NE40E V800R010C10SPC500 Feature Description - Basic Configurations 01
Application Scenarios for SSH

Supporting STelnet

STelnet is based on SSH. The client and server set up a secure connection through negotiation. The client can then log in to the server through the secure Telnet service.

Figure 3-9 STelnet

As shown in Figure 3-9,

  • Devices support both the STelnet client and server functions.

    A device can act as an STelnet server, or as an STelnet client that accesses other STelnet servers.

  • Devices support the enabling or disabling of the STelnet server. By default, the STelnet server is disabled.

    When the STelnet server function is not required, you can disable it globally.

Supporting SFTP

SFTP is based on SSH 2.0 and supports the following authentication methods: password, RSA, password-RSA, DSA, password-DSA, ECC, password-ECC, and all of the above. Before logging in to the server through an SFTP client, you must provide the correct user name, password, and private key so that the server can authenticate you. After authentication, you can manage remote files as you would with FTP. The system encrypts the transferred data with a negotiated session key.

An attacker who lacks the correct private key or password cannot be authenticated. An attacker who has captured the traffic between clients and the server still cannot decrypt it to obtain the session key, because only the intended clients and the server can decrypt the transmitted data. This mechanism ensures the security of data transmission across the network.

The system provides the following functions:

  • Supports both the SFTP client and server functions.

    A device can act as an SFTP server, or as an SFTP client that accesses other SFTP servers.

  • Supports the enabling or disabling of the SFTP server. By default, the SFTP server is disabled.

    When the SFTP server function is not required, you can disable it. This function is configured globally.

  • Supports the setting of the default directory that the SFTP client is allowed to access.

    The server allocates a separate directory to each client, which isolates the files of different clients from one another.

  • Supports the transparent file system on both the client and the server. The transparent file system is a unified file system used to access files on remote boards.

  • Supports the NETCONF file transfer process and acknowledges whether a file transfer succeeded or failed.

Figure 3-10 shows an SFTP application.

Figure 3-10 SFTP

Supporting SCP

The Secure Copy Protocol (SCP), derived from Secure Shell version 2 (SSH2), securely transfers files between hosts based on the client/server model. SCP supports the following authentication methods: password authentication, digital signature algorithm (DSA), password-DSA, elliptic curve cryptography (ECC) algorithm, password-ECC, Rivest-Shamir-Adleman (RSA) algorithm, and password-RSA. A user on an SCP client must enter the correct user name, password, and private key for authentication before establishing a connection to an SCP server. After authentication, the client can manage remote file transfers over the network using SCP, with the data encrypted by a session key negotiated with the server.

With the SCP function, an attacker who does not have the correct private key or password fails to be authenticated. In addition, the attacker cannot decrypt data or obtain a session key even after intercepting the data exchanged between clients and the server, because only the specified clients and the server can decrypt the data exchanged between one another. SCP therefore helps devices transmit data securely across networks.

Devices support the following SCP functions:

  • Devices support both the SCP client and server functions.

    Each device can serve as either an SCP server or client.

  • The SCP server function can be enabled and disabled. By default, the SCP server function is disabled.

    Disable the SCP server function when you do not need it. This function is configured globally.

  • The transparent file system can be used on both the client and the server. A unified file system is used to obtain files on remote boards for all file operations.

  • Recursive multiple file transfer is supported.

    For example, a directory contains multiple files and sub-directories. SCP can be used to transfer all files in the directory in a batch without changing the hierarchical directory structure.

Figure 3-11 SCP networking diagram

Accessing a Private Network

HUAWEI NetEngine40E supports STelnet, SNETCONF, and SFTP client functions and can set up virtual private network (VPN)-based socket connections. The STelnet, SNETCONF, and SFTP clients access the SSH server on a private network.

Figure 3-12 shows access to a private network.

Figure 3-12 Accessing a private network

Supporting Access Through Other Ports

The standard SSH listening port is 22. If attackers continually connect to this port, bandwidth and server performance degrade, and other clients can no longer access the port. This is a kind of denial of service (DoS) attack.

After you configure a non-standard port on the SSH server, attackers do not know about the port change and continue to send socket connection requests to port 22. Because the SSH server is no longer listening on that port, it rejects the requests.

Figure 3-13 shows SSH server access through other ports.

Figure 3-13 Accessing the SSH server through other ports

Only authorized clients can set up socket connections with the SSH server through the non-standard port. The clients and server then negotiate an SSH version, algorithms, and session keys. User authentication, session requests, and interactive sessions are performed subsequently.

SSH can be applied on switching or edge devices across the network to implement secure user access to, and management of, those devices.

Supporting ACL

The SSH server can use access control lists (ACLs) to restrict which SSH users may establish incoming and outgoing connections. The ACL prevents unauthorized users from setting up TCP connections and entering the SSH negotiation phase, which improves SSH server access security.

Figure 3-14 Applying ACL on the SSH server
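The following Python model illustrates the two admission checks described in the preceding sections: a connection request is rejected when it targets a port the SSH server is not listening on, and otherwise it is rejected by the ACL before the SSH negotiation phase. This is an added example, not Huawei code; the listening port 2222, the ACL rules, the first-match/default-deny evaluation order, and the sample requests are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed model (not NE40E code) of the admission checks the text
# describes. First-match rule evaluation and the default-deny fallback
# are assumptions of this model, not statements about the device.

SSH_LISTEN_PORT = 2222  # assumed non-standard port configured by the administrator

# ACL as an ordered list of (action, source prefix); the first matching rule wins.
ACL_RULES = [
    ("permit", "10.1.0.0/24"),  # management network
    ("deny", "10.1.1.0/24"),    # user segment
]


def acl_permits(src_ip, rules=ACL_RULES):
    """Return True if the first matching rule permits src_ip; deny when no rule matches."""
    addr = ipaddress.ip_address(src_ip)
    for action, prefix in rules:
        if addr in ipaddress.ip_network(prefix):
            return action == "permit"
    return False


def admit(src_ip, dst_port, listen_port=SSH_LISTEN_PORT, rules=ACL_RULES):
    """Decide whether a TCP request may enter SSH negotiation.

    Returns "rejected-port", "rejected-acl" or "negotiate".
    """
    if dst_port != listen_port:  # the server is not listening on this port
        return "rejected-port"
    if not acl_permits(src_ip, rules):  # TCP connection refused before negotiation
        return "rejected-acl"
    return "negotiate"


def triage(requests, listen_port=SSH_LISTEN_PORT, rules=ACL_RULES):
    """Classify a batch of (src_ip, dst_port) requests and count outcomes per source."""
    per_source = {}
    for src_ip, dst_port in requests:
        outcome = admit(src_ip, dst_port, listen_port, rules)
        per_source.setdefault(src_ip, Counter())[outcome] += 1
    return per_source


# Constructed sample: a host repeatedly hitting port 22, a denied user-segment
# host, and one authorized management host (with one stray request to port 22).
SAMPLE_REQUESTS = [("203.0.113.9", 22)] * 5 + [("10.1.1.7", 2222)] \
    + [("10.1.0.5", 2222), ("10.1.0.5", 22)]

if __name__ == "__main__":
    for src, counts in triage(SAMPLE_REQUESTS).items():
        print(src, dict(counts))
```

Per-source counts of "rejected-port" outcomes are the signal a defender would watch for the port-22 hammering the text describes.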

Supporting SNETCONF

The NETCONF agent, an application running on top of the SSH server, uses a secure transport channel established by SSH. NETCONF is used to access configuration and state information and to modify configuration information, and therefore the ability to access this protocol must be limited to authorized clients. To run NETCONF over SSH, the client first establishes an SSH transport connection using the SSH transport protocol. The client and server exchange keys for message integrity and encryption. Once the client is successfully authenticated, the client invokes the "SSH-connection" service, also known as the SSH connection protocol. After the SSH connection service is established, the client opens a session channel, which results in an SSH session. Once the SSH session is established, the user (or application) invokes SNETCONF as an SSH subsystem, which is a feature of SSH version 2 (SSHv2). The SSH server ensures the reliability and packet sequencing for the data packets delivered for the SNETCONF subsystem.

Figure 3-15 Applying NETCONF on the SSH server

Updated: 2019-01-03

Document ID: EDOC1100055037
