Refer to the Access Control screen to allow/deny management access to the network using strategically selected protocols (HTTP, HTTPS, Telnet, SSH or SNMP). Access options can be either enabled or disabled as required. Consider disabling unused interfaces to close unnecessary security holes. The Access Control tab is not meant to function as an ACL (in routers or other firewalls), where you can specify and customize specific IPs to access specific interfaces.
Administrators can secure access to a controller or service platform by disabling less secure interfaces. By default, the CLI, SNMP and FTP disable interfaces that do not support encryption or authentication. However, Web management using HTTP is enabled. Insecure management interfaces such as Telnet, HTTP and SNMP should be disabled, and only secure management interfaces, like SSH and HTTPS should be used to access the controller or service platform managed network.
The following table demonstrates how some interfaces provide better security than others:
Access Type | Encrypted | Authenticated | Default State |
---|---|---|---|
Telnet | No | Yes | Disabled |
SNMPv2 | No | No | Enabled |
SNMPv3 | Yes | Yes | Enabled |
HTTP | No | Yes | Disabled |
HTTPS | Yes | Yes | Disabled |
FTP | No | Yes | Disabled |
SSHv2 | Yes | Yes | Disabled |
To set an access control configuration for the Management Access policy:
Enable Telnet | Select the checkbox to enable Telnet device access. Telnet provides a command line interface to a remote host over TCP. Telnet provides no encryption, but it does provide a measure of authentication. Telnet access is disabled by default. |
Telnet Port | Set the port on which Telnet connections are made (1 - 65,535). The default port is 23. Change this value using the spinner control next to this field or by entering the port number in the field. |
Enable SSHv2 | Select the checkbox to enable SSH device access. SSH (Secure Shell) version 2, like Telnet, provides a command line interface to a remote host. SSH transmissions are encrypted and authenticated, increasing the security of transmission. SSH access is disabled by default. |
SSHv2 Port | Set the port on which SSH connections are made. The default port is 22. Change this value using the spinner control next to this field or by entering the port number in the field. |
Enable HTTP | Select the check box to enable HTTP device access. HTTP provides limited authentication and no encryption. |
Enable HTTPS | Select the check box to enable HTTPS device access. HTTPS (Hypertext Transfer Protocol Secure) is more secure than plain HTTP. HTTPS provides both authentication and data encryption as opposed to just authentication. |
Note
If the a RADIUS server is not reachable, HTTPS or SSH management access to the controller or service platform may be denied.Enable FTP | Select the check box to enable FTP device access. FTP (File Transfer Protocol) is the standard protocol for transferring files over a TCP/IP network. FTP requires administrators enter a valid username and password authenticated locally on the controller. FTP access is disabled by default. |
FTP Username | Specify a username required when logging in to the FTP server. The username cannot exceed 32 characters. |
FTP Password | Specify a password required when logging in to the FTP server. Reconfirm the password in the field provided to ensure it has been entered correctly. The password cannot exceed 63 characters. |
FTP Root Directory | Provide the complete path to the root directory in the space provided. The default setting has the root directory set to flash:/ |
Idle Session Timeout | Specify an inactivity timeout for management connects (in seconds) between 1 - 4,320. The default setting is 12.0 |
Message of the Day | Enter message of the day text (no longer than 255 characters) displayed at login for clients connecting via Telnet or SSH. |
Filter Type | Select a filter type for access restriction. Options include IP Access List, Source Address or None. To restrict management access to specific hosts, select Source Address as the filter type and provide the allowed addresses within the Source Hosts field. |
IP Access List | If the selected filter type is IP Access List, select an access list from the drop-down menu or select the Create button to define a new one. IP based firewalls function like Access Control Lists (ACLs) to filter/mark packets based on the IP from which they arrive, as opposed to filtering packets on layer 2 ports. IP firewalls implement uniquely defined access control policies, so if you do not have an idea of what kind of access to allow or deny, a firewall is of little value, and could provide a false sense of network security. |
Source Hosts | If the selected filter type is Source Address, enter an IP Address or IP Addresses for the source hosts. To restrict management access to specific hosts, select Source Address as the filter type and provide the allowed addresses within the Source Hosts field. |
Source Subnets | If the selected filter type is Source Address, enter a source subnet or subnets for the source hosts. To restrict management access to specific subnets, select Source Address as the filter type and provide the allowed addresses within the Source Subnets field. |
Logging Policy | If the selected filter is Source Address, enter a logging policy for administrative access. Options includes None, Denied Requests or All. |