Remote-access methods such as Telnet and FTP generate unencrypted traffic: anyone who can observe the network traffic can read all of the data, including user names and passwords. Secure Shell (SSH) is a client and server protocol that specifies how to conduct secure communications over a network. Secure Shell can replace Telnet, and Secure File Transfer Protocol (SFTP) can replace FTP with an encrypted alternative.
Note
If both SSH and SFTP are active at the same time, you can disable SFTP while leaving SSH active. For more information, see Disabling SFTP without disabling SSH.
The switch software supports Secure CoPy protocol (SCP), a secure file transfer protocol. Use SCP to transfer files securely between a local host and a remote host. SCP is off by default, but you can turn it on when you enable SSH, using the boot config flags command in global configuration mode. The switch supports SCP only as an SCP server, which means that clients can send files to the switch or request files from the switch. SCP can replace FTP with an encrypted alternative.
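To make the cleartext-versus-encrypted point above concrete, the following added example (not part of the switch documentation) models what a passive observer on the network path recovers from a Telnet session and an FTP session, compared with an SSH session. The flows are constructed samples in a simplified (sender, destination port, payload) form with made-up user names and passwords; in practice the payloads would come from a packet capture.

```python
"""Added example, not from the switch documentation: what an eavesdropper learns
from Telnet and FTP sessions versus an SSH session, run over constructed flows."""
import re

# Constructed flows ("c" = client to switch, "s" = switch to client); the user
# names and passwords are made up. FTP sends credentials as whole command lines.
FTP_FLOW = [
    ("s", 21, b"220 FTP server ready\r\n"),
    ("c", 21, b"USER rwa\r\n"),
    ("s", 21, b"331 Password required\r\n"),
    ("c", 21, b"PASS Sw1tch-Demo!\r\n"),
    ("s", 21, b"230 User logged in\r\n"),
]
# Telnet interleaves option negotiation (IAC sequences) with the prompts and
# typically carries one keystroke per segment, so credentials must be reassembled.
TELNET_FLOW = [
    ("s", 23, b"\xff\xfb\x01\xff\xfb\x03login: "),      # IAC WILL ECHO, IAC WILL SGA
    ("c", 23, b"r"), ("c", 23, b"w"), ("c", 23, b"a"), ("c", 23, b"\r\n"),
    ("s", 23, b"Password: "),
    ("c", 23, b"S"), ("c", 23, b"w"), ("c", 23, b"1"), ("c", 23, b"\r\n"),
]
# SSH: after the cleartext version banners everything is encrypted binary; the
# byte runs below are an arbitrary placeholder standing in for the encrypted stream.
SSH_FLOW = [
    ("s", 22, b"SSH-2.0-switch-sshd\r\n"),
    ("c", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("c", 22, bytes(range(0x00, 0x40))),
    ("s", 22, bytes(range(0x40, 0x80))),
]

def strip_telnet_iac(data):
    """Remove 3-byte Telnet negotiation sequences (IAC, command, option)."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 2 < len(data):
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def extract_credentials(flow):
    """Return what an eavesdropper learns from one flow: the protocol, any
    recovered credentials, and whether anything sensitive was exposed."""
    port = flow[0][1]
    found = {}
    if port == 21:
        for sender, _, payload in flow:
            m = re.match(rb"(USER|PASS) (.*)\r\n", payload) if sender == "c" else None
            if m:
                found[m.group(1).decode().lower()] = m.group(2).decode()
        return {"protocol": "ftp", "credentials": found, "exposed": bool(found)}
    if port == 23:
        pending, buf = None, b""
        for sender, _, payload in flow:
            if sender == "s":
                text = strip_telnet_iac(payload).lower()
                if text.endswith(b"login: "):
                    pending = "user"
                elif text.endswith(b"password: "):
                    pending = "pass"
            elif pending:
                buf += payload                        # one keystroke per segment
                if b"\r" in buf:                      # Enter ends the field
                    found[pending] = buf.split(b"\r")[0].decode()
                    pending, buf = None, b""
        return {"protocol": "telnet", "credentials": found, "exposed": bool(found)}
    if port == 22:
        # Only the version banners are readable; the rest of the stream is ciphertext.
        banners = [p.decode().strip() for _, _, p in flow if p.startswith(b"SSH-")]
        return {"protocol": "ssh", "banners": banners, "credentials": {}, "exposed": False}
    raise ValueError(f"unhandled port {port}")

def audit(flows):
    """Summarize which flows leaked credentials to the observer."""
    return {r["protocol"]: r["exposed"] for r in map(extract_credentials, flows)}

if __name__ == "__main__":
    for flow in (FTP_FLOW, TELNET_FLOW, SSH_FLOW):
        print(extract_credentials(flow))
```

The Telnet branch is the instructive part: because the client sends one keystroke per segment and the server never echoes the password, a detector has to track which prompt was last shown and reassemble the client bytes up to the carriage return, yet the credentials are still fully recoverable. The SSH branch recovers nothing beyond the two version banners.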
Secure Shell supports a variety of public and private key encryption schemes. Using the public key of the host server, the client and server negotiate a session key known only to the two of them. This one-time key encrypts all traffic between the client and the server. The switch supports Secure Shell version 2 (SSHv2).
By using a combination of host, server, and session keys, the SSHv2 protocol provides strong authentication and secure communication over an insecure network, offering protection from the following security risks:
IP spoofing
IP source routing
Domain name server (DNS) spoofing
Adversary-in-the-middle and TCP hijacking attacks
Eavesdropping and password sniffing
Even if the network is compromised, captured traffic cannot be replayed or decrypted, and the connection cannot be hijacked.
The SSH secure channel does not provide protection against break-in attempts or denial-of-service (DoS) attacks.
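The following added example (not the switch's implementation) models the key agreement described above: the client and the switch derive a session key that a passive observer never sees, and the switch's host key signature over the exchange binds that key to the switch, which is what defeats an adversary-in-the-middle. It uses only the Python standard library, and its parameters are assumptions for illustration: a toy Diffie-Hellman group built on a Mersenne prime, toy host keys built from Mersenne primes, and unpadded textbook RSA signatures. Real SSHv2 negotiates standardized DH groups or curve25519 and uses padded RSA or Ed25519 host key signatures.

```python
"""Toy model of the SSHv2 key agreement (added example, not the switch's code).
Assumptions: toy DH group, toy RSA host keys, unpadded textbook RSA signatures."""
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption): a Mersenne prime and a small generator.
DH_P = 2**127 - 1
DH_G = 5

def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(DH_P - 2) + 1
    return x, pow(DH_G, x, DH_P)

def dh_shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, DH_P)

def rsa_keypair(p, q, e=65537):
    """Toy host key from two supplied primes (assumption: Mersenne primes below)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def rsa_sign(priv, digest):
    n, d = priv
    return pow(int.from_bytes(digest, "big"), d, n)

def rsa_verify(pub, digest, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big")

def exchange_hash(host_pub, client_pub, server_pub, shared):
    """Simplified SSHv2 exchange hash H: commits to the host key, both DH values
    and the shared secret, so altering any of them changes what was signed."""
    h = hashlib.sha256()
    for v in (host_pub[0], host_pub[1], client_pub, server_pub, shared):
        h.update(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return h.digest()

def session_key(h):
    return hashlib.sha256(b"session-key|" + h).digest()

def server_reply(host_pub, host_priv, client_pub):
    """Server side: choose its DH value, sign H with the host key, keep the session key."""
    y, server_pub = dh_keypair()
    shared = dh_shared_secret(y, client_pub)
    h = exchange_hash(host_pub, client_pub, server_pub, shared)
    reply = {"host_pub": host_pub, "server_pub": server_pub, "sig": rsa_sign(host_priv, h)}
    return reply, session_key(h)

def client_finish(pinned_host_pub, reply, client_priv, client_pub):
    """Client side: accept only if the presented host key is the one already trusted
    (its fingerprint verified out of band) and its signature over H checks out."""
    if reply["host_pub"] != pinned_host_pub:
        return None                       # host key mismatch: refuse to proceed
    shared = dh_shared_secret(client_priv, reply["server_pub"])
    h = exchange_hash(pinned_host_pub, client_pub, reply["server_pub"], shared)
    if not rsa_verify(pinned_host_pub, h, reply["sig"]):
        return None                       # exchange values were altered in transit
    return session_key(h)

# Toy host keys (assumption): the switch's key and an unrelated key an interposer holds.
SWITCH_HOST_PUB, SWITCH_HOST_PRIV = rsa_keypair(2**521 - 1, 2**607 - 1)
OTHER_HOST_PUB, OTHER_HOST_PRIV = rsa_keypair(2**1279 - 1, 2**2203 - 1)

def honest_exchange():
    """Both ends derive the same session key; the observer saw only public values."""
    x, client_pub = dh_keypair()
    reply, server_key = server_reply(SWITCH_HOST_PUB, SWITCH_HOST_PRIV, client_pub)
    return client_finish(SWITCH_HOST_PUB, reply, x, client_pub) == server_key

def interposed_host_key():
    """Interposer presents its own host key: rejected by the pinned-key check."""
    x, client_pub = dh_keypair()
    reply, _ = server_reply(OTHER_HOST_PUB, OTHER_HOST_PRIV, client_pub)
    return client_finish(SWITCH_HOST_PUB, reply, x, client_pub)

def substituted_dh_value():
    """Interposer relays the genuine host key but swaps in its own DH value:
    the signature no longer matches H, so the client refuses."""
    x, client_pub = dh_keypair()
    reply, _ = server_reply(SWITCH_HOST_PUB, SWITCH_HOST_PRIV, client_pub)
    _, reply["server_pub"] = dh_keypair()
    return client_finish(SWITCH_HOST_PUB, reply, x, client_pub)

if __name__ == "__main__":
    print("honest:", honest_exchange())
    print("foreign host key accepted:", interposed_host_key() is not None)
    print("swapped DH value accepted:", substituted_dh_value() is not None)
```

The two rejection paths correspond to the two things an SSH client checks: that the host key matches the one it already trusts (the "host key has changed" condition), and that the signature over the exchange hash verifies under that key. Without the first check, an interposer could simply present its own key; without the second, it could relay the genuine key while substituting its own DH value. Together they are what make the session key known only to the client and the switch.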
With the SSHv2 server in the switch, you can use a commercially available SSHv2 client to make a secure connection to the switch. For more information about supported clients, see Third-Party SSH and SCP Client Software. The switch also supports outbound connections to remote SSHv2 servers, providing complete inbound and outbound secure access.