This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Training, Documentation, & General Discussions
- FAQs
- Restrict DFE Inband Management Access by IP Subnet
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Restrict DFE Inband Management Access by IP Subnet
Restrict DFE Inband Management Access by IP Subnet
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-05-2014 01:50 PM
Article ID: 7112
Products
DFE
Protocols/Features
Webview
Policy
Telnet
SNMP
SSH
ACL
Goals
IP locking
Sample configuration
Cause
It may be desirable to allow a specific IP subnet range to gain access to inband management.
Your options are to apply an ACL (if routing to the management IP), or to apply a Policy constraint (if either switching or routing to the management IP).
Solution
With security concerns, it is wise to disable the less secure inband management methods:
The default SNMPv1 should be swapped to the more secure SNMPv3 (5086).
This leaves only SSH to be addressed.
Applying an Advanced ACL
If the host IP is in a different subnet from that of the attacker, an Access Control List against SSH port 22 should do the trick, affecting all traffic routed through the DFE system. Note that Use of Advanced ACLs requires purchase and installation of an Advanced Routing License key (5025).
Here is an example of such an ACL. Matrix(rw)->router 1
Matrix(rw)->Router1>enable
Matrix(rw)->Router1#config
Matrix(rw)->Router1(config)#access-list 101 deny udp any any eq 22
Matrix(rw)->Router1(config)#access-list 101 deny tcp any any eq 22
Matrix(rw)->Router1(config)#access-list 101 permit udp any any
Matrix(rw)->Router1(config)#access-list 101 permit tcp any any
Matrix(rw)->Router1(config)#interface vlan 1
Matrix(rw)->Router1(config-if(Vlan 1))#ip access-group 101 in
Matrix(rw)->Router1(config-if(Vlan 1))#exit
Matrix(rw)->Router1(config)#exit
Matrix(rw)->Router1#exit
Matrix(rw)->
In the above example it is applied as an input ACL to VLAN 1. Applied to each of your interfaces except the one from which you want to manage, it should kill all SSH activity on those interfaces but leave everything else unimpacted.
If the DFE is switching only, but the IP structure of the DFE-traversing traffic is simple enough and you have no 802.1Q Trunks on the DFE, you can make all of the network ports a part of one large IP subnet (from the DFE's perspective) and isolate the DFE host into its own 32-bit subnet. Then, all DFE management traffic would be routed, and again an ACL would do what you want.
Another option is to use Policy.
Applying Policy
Here is a Policy configuration that is assigned to any traffic, VLAN-tagged or not, which is addressed to any of the specified protected hosts or subnets (any number of '
The simplest method of implementation is to set up one policy which references all destination IP addresses or subnets on your network which should be protected against management-type intrusions, and references all source IP addresses or subnets which are allowed to manage them; and then apply that same policy to all DFEs within your network.
You may integrate lines 3-11 of this policy into NetSight Policy Manager (5461) and your existing policy structure, or more simply just append lines 1-11 onto each DFE configuration using the '
[Delete existing policy profile #1]
clear policy all-rules
[Delete any existing policy rules]
set policy profile 1 name protect_host
set policy rule 1 ipsourcesocket <Source_IP_host_to_permit> mask 32 forward syslog enable
set policy rule 1 tcpdestportip 22 mask 16 drop
[Deny SSH to unPermitted sources]
set policy rule 1 tcpdestportip 23 mask 16 drop
[Deny Telnet to unPermitted sources]
set policy rule 1 tcpdestportip 80 mask 16 drop
[Deny HTTP/WebView to unPermitted sources]
set policy rule 1 udpdestportip 161 mask 16 drop
[Deny SNMP to unPermitted sources]
set policy rule 1 udpdestportip 162 mask 16 drop
[Deny SNMP Traps to unPermitted sources]
set policy rule 1 tcpdestportip 443 mask 16 drop
[Deny HTTPS/SSL to unPermitted sources]
set policy rule admin-profile ipdestsocket <Destination_IP_host_to_protect> mask 32 admin-pid 1
The Configuration Guide contains further background on the commands used here.
Products
DFE
Protocols/Features
Webview
Policy
Telnet
SNMP
SSH
ACL
Goals
IP locking
Sample configuration
Cause
It may be desirable to allow a specific IP subnet range to gain access to inband management.
Your options are to apply an ACL (if routing to the management IP), or to apply a Policy constraint (if either switching or routing to the management IP).
Solution
With security concerns, it is wise to disable the less secure inband management methods:
code:
>Matrix(rw)-
set webview disable(this is the default)
code:
>Matrix(rw)-
set telnet disable inbound
The default SNMPv1 should be swapped to the more secure SNMPv3 (5086).
This leaves only SSH to be addressed.
Applying an Advanced ACL
If the host IP is in a different subnet from that of the attacker, an Access Control List against SSH port 22 should do the trick, affecting all traffic routed through the DFE system. Note that Use of Advanced ACLs requires purchase and installation of an Advanced Routing License key (5025).
Here is an example of such an ACL. Matrix(rw)->router 1
Matrix(rw)->Router1>enable
Matrix(rw)->Router1#config
Matrix(rw)->Router1(config)#access-list 101 deny udp any any eq 22
Matrix(rw)->Router1(config)#access-list 101 deny tcp any any eq 22
Matrix(rw)->Router1(config)#access-list 101 permit udp any any
Matrix(rw)->Router1(config)#access-list 101 permit tcp any any
Matrix(rw)->Router1(config)#interface vlan 1
Matrix(rw)->Router1(config-if(Vlan 1))#ip access-group 101 in
Matrix(rw)->Router1(config-if(Vlan 1))#exit
Matrix(rw)->Router1(config)#exit
Matrix(rw)->Router1#exit
Matrix(rw)->
In the above example it is applied as an input ACL to VLAN 1. Applied to each of your interfaces except the one from which you want to manage, it should kill all SSH activity on those interfaces but leave everything else unimpacted.
If the DFE is switching only, but the IP structure of the DFE-traversing traffic is simple enough and you have no 802.1Q Trunks on the DFE, you can make all of the network ports a part of one large IP subnet (from the DFE's perspective) and isolate the DFE host into its own 32-bit subnet. Then, all DFE management traffic would be routed, and again an ACL would do what you want.
Another option is to use Policy.
Applying Policy
Here is a Policy configuration that is assigned to any traffic, VLAN-tagged or not, which is addressed to any of the specified protected hosts or subnets (any number of '
code:
' commands may be stacked). Within the assigned policy, traffic sourced from an allowable host or subnet (any number of 'admin-profile ipdestsocket
code:
' commands may be stacked) is summary-syslogged but passed along unchanged, while traffic sourced from anywhere else is further examined for its L4 port value: SSH (22), Telnet (23), HTTP/WebView (80), SNMP (161), SNMP Traps (162), and HTTPS/SSL (443) traffic is dropped, but everthing else is permitted regardless of source.ipsourcesocket
The simplest method of implementation is to set up one policy which references all destination IP addresses or subnets on your network which should be protected against management-type intrusions, and references all source IP addresses or subnets which are allowed to manage them; and then apply that same policy to all DFEs within your network.
You may integrate lines 3-11 of this policy into NetSight Policy Manager (5461) and your existing policy structure, or more simply just append lines 1-11 onto each DFE configuration using the '
code:
' command (5690). The processs will delete all existing policy commands and replace them with the commands you are appending. Note that you will need to remove the annotations before the commands will be considered valid.clear policy profile 1configure...append
[Delete existing policy profile #1]
clear policy all-rules
[Delete any existing policy rules]
set policy profile 1 name protect_host
set policy rule 1 ipsourcesocket <Source_IP_host_to_permit> mask 32 forward syslog enable
set policy rule 1 tcpdestportip 22 mask 16 drop
[Deny SSH to unPermitted sources]
set policy rule 1 tcpdestportip 23 mask 16 drop
[Deny Telnet to unPermitted sources]
set policy rule 1 tcpdestportip 80 mask 16 drop
[Deny HTTP/WebView to unPermitted sources]
set policy rule 1 udpdestportip 161 mask 16 drop
[Deny SNMP to unPermitted sources]
set policy rule 1 udpdestportip 162 mask 16 drop
[Deny SNMP Traps to unPermitted sources]
set policy rule 1 tcpdestportip 443 mask 16 drop
[Deny HTTPS/SSL to unPermitted sources]
set policy rule admin-profile ipdestsocket <Destination_IP_host_to_protect> mask 32 admin-pid 1
The Configuration Guide contains further background on the commands used here.
0 REPLIES 0
