
Chapter 4: Remote Management HTTP and SNMP

Management Passwords

Note: To log in with Internet Explorer 7+, or if difficulty occurs when logging in with credentials known to be valid, firmware prior to October 18th, 2007 must be upgraded to accommodate a new feature present in IE7 authentication messages. This is also the case with some versions of Opera. Contact the factory for an upgrade, or log in with Firefox, Mozilla, or a browser earlier than IE7 for immediate resolution.

The HTTP management statistics page is initially accessible without a password. The HTTP settings page is initially accessible within the first several minutes after powerup with username admin and no password.

If the unit has not had its default password changed, after several minutes the settings page will be locked 
for security reasons.  It is desirable to change the default password of the unit.  For security reasons, 
changing the default password of the unit must be done within the first several minutes of powerup.  If the 
HTTP management password is lost or forgotten, it may be reset by accessing the HTTP management 
settings within the first minute after powerup and with no BNC cables attached to the unit.

SNMP statistics may initially be accessed using the read-only community name public. Write-community names and variable access authorization may be set through the HTTP management interface.

Security

Please also refer to the password section above.

HTTP Interface Security

Access to the HTTP management interface statistics and settings pages can be selectively limited to users knowing the HTTP management password, which is transmitted securely on the network using MD5 encoding. New values of management settings and modifications of the administrator password are not encrypted and are visible to users monitoring network packets, as is statistical data requested by an MD5 authorized user or any information visible on an HTTP page.

When logging out from any secure webpage, the browser window should always be closed! Browsers typically continue to send administrator credentials continuously even after apparent logout.

SNMP Security

The converter implements SNMPv2c, which is inherently an insecure protocol; however, the converter 
enhances security by implementing view-based access management (VACM), which can restrict read or 
write access to specific management settings and statistics.  When shipped, the converter allows read access 
to “safe” SNMP statistics and prohibits read and write access to statistics and settings which could allow 
determination of network topology or interfere with normal link traffic.  The VACM configuration can be 
updated through the HTTP management interface to meet the user's needs, and most SNMP variables can 
also be set through the HTTP management interface in a more secure manner than SNMP allows.

–  SNMP VACM Security Warning  –

As shipped, the default “safe_ro_view” is secure but not private.

The view-based access model (VACM) for SNMPv2c provides good restriction of access to only specified statistics but no data privacy and minimal user authentication. When a specific variable is enabled for reading or writing, from a security perspective it should be considered either public for reading or public for writing.

Alternatively, most configuration parameters can be set through the HTTP password-protected interface which is secure.

Viewing snmpd.conf exposes it and community names to visibility by 3rd party network sniffers. All SNMPv2c data on the network is visible. All community names can be "guessed" and, when used, become visible to sniffers. Source IP addresses of requests can be forged. Enabling a write community should be considered insecure with respect to the specific view variables enabled.
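The warning above can be applied as a configuration check. The following is an added example, not code from the manual or the vendor: it assumes the unit's snmpd.conf uses net-snmp-style `com2sec`/`group`/`view`/`access` directives, and it lists which OID subtrees each community makes "public for reading" or "public for writing". The sample configuration is constructed for illustration, and excluded subtrees are ignored, so the report errs toward over-listing.

```python
# Added example: audit net-snmp-style VACM directives (syntax assumed for this unit).
WELL_KNOWN = {"public", "private"}

# Constructed sample; the OIDs and the write community are illustrative, not the
# unit's shipped snmpd.conf. Only the names safe_ro_view and "public" come from the manual.
SAMPLE_CONF = """\
com2sec ro_user  default       public
com2sec rw_user  192.0.2.0/24  example-write
group   ro_group v2c ro_user
group   rw_group v2c rw_user
view    safe_ro_view included .1.3.6.1.2.1.1
view    cfg_view     included .1.3.6.1.2.1.2
access  ro_group "" v2c noauth exact safe_ro_view none     none
access  rw_group "" v2c noauth exact safe_ro_view cfg_view none
"""

def audit_vacm(conf_text):
    """Return (finding, community, detail) tuples for each access rule."""
    com2sec, groups, views, access, findings = {}, {}, {}, [], []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()           # drop comments, tokenize
        if not tok:
            continue
        if tok[0] == "com2sec" and len(tok) >= 4:
            com2sec[tok[1]] = (tok[2], tok[3])       # secname -> (source, community)
        elif tok[0] == "group" and len(tok) >= 4:
            groups.setdefault(tok[1], []).append(tok[3])
        elif tok[0] == "view" and len(tok) >= 4 and tok[2] == "included":
            views.setdefault(tok[1], []).append(tok[3])
        elif tok[0] == "access" and len(tok) >= 9:
            access.append((tok[1], tok[6], tok[7]))  # group, read view, write view
    for group, read_view, write_view in access:
        for sec in groups.get(group, []):
            source, community = com2sec.get(sec, ("?", "?"))
            if community in WELL_KNOWN:
                findings.append(("KNOWN_COMMUNITY", community, source))
            if read_view != "none":
                findings.append(("PUBLIC_FOR_READING", community, tuple(views.get(read_view, []))))
            if write_view != "none":
                # A source restriction does not clear this: request sources can be forged.
                findings.append(("PUBLIC_FOR_WRITING", community, tuple(views.get(write_view, []))))
                if source == "default":
                    findings.append(("WRITE_FROM_ANY_SOURCE", community, source))
    return findings

if __name__ == "__main__":
    for finding in audit_vacm(SAMPLE_CONF):
        print(finding)
```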


Summary of Contents for High-Speed Ethernet to Single/Dual DS3/E3 Network Extender V5.4

Page 1: ...High Speed Ethernet to Single Dual DS3 E3 Network Extender V5 4 October 31st 2011 Operating Information...
