: Specifies the organization-unit or department name.
     o organization: Specifies the organization name.
     l location: Specifies the location or city name.
     st state: Specifies the state or province name.
     c country: Specifies the country name.

42. Certificate Request (Cont.)
   • The certificate request is generated in Base64-encoded X.509 format.
   • Before issuing a certificate request you must first generate a self-signed certificate using the "crypto certificate generate" global configuration command.
   • After receiving the certificate from the Certification Authority, use the "crypto certificate import" global configuration command to import the certificate into the device. This certificate replaces the self-signed certificate.

43. Certificate Request (Cont.)
   console# crypto certificate 2 request
   -----BEGIN CERTIFICATE REQUEST-----
   MIIBHjCByAIBADBiMQswCQYDVQQGEwJpbDEPMA0GA1UECBMGbWVya2F6MRAwDgYD
   VQQHEwd0ZWxhdml2MQ4wDAYDVQQDEwUxMjM0NTEPMA0GA1UEChMGcmFkbGFuMQ8w
   DQYDVQQLEwZyYWRsYW4wXTANBgkqhkiG9w0BAQEFAANMADBJAkIAz3VGpFd5cGUs
   ujfbeRZucwldBk7M4yVyeaFXXY0Z3LDGHecocuA4fAJOvLtmiFZr4lD3QjKLrwhP
   0cnj/dCMlJECAwEAAaAAMA0GCSqGSIb3DQEBBAUAA0IAROVXG1phUu4bZR+bJHav
   nQWhy3s/nqOKuPAYdqjarFX+lv/19N6/VmR3IiM2O0a03XEGevnvnhnZY/Q/MEHE
   WgI=
   -----END CERTIFICATE REQUEST-----

44. CLI - Importing a Certificate
   • Use the following Global Configuration command to accept an external certificate (signed by a Certification Authority) into the device:
     crypto certificate number import
     number: Specifies the certificate number. (Range: 1 - 2)
   • The imported certificate must be based on a certificate request created by the "crypto certificate request" privileged EXEC command.
   • If the public key found in the certificate does not match the device's SSL RSA key, the command will fail.

45. Importing a Certificate (Cont.)
   • This command is not saved in the router configuration; however, the certificate imported by this command is saved in the private configuration (which is never displayed to the user or backed up to another device).
   Console(config)# crypto certificate 1 import

46. Activate Certificate for HTTPS
   • Use the following Global Configuration command to specify the HTTPS certificate to use on the device:
     ip https certificate number
     number: Specifies the certificate number. (Range: 1 - 2)
   • To remove a certificate:
     no ip https certificate
   Console(config)# ip https certificate 1
   • Before using this command, use the crypto certificate generate command to generate an HTTPS certificate.

47. CLI – HTTPS Show Commands
   • Use the following Privileged EXEC command to view the HTTPS server configuration:
     show ip https
   • Use the following Privileged EXEC command to view the SSL certificate of your device:
     show crypto certificate mycertificate [number]

48. Thank You!!!