Security
32
System Management Guide
3HE 11018 AAAC TQZZA Edition: 01
3.4.1.1 SSH File Transfer Protocol (SFTP)
When an SSH server is enabled on the 7705 SAR, users can connect to the node
through SFTP. SFTP runs on top of SSH and uses the same password and
authentication process, and once logged in, SFTP users will appear as regular SSH
users. Additionally, all other user management features apply to users logging in to
the 7705 SAR with an SFTP client.
Event logs are created to capture both successful and unsuccessful attempts to
access the node through SFTP.
3.4.2 CSM Filters and CSM Security
IP forwarding supports CSM filters that are applied to IP packets extracted to the
control plane. CSM filters are used to protect the control plane from DoS attacks,
unauthorized access to the node, and similar security breaches.
IP filters scan all traffic and take the appropriate (configured) action against matching
packets. Packets that are not filtered by the IP filters and are destined for the
7705 SAR are scanned by the configured CSM filter.
For information on IP filters, refer to the 7705 SAR Router Configuration Guide.
Both IPv4 and IPv6 CSM filters are supported.
IPv4 CSM filters drop or accept incoming packets based on the following match
criteria:
• DSCP name
• destination IP address
• destination port
• fragmentation
• ICMP code
•ICMP type
• IP option value
• multiple options
Note: Although the Control and Switching module on the 7705 SAR is called a CSM, the
CSM filters are referred to as CPM filters in the CLI in order to maintain consistency with
other SR routers.
To Next Page
Loading...
