Security

Overview
The Web/SNMP Management Card provides several different security options, depending on the access interface used. Each of these individual elements is described below, and a summary table is given for each interface. In general, the security aspects of the Management Card should provide a reasonable level of access and authentication control. As a network device that passes information across the network, though, it is subject to the same exposure as other devices on the network. Protecting intranet networks that are connected to external networks (the Internet) with devices such as firewalls is also an extremely important element in security.

Authentication versus Encryption
The Management Card does not currently use any type of encryption. This means that all the data and communication between the Management Card and any of the client interfaces, such as Telnet and the web server, is "readable" by capturing the network traffic going to and from the Management Card. For almost all applications this should not be a problem since sensitive data is not being transferred. The card does provide basic authentication via user names and passwords to control access as well as IP address verification. While these basic access modes are sufficient for most environments, the Management Card can also provide a greater level of security by enabling MD5 authentication for the web interface. For information on using MD5 see MD5 AUTHENTICATION.

User Names, Passwords and Community Names
The Administrator and Device Manager User user names and passwords are used to log in to the Control Console and web interfaces. All user names and passwords, and the community names for SNMP, are transferred over the network as plain text. This means that someone capable of monitoring the network traffic can determine the user names and passwords required to access the Management Card. Any similar device with a Telnet server, web server, or SNMPv1 agent will have the same constraints due to the limitations in the protocols themselves.

Port Assignments
It is possible to define the TCP ports that the Telnet, FTP and web servers utilize. These are initially set at the standard "well known port" for the particular protocol. To enable users to hide the interfaces, one can use arbitrary ports from 5000-65535. Once an interface uses a non-standard port, the port must be specified when using a client interface, such as a web browser. Hiding the servers provides a level of security in obscurity. In a sense, the non-standard ports are extra passwords.

MD5 Authentication
The web interface option for MD5 authentication enables a higher level of access security than provided by the basic HTTP authentication scheme. The MD5 scheme is very similar to the CHAP and PAP remote access protocols. When enabled, the web server will request a user name and a password phrase (distinct from the passwords). As opposed to the basic scheme, the user name and password phrase are not transmitted over the network. The small Java login applet combines the user name, password phrase and session-unique challenge number and calculates an MD5 hash number. This number is then returned to the server so that it can verify that the user has the correct login information. By passing back only the hash number, the login information is not revealed. In addition to the login authentication, each form post for configuration or control operations is also authenticated with a unique challenge and hash response. The scheme does not involve any encryption, so pages are transmitted in their plain-text form. In addition, after the authentication login, subsequent page access is restricted by IP address and a hidden session cookie. Since the MD5 authentication scheme is available only for the web interface, it is important to disable the less secure interfaces including Telnet, FTP and SNMP. For SNMP, it is possible to disable write access only so that read and trap facilities are still available. The MD5 authentication scheme provides a much higher level of security than the plain-text type access methods. Sophisticated attacks are, however, almost impossible to prevent. Well-configured firewalls are an essential element in an overall security scheme.
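The challenge and hash-response exchange described above, as an added example that is not the Management Card's own code. The way the three inputs are joined, the challenge length and the sample account are assumptions, since the page names the inputs but not their layout.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; not a default or real credential.
USERS = {"admin": "example pass phrase"}


def response_hash(user: str, phrase: str, challenge: str) -> str:
    # Assumed layout: the page lists the three inputs but not how they are joined.
    return hashlib.md5(f"{user}:{phrase}:{challenge}".encode()).hexdigest()


class Server:
    def __init__(self):
        self.pending = set()  # challenges issued and not yet consumed

    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(16)  # unpredictable, unique per login or form post
        self.pending.add(challenge)
        return challenge

    def verify(self, user: str, challenge: str, digest: str) -> bool:
        # A challenge is accepted once, so a captured response cannot be replayed.
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)
        phrase = USERS.get(user)
        if phrase is None:
            return False
        expected = response_hash(user, phrase, challenge)
        return hmac.compare_digest(expected, digest)  # constant-time comparison


def demo():
    server = Server()
    c = server.issue_challenge()
    # Client side: only this digest crosses the network, never the phrase.
    digest = response_hash("admin", USERS["admin"], c)
    first = server.verify("admin", c, digest)    # correct response, fresh challenge
    replay = server.verify("admin", c, digest)   # same response sent again
    stale = server.verify("admin", server.issue_challenge(), digest)  # old digest, new challenge
    return first, replay, stale


if __name__ == "__main__":
    print(demo())
```

Because the challenge and the digest both travel in the clear, the protection rests on the password phrase being long enough that it cannot be guessed.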

Each of the interfaces and access methods is described below.

Interface: Serial Control Console
Security Access: User name & password
Notes: Always enabled.

Interface: Telnet Control Console
Security Access: User name & password; Selectable server port; Server Enable/Disable
Notes: The user name and password are transmitted plain-text.

Interface: SNMP
Security Access: Community Name; NMS IP filters; Agent Enable/Disable; Four access communities with read/write/disable capability
Notes: IP filters only allow access from designated IP addresses.

Interface: FTP Server
Security Access: User name & password; Selectable server port; Server Enable/Disable
Notes: Administrator access only.

Interface: Web Server
Security Access: User name & password; Selectable server port; Server Enable/Disable; MD5 Authentication option
Notes: In basic HTTP authentication mode, the user name and password are transmitted base-64 encoded (no encryption). MD5 authentication mode uses the user name and password phrase.