CANOGA PERKINS 9145E NID Software Version 3.0 User Manual

Page 16: Three Levels of Security; Feature Access Level Configuration


Introduction

Secure Shell version 2 (SSH-2) - SSH-2 provides authentication and encryption for a remote
command-line session, replacing the cleartext Telnet connection. SSH can be configured to
provide unique User Accounts.

Secure File Transfer Protocol (SFTP) - SFTP encrypts files while they are being uploaded, for
example a software update or a 9145e.cap capabilities file, so they cannot be read or altered
in transit.

1.3 Three Levels of Security

Most Service Provider management networks provision different access levels for technicians,
network administrators, and managers. Giving each role only the access it needs to critical
applications lets network administrators keep a closer watch on the entire network.

The 9145E allows view-based access to be set up for user interface features and SNMP access.
A capabilities file (9145e.cap, described in section 1.4) lets these views be defined in an ASCII
file and downloaded to the NID. A three-level security system on the 9145E controls all user
interface and SNMPv3 access.

All 9145E features require that the user have a certain access level. The logged-in user’s or
SNMPv3 manager’s access level is used to validate and control access to the 9145E features.
When a menu item or an SNMP object is accessed, the user’s access level is checked against the
access level required for the feature. If the user’s access level is sufficient, access is
granted. If it is not, an error message is displayed in the status area of the user interface,
or an SNMP error is returned to the manager.

The three access levels are supervisor, operator, and observer.

In the default configuration, the supervisor access level is allowed complete access to all of the
9145E’s features, including configuring the 9145E’s security system.

The operator access level is allowed access to all 9145E features except those relating to the
9145E’s security system. The set of features available at this level can be changed by the
administrator (see section 1.4).

The observer access level is allowed access only to the 9145E features that do not modify the
9145E’s configuration. The set of features available at this level can also be changed by the
administrator (see section 1.4).

1.4 Feature Access Level Configuration

The assignment of access levels has a default configuration built into the 9145E. Creating and
downloading a text file called 9145e.cap to the 9145E can change this assignment, however.
This file contains mappings between module features and the access level required to access
the feature.

As an example, the entry that controls access to the Maximum Frame Size setting looks like

maxFrameSize=operator

This entry indicates that to change the Maximum Frame Size, a user’s account must have the
“operator” access level or greater (that is, operator or supervisor).

The default “9145e.cap” file containing the 9145E built-in security rules is provided with the
9145E release. To modify the security rules, modify the provided “9145e.cap” file and download
the modified file to the 9145E. The 9145e.cap file is downloaded to the 9145E via the normal
FTP/SFTP/TFTP transfer, in the same manner as downloading a firmware file to the 9145E. Because
this file defines who may change the NID’s configuration, prefer SFTP for the transfer: FTP and
TFTP carry the file in cleartext, where it can be read or altered in transit. The same file may
be downloaded to multiple 9145E’s to ensure consistent security rules across the network.

If the file 9145e.cap has not been downloaded to the 9145E, the built-in feature-to-access-level
mappings in the 9145E are used. If a feature is not present in the downloaded “9145e.cap”, the
built-in mapping for that feature is used, so a downloaded file only needs to list the features
whose level you want to change. If errors are found in this file, they are displayed in the
System log; check the System log after each download to confirm the file was accepted.
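As an added example that is not the manual’s or Canoga Perkins’ own code, the following Python models the access check described in section 1.3 together with the override-and-fallback behaviour of the 9145e.cap file described in this section. It assumes the file is one feature=level entry per line with “#” comments, that the levels rank observer < operator < supervisor, and it invents the built-in defaults other than maxFrameSize=operator, which is the entry the manual shows; the 9145E’s real file syntax and default table may differ.

```python
"""Added example (not from the Canoga Perkins manual): a model of the
9145E's three-level access check and of how a downloaded 9145e.cap file
overrides the built-in feature-to-level mappings.

Assumptions: one `feature=level` entry per line, `#` starts a comment,
and the built-in defaults below are hypothetical except for
maxFrameSize=operator, which the manual shows."""
import logging

# Ordered access levels: a higher index means more privilege.
LEVELS = ("observer", "operator", "supervisor")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Hypothetical built-in defaults standing in for the NID's own table.
BUILTIN_DEFAULTS = {
    "maxFrameSize": "operator",     # shown in the manual
    "showPortStatus": "observer",   # assumed
    "userAccounts": "supervisor",   # assumed
}

log = logging.getLogger("system")  # stands in for the 9145E System log


def parse_cap(text):
    """Parse 9145e.cap text into {feature: level}.

    Malformed lines and unknown level names are rejected and logged, as the
    manual says errors in the file are reported in the System log; such a
    feature keeps its built-in mapping.  Returns (mappings, errors).
    """
    mappings, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if "=" not in line:
            errors.append(f"line {lineno}: expected feature=level, got {raw!r}")
            continue
        feature, level = (s.strip() for s in line.split("=", 1))
        if not feature or level not in RANK:
            errors.append(f"line {lineno}: bad entry {raw!r}")
            continue
        mappings[feature] = level
    for err in errors:
        log.error("9145e.cap: %s", err)
    return mappings, errors


def effective_policy(cap_text=None):
    """Built-in table, overridden per feature by a valid downloaded file.
    With no file downloaded the built-in table is used unchanged."""
    policy = dict(BUILTIN_DEFAULTS)
    if cap_text is not None:
        overrides, _ = parse_cap(cap_text)
        policy.update(overrides)
    return policy


def access_allowed(policy, user_level, feature):
    """The check the manual describes: grant if the user's level is at
    least the level required for the feature.  A feature with no mapping
    at all is treated as supervisor-only (an assumed fail-closed choice;
    on the real device every feature has a built-in mapping)."""
    required = policy.get(feature, "supervisor")
    return RANK[user_level] >= RANK[required]


# Constructed sample 9145e.cap: tightens one feature, repeats a default,
# and contains two deliberate errors to show the fallback behaviour.
SAMPLE_CAP = """# constructed sample 9145e.cap
maxFrameSize=supervisor      # tighten: only supervisors change the MTU
showPortStatus=observer
userAccounts=admin           # invalid level name -> logged, default kept
bogus line without equals
"""

if __name__ == "__main__":
    policy = effective_policy(SAMPLE_CAP)
    for feature in policy:
        for level in LEVELS:
            print(f"{level:>10} -> {feature}: "
                  f"{'granted' if access_allowed(policy, level, feature) else 'denied'}")
```

Running the script prints, for each feature, which of the three levels is granted under the merged policy; the two bad lines in the constructed file are reported through the logger and leave userAccounts at its built-in (assumed) supervisor mapping, which is the per-feature fallback the manual describes.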
