Home » D-Link Manuals » Hubs & Switches » D-Link DES-3526 » Manual Viewer

D-Link DES-3526 Product Manual - Page 195

Secure Socket Layer (SSL), Download Certificate - firmware download

UPC - 790069265969

Add to My Manuals
Save this manual to your list of manuals

Page 195 highlights

xStack® DES-3500 Series Layer 2 Stackable Fast Ethernet Managed Switch User Manual Secure Socket Layer (SSL) Secure Sockets Layer or SSL is a security feature that will provide a secure communication path between a host and client through the use of authentication, digital signatures and encryption. These security functions are implemented through the use of a ciphersuite, which is a security string that determines the exact cryptographic parameters, specific encryption algorithms and key sizes to be used for an authentication session and consists of three levels: 1. Key Exchange: The first part of the cyphersuite string specifies the public key algorithm to be used. This switch utilizes the Rivest Shamir Adleman (RSA) public key algorithm and the Digital Signature Algorithm (DSA), specified here as the DHE DSS Diffie-Hellman (DHE) public key algorithm. This is the first authentication process between client and host as they "exchange keys" in looking for a match and therefore authentication to be accepted to negotiate encryptions on the following level. 2. Encryption: The second part of the ciphersuite that includes the encryption used for encrypting the messages sent between client and host. The Switch supports two types of cryptology algorithms: • Stream Ciphers - There are two types of stream ciphers on the Switch, RC4 with 40-bit keys and RC4 with 128bit keys. These keys are used to encrypt messages and need to be consistent between client and host for optimal use. • CBC Block Ciphers - CBC refers to Cipher Block Chaining, which means that a portion of the previously encrypted block of encrypted text is used in the encryption of the current block. The Switch supports the 3DES EDE encryption code defined by the Data Encryption Standard (DES) to create the encrypted text. 3. Hash Algorithm: This part of the ciphersuite allows the user to choose a message digest function which will determine a Message Authentication Code. This Message Authentication Code will be encrypted with a sent message to provide integrity and prevent against replay attacks. The Switch supports two hash algorithms, MD5 (Message Digest 5) and SHA (Secure Hash Algorithm). These three parameters are uniquely assembled in four choices on the Switch to create a three-layered encryption code for secure communication between the server and the host. The user may implement any one or combination of the ciphersuites available, yet different ciphersuites will affect the security level and the performance of the secured connection. The information included in the ciphersuites is not included with the Switch and requires downloading from a third source in a file form called a certificate. This function of the Switch cannot be executed without the presence and implementation of the certificate file and can be downloaded to the Switch by utilizing a TFTP server. The Switch supports SSLv3 and TLSv1. Other versions of SSL may not be compatible with this Switch and may cause problems upon authentication and transfer of messages from client to host. Download Certificate This window is used to download a certificate file for the SSL function on the Switch from a TFTP server. The certificate file is a data record used for authenticating devices on the network. It contains information on the owner, keys for authentication and digital signatures. Both the server and the client must have consistent certificate files for optimal use of the SSL function. The Switch only supports certificate files with .der file extensions. The Switch is shipped with a certificate pre-loaded though the user may need to download more, depending on user circumstances. To view the following window, click Configuration > Secure Socket Layer (SSL) > Download Certificate: Figure 7- 38. Download Certificate window To download certificates, set the following parameters and click Apply. Parameter Description Certificate Type Enter the type of certificate to be downloaded. This type refers to the server responsible for issuing certificates. This field has been limited to local for this firmware release. Server IP Enter the IP address of the TFTP server where the certificate files are located. Certificate File Name Enter the path and the filename of the certificate file to download. This file must have a .der extension. (Ex. c:/cert.der) Key File Name Enter the path and the filename of the key file to download. This file must have a .der extension (Ex. c:/pkey.der) 180

Section	Page
	1
Table of Contents	3
	9
Preface	10
	10
Intended Readers	11
Typographical Conventions	11
Bold font	11
	11
Notes, Notices, and Cautions	11
Safety Instructions	12
Safety Cautions	12
General Precautions for Rack-Mountable Products	13
Protecting Against Electrostatic Discharge	14
Switch Description	15
Features	15
Ports	15
Front-Panel Components	15
Side Panel Description	15
Rear Panel Description	15
Gigabit Combo Ports	15
Switch Description	15
Features	15
Ports	16
	16
Front-Panel Components	17
LED Indicators	18
Rear Panel Description	19
Side Panel Description	19
Gigabit Combo Ports	20
Package Contents	22
Before You Connect to the Network	22
Installing the Switch without the Rack	22
Rack Installation	22
Power On	22
Package Contents	22
Before You Connect to the Network	22
Installing the Switch without the Rack	23
Installing the Switch in a Rack	24
Mounting the Switch in a Standard 19\	25
Power On (AC Power)	26
Power Failure	26
Connecting DC Power to DES-3526DC	26
Switch to End Node	27
Switch to Hub or Switch	27
Connecting To Network Backbone or Server	27
Switch to End Node	27
Switch to Hub or Switch	28
Connecting To Network Backbone or Server	29
Management Options	30
Web-based Management Interface	30
SNMP-Based Management	30
Managing User Accounts	30
Command Line Console Interface through the Serial Port	30
Connecting the Console Port (RS-232 DCE)	30
First Time Connecting to the Switch	30
Password Protection	30
SNMP Settings	30
IP Address Assignment	30
Connecting Devices to the Switch	30
Management Options	30
Web-based Management Interface	30
SNMP-Based Management	30
Connecting the Console Port (RS-232 DCE)	30
First Time Connecting to the Switch	32
Password Protection	32
	33
SNMP Settings	34
	34
Traps	34
MIBs	34
IP Address Assignment	35
Connecting Devices to the Switch	36
Introduction	37
Login to Web manager	37
Web-Based User Interface	37
Basic Setup	37
Reboot	37
Basic Switch Setup	37
Network Management	37
Switch Utilities	37
Network Monitoring	37
IGMP Snooping Status	37
Introduction	37
Login to Web Manager	37
Web-based User Interface	38
Areas of the User Interface	38
Web Pages	39
Switch Information	40
IP Address	40
Advanced Settings	40
Port Configuration	40
Port Description	40
Port Mirroring	40
Link Aggregation	40
LACP Port Setting	40
MAC Notification	40
IGMP	40
Spanning Tree	40
Forward Filtering	40
VLANs	40
Traffic Control	40
Port Security	40
QoS	40
System Severity Settings	40
System Log Server	40
SNTP Settings	40
ACL	40
Time Range Settings	40
IP-MAC Binding	40
Limited IP Multicast Range Settings	40
Layer 3 IP Networking	40
LLDP	40
	40
Switch Information	41
IP Address	41
Advanced Settings	45
Port Configuration	47
Port Description	49
Port Mirroring	50
	50
Link Aggregation	51
Understanding Port Trunk Groups	51
LACP Port Setting	54
MAC Notification	55
MAC Notification Port Settings	56
IGMP	57
IGMP Snooping	57
Static Router Ports Entry	59
Forbidden Router Ports Entry	60
IGMP Multicast VLAN	61
Spanning Tree	64
802.1s MSTP	64
802.1w Rapid Spanning Tree	64
Port Transition States	64
Edge Port	65
P2P Port	65
802.1d/802.1w/802.1s Compatibility	65
STP Bridge Global Settings	66
MST Configuration Table	69
MSTI Settings	71
STP Instance Settings	72
	73
MSTP Port Information	74
Loopback Detection	77
Forwarding Filtering	78
Unicast Forwarding	78
Multicast Forwarding	79
Multicast Port Filtering Mode	80
VLANs	82
Understanding IEEE 802.1p Priority	82
VLAN Description	82
Notes about VLANs on the xStack® DES-3500 Series switches	82
IEEE 802.1Q VLANs	82
802.1Q VLAN Tags	84
Port VLAN ID	84
Tagging and Untagging	85
Ingress Filtering	85
Default VLANs	85
Port-based VLANs	86
VLAN Segmentation	86
Asymmetric VLANs	87
VLAN and Trunk Groups	88
Static VLAN Entry	88
GVRP Setting	91
Traffic Control	92
Port Security	96
QoS	97
Advantages of QoS	97
Understanding QoS	98
Port Bandwidth	99
Scheduling	100
802.1p Default Priority	101
802.1p User Priority	101
Traffic Segmentation	102
System Severity Alerts	103
System Log Server	103
SNTP Settings	105
Time Setting	105
Time Zone and DST	106
	108
ACL	108
Access Profile Table	108
ACL Flow Meter	126
CPU Interface Filtering	127
CPU Interface Filtering Profile Table	127
Time Range Settings	138
IP-MAC Binding	138
ACL Mode	138
IP-MAC Binding Port	141
IP-MAC Binding Table	142
IP-MAC Binding Blocked	143
DHCP Snooping Entries	143
IP-MAC Binding Permit IP Pool	144
Limited IP Multicast Range	145
Limited IP Multicast Range Profile Settings	145
Limited IP Multicast Range Status Setting	146
Limited IP Multicast Range Setting	147
Layer 3 IP Networking	148
Static ARP Table	148
Gratuitous ARP Settings	149
DHCP/BOOTP Relay	150
DHCP / BOOTP Relay Global Settings	150
The Implementation of DHCP Information Option 82 in the xStack® DES-3500 Series switches	152
DHCP/BOOTP Relay Interface Settings	153
	153
DHCP Option 60 Settings	154
DHCP Option 61 Settings	155
DHCP Local Relay Settings	156
LLDP	157
LLDP Global Settings	157
	158
Basic LLDP Port Settings	159
802.1 Extension LLDP Port Settings	160
802.3 Extension LLDP Port Settings	161
LLDP Management Address Settings	162
LLDP Statistics	163
LLDP Management Address Table	164
LLDP Local Port Table	164
LLDP Remote Port Information	167
Tustred Host	168
User Accounts	168
Port Access Entity	168
Access Authentication Control	168
Secure Sockets Layer (SSL)	168
Secure Shell (SSH)	168
SNMP Manager	168
Safeguard Engine Settings	168
Filter	168
ARP Spoofing Prevention	168
Trusted Host	168
User Accounts	169
Port Access Entity (802.1X)	171
802.1x Port-Based and MAC-Based Access Control	171
Authentication Server	172
Authenticator	172
Client	173
Authentication Process	173
Port-Based Network Access Control	174
MAC-Based Network Access Control	175
Configure Authenticator	176
PAE System Control	179
Port Capability	179
	180
Initializing Ports for Port Based 802.1x	180
Initializing Ports for MAC Based 802.1x	181
Reauthenticate Port(s) for Port Based 802.1x	181
Reauthenticate Port(s) for MAC Based 802.1x	182
RADIUS Server	182
Guest VLANs	183
Limitations Using the Guest VLAN	183
Guest VLAN Configuration	184
Access Authentication Control	184
Policy & Parameters	186
Application's Authentication Settings	186
Authentication Server Group	187
Authentication Server Hosts	188
Login Method Lists	190
Enable Method Lists	191
Local Enable Password	192
Enable Admin	192
Secure Socket Layer (SSL)	195
Download Certificate	195
Configuration	196
Secure Shell (SSH)	197
SSH Configuration	197
SSH Algorithm	198
SSH User Authentication	200
SNMP Manager	202
SNMP Settings	202
Traps	202
MIBs	202
SNMP User Table	203
SNMP View Table	205
SNMP Group Table	206
SNMP Community Table	207
SNMP Host Table	208
SNMP Engine ID	209
SNMP Trap	209
Safeguard Engine	211
Filter	213
DHCP Server Screening Setting	213
DHCP Client Filtering Setting	214
NetBIOS Filtering Setting	215
CPU Filtering Settings	217
ARP Spoofing Prevention	217
Port Utilization	219
CPU Utilization	219
Memory Usage	219
Packets	219
Errors	219
Size	219
MAC Address	219
Switch History Log	219
IGMP Snooping Group	219
IGMP Snooping Forwarding	219
VLAN Status	219
Router Port	219
Port Access Control	219
Layer 3 Feature	219
Safeguard Engine Status	219
Cable Diagnostic	219
Port Utilization	219
	220
CPU Utilization	220
	220
Memory Usage	220
Packets	222
Received (RX)	222
UMB Cast (RX)	223
Transmitted (TX)	226
	227
Errors	228
Received (RX)	228
	229
Transmitted (TX)	230
Size - Packet Size	231
	233
MAC Address	234
Switch History Log	235
	235
IGMP Snooping Group	236
IGMP Snooping Forwarding	237
	237
VLAN Status	238
Router Port	238
Port Access Control	238
Authenticator State	239
Layer 3 Features	241
Browse ARP Table	241
Safeguard Engine Status	242
Cable Diagnostic	243
TFTP Services	244
Multiple Image Services	244
Ping Test	244
Save Changes	244
Reset	244
Reset System	244
Reset Config	244
Reboot Device	244
Logout	244
TFTP Services	244
Download Firmware	244
Download Configuration File	245
Upload Configuration	245
Upload Log	246
	246
Multiple Image Services	246
Firmware Information	246
Config Firmware Image	247
Ping Test	248
Save Changes	248
Reset	249
Reset System	249
Reset Config	250
Reboot Device	250
Logout	250
Single IP Management (SIM) Overview	251
Topology	251
Firmware Upgrade	251
Configuration Backup/Restore	251
Upload Log File	251
Single IP Management (SIM) Overview	251
The Upgrade to v1.6	252
SIM Using the Web Interface	253
Topology	254
Tool Tips	256
Right-Click	257
Group Icon	257
Commander Switch Icon	258
Member Switch Icon	259
Candidate Switch Icon	260
Menu Bar	262
File	262
Group	262
Device	262
View	262
Firmware Upgrade	263
Configuration File Backup/Restore	263
Upload Log File	263
 How Address Resolution Protocol works	280
How ARP spoofing attacks a network	283
 Prevent ARP spoofing via packet content ACL	285
Configuration:	285
Copyright Statement: No part of this publication or documentation accompanying this product may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from D-Link Corporation/D-Link Systems, Inc., as stipulated by the United States Copyright Act of 1976 and any amendments thereto. Contents are subject to change without prior notice. Copyright 2008 by D-Link Corporation/D-Link Systems, Inc. All rights reserved.	295
FCC Statement: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communication. However, there is no guarantee that interference will not occur in a particular installation. Operation of this equipment in a residential environment is likely to cause harmful interference to radio or television reception. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:	295
	297
D-Link Limited Lifetime Warranty	298

Match case Limit results 1 per page

xStack

DES-3500 Series Layer 2 Stackable Fast Ethernet Managed Switch User Manual

180

Secure Socket Layer (SSL)

Secure Sockets Layer or SSL is a security feature that will provide a secure communication path between a host and client through

the use of authentication, digital signatures and encryption. These security functions are implemented through the use of a

ciphersuite

, which is a security string that determines the exact cryptographic parameters, specific encryption algorithms and key

sizes to be used for an authentication session and consists of three levels:

Key Exchange:

The first part of the cyphersuite string specifies the public key algorithm to be used. This switch utilizes

the Rivest Shamir Adleman (RSA) public key algorithm and the Digital Signature Algorithm (DSA), specified here as the

DHE DSS

Diffie-Hellman (DHE) public key algorithm. This is the first authentication process between client and host as

they “exchange keys” in looking for a match and therefore authentication to be accepted to negotiate encryptions on the

following level.

Encryption:

The second part of the ciphersuite that includes the encryption used for encrypting the messages sent

between client and host. The Switch supports two types of cryptology algorithms:

•

Stream Ciphers – There are two types of stream ciphers on the Switch,

RC4 with 40-bit keys

and

RC4 with 128-

bit keys

. These keys are used to encrypt messages and need to be consistent between client and host for optimal use.

•

CBC Block Ciphers – CBC refers to Cipher Block Chaining, which means that a portion of the previously

encrypted block of encrypted text is used in the encryption of the current block. The Switch supports the

3DES EDE

encryption code defined by the Data Encryption Standard (DES) to create the encrypted text.

Hash Algorithm

: This part of the ciphersuite allows the user to choose a message digest function which will determine a

Message Authentication Code. This Message Authentication Code will be encrypted with a sent message to provide

integrity and prevent against replay attacks. The Switch supports two hash algorithms,

MD5

(Message Digest 5) and

SHA

(Secure Hash Algorithm).

These three parameters are uniquely assembled in four choices on the Switch to create a three-layered encryption code for secure

communication between the server and the host. The user may implement any one or combination of the ciphersuites available,

yet different ciphersuites will affect the security level and the performance of the secured connection. The information included in

the ciphersuites is not included with the Switch and requires downloading from a third source in a file form called a

certificate

This function of the Switch cannot be executed without the presence and implementation of the certificate file and can be

downloaded to the Switch by utilizing a TFTP server. The Switch supports SSLv3 and TLSv1. Other versions of SSL may not be

compatible with this Switch and may cause problems upon authentication and transfer of messages from client to host.

Download Certificate

Figure 7- 38. Download Certificate window

To download certificates, set the following parameters and click

Apply

Parameter

Description

Certificate Type

Enter the type of certificate to be downloaded. This type refers to the server responsible for

issuing certificates. This field has been limited to

local

for this firmware release.

Server IP

Enter the IP address of the TFTP server where the certificate files are located.

Certificate File Name

Enter the path and the filename of the certificate file to download. This file must have a .der

extension. (Ex. c:/cert.der)

Key File Name

Enter the path and the filename of the key file to download. This file must have a .der

extension (Ex. c:/pkey.der)

This window is used to download a certificate file for

the SSL function on the Switch from a TFTP server.

The

certificate

file

data

record

used

for

authenticating devices on the network. It contains

information on the owner, keys for authentication and

digital signatures. Both the server and the client must

have consistent certificate files for optimal use of the

SSL function. The Switch only supports certificate files

with .der file extensions. The Switch is shipped with a

certificate pre-loaded though the user may need to

download more, depending on user circumstances.

To view the following window, click

Configuration >

Secure Socket Layer (SSL) > Download Certificate