Eric's Tech Notes: xylan-security

Steps to secure a Xylan OmniSwitch

An unofficial guide.

---

Xylan recommends performing the following steps to secure your Xylan switch. These steps should normally be performed AFTER configuring the switch and BEFORE backing up the configuration. This way, the configuration is saved with the default passwords in the backup copy in case the new passwords are ever forgotton.

• 1) Login to switch with the serial console port as "diag". Don't 'telnet' in.

  	Welcome to the Xylan OmniSwitch! Version 3.2.6
  	login   : diag
  	password: switch (or whatever your password is)
  

• 2) Change the "admin" password:

  	/ % pw admin
  	Changing password for account: admin
  	Old password: switch                       
  	New password: new password (password won't be displayed)
  	Retype new:   new password (password won't be displayed)
  	/ %           
  

• 3) Change the "user" password:

  	/ % pw user
  	Changing password for account: user
  	Old password: switch                       
  	New password: new password (password won't be displayed)
  	Retype new:   new password (password won't be displayed)
  	/ %           
  

• 3) Change the "diag" password:

  	/ % pw diag
  	Changing password for account: diag
  	Old password: switch                       
  	New password: new password (password won't be displayed)
  	Retype new:   new password (password won't be displayed)
  	/ %           
  

• 4) Change the SNMP "Community Strings" with "snmpc":

  	/ % snmpc
  	SNMP current configuration:
                             
  	 1) Set Community Name   - public
  	 2) Get Community Name   - public
  	 3) Trap Community Name  - public
  	 4) Broadcast Traps      - disabled
  	 5) 0  Unicast Traps     - disabled
                                     
  	(save/quit/cancel)
  	   : 1={new read-write password}
  	(save/quit/cancel)
  	   : 2={new read-only password}
  	(save/quit/cancel)
  	   : 3={new remote-control password}
  	(save/quit/cancel)
  	   : ?            
  	 1) Set Community Name   - Password string WILL BE displayed.
  	 2) Get Community Name   - Password string WILL BE displayed.
  	 3) Trap Community Name  - Password string WILL BE displayed.   
  	 4) Broadcast Traps      - disabled
  	 5) 0  Unicast Traps     - disabled
                                     
  	(save/quit/cancel)
  	   : save
  	/ %
  

• 5) Reboot the switch. This can been done hours, or days later if desired. Whenever you're ready to experience a one-to-five minute downtime and risk the switch possibly not coming back up is a good time.

  	/ % reboot
  	   Confirm? (n) : y
  	Locking filesystem...locked.
  	System going down immediately...
  	switch[48041de0]: System rebooted by admin
  	                                          
  	        System rebooted by user 'admin' on session 0
  
  

  The switch should just come back up and begin operating as before in a few minutes. Allow it to fully initialize before attempting login.

  NOTE: If you ever see a message saying "Chassis status changing, hit CTRL-C to abort", DO NOT hit CTRL-C. That option is for emergencies only. Using CTRL-C may appear to help but actually will just leave the switch in an uncertain state. Just be patient and a minute or two later it should be ready.

---

For Dual-MPM switches only:

After the switch finishes booting up, login to the Primary MPM (the one with the PRI L.E.D. light lit) and issue the "imagesync" and "configsync" commands to load the upgraded "code" onto the Seconday MPM. If the wrong MPM boots up as Primay, you can issue the "renounce" command to have the switch reboot with the Secondary MPM as Primary.

---

A note about Passwords:

(The following is a modified excerpt from the UNIX System V User's Manual.)

   Hints for user passwords

       The security of a password depends upon the size of the  key  space. 
The size of the key space depends upon the randomness of the password which
is selected.

       Compromises in password security normally result from careless
password selection or handling.  For this reason, you should select a
password which does not appear in a dictionary or which must be written
down.  The password should also not be a proper name, your license number,
birth date, or street address.  Any of these may be used as guesses to
violate system security.

       Your  password  must  easily  remembered  so  that you will not be
forced to write it on a piece of paper.  This can be accomplished by
appending two small words together and separating each with a special
character or digit.  For example, Pass%word.

       Other  methods  of  construction  involve selecting an easily
remembered phrase from literature and selecting the first or last letter
from each.  An example of this is

            Ask not for whom the bell tolls.

       which produces

            An4wtbt.

---

If you have any questions or encounter any problems associated with securing your Xylan equipment, please contact Xylan technical support.

Following these directions by no means assures that your Xylan product is entirely secure. Xylan offers no warranty or guarantee against unauthorized intrusions into your equipment. Other traditional security measures should be employed to assure that you are properly protected.

Find an error or omission? Sorry about that! Please e-mail Eric at eric@ericshalov.com and let him know!

All of Eric's Tech Notes are provided on an as-is basis, and may contain errors or omissions. No statement is made as to thier suitability for any particular purpose, and no warranty is given. Use at your own risk! All trademarks are the property of their respective owners.
No duplication of the above information is permitted without prior written permission of the author(s).
©Copyright 2007 Eric Shalov. All Rights Reserved.

Last modified Monday, 17th August, 2009 @ 10:55pm