AT-8000S Security Management

  1. Management Security and Access Control, AT-8000S

  2. Management Access Control
     • For security reasons, only a selected, predefined group of users should be allowed to perform system management.
     • Rules act as filters that decide management access to the device based on:
       – Type of management application
       – Interface type and selection
       – Source IP address and network mask
     • Users can be denied or permitted management access.
     • In this way network managers control who is allowed to manage the network devices.

  3. Management Security (diagram: EWS and Telnet management filtered by "secure management port", "secure management VLAN" and "secure management IP address")

  4. Management Access Control, System Spec, AT-8000S

  5. Management Access Control List (MACL)
     • A Management Access Control List (MACL) contains rules that determine device access via:
       – Console (ASCII terminal)
       – Telnet (CLI over Telnet)
       – SSH (CLI over Secure Shell)
       – EWS (HTTP, or HTTPS using SSL)
       – SNMP
     • A MACL can limit access to users identified by:
       – Ingress interface (Ethernet port, port channel or VLAN)
       – Source IP address
       – Source IP subnet (using a mask)

  6. MACL, User Control
     • Management access can be set separately for each management type (the set of users allowed Telnet may differ from the set allowed EWS, and so on).
     • The maximum number of MACL rules is 256 (across all criteria).
     • A specific management access method can be disabled completely by denying all users access to that management type.
     • By default, all management access to the system is enabled over all interfaces.
     • A specific command exists to enable console management only.
     • Management access via the system serial console is always enabled.

  7. MACL CLI Configuration, AT-8000S

  8. CLI: Management Access Control List (MACL)
     • Use the following Global Configuration mode command to define an access list for a management access control list (MACL) and enter the access-list context for configuration. Use the "no" form of the command to remove the MACL:
       management access-list name
       no management access-list name

  9. CLI: MACL rules (permit)
     • Use the following MACL Configuration mode commands to define a MACL rule permitting a management service:
       permit [ethernet interface-number | vlan vlan-id | port-channel number] [service service]
       permit ip-source ip-address [mask mask | prefix-length] [ethernet interface-number | vlan vlan-id | port-channel number] [service service]

  10. CLI: MACL rules (permit), notes
     1) If no service is given in the rule, it applies to all services.
     2) If no interface is given, the rule applies to all interfaces.
     3) Use "permit" without any parameters to permit all access.
     4) The default rule (when no rule matches) is to deny access.

  11. CLI: MACL rules (deny)
     • Use the following MACL Configuration mode commands to define a MACL rule denying a management service:
       deny [ethernet interface-number | vlan vlan-id | port-channel number] [service service]
       deny ip-source ip-address [mask mask | prefix-length] [ethernet interface-number | vlan vlan-id | port-channel number] [service service]

  12. CLI: Management Access Class
     • Use the following Global Configuration mode command to define which access list is applied to management connections. Use the "no" form of the command to disable the MACL:
       management access-class {console-only | name}
       no management access-class
     Note: only one access class can be active on a device; defining another replaces the first.

  13. CLI Example: MACL
     • Defining and applying a MACL named Secure that:
       – denies Telnet access from port 1/e10
       – denies HTTP from VLAN 2 with source address 10.1.1.1/32
       – permits all other access
       – is then applied to the device
       console(config)# management access-list Secure
       console(config-macl)# deny ethernet 1/e10 service telnet
       console(config-macl)# deny ip-source 10.1.1.1 mask /32 vlan 2 service http
       console(config-macl)# permit
       console(config-macl)# exit
       console(config)# management access-class Secure

  14. CLI: Show Management Access
     • Use the following EXEC mode command to display management access lists:
       show management access-list [name]
     • Use the following EXEC mode command to display information about the active management access class:
       show management access-class

  15. CLI Example: Show MACL
       console# show management access-class
       Management access-class is enabled, using access-list Secure
       console# show management access-list
       Secure
       -----------
       deny ethernet 1/e10 service telnet
       deny ip-source 10.1.1.1 vlan 2 service http
       permit
       ! (Note: all other access implicitly denied)
       console-only
       ------------
       deny
       ! (Note: all other access implicitly denied)
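The following Python model is an added illustration of the MACL semantics spelled out in slides 8 to 15; it is not Allied Telesis code and does not come from the original deck. It encodes the rules the slides state (an omitted interface or service matches everything, a bare permit/deny matches everything, no match means deny), renders a rule list in the command syntax shown on slides 9, 11 and 13, and evaluates whether a given management session would be accepted. Two things are assumptions: rules are evaluated in the order they were entered and the first match decides, as for ordinary ACLs (the slides do not say so explicitly), and the VLAN 10 / 10.10.0.0/24 management network in the second list is hypothetical. That second list applies the point from slide 6 that a method is disabled by denying it to all users: the Secure example still allows cleartext Telnet from every port other than 1/e10 and cleartext HTTP from every host but one, whereas the hardened list switches those two services off everywhere and confines SSH, HTTPS and SNMP to the management subnet.

```python
"""Model of AT-8000S management access-list (MACL) evaluation.

Added illustration, not Allied Telesis code. It models the behaviour the
slides describe: a rule may filter on ingress interface, source IP/mask and
management service; an omitted criterion matches everything; a bare
permit/deny matches everything; and a session matching no rule is denied.
Assumption not stated on the slides: rules are evaluated in the order they
were entered and the first match decides, as for ordinary ACLs.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Management services named on the slides (the serial console is always allowed
# and therefore not filtered here).
SERVICES = {"telnet", "ssh", "http", "https", "snmp"}


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    interface: Optional[str] = None  # "ethernet 1/e10", "vlan 2", "port-channel 1"; None = any
    source: Optional[str] = None     # "10.1.1.1/32"; None = any source address
    service: Optional[str] = None    # "telnet", "http", ...; None = all services

    def matches(self, ingress: FrozenSet[str], src_ip: str, service: str) -> bool:
        # `ingress` holds every interface name the session arrived through, e.g. both
        # the physical port and the VLAN it belongs to, so either kind of rule can match.
        if self.interface is not None and self.interface not in ingress:
            return False
        if self.source is not None and ip_address(src_ip) not in ip_network(self.source, strict=False):
            return False
        if self.service is not None and self.service != service:
            return False
        return True

    def cli(self) -> str:
        """Render the rule in the command syntax shown on the slides."""
        parts = [self.action]
        if self.source is not None:
            net = ip_network(self.source, strict=False)
            parts += ["ip-source", str(net.network_address), "mask", f"/{net.prefixlen}"]
        if self.interface is not None:
            parts.append(self.interface)
        if self.service is not None:
            parts += ["service", self.service]
        return " ".join(parts)


def evaluate(macl: List[Rule], ingress: FrozenSet[str], src_ip: str, service: str) -> str:
    """Return 'permit' or 'deny' for one management session (first match wins)."""
    if service not in SERVICES:
        raise ValueError(f"unknown management service {service!r}")
    for rule in macl:
        if rule.matches(ingress, src_ip, service):
            return rule.action
    return "deny"  # default rule: nothing matched, access denied


def render_config(name: str, macl: List[Rule]) -> List[str]:
    """Global Configuration mode commands that define `name` and make it the access class."""
    return ([f"management access-list {name}"]
            + [rule.cli() for rule in macl]
            + ["exit", f"management access-class {name}"])


# The "Secure" list from the slides.
SECURE = [
    Rule("deny", interface="ethernet 1/e10", service="telnet"),
    Rule("deny", interface="vlan 2", source="10.1.1.1/32", service="http"),
    Rule("permit"),
]

# Tighter variant. VLAN 10 / 10.10.0.0/24 is an assumed management network.
# Cleartext Telnet and HTTP are denied on every interface (a service is disabled by
# denying it to everyone); only the management subnet on VLAN 10 may use the
# remaining services; everything else falls through to the implicit deny.
HARDENED = [
    Rule("deny", service="telnet"),
    Rule("deny", service="http"),
    Rule("permit", interface="vlan 10", source="10.10.0.0/24"),
]

if __name__ == "__main__":
    print("\n".join(render_config("Secure", SECURE)))
    port10 = frozenset({"ethernet 1/e10", "vlan 2"})
    print("telnet from 1/e10:", evaluate(SECURE, port10, "10.1.1.5", "telnet"))
    print("ssh from 1/e10:   ", evaluate(SECURE, port10, "10.1.1.5", "ssh"))
```

Running the module prints the same six commands as slide 13 and shows that, under the Secure list, Telnet from port 1/e10 is denied while SSH from the same port is permitted. Note how HARDENED is evaluated: a deny on a service with no interface or address matches that service from everywhere, which is exactly the "disable a method completely" mechanism of slide 6.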
  16. Thank you!
