Westermo RedFox Series User Manual

Page 406


Westermo OS Management Guide

Version 4.17.0-0

Note

WeOS uses the term "management interface" rather than "management VLAN". This is because management is not limited to VLAN network interfaces. For example, the operator may wish to manage a switch remotely through a modem connection (i.e., a PPP interface on a switch equipped with a serial port).
The equivalent of a management VLAN can be set up by filtering out management services on all interfaces except the network interfaces associated with that VLAN.

The default behaviour aims to avoid unintentional loss of management access
to the switch.

Sections 19.2.2 and 19.2.3 describe the default settings for network interfaces, settings at factory default as well as settings for newly created interfaces¹.

Warning

Access to management services on all interfaces is convenient, but may pose a security risk if connected to an untrusted network. By default the device is (typically) manageable via all network interfaces; it is therefore strongly recommended that the operator use the interface management filter to allow only a select set of services, or none, on untrusted networks. E.g., for an interface connected to the public Internet one should consider disallowing all management services, or perhaps only allow management via secure protocols such as SSH and HTTPS.
Also crucial to cyber security is the password policy and setting up adequately secure passwords when providing management access via an interface connected to an untrusted/public network.

A word of caution is in order: it is entirely possible to get locked out of a device when setting up the management service filter. For devices with a console port this may not be a problem; for others this is the time to be reminded about the "crossed-cables factory reset" (section 7.1.3.3).

However, WeOS does implement some safeguards to prevent you from locking yourself out. If all management is disabled on all interfaces, the system falls back to enabling secure shell (SSH) access on interface vlan1. Furthermore, if Web (for instance) is the only management service allowed on any interface,

¹ As mentioned in section 19.2.2, factory default on Falcon switches includes a separate VLAN for the xDSL port, and the associated interface (vlan1006) has management services disallowed for security purposes.
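As an added example (not from the Westermo guide), a small Python pre-flight check that models the two rules above before a filter is applied: the fallback to SSH on vlan1 when management is disabled on every interface, and the recommendation to expose only SSH/HTTPS, or nothing, on untrusted interfaces. It also flags a plan that would cut off the operator's own session. Service names other than SSH and HTTPS, and the sample interfaces, are constructed.

```python
"""Pre-flight audit of a per-interface management filter plan.

Added example, not Westermo code. It models the lockout fallback described
in the guide (all management disabled -> SSH re-enabled on vlan1) and checks
untrusted interfaces for exposed services. Service names other than "ssh"
and "https" are constructed for illustration.
"""

SECURE = {"ssh", "https"}            # protocols the guide calls secure
FALLBACK_IFACE, FALLBACK_SVC = "vlan1", "ssh"


def effective_filter(planned):
    """Apply the documented safeguard to the planned allow-lists.

    planned: {interface: set of allowed management services}
    Returns a copy; if nothing is allowed anywhere, SSH on vlan1 is added.
    """
    eff = {iface: set(svcs) for iface, svcs in planned.items()}
    if not any(eff.values()):
        eff.setdefault(FALLBACK_IFACE, set()).add(FALLBACK_SVC)
    return eff


def audit(planned, untrusted, session=None):
    """Return a list of findings (strings) for a planned filter.

    untrusted: interfaces facing untrusted/public networks
    session:   (interface, service) the operator is currently connected
               over; used to catch a plan that would cut off that session.
    """
    eff = effective_filter(planned)
    findings = []
    for iface in sorted(eff):
        insecure = eff[iface] - SECURE
        if iface in untrusted and insecure:
            findings.append(f"{iface}: insecure services on untrusted network: {sorted(insecure)}")
        elif iface in untrusted and eff[iface]:
            findings.append(f"{iface}: management exposed on untrusted network: {sorted(eff[iface])}")
    if session is not None:
        iface, svc = session
        if svc not in eff.get(iface, set()):
            findings.append(f"lockout: current {svc} session on {iface} would be cut off")
    return findings


if __name__ == "__main__":
    # Constructed sample: operator is on SSH via vlan2; vlan3 faces the Internet.
    plan = {"vlan1": {"ssh", "https"}, "vlan2": set(), "vlan3": {"http", "telnet"}}
    for finding in audit(plan, untrusted={"vlan3"}, session=("vlan2", "ssh")):
        print(finding)
```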


© 2015 Westermo Teleindustri AB
