Safety instructions
1.4 Security recommendations
SCALANCE X-300
Operating Instructions, 05/2016, A5E01113043-20
● Handle user-defined private keys with great caution if you use user-defined SSH or SSL keys.
● Verify certificates and fingerprints on the server and client to avoid "man in the middle" attacks.
● We recommend that you use certificates with a key length of 2048 bits.
● Change keys and certificates immediately if there is a suspicion of compromise.
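The following is an added example, not part of the Siemens manual: a client-side check that compares an SSH host key against a fingerprint recorded out of band and rejects RSA keys shorter than 2048 bits. It assumes an ssh-rsa host key in OpenSSH known_hosts format, and applying the 2048-bit recommendation for certificates to SSH host keys is also an assumption. All function names are hypothetical, and the sample key and the address 192.0.2.10 are constructed.

```python
import base64
import hashlib
import hmac

MIN_RSA_BITS = 2048  # key length recommended on this page

def _read_field(blob, offset):
    """Read one length-prefixed field (RFC 4251 string or mpint)."""
    end = offset + 4 + int.from_bytes(blob[offset:offset + 4], "big")
    if offset + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def fingerprint(blob):
    """SHA-256 fingerprint as OpenSSH prints it (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def rsa_bits(blob):
    """Modulus size of an ssh-rsa public key blob (RFC 4253, 6.6)."""
    key_type, off = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    _e, off = _read_field(blob, off)
    n, _ = _read_field(blob, off)
    return int.from_bytes(n, "big").bit_length()

def check_host_key(known_hosts_line, pinned_fp):
    """Return a list of problems; an empty list means the key is accepted."""
    blob = base64.b64decode(known_hosts_line.split()[2], validate=True)
    problems = []
    if not hmac.compare_digest(fingerprint(blob), pinned_fp):
        problems.append("fingerprint mismatch")
    if rsa_bits(blob) < MIN_RSA_BITS:
        problems.append("RSA key shorter than %d bits" % MIN_RSA_BITS)
    return problems

def make_line(host, n, e=65537):
    """Build a CONSTRUCTED known_hosts line for the demo (not a usable key)."""
    def field(raw):
        return len(raw).to_bytes(4, "big") + raw
    def mpint(x):  # sized so the top bit is never set (mpint is signed)
        return field(x.to_bytes(x.bit_length() // 8 + 1, "big"))
    blob = field(b"ssh-rsa") + mpint(e) + mpint(n)
    return "%s ssh-rsa %s" % (host, base64.b64encode(blob).decode()), blob

if __name__ == "__main__":
    line, blob = make_line("192.0.2.10", (1 << 2047) | 1)
    print(check_host_key(line, fingerprint(blob)))
```

The pinned fingerprint must come from a trusted channel, for example read from the device over a local connection during commissioning, not from the same network session that is being verified.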
Secure/non-secure protocols
● Avoid or disable non-secure protocols, for example Telnet and TFTP. For historical reasons, these protocols are still available, but they are not intended for secure applications. Use non-secure protocols on the device with caution.
● Avoid or disable non-secure protocols. Check whether use of the following protocols is necessary:
  – PNIO
  – Broadcast pings
  – Non-authenticated and unencrypted interfaces
  – ICMP (redirect)
  – MRP, HRP
  – GMRP and IGMP
  – LLDP
  – Syslog
  – RADIUS
  – DHCP Options 66/67
  – TFTP
  – GMRP and GVRP
  – Multicast routing
● The following protocols provide secure alternatives:
  – SNMPv1/v2 → SNMPv3
    Check whether use of SNMPv1 is necessary. SNMPv1 is classified as non-secure. Use the option of preventing write access. The product provides you with suitable setting options.
    If SNMP is enabled, change the community names. If no unrestricted access is necessary, restrict access with SNMP.
    Use SNMPv3 in conjunction with passwords.
  – HTTP → HTTPS
  – TFTP → FTPS
  – Telnet → SSH
  – SNTP → NTP