Security Modes

The switch support three security modes:

  • Enhanced secure

  • Hsecure

  • SSH secure

Enable SSH secure mode to allow only SSH to be used and disable all other protocols which include Telnet, rlogin, FTP, SNMP, TFTP, HTTP, and HTTPS. Enabling this mode disables Telnet, rlogin, FTP, SNMP, TFTP, HTTP, and HTTPS by setting the boot flags for these protocols to off. You can over-ride the configuration and enable required protocols individually for run-time use. The administrator must enable required protocols individually for run-time use again following a reboot even if you save the configuration. This is because the SSH secure mode enable takes precedence at the time of reboot and the other protocols will be disabled even though the configuration file has them set to enabled.

Note

Note

Rlogin is only supported on VSP 8600 Series.

Note

Note

Disabling SSH secure mode will not automatically enable the OA&M protocols that were disabled. The boot flags for the required protocols will have to be individually set to enabled.

The following table lists the differences between enhanced secure mode and hsecure mode.

Table 1. Enhanced secure mode versus hsecure mode

Feature

Enhanced secure

Hsecure

Authentication

Role-based:  

  • admin

  • privilege

  • operator

  • security

  • auditor

Access-level based:

  • rwa

  • rw

  • ro

  • l3

  • l2

  • l1

Password length

Minimum of 8 characters with the exception of the Admin, which requires a minimum of 15 characters

10 characters, minimum

Password rules

1 or 2 upper case, lower case, numeric and special characters

Minimum of 2 upper case, 2 lower case, 2 numeric and 2 special characters

Password expiration

Per-user minimum change interval is enforced, which is programmed by the Administrator

Global expiration, configured by the Admin

Password-unique

Previous passwords  and common passwords between users are prevented

The same

Password renewal

Automatic password renewal is enforced

The same

Audit logs

Audit logs are encrypted, and authorized users are able to view, modify, and delete.

Standard operation

SNMPv3

Password rules apply to SNMPv3 Auth&Priv.  SNMPv3 is required (V1/V2 disabled)

SNMPv1 and SNMPv2 can be enabled.

EDM

Site Admin to enable or disable

Disabled

Telnet and FTP

Site Admin to enable or disable

The same

DOS attack Prevention

Prevents DOS attacks by filtering IP addresses and IP address ranges.

For information on Enhanced secure mode and SSH, see Enhanced Secure Mode.

9037588-00 Rev AA