NE20E-S2 V800R010C10SPC500 Feature Description - Basic Configurations 01

Understanding SSH

SSH

SSH Client

The SSH client function allows you to establish SSH connections with a router that can function as an SSH server or with a UNIX host. Figure 3-4 and Figure 3-5 show the setup of SSH channels for a local area network (LAN) and a wide area network (WAN), respectively.

Figure 3-4 Setting up an SSH channel on a LAN

Figure 3-5 Setting up an SSH channel on a WAN

SFTP

SFTP (SSH File Transfer Protocol) is a secure file transfer protocol built on SSH. It lets users log in to a remote device securely to manage and transfer files, and it protects the data while it is in transit. In addition, a device that functions as an SFTP client can log in to a remote SSH server.

STelnet

STelnet is a secure Telnet protocol based on SSH 2.0. Unlike Telnet, SSH authenticates the client and encrypts data in both directions, providing secure transmission over a conventionally insecure network.

SCP

Secure Copy (SCP) is based on SSH 2.0. It provides secure file transfer over a traditionally insecure network by authenticating the client and encrypting the transmitted data, using the STelnet service.

SCP uses Secure Shell (SSH) for data transfer and the same mechanisms for authentication, which ensures the authenticity and confidentiality of the data in transit. A client can send (upload) files to a server, and it can also request files or directories from a server (download). SCP runs over TCP port 22 by default.

Unlike SFTP, SCP allows files to be uploaded or downloaded without user authentication and public key assignment, and it also supports uploading or downloading files in batches.

Supporting Access Through Other Ports

The standard listening port of SSH is port 22. An attacker who continuously opens connections to this port consumes bandwidth and server resources until other clients can no longer access the port; this is a form of denial of service (DoS) attack.

After you change the SSH server's listening port to a non-standard port, an attacker who is unaware of the change can no longer exhaust bandwidth and system resources by continuously accessing the standard port. Legitimate users access the SSH service through the non-standard port, which mitigates this DoS attack.

Figure 3-6 shows SSH server access through other ports.

Figure 3-6 Accessing the SSH server through other ports

Only authorized clients can set up socket connections with the SSH server through the non-standard port. The clients and server then negotiate an SSH version, algorithms, and session keys. User authentication, session requests, and interactive sessions are performed subsequently.
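The flood scenario described above, worked as an added defender-side example (my code, not part of the Huawei document): a small Python detector scans constructed connection-log lines and flags any source that opens more than a threshold of connections to the SSH listening port within a sliding time window. The log line format, the `ssh_port` parameter and the window and threshold values are assumptions of the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real NE20E output: one line per TCP connection
# attempt seen by the server, "<ISO time> <source-ip> port <dst-port>".
SAMPLE_LOG = """\
2019-01-02T10:00:00 198.51.100.7 port 22
2019-01-02T10:00:00 192.0.2.10 port 22
2019-01-02T10:00:01 192.0.2.10 port 22
2019-01-02T10:00:01 192.0.2.10 port 22
2019-01-02T10:00:02 192.0.2.10 port 22
2019-01-02T10:00:02 192.0.2.10 port 22
2019-01-02T10:00:03 192.0.2.10 port 22
2019-01-02T10:00:20 198.51.100.7 port 22
2019-01-02T10:00:45 2001:db8::5 port 2222
2019-01-02T10:01:30 198.51.100.7 port 22
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source_ip, dst_port)."""
    ts, src, _, port = line.split()
    return datetime.fromisoformat(ts), src, int(port)


def find_floods(log_text, ssh_port=22, window_seconds=10, threshold=5):
    """Flag sources opening more than `threshold` connections to `ssh_port`
    inside any sliding window of `window_seconds`.
    Returns {source_ip: peak attempts in one window} for flagged sources."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-source timestamps still in the window
    peak = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, port = parse_line(line)
        if port != ssh_port:  # attempts on other ports never reach SSH
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # expire attempts outside the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > threshold}


if __name__ == "__main__":
    for src, n in find_floods(SAMPLE_LOG).items():
        print(f"{src}: {n} connection attempts within 10 s, possible DoS")
```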

SSH can be applied on switched or edge devices across the network to implement secure user access and management on the devices.

Secure Remote Access

SSH provides secure remote access on insecure networks by taking the following measures:

  • Supports Rivest-Shamir-Adleman (RSA)/digital signature algorithm (DSA)/elliptic curve cryptography (ECC) public key authentication modes. The public and private keys are generated based on the encryption principle of the asymmetric encryption system, ensuring secure key exchange and session process.

  • Supports certificate authentication modes. The client uses certificate signatures to authenticate the server, preventing man-in-the-middle attacks.

  • Supports data encryption algorithms, such as Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES).

  • Encrypts the data exchanged between the SSH client and the server, including the user name and password. This encryption prevents the password from being intercepted.

  • SM2 elliptic curve cryptography (ECC) algorithm

    SM2 is an ECC-based algorithm; both SM2 and RSA belong to the asymmetric cryptography system. The differences between the ECC and RSA algorithms are as follows:

    • The RSA algorithm is based on large-integer factorization, which forces the use of long keys. Long keys slow down computation and complicate key storage and management.
    • The ECC algorithm is based on the elliptic curve discrete logarithm problem, which is harder to solve, making the algorithm more secure.

    Compared with the RSA algorithm, the ECC algorithm provides the same security with a much shorter key, which also speeds up the cryptographic operations. The ECC algorithm has the following advantages:

    • Provides the same security with a shorter key length than the RSA algorithm.
    • Requires a shorter computing process and offers higher processing speed than the RSA algorithm.
    • Requires less storage space than the RSA algorithm.
    • Requires lower bandwidth than the RSA algorithm.
NOTE:

For high security, do not use the DES or 3DES algorithms for data encryption, or RSA keys shorter than 2048 bits for SSH user authentication. You are advised to use the more secure ECC authentication algorithm instead.

Supporting ACL

The SSH server can use access control lists (ACLs) to restrict which SSH users may establish incoming and outgoing connections. The ACL prevents unauthorized users from setting up TCP connections and entering the SSH negotiation phase, which improves SSH server access security.

Figure 3-7 Applying ACL on the SSH server

Support for IPv6 in the NE20E

SSH clients support access to IPv6 host addresses, and SSH servers can receive IPv6 connection requests.
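As an added example covering the ACL section above and the IPv6 support just described (my code, not the NE20E's ACL syntax or implementation), the following Python simulates the admission check an ACL performs in front of the SSH server for both IPv4 and IPv6 sources: rules are matched in order, the first match decides, and a source that matches no rule is denied before any TCP connection or SSH negotiation takes place. The rule list and its tuple format are constructed for illustration.

```python
import ipaddress

# Constructed ACL for illustration (the rule format is mine, not NE20E syntax).
# Rules are checked in order, the first match decides, and a source that
# matches no rule is denied (implicit deny at the end of the list).
SSH_ACL = [
    ("deny", "192.0.2.99/32"),       # one blocked host inside the subnet
    ("permit", "192.0.2.0/24"),      # IPv4 management subnet
    ("permit", "2001:db8:1::/48"),   # IPv6 management prefix
]


def acl_decision(source, rules=SSH_ACL):
    """Return (action, rule_index) of the first rule matching `source`,
    or ("deny", None) when nothing matches."""
    addr = ipaddress.ip_address(source)
    for index, (action, prefix) in enumerate(rules):
        net = ipaddress.ip_network(prefix)
        # an IPv4 rule never matches an IPv6 source and vice versa
        if addr.version == net.version and addr in net:
            return action, index
    return "deny", None


def admit_connections(sources, rules=SSH_ACL):
    """Simulate the ACL check in front of the SSH server: permitted sources
    go on to TCP setup and SSH negotiation, the rest are dropped before it.
    Returns (admitted, rejected) lists preserving input order."""
    admitted, rejected = [], []
    for src in sources:
        action, _ = acl_decision(src, rules)
        (admitted if action == "permit" else rejected).append(src)
    return admitted, rejected


if __name__ == "__main__":
    attempts = ["192.0.2.10", "192.0.2.99", "203.0.113.5",
                "2001:db8:1::7", "2001:db8:2::1"]
    ok, dropped = admit_connections(attempts)
    print("proceed to SSH negotiation:", ok)
    print("dropped before TCP setup:  ", dropped)
```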

Updated: 2019-01-02

Document ID: EDOC1100055465