Legal notification requirements are complex, and vary in each jurisdiction and situation. Even within
jurisdictions, legal opinions vary, and this issue should be discussed with your own legal counsel. In
cooperation with counsel, you should consider which of the following information should be put into
your banner:
• A notice that the system is to be logged in to or used only by specifically authorized personnel, and perhaps information about who can authorize use.
• A notice that any unauthorized use of the system is unlawful, and might be subject to civil and/or criminal penalties.
• A notice that any use of the system might be logged or monitored without further notice, and that the resulting logs can be used as evidence in court.
• Specific notices required by specific local laws.
From a security, rather than a legal, point of view, your login banner usually should not contain any
specific information about your router, its name, its model, what software it is running, or who owns it
because this kind of information can be abused by an attacker.
For more information about the set banner telnet command, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_5/cmd_ref/ses_sete.htm#wp1112270
For more information about the banner login command, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/fun_r/cfr_1g01.htm#wp1029652
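The banner guidance above can be checked mechanically. The following is an added example, not part of the original Cisco document: it extracts the `banner login` text from an IOS-style configuration and reports which of the suggested notices are missing and which identifying details appear. The keyword patterns, the function names, and both sample configurations are assumptions constructed for illustration; a pattern match is not a substitute for review by counsel.

```python
import re

# Keyword heuristics for the notices listed above (patterns are assumptions).
REQUIRED = {
    "authorized-use": r"\bauthori[sz]ed\b",
    "unlawful-use": r"\b(unlawful|illegal|prohibited|penalt(y|ies))\b",
    "monitoring": r"\b(monitor\w*|logged|logging|recorded)\b",
}
# Device details the guidance says to keep out of a banner (patterns are assumptions).
LEAKS = {
    "software": r"\b(ios|catos|catalyst os|version\s*\d[\w.()]*)\b",
    "model": r"\b(catalyst\s*\d{4}|ws-c\d{4}\w*|cisco\s*\d{4})\b",
}

def extract_banner(config, kind="login"):
    """Return the text between the delimiters of 'banner <kind>', or None."""
    m = re.search(rf"^banner {re.escape(kind)} +(\^C|\S)", config, re.M)
    if not m:
        return None
    end = config.find(m.group(1), m.end())  # closing delimiter
    return None if end < 0 else config[m.end():end].strip()

def audit_config(config, owner=None):
    """Report suggested notices that are missing and identifying details that leak."""
    text = (extract_banner(config) or "").lower()
    host = re.search(r"^hostname (\S+)", config, re.M)
    missing = [n for n, p in REQUIRED.items() if not re.search(p, text)]
    leaks = [n for n, p in LEAKS.items() if re.search(p, text)]
    for label, value in (("hostname", host and host.group(1)), ("owner", owner)):
        if value and value.lower() in text:
            leaks.append(label)
    return {"missing": missing, "leaks": leaks}

# Constructed sample configurations (not from the original document).
WEAK_CONFIG = """hostname core-sw1
banner login ^C
Welcome to core-sw1 (Catalyst 6509, IOS Version 12.2(18)SXF) - Example Corp
^C
"""
GOOD_CONFIG = """hostname core-sw1
banner login #
Access to this system is restricted to specifically authorized personnel.
Unauthorized use is unlawful and may be subject to civil and/or criminal penalties.
Any use of this system may be logged or monitored without further notice,
and the resulting logs may be used as evidence in court.
#
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(name, audit_config(cfg, owner="Example Corp"))
```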
Web-Based GUI Access
Cisco IOS and Catalyst OS software provide a web browser user interface that allows the configuration
of Catalyst switches by using a web browser such as Internet Explorer or Netscape. This user interface
relies on a built-in HTTP server service that runs on Cisco IOS and Catalyst OS software, and which is
turned off by default in both operating systems.
Because of the nature of HTTP, this service does not provide encryption for client connections, which
leaves communication between clients and servers vulnerable to interception and attack. Whenever
available, Secure HTTP (HTTPS) should be used instead of plain HTTP. Secure HTTP (HTTPS) uses
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to provide device authentication and
data encryption, delivering an acceptable level of protection.
Note: Currently, HTTPS for Catalyst switches is available only for Cisco IOS, and is not supported in Catalyst
OS. The following section provides information on web-based GUI access for Catalyst switches running
Catalyst OS.
Web-Based GUI Access in Catalyst OS
Catalyst OS does not support HTTPS, but fortunately, there is a set of mechanisms that can be used to
secure HTTP access. Follow these steps to implement the recommended security guidelines:
Step 1 Enable user authentication using protocols such as RADIUS or TACACS+.
In Catalyst OS, HTTP authentication can be enabled using the set authentication login command. The
following example shows a configuration listing for HTTP authentication using TACACS+.