Description:
This article describes the different possibilities to secure access to a GS-23xx series switch from the local network.
Requirements:
- LCOS SX as of version 3.32 (download latest version)
- Any web browser for accessing the webinterface of the device
Procedure:
Possibility 1: Limiting management access to specific IP addresses or IP address ranges
If access to the switch should only be allowed from specific IP addresses or specific IP address ranges, it is practical to limit access correspondingly. In doing so, the webinterface can only be invoked by a device with this IP address or from this IP address range.
For this purpose, adjust the following parameters in the menu Security → Access Management → Configuration and click Apply:
- Set the Mode to Enabled.
- Specify an IP address range for Start IP Address and End IP Address from which access to the switch should be allowed. It is also possible to only allow access from a single IP address by entering the same IP address in both fields.
- Choose, which management protocols should be allowed for the IP address or IP address range (HTTP/HTTPS, SNMP, Telnet/SSH).
A maximum number of 16 entries can be created.
Possibility 2: Deactivate the protocol HTTP and activate the HTTPS redirect
LANCOM Systems recommends to deactivate the insecure protocol HTTP. Additionally it is practical to activate the automatic redirect to HTTPS, so that devices, which invoke the webinterface via HTTP, are redirected to the encrypted variant with HTTPS.
For this purpose, adjust the following parameters in the menu Security → HTTPS → Configuration and click Apply:
- HTTPS Automatic Redirect: In the dropdown menu select the option Enabled. In doing so a redirect to HTTPS takes place, when the webinterface is invoked via HTTP.
- HTTP Mode: In the dropdown menu select the option Disabled to deactivate the protocol HTTP.
Possibility 3: Deactivate login for insecure management protocols
LANCOM Systems recommends to deactivate the login for the insecure protocols TFTP and HTTP. The login for the protocol Telnet is already deactivated in the factory defaults.
In the menu Security → Auth Method set the Authentication Method for the protcols TFTP and HTTP to none to deactivate the login. Click Apply afterwards.
Mit dieser Methode wird nicht das Protokoll selber deaktiviert, sondern lediglich der Login unterbunden. So wird z.B. mit der Einstellung HTTP auf none, das Webinterface noch angezeigt, der Login ist aber nicht möglich.
Möglichkeit 4: Konfigurations-Login-Sperre
Um das Erraten der Zugangsdaten durch mehrfache Login-Versuche zu erschweren, gibt es einen Brute-Force-Schutz.
Passen Sie bei Bedarf in dem Menü Security → Auth Method die Werte für den Configuration login lock an und klicken auf Apply.
In den Standardeinstellungen wird der Login nach 5 Fehllogins für 5 Minuten für das verwendete Protokoll gesperrt.
Abschließender Schritt: Speichern der Start-Konfiguration:
Damit Konfigurations-Änderungen bootpersistent gespeichert werden, muss die Konfigration als Start-Konfiguration gespeichert werden.
Wechseln Sie in das Menü Maintenance → Save/Restore → Save Start und klicken auf Save, um die Konfiguration als Start-Konfiguration zu speichern.
Die Start-Konfiguration bleibt auch nach einem Neustart des Gerätes oder einem Stromausfall erhalten.
