AT-8000S configuring with SSH and SSL

SSH & SSL AT - 8000S

Transcript of AT-8000S configuring with SSH and SSL

Page 1: AT-8000S configuring with SSH and SSL

SSH & SSL

AT - 8000S

Page 2

Secure Management

• Secure management is increasingly important in modern networks: the ability to manage switches easily and effectively, and the requirement for security, are two almost universal requirements.

• Traditionally, switches are managed either through remote terminal sessions over the Telnet protocol or through SNMP.

• Both methods have serious security problems: they are protected only by clear-text, reusable passwords.

Page 3

[Figure: NMS, Telnet, Unsecured zone, Firewall]

Page 4

Secure Management - Solutions

• Methods to ensure secure management:
– Access Control and Security - defining access rules on the device.
– AAA security services - using usernames and/or passwords to authenticate a user's identity and access (authorization) level.
– Using encryption methods, checksum and hash algorithms and/or digital signatures.

• Access Control & Security and AAA are explained in other presentations.

Page 5

Security Building Blocks

• Encryption provides
– confidentiality; it can also provide authentication and integrity protection

• Checksums/hash algorithms provide
– integrity protection; they can also provide authentication

• Digital signatures provide
– authentication, integrity protection, and non-repudiation

• Demands for management security and control of the networking devices touch all areas of the enterprise.

Page 6

Secure Management Options

• The Secure Shell (SSH) protocol provides encrypted and strongly authenticated remote login sessions, similar to the Telnet protocol, between a device running a Secure Shell server and a host (PC) with a Secure Shell client.

• The Secure Socket Layer (SSL) has been universally accepted on the World Wide Web for authenticated and encrypted communication between client and server applications. Therefore, SSL allows secure management of the networking devices via a standard web browser.

Page 7

Secure Management

[Figure: NMS, Telnet, Unsecured zone, Firewall, SSH station]

Page 8

SSH protocol features

• Secure connection between one client and one server

• Client, server, user and message authentication

• Uses "keys" (public and private) to authenticate the user and to negotiate the session (encrypt/decrypt) key, which is shared

• Allows "tunneling" of insecure connections through the secure SSH channel

• Secure Shell replaces Telnet for remote terminal sessions. Secure Shell is strongly authenticated and encrypted.

Page 9

How does SSH Tunneling work?

This Telnet connection is transmitted in the clear – data and passwords are insecure!

Set up SSH port forwarding from the client to the server.

The result – a secure connection!

[Figure: three diagrams of a Client and a Router, each with a Network I/F and a Loopback I/F. (1) Telnet app to telnetd on port 23 across the network interfaces: insecure. (2) SSH app to sshd on port 22: secure. (3) The Telnet app connects to the client's loopback interface, the SSH client carries the traffic to sshd on port 22, and sshd hands it to telnetd on port 23 at the router; the clear-text Telnet path is labelled "Never Transmitted!"]

Page 10

What is SSL?

• Secure Sockets Layer (SSL) is a protocol designed to enable secure communications on an insecure network such as the Internet.

• SSL provides encryption and integrity of communications along with strong authentication using digital certificates.

Page 11

Introduction to SSL

• The Secure Sockets Layer (SSL) was originally developed by Netscape Communications and was based on encryption algorithms developed by RSA Security.

• This is a security protocol that provides communications privacy over the Internet.

• SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between client and server applications.

• The new Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.

Page 12

SSL/TLS

• SSL and TLS are standards for how to secure TCP/IP communications

• As of the latest revision, TLS is the official name for what used to be called SSL. However, SSL is still the word most frequently used.

• TLS is a layer on top of the TCP layer

Page 13

SSL/TLS

[Figure: two protocol stacks side by side. Not secure: IP, TCP, HTTP. Secure: IP, TCP, TLS, HTTP.]

Page 14

SSH System Spec

AT - 8000S

Page 15

SSH-1 vs SSH-2

• SSH-2 and SSH-1 are incompatible, but some servers have a compatibility mode

• SSH-2 is more secure (stronger encryption and authentication) and allows more detailed configuration

• SSH-1 has a wider license, and transfers files 4 times as fast

• AT - 8000S implements SSH-2 only

Page 16

AT - 8000S SSH Implementation

• Inbound Secure Shell connections (server mode).

• RSA keys (proprietary, but commonly used) and DSA keys (US government standard) are both supported.

• The keys are not saved as part of the configuration file, but are saved in the flash.

• When the configuration file is copied, the keys are not copied along with it.

• The public part of the key is up to 2048 bits.

Page 17

SSH Implementation

• Four types of encryption are supported: 3DES, Arcfour (RC4), AES and Blowfish.

• The type of encryption is agreed upon between the client and the server; it is not configured within the device.

• Implements a direct SSH session without Telnet tunneling.

• Up to 4 concurrent SSH (or Telnet) sessions are supported.

• Ability to authenticate the client's public key.

Page 18

SSH Procedure

• If needed, enable SSH on the device (the default is Disabled).

• If needed, define the (protocol) port (the default is port 22).

• Create either a DSA or an RSA key pair. Generating the key may take a short while.

• If desired, authenticate the client's public key. Alternative user authentication is via AAA.

• If the user requests a new key, every new session will get the new key. All running sessions will keep the old key.

• PC side:
– Define keys (if needed)
– Define the authentication method (if needed)
– Connect to the device via the IP address defined on the device.

Page 19

SSH CLI Configuration

AT - 8000S

Page 20

SSH CLI – Server and Port

• Use the following Global Mode command to enable SSH on the device. The "no" form of this command disables this function:

ip ssh server
no ip ssh server

Note: If encryption keys have not been generated, the SSH server will be in standby until the keys are generated.

• Use the following Global Mode command to specify the TCP port to be used by the SSH server. The "no" form of the command returns the setting to the default port (port 22):

ip ssh port port-number
no ip ssh port

Page 21

CLI SSH – Generating Keys

• Use one or both of the following Global Mode commands to generate encryption key pairs (one public, one private):

crypto key generate rsa
crypto key generate dsa

• Generation of keys may take some time.

Note: The keys are not saved in the router configuration (they are never displayed to the user or backed up to another device); however, the generated keys are saved in the flash and persist across reboots.

Page 22

CLI SSH – Example

console# con

console(config)# ip ssh server

console(config)# ip ssh port 22

console(config)# crypto key generate rsa

Replace Existing RSA Key [y/n]? y

01-Jan-2000 01:25:45 %SSHD-I-KEYGENRSA: The SSH service is generating a private RSA key.

This may take a few seconds, depending on the key size

console(config)#

Page 23

CLI SSH – Show SSH

• Use the following EXEC Mode command to view the SSH configuration on the device:

show ip ssh

console# sh ip ssh

SSH Server enabled. Port: 22

RSA key was generated.

DSA(DSS) key was generated.

SSH Public Key Authentication is disabled.

Active incoming sessions:

IP address SSH username Version Cipher Auth Code

----------------- -------------- ----------- ----------- --------------
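The `show ip ssh` output above is what an operator checks after running the procedure on the previous pages. The script below is an added example, not part of the slides or of Allied Telesis software: it parses that output into fields and reports the conditions the slides themselves call out (server disabled, no key generated so the server sits in standby, public-key authentication off, a non-default port). The second sample output, the field names and the finding texts are constructed for this example.

```python
"""Parse `show ip ssh` output from an AT-8000S and flag settings that matter for
secure management. Added example (not Allied Telesis code); the field names,
the "was not generated" wording and the finding texts are this example's own."""
import re

# Output copied from the page's `show ip ssh` example (no active sessions).
SHOW_IP_SSH_PAGE = """\
SSH Server enabled. Port: 22
RSA key was generated.
DSA(DSS) key was generated.
SSH Public Key Authentication is disabled.
Active incoming sessions:
IP address SSH username Version Cipher Auth Code
----------------- -------------- ----------- ----------- --------------
"""

# Constructed variant (not real device output): non-default port, no DSA key,
# public-key authentication enabled, one active session row filled in.
SHOW_IP_SSH_CONSTRUCTED = """\
SSH Server enabled. Port: 2222
RSA key was generated.
DSA(DSS) key was not generated.
SSH Public Key Authentication is enabled.
Active incoming sessions:
IP address SSH username Version Cipher Auth Code
----------------- -------------- ----------- ----------- --------------
192.0.2.7 admin 2.0 aes128-cbc hmac-sha1
"""


def parse_show_ip_ssh(text: str) -> dict:
    """Turn the show output into a dict; session rows are split on whitespace."""
    state = {"enabled": None, "port": None, "rsa_key": False,
             "dsa_key": False, "pubkey_auth": None, "sessions": []}
    in_table = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"SSH Server (enabled|disabled)\. Port: (\d+)", line)
        if m:
            state["enabled"] = m.group(1) == "enabled"
            state["port"] = int(m.group(2))
        elif line.startswith("RSA key was"):
            state["rsa_key"] = "not" not in line
        elif line.startswith("DSA(DSS) key was"):
            state["dsa_key"] = "not" not in line
        elif line.startswith("SSH Public Key Authentication is"):
            state["pubkey_auth"] = re.search(r"is (enabled|disabled)", line).group(1) == "enabled"
        elif line.startswith("IP address"):
            in_table = True                      # column header; a dashed rule follows
        elif in_table and not line.startswith("-"):
            ip, user, version, cipher, auth = line.split()
            state["sessions"].append({"ip": ip, "user": user, "version": version,
                                      "cipher": cipher, "auth": auth})
    return state


def audit(state: dict) -> list:
    """Findings a reviewer would raise, based on what the slides state."""
    findings = []
    if not state["enabled"]:
        findings.append("SSH server disabled: management falls back to Telnet/SNMP")
    if not (state["rsa_key"] or state["dsa_key"]):
        findings.append("no host key generated: server stays in standby")
    if state["pubkey_auth"] is False:
        findings.append("public-key authentication disabled: only AAA passwords protect logins")
    if state["port"] not in (None, 22):
        findings.append(f"non-default SSH port {state['port']}: document it for the client side")
    for s in state["sessions"]:
        if not s["version"].startswith("2"):
            findings.append(f"session from {s['ip']} not using SSH-2")
    return findings


if __name__ == "__main__":
    for sample in (SHOW_IP_SSH_PAGE, SHOW_IP_SSH_CONSTRUCTED):
        print(audit(parse_show_ip_ssh(sample)))
```

Run against the slide's output the only finding is the disabled public-key authentication, which is exactly the state the following pages show how to change with `ip ssh pubkey-auth`.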

Page 24

CLI SSH – Show Public Keys

• Use the following EXEC Mode command to view this device's public key(s), created by the "crypto key generate" command:

show crypto key mypubkey [rsa|dsa]

console# show crypto key mypubkey rsa

rsa key data:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr/f0fColXgSESRC/4h5zn6t3

CohlzF3w0YCSewm1wYjenCWWyyknfQj9zyeOdgy9j1s5fK9YZncmAGbN+

……

…..

jxOAZHLIQhqka1nfsQ==

Fingerprint(hex): 39:d1:66:41:2b:41:3f:aa:cb:c7:e7:37:a4:89:aa:12

Fingerprint(bubbleBabble): xefam-cybem-bozyr-culiz-kesug-kucud-vivab-folun-tuhih-nakoh-zyxyx
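The hex and bubble-babble fingerprints shown above are what an SSH client's prompt should be compared against before the switch's host key is accepted. The code below is an added example, not code from the slides or from Allied Telesis: it parses an `ssh-rsa` key blob and recomputes both fingerprint forms, assuming the OpenSSH conventions (hex = MD5 over the raw key blob, bubble-babble = SHA-1 over the blob in Antti Huima's Bubble Babble encoding). That assumption matches the 16-byte hex and 11-group bubble-babble lengths printed above, but the slide itself does not name the hashes. The sample key is constructed and is not a real device key. The same functions apply to the client-key fingerprints shown by `show crypto key pubkey-chain ssh` on page 30.

```python
"""Recompute the fingerprints printed by `show crypto key mypubkey rsa` from the
Base64 key blob. Added example, not Allied Telesis code. Assumes OpenSSH
conventions: hex fingerprint = MD5(blob), bubble-babble = SHA-1(blob) encoded
with the Bubble Babble scheme. SAMPLE_KEY_B64 is constructed, not a real key."""
import base64
import hashlib
import re


def ssh_string(b: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def ssh_mpint(n: int) -> bytes:
    """Positive mpint: a leading 0x00 is added when the top bit would be set."""
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


# Constructed sample: ssh-rsa, e=65537 and a made-up 256-bit "modulus".
SAMPLE_KEY_B64 = base64.b64encode(
    ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(int("deadbeef" * 8, 16))
).decode()


def parse_blob(key_b64: str):
    """Split a Base64 key blob into its SSH strings; the first is the key type."""
    blob = base64.b64decode(key_b64)
    fields, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields[0].decode(), fields[1:]


def bubble_babble(data: bytes) -> str:
    """Bubble Babble encoding (Huima): vowel/consonant tuples with a running checksum."""
    vowels, consonants = "aeiouy", "bcdfghklmnprstvzx"
    out, c, n = ["x"], 1, len(data)
    for i in range(n // 2 + 1):
        if i < n // 2 or n % 2 == 1:             # a full tuple, or the odd trailing byte
            b1 = data[2 * i]
            out.append(vowels[(((b1 >> 6) & 3) + c) % 6])
            out.append(consonants[(b1 >> 2) & 15])
            out.append(vowels[((b1 & 3) + c // 6) % 6])
            if i < n // 2:                       # second byte of the pair plus a dash
                b2 = data[2 * i + 1]
                out.append(consonants[(b2 >> 4) & 15])
                out.append("-")
                out.append(consonants[b2 & 15])
                c = (c * 5 + b1 * 7 + b2) % 36
        else:                                    # even length: checksum-only final tuple
            out.append(vowels[c % 6])
            out.append("x")
            out.append(vowels[c // 6])
    out.append("x")
    return "".join(out)


def fingerprint_hex(key_b64: str) -> str:
    """Colon-separated MD5 of the raw blob, as in the slide's Fingerprint(hex) line."""
    digest = hashlib.md5(base64.b64decode(key_b64)).digest()
    return ":".join(f"{b:02x}" for b in digest)


def fingerprint_bubble(key_b64: str) -> str:
    """Bubble Babble of SHA-1(blob), as in the slide's Fingerprint(bubbleBabble) line."""
    return bubble_babble(hashlib.sha1(base64.b64decode(key_b64)).digest())


def fingerprint_matches(key_b64: str, shown: str) -> bool:
    """Compare the fingerprint a client displays (either format) with the key."""
    shown = shown.strip().lower()
    if re.fullmatch(r"([0-9a-f]{2}:){15}[0-9a-f]{2}", shown):
        return shown == fingerprint_hex(key_b64)
    return shown == fingerprint_bubble(key_b64)


if __name__ == "__main__":
    print(parse_blob(SAMPLE_KEY_B64)[0])
    print("Fingerprint(hex):", fingerprint_hex(SAMPLE_KEY_B64))
    print("Fingerprint(bubbleBabble):", fingerprint_bubble(SAMPLE_KEY_B64))
```

Paste the `ssh-rsa ...` line from the console into `fingerprint_hex` or `fingerprint_bubble` and compare the result with what the client prompts; a mismatch means the client is not talking to the key the switch generated.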

Page 25

CLI SSH – Key Authentication

• Use the following Global Mode command to enable client public-key authentication for incoming SSH sessions. The "no" form of the command disables it:

ip ssh pubkey-auth
no ip ssh pubkey-auth

• Use the following command to enter public key configuration mode (so you can manually specify other devices’ public keys):

crypto key pubkey-chain ssh

Page 26

CLI SSH – Key Authentication

• Use the following Public Key-chain Mode command to specify which SSH public key you will configure manually on the device. The "no" form removes the key:

user-key username {rsa | dsa}
no user-key username

• Follow this command with the key-string command to specify the key

Page 27

CLI SSH – Key Authentication

• Use one of the following Public Key-string Mode commands to specify the SSH public key of another device:

key-string row word
key-string <sequence>

• Row option – the command can be used repeatedly to enter the full key string (see example). Exiting the command mode indicates the end of the key.

• <sequence> – the user can enter the key segment by segment, until the <enter> key is pressed twice (see example).

Page 28

CLI SSH – Key Authentication

• Example – entering an RSA user-key key-string (row):

Note – the device will report if the process was not successful.

console(config)# crypto key pubkey-chain ssh

console(config-pubkey-chain)# user-key David rsa

console(config-pubkey-key)# key-string row AAAAB3NzaC1yc2EAAAAD<enter>

console(config-pubkey-key)# key-string row AQABAAAAgQCJB1P0qq0nk/<enter>

…..

console(config-pubkey-key)# exit

console(config-pubkey-chain)#

Page 29

CLI SSH – Key Authentication

• Example – entering an RSA user-key key-string (regular sequence):

Note – the device will report if the process was not successful.

console(config)# crypto key pubkey-chain ssh

console(config-pubkey-chain)# user-key george rsa

console(config-pubkey-key)# key-string

AAAAB3NzaC1yc2EAAAAD <enter>

AQABAAAAgQCJB1P0qq0nk/<enter>

….

<enter> <enter>

Fingerprint: 52:92:fc:94:da:1e:ba:2d:4c:00:87:b0:cb:86:12:36

console(config-pubkey-key)#

Page 30

CLI – Show Key Authentication

• Use the following EXEC Mode command to view the SSH public keys (of clients) stored on the device:

show crypto key pubkey-chain ssh [username username] [fingerprint bubble-babble | hex]

Parameters:
username – name of the remote SSH client
fingerprint – bubble-babble or hex; specifies the "signature shortcut" (fingerprint) format used to display the key

console# show crypto key pubkey-chain ssh

Username Fingerprint

-------------- ---------------------------------------------------------------

George 4e:de:4d:1c:33:43:57:14:6b:aa:29:0d:d0:41:3f:a7

Page 31

SSL Implementation

AT - 8000S

Page 32

SSL Spec

• SSL is used to provide communication privacy over the Internet.

• It is used to support security in the AT - 8000S Embedded Web Server (EWS).

• SSL provides encryption and integrity of communications along with strong authentication using digital certificates.

• Initially, the client and the device exchange messages to synchronize on the security policy and public keys/certificates, and authenticate each other. After that, they agree on a session key, which is used to encrypt/decrypt the data.

Page 33

SSL Spec

• RSA-generated public and private keys

• Supported SSL versions are: TLS1, V3

• The certificate is currently not registered with a 3rd-party certificate authority.

• The same libraries used for SSH encryption are used for SSL encryption

• Up to 12 SSL sessions are available (but only 4 web sessions)

• HTTP and HTTPS can be used concurrently

Page 34

SSL Process

• At the onset of the secure session, there is an "SSL handshake" between the user and the EWS. The handshake involves:
– Negotiation of the cipher suite
– Establishment of a shared session
– Authentication of the server (certificate – if a 3rd party exists)
– Authentication of the client (optional, via AAA)
– Authentication of data

Page 35

SSL User Controls

• The user can:
– Enable the HTTPS server on the device (default is disabled)
– Define the HTTPS port (default is 443)
– Generate the certificate to use
– Create the public and private key

Page 36

SSL CLI Configuration

AT - 8000S

Page 37

CLI – Enabling HTTPS Server

• Use the following Global Configuration command to enable the device to be configured from a secured browser. Use the "no" form of this command to disable this function (default is disabled):

ip https server
no ip https server

• Use the following Global Configuration command to define the TCP port used by a secure web browser to configure the device. Use the "no" form of this command to return to the default port (443):

ip https port port-number
no ip https port

Page 38

CLI – Creating SSL Certificate and Keys

• Use the following Global Configuration command to generate an HTTPS certificate for your device. This command can also (optionally) generate a pair of keys (public & private):

crypto certificate [number] generate [key-generate [length]] [passphrase string] [cn common-name] [ou organization-unit] [o organization] [l location] [st state] [c country] [duration days]

number — Specifies the certificate number. (Range: 1 - 2) If number is unspecified, it defaults to 1.

key-generate — Regenerate the SSL RSA key.

length — Specifies the SSL RSA key length. (Range: 512 - 2048) If length is unspecified, it defaults to 1024.

passphrase string — Passphrase that is used for exporting the certificate in PKCS12 file format. If unspecified, the certificate is not exportable.

Page 39

SSL Certificate and Keys (Cont.)

cn common-name — Specifies the fully qualified URL or IP address of the device. If unspecified, defaults to the lowest IP address of the device (when the certificate is generated).

ou organization-unit — Specifies the organization-unit or department name.

o organization — Specifies the organization name.

l location — Specifies the location or city name.

st state — Specifies the state or province name.

c country — Specifies the country name.

duration days — Specifies the number of days the certificate will be valid. If unspecified, defaults to 365 days.

Page 40

SSL Certificate and Keys (Cont.)

Console(config)# crypto certificate 1 generate key-generate

The command is not saved in the router configuration; however, the certificate and keys generated by this command are saved in the private configuration, which is never displayed to the user or backed up to another device.

Page 41

CLI - Certificate Request

• Use the following Privileged EXEC mode command to export a certificate request to a Certification Authority:

crypto certificate number request common-name [ou organization-unit] [o organization] [l location] [st state] [c country]

number — Specifies the certificate number. (Range: 1 - 2)

common-name — Specifies the fully qualified URL or IP address of the device.

ou organization-unit — Specifies the organization-unit or department name.

o organization — Specifies the organization name.

l location — Specifies the location or city name.

st state — Specifies the state or province name.

c country — Specifies the country name.

Page 42

Certificate Request (Cont.)

• The certificate request is generated in Base64-encoded X.509 format.

• Before issuing a certificate request you must first generate a self-signed certificate using the “crypto certificate generate” global configuration command.

• After receiving the certificate from the Certification Authority, use the “crypto certificate import” global configuration command to import the certificate into the device. This certificate would replace the self-signed certificate.

Page 43

Certificate Request (Cont.)

console# crypto certificate 2 request

-----BEGIN CERTIFICATE REQUEST-----
MIIBHjCByAIBADBiMQswCQYDVQQGEwJpbDEPMA0GA1UECBMGbWVya2F6MRAwDgYDVQQHEwd0ZWxhdml2MQ4wDAYDVQQDEwUxMjM0NTEPMA0GA1UEChMGcmFkbGFuMQ8
wDQYDVQQLEwZyYWRsYW4wXTANBgkqhkiG9w0BAQEFAANMADBJAkIAz3VGpFd5cGUsujfbeRZucwldBk7M4yVyeaFXXY0Z3LDGHecocuA4fAJOvLtmiFZr4lD3QjKLrwhP0cnj/dCMlJECAwEAAaAAMA0GCSqGSIb3DQEBBAUAA0IAROVXG1phUu4bZR+bJHavnQWhy3s/nqOKuPAYdqjarFX+lv/19N6/VmR3IiM2O0a03XEGevnvnhnZY/Q/MEHEWgI=
-----END CERTIFICATE REQUEST-----
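The request above is Base64-encoded DER (PKCS#10). Before sending it to a CA, an operator wants to confirm the subject (especially cn, which should be the name or IP address the browser will use to reach the switch) and the public key the request carries, since that is the key the imported certificate must match later (page 44). The decoder below is an added example, not code from the slides or from Allied Telesis; it uses only the standard library, takes the slide's own request as SAMPLE_CSR, and the `review` thresholds (a 2048-bit minimum) are the example's own choice, not a device requirement.

```python
"""Decode the Base64 X.509 certificate request printed by `crypto certificate
number request` and report subject, key algorithm/size and signature algorithm.
Added example, not Allied Telesis code. SAMPLE_CSR is the request shown on the
slide; the review thresholds below are this example's own assumptions."""
import base64
import re

SAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIIBHjCByAIBADBiMQswCQYDVQQGEwJpbDEPMA0GA1UECBMGbWVya2F6MRAwDgYDVQQHEwd0ZWxhdml2MQ4wDAYDVQQDEwUxMjM0NTEPMA0GA1UEChMGcmFkbGFuMQ8
wDQYDVQQLEwZyYWRsYW4wXTANBgkqhkiG9w0BAQEFAANMADBJAkIAz3VGpFd5cGUsujfbeRZucwldBk7M4yVyeaFXXY0Z3LDGHecocuA4fAJOvLtmiFZr4lD3QjKLrwhP0cnj/dCMlJECAwEAAaAAMA0GCSqGSIb3DQEBBAUAA0IAROVXG1phUu4bZR+bJHavnQWhy3s/nqOKuPAYdqjarFX+lv/19N6/VmR3IiM2O0a03XEGevnvnhnZY/Q/MEHEWgI=
-----END CERTIFICATE REQUEST-----"""

# X.500 attribute types used in the subject, and the PKCS#1 algorithm OIDs.
OID_NAMES = {"2.5.4.3": "cn", "2.5.4.6": "c", "2.5.4.7": "l",
             "2.5.4.8": "st", "2.5.4.10": "o", "2.5.4.11": "ou"}
OID_ALGS = {"1.2.840.113549.1.1.1": "rsaEncryption",
            "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END armor and whitespace, then Base64-decode."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes):
    """Iterate over the TLVs directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val


def decode_oid(raw: bytes) -> str:
    """Dotted form of a DER OBJECT IDENTIFIER (first byte packs two arcs)."""
    arcs, acc = list(divmod(raw[0], 40)), 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_csr(pem: str) -> dict:
    """CertificationRequest ::= SEQUENCE { info, signatureAlgorithm, signature }."""
    _, request, _ = tlv(pem_to_der(pem), 0)
    (_, info), (_, sig_alg), _ = list(children(request))
    # CertificationRequestInfo ::= SEQUENCE { version, subject, SPKI, [0] attributes }
    (_, version), (_, name), (_, spki), _ = list(children(info))
    subject = {}
    for _, rdn in children(name):                # Name is SEQUENCE OF SET OF (type, value)
        for _, atv in children(rdn):
            (_, oid), (_, value) = list(children(atv))
            subject[OID_NAMES.get(decode_oid(oid), decode_oid(oid))] = value.decode("latin-1")
    (_, alg_id), (_, key_bits) = list(children(spki))
    key_alg = decode_oid(next(children(alg_id))[1])
    # BIT STRING: first byte = unused bits, then RSAPublicKey ::= SEQUENCE { n, e }
    (_, n_raw), (_, e_raw) = list(children(next(children(key_bits[1:]))[1]))
    return {
        "version": int.from_bytes(version, "big"),
        "subject": subject,
        "key_alg": OID_ALGS.get(key_alg, key_alg),
        "modulus_bits": int.from_bytes(n_raw, "big").bit_length(),
        "exponent": int.from_bytes(e_raw, "big"),
        "sig_alg": OID_ALGS.get(decode_oid(next(children(sig_alg))[1]), "?"),
    }


def review(info: dict, expected_cn: str, min_bits: int = 2048) -> list:
    """Points to settle before the request goes to a CA (thresholds are the example's)."""
    notes = []
    if info["subject"].get("cn") != expected_cn:
        notes.append(f"cn is {info['subject'].get('cn')!r}; browsers will connect to {expected_cn!r}")
    if info["modulus_bits"] < min_bits:
        notes.append(f"RSA key is {info['modulus_bits']} bits; regenerate with key-generate {min_bits}")
    if info["sig_alg"].startswith("md5"):
        notes.append("request is self-signed with MD5; the CA's issued certificate sets the final algorithm")
    return notes


if __name__ == "__main__":
    details = parse_csr(SAMPLE_CSR)
    print(details)
    print(review(details, "12345"))
```

For the slide's request the decoder reports subject C=il, ST=merkaz, L=telaviv, CN=12345, O=radlan, OU=radlan with an RSA key of 520 bits, which is the kind of detail worth confirming against the `crypto certificate generate` parameters before the request leaves the device.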

Page 44

CLI - Importing a Certificate

• Use the following Global Configuration command to accept an external certificate (signed by Certification Authority) to the device:

crypto certificate number import

number—Specifies the certificate number. (Range: 1 - 2)

• The imported certificate must be based on a certificate request created by the “crypto certificate request” privileged EXEC command.

• If the public key found in the certificate does not match the device's SSL RSA key, the command will fail.

Page 45

Importing a Certificate (Cont.)

• This command is not saved in the router configuration; however, the certificate imported by this command is saved in the private configuration (which is never displayed to the user or backed up to another device).

Console(config)# crypto certificate 1 import

Page 46

Activate Certificate for HTTPS

• Use the following Global Configuration command to specify the HTTPS certificate to use on the device:

ip https certificate number

number—Specifies the certificate number. (Range: 1 - 2)

• To remove a certificate:

no ip https certificate

• Before using this command, use the crypto certificate generate command in order to generate an HTTPS certificate.

Console (config)# ip https certificate 1

Page 47

CLI – HTTPS Show Commands

• Use the following Privileged EXEC command to view HTTPS server configuration:

show ip https

• Use the following Privileged EXEC command to view the SSL certificate of your device:

show crypto certificate mycertificate [number]

Page 48

Thank You!!!