Manual
Table Of Contents
- Table of Contents
- List of Figures
- Preface
- Chapter 1
- Overview
- Section I
- Basic Operations
- Chapter 2
- Starting a Local or Telnet Management Session
- Chapter 3
- Enhanced Stacking
- Chapter 4
- Basic Switch Parameters
- When Does a Switch Need an IP Address?
- Configuring an IP Address and Switch Name
- Activating the BOOTP and DHCP Client Software
- Rebooting a Switch
- Configuring the Manager and Operator Passwords
- Setting the System Time
- Configuring the Console Startup Mode
- Configuring the Console Timer
- Enabling or Disabling the Telnet Server
- Setting the Baud Rate of the RS-232 Terminal Port
- Pinging a Remote System
- Returning the AT-S62 Software to the Factory Default Values
- Viewing System Hardware and Software Information
- Setting the Switch’s Temperature Threshold
- Chapter 5
- SNMPv1 and SNMPv2c Configuration
- Chapter 6
- Port Parameters
- Chapter 7
- MAC Address Table
- Chapter 8
- Port Trunking
- Chapter 9
- Port Mirroring
- Chapter 10
- Ethernet Statistics
- Section II
- Advanced Operations
- Chapter 11
- File System
- Chapter 12
- File Downloads and Uploads
- Chapter 13
- Event Log
- Chapter 14
- Quality of Service
- Chapter 15
- IGMP Snooping
- Chapter 16
- Denial of Service Defense
- Section III
- SNMPv3 Operations
- Chapter 17
- SNMPv3 Configuration
- SNMPv3 Overview
- Configuring the SNMPv3 Protocol
- Configuring the SNMPv3 User Table
- Configuring the SNMPv3 View Table
- Configuring the SNMPv3 Access Table
- Configuring the SNMPv3 SecurityToGroup Table
- Configuring the SNMPv3 Notify Table
- Configuring the SNMPv3 Target Address Table
- Configuring the SNMPv3 Target Parameters Table
- Configuring the SNMPv3 Community Table
- Displaying SNMPv3 Table Menus
- Displaying the Display SNMPv3 User Table Menu
- Displaying the Display SNMPv3 View Table Menu
- Displaying the Display SNMPv3 Access Table Menu
- Displaying the Display SNMPv3 SecurityToGroup Table Menu
- Displaying the Display SNMPv3 Notify Table Menu
- Displaying the Display SNMPv3 Target Address Table Menu
- Displaying the Display SNMPv3 Target Parameters Table Menu
- Displaying the Display SNMPv3 Community Table Menu
- Section IV
- Spanning Tree Protocols
- Chapter 18
- Spanning Tree and Rapid Spanning Tree Protocols
- Chapter 19
- Multiple Spanning Tree Protocol
- Section V
- Virtual LANs
- Chapter 20
- Tagged and Port-based Virtual LANs
- VLAN Overview
- Port-based VLAN Overview
- Tagged VLAN Overview
- Creating a Port-based or Tagged VLAN
- Example of Creating a Port-based VLAN
- Example of Creating a Tagged VLAN
- Modifying a VLAN
- Displaying VLANs
- Deleting a VLAN
- Deleting All VLANs
- Displaying PVIDs and Port Priorities
- Enabling or Disabling Ingress Filtering
- Specifying a Management VLAN
- Chapter 21
- GARP VLAN Registration Protocol
- Chapter 22
- Multiple VLAN Modes
- Section VI
- Port Security
- Section VII
- Management Security
- Chapter 25
- Web Server
- Chapter 26
- Encryption Keys
- Chapter 27
- Public Key Infrastructure Certificates
- Chapter 28
- Secure Shell (SSH) Protocol
- Chapter 29
- RADIUS and TACACS+ Authentication Protocols
- Chapter 30
- Management Access Control List
- Section VIII
- Web Browser Management
- Chapter 31
- Starting a Web Browser Management Session
- Chapter 32
- Enhanced Stacking
- Chapter 33
- Basic Switch Parameters
- Chapter 34
- SNMPv1 and SNMPv2c Community Strings
- Chapter 35
- Port Parameters
- Chapter 36
- MAC Address Table
- Chapter 37
- Port Trunking
- Chapter 38
- Port Mirroring
- Chapter 39
- File Downloads and Uploads
- Chapter 40
- Event Log
- Chapter 41
- Quality of Service
- Chapter 42
- IGMP Snooping
- Chapter 43
- Denial of Service Defense
- Chapter 44
- SNMPv3 Protocol
- Configuring the SNMPv3 Protocol
- Enabling the SNMP Protocol
- Configuring the SNMPv3 User Table
- Configuring the SNMPv3 View Table
- Configuring the SNMPv3 Access Table
- Configuring the SNMPv3 SecurityToGroup Table
- Configuring the SNMPv3 Notify Table
- Configuring the SNMPv3 Target Address Table
- Configuring the SNMPv3 Target Parameters Table
- Configuring the SNMPv3 Community Table
- Displaying SNMPv3 Tables
- Chapter 45
- STP, RSTP, and MSTP
- Chapter 46
- Virtual LANs
- Chapter 47
- GARP VLAN Registration Protocol
- Chapter 48
- MAC Address Security
- Chapter 49
- 802.1x Port-based Access Control
- Chapter 50
- Secure Shell Protocol
- Chapter 51
- Encryption Keys, PKI, and SSL
- Chapter 52
- RADIUS and TACACS+ Authentication Protocols
- Chapter 53
- Management Access Control List
- Appendix A
- AT-S62 Default Settings
- Basic Switch Default Settings
- Enhanced Stacking Default Setting
- SNMP Default Settings
- Port Configuration Default Settings
- Event Log Default Settings
- Quality of Service
- IGMP Snooping Default Settings
- Denial of Service Prevention Default Settings
- STP, RSTP, and MSTP Default Settings
- VLAN Default Settings
- GVRP Default Settings
- MAC Address Security Default Settings
- 802.1x Port-Based Network Access Control Default Settings
- Web Server Default Settings
- SSL Default Settings
- PKI Default Settings
- SSH Default Settings
- Server-Based Authentication Default Settings
- Management Access Control List Default Setting
- AT-S62 Default Settings
- Appendix B
- Index
AT-S62 User’s Guide
Section VII: Management Security 497
Asymmetrical (Public Key) Encryption
Asymmetrical encryption algorithms use two keys—one for encryption
and one for decryption. The encryption key is called the public key
because it cannot be used to decrypt a message and therefore does not
have to be kept secret. Only the decryption, or private key, needs to be
kept secret. The other name for this type of algorithm is public key
encryption. The public and private key pair cannot be randomly
assigned, but must be generated together. In a typical scenario, a
decryption station generates a key pair and then distributes the public
key to encrypting stations. This distribution does not need to be kept
secret, but it must be protected against the substitution of the public
key by a malicious third party. Another use for asymmetrical encryption
is as a digital signature. The signature station publishes its public key,
and then signs its messages by encrypting them with its private key. To
verify the source of a message, the receiver decrypts the messages with
the published public key. If the message that results is valid, then the
signing station is authenticated as the source of the message.
The most common asymmetrical encryption algorithm is RSA. This
algorithm uses mathematical operations which are relatively easy to
calculate in one direction, but which have no known reverse solution.
The security of RSA relies on the difficulty of factoring the modulus of
the RSA key. Because key lengths of 512 bits or greater are used in public
key encryption systems, decrypting RSA encrypted messages is almost
impossible using current technology. The AT-S62 software uses the RSA
algorithm.
Asymmetrical encryption algorithms require enormous computational
resources, making them very slow when compared to symmetrical
algorithms. For this reason they are normally only used on small blocks
of data (for example, exchanging symmetrical algorithm keys), and not
for entire data streams.
Data
Authentication
Data authentication for switches is driven by the need for organizations
to verify that sensitive data has not been altered.
Data authentication operates by calculating a message authentication
code (MAC), commonly referred to as a hash, of the original data and
appending it to the message. The MAC produced is a function of the
algorithm used and the key. Since it is easy to discover what type of
algorithm is being used, the security of an authentication system relies
on the secrecy of its key information. When the message is received by
the remote switch, another MAC is calculated and checked against the
MAC appended to the message. If the two MACs are identical, the
message is authentic.