Restrict DFE Inband Management Access by IP Subnet

Article ID: 7112



IP locking
Sample configuration

It may be desirable to allow only a specific IP subnet range to access inband management.

Your options are to apply an ACL (if routing to the management IP), or to apply a Policy constraint (if either switching or routing to the management IP).

With security concerns, it is wise to disable the less secure inband management methods:

    set webview disable          (this is the default)
    set telnet disable inbound

The default SNMPv1 should be replaced with the more secure SNMPv3 (5086).

This leaves only SSH to be addressed.

Applying an Advanced ACL

If the host IP is in a different subnet from that of the unauthorized source (the attacker), an Access Control List against SSH port 22 should do the trick, affecting all traffic routed through the DFE system. Note that use of Advanced ACLs requires purchase and installation of an Advanced Routing License key (5025).

Here is an example of such an ACL:

Matrix(rw)->router 1
Matrix(rw)->Router1(config)#access-list 101 deny udp any any eq 22
Matrix(rw)->Router1(config)#access-list 101 deny tcp any any eq 22
Matrix(rw)->Router1(config)#access-list 101 permit udp any any
Matrix(rw)->Router1(config)#access-list 101 permit tcp any any
Matrix(rw)->Router1(config)#interface vlan 1
Matrix(rw)->Router1(config-if(Vlan 1))#ip access-group 101 in
Matrix(rw)->Router1(config-if(Vlan 1))#exit

In the above example it is applied as an input ACL to VLAN 1. Applied to each of your interfaces except the one from which you want to manage, it should kill all SSH activity on those interfaces but leave everything else unimpacted.

If the DFE is switching only, but the IP structure of the DFE-traversing traffic is simple enough and you have no 802.1Q trunks on the DFE, you can make all of the network ports part of one large IP subnet (from the DFE's perspective) and isolate the DFE host into its own /32 subnet. Then all DFE management traffic would be routed, and again an ACL would do what you want.
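As an added illustration (not from the article and not vendor tooling), the Python script below emits the SSH-blocking ACL from the example above for every VLAN interface except the management VLAN, then checks the ACL against a few sample flows with a small first-match model. The VLAN list and management VLAN number are constructed placeholders. The first-match-with-implicit-deny model is an assumption about the router's ACL semantics, not something the article states; it is worth confirming in the Configuration Guide for your firmware, because the article's ACL only permits TCP and UDP explicitly, so whether other IP protocols (ICMP, routing protocols) still pass on those interfaces depends on how unmatched traffic is treated.

```python
"""Generate the per-VLAN SSH-blocking input ACL and model its first-match behaviour.

Added example; the VLAN numbers and the implicit-deny assumption are illustrative.
"""
from dataclasses import dataclass
from typing import List, Optional

ACL_NUMBER = 101
SSH_PORT = 22

# Constructed interface inventory (hypothetical, not from the article).
VLANS = [1, 10, 20, 99]
MANAGEMENT_VLAN = 99      # the VLAN you manage the DFE from; it gets no ACL


def acl_lines(acl: int = ACL_NUMBER) -> List[str]:
    """The four access-list entries from the article, in the same order."""
    return [
        f"access-list {acl} deny udp any any eq {SSH_PORT}",
        f"access-list {acl} deny tcp any any eq {SSH_PORT}",
        f"access-list {acl} permit udp any any",
        f"access-list {acl} permit tcp any any",
    ]


def interface_lines(vlans: List[int], mgmt_vlan: int, acl: int = ACL_NUMBER) -> List[str]:
    """Apply the ACL inbound on every VLAN interface except the management one."""
    lines: List[str] = []
    for v in vlans:
        if v == mgmt_vlan:
            continue
        lines += [f"interface vlan {v}", f" ip access-group {acl} in", " exit"]
    return lines


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "udp"
    dst_port: Optional[int]  # None means any port


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list <n> <action> <proto> any any [eq <port>]' entries."""
    entries = []
    for line in lines:
        tok = line.split()
        action, proto = tok[2], tok[3]
        port = int(tok[7]) if len(tok) > 7 and tok[6] == "eq" else None
        entries.append(Entry(action, proto, port))
    return entries


def evaluate(entries: List[Entry], proto: str, dst_port: int, implicit_deny: bool = True) -> str:
    """First matching entry wins; unmatched traffic hits the (assumed) implicit deny."""
    for e in entries:
        if e.proto == proto and (e.dst_port is None or e.dst_port == dst_port):
            return e.action
    return "deny" if implicit_deny else "permit"


if __name__ == "__main__":
    print("\n".join(acl_lines() + interface_lines(VLANS, MANAGEMENT_VLAN)))
    acl = parse_acl(acl_lines())
    for proto, port in [("tcp", 22), ("tcp", 443), ("udp", 161), ("icmp", 0)]:
        print(f"{proto}/{port}: {evaluate(acl, proto, port)}")
```

Running the script prints the configuration to paste into router mode and shows that SSH to port 22 is denied while TCP 443 and UDP 161 still pass; the ICMP line shows the effect of the implicit-deny assumption on protocols the ACL never names.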

Another option is to use Policy.

Applying Policy

Here is a Policy configuration that is assigned to any traffic, VLAN-tagged or not, which is addressed to any of the specified protected hosts or subnets (any number of 'admin-profile ipdestsocket' commands may be stacked). Within the assigned policy, traffic sourced from an allowable host or subnet (any number of such source rules may be stacked) is summary-syslogged but passed along unchanged, while traffic sourced from anywhere else is further examined for its L4 port value: SSH (22), Telnet (23), HTTP/WebView (80), SNMP (161), SNMP Traps (162), and HTTPS/SSL (443) traffic is dropped, but everything else is permitted regardless of source.

The simplest method of implementation is to set up one policy which references all destination IP addresses or subnets on your network which should be protected against management-type intrusions, and references all source IP addresses or subnets which are allowed to manage them; and then apply that same policy to all DFEs within your network.

You may integrate lines 3-11 of this policy into NetSight Policy Manager (5461) and your existing policy structure, or more simply just append lines 1-11 onto each DFE configuration using the command documented in article 5690. That process will delete all existing policy commands and replace them with the commands you are appending. Note that you will need to remove the bracketed annotations before the commands will be considered valid.

clear policy profile 1
[Delete existing policy profile #1]
clear policy all-rules
[Delete any existing policy rules]
set policy profile 1 name protect_host
set policy rule 1 ipsourcesocket <Source_IP_host_to_permit> mask 32 forward syslog enable
set policy rule 1 tcpdestportip 22 mask 16 drop
[Deny SSH to non-permitted sources]
set policy rule 1 tcpdestportip 23 mask 16 drop
[Deny Telnet to non-permitted sources]
set policy rule 1 tcpdestportip 80 mask 16 drop
[Deny HTTP/WebView to non-permitted sources]
set policy rule 1 udpdestportip 161 mask 16 drop
[Deny SNMP to non-permitted sources]
set policy rule 1 udpdestportip 162 mask 16 drop
[Deny SNMP Traps to non-permitted sources]
set policy rule 1 tcpdestportip 443 mask 16 drop
[Deny HTTPS/SSL to non-permitted sources]
set policy rule admin-profile ipdestsocket <Destination_IP_host_to_protect> mask 32 admin-pid 1
The Configuration Guide contains further background on the commands used here.
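The article recommends one policy that lists every protected destination and every permitted management source, applied to all DFEs. As an added example (not from the article or the vendor), the Python script below builds that policy from CIDR lists, stacking one 'ipsourcesocket' rule per permitted source and one 'admin-profile ipdestsocket' rule per protected host or subnet, and then models how a flow is classified under the behaviour the article describes (permitted source: forwarded and syslogged; any other source: dropped only when it targets one of the six management ports). The protected and permitted networks are constructed placeholders, and two points are assumptions rather than statements from the article: that the 'mask' value is a prefix length in bits (consistent with the article's 'mask 32' on a host address), and that a matching source rule takes precedence over the port-drop rules exactly as the article's prose describes.

```python
"""Build the protect_host policy for several hosts/subnets and model its classification.

Added example; network lists are constructed and the precedence/mask semantics are
assumptions stated in the lead-in.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample inputs (placeholders, not from the article).
PROTECTED = ["10.0.0.5/32", "10.0.1.0/24"]        # DFE host IPs / management subnets
PERMITTED = ["192.168.50.10/32", "192.168.60.0/24"]  # sources allowed to manage them

# Management ports the article drops for non-permitted sources, in the article's order.
MGMT_PORTS: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "SSH",
    ("tcp", 23): "Telnet",
    ("tcp", 80): "HTTP/WebView",
    ("udp", 161): "SNMP",
    ("udp", 162): "SNMP Traps",
    ("tcp", 443): "HTTPS/SSL",
}


def policy_lines(protected: List[str], permitted: List[str],
                 pid: int = 1, name: str = "protect_host") -> List[str]:
    """Emit the article's policy with stacked source and destination rules."""
    lines = [
        f"clear policy profile {pid}",
        "clear policy all-rules",
        f"set policy profile {pid} name {name}",
    ]
    for src in permitted:
        net = ipaddress.ip_network(src, strict=False)
        # mask = prefix length in bits (assumption, matching 'mask 32' for a host)
        lines.append(f"set policy rule {pid} ipsourcesocket {net.network_address} "
                     f"mask {net.prefixlen} forward syslog enable")
    for (proto, port) in MGMT_PORTS:
        lines.append(f"set policy rule {pid} {proto}destportip {port} mask 16 drop")
    for dst in protected:
        net = ipaddress.ip_network(dst, strict=False)
        lines.append(f"set policy rule admin-profile ipdestsocket {net.network_address} "
                     f"mask {net.prefixlen} admin-pid {pid}")
    return lines


def _in_any(addr: str, nets: List[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def classify(src_ip: str, dst_ip: str, proto: str, dst_port: int,
             protected: List[str] = PROTECTED, permitted: List[str] = PERMITTED) -> str:
    """Model of the article's described behaviour for one flow."""
    # The admin-profile rule only assigns the policy to traffic addressed to a protected host.
    if not _in_any(dst_ip, protected):
        return "not-classified"
    # Permitted sources are syslogged and forwarded unchanged (assumed to win over port rules).
    if _in_any(src_ip, permitted):
        return "forward+syslog"
    # Everyone else is dropped only on the management ports; other traffic passes.
    if (proto, dst_port) in MGMT_PORTS:
        return "drop"
    return "forward"


if __name__ == "__main__":
    print("\n".join(policy_lines(PROTECTED, PERMITTED)))
    for flow in [("192.168.50.10", "10.0.0.5", "tcp", 22),
                 ("172.16.1.1", "10.0.0.5", "tcp", 22),
                 ("172.16.1.1", "10.0.1.7", "tcp", 8080),
                 ("172.16.1.1", "10.9.9.9", "tcp", 22)]:
        print(flow, "->", classify(*flow))
```

The printed policy is what you would append to each DFE (after checking it against the Configuration Guide); the four sample flows show a permitted manager reaching SSH, an unknown source being dropped on SSH but forwarded on a non-management port, and traffic to an unprotected destination left to other policy.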
