MWCLOUD
Jan 11, 2018 Aspirant
XS716T100NES Can we disable HTTP
Is there a way via CLI or GUI to disable HTTP from listening? We would like to lock down the switch where only the ports we are using are open.
- Jan 11, 2018
Hi MWCLOUD
Thanks for asking. No, there is no way to disable Management CPU (Web GUI access via HTTP) on our XS716T 16-port 10G Smart Managed Pro switch. In fact, the per-port lock down is not very common. But Smart Managed switches don't offer management access control.
Instead, Fully Managed switches provide either Out of band management (OOB - you can deactivate inband CPU management access, and only access the switch CPU for GUI, telnet etc. via the 1G service port - this is useful if you have a separate management network); or Management ACLs for protecting inband access (for instance, restricting HTTP GUI access to certain IP addresses or subnets, restricting Telnet to certain other IP addresses, etc.).
If you require these features, you should look at our M4300 series. They offer both OOB management and Management ACLs:
Regards,
schumaku
Jan 12, 2018 Guru - Experienced User
Hi LaurentMa,
Please consider pushing in at least a control to set (and limit) the management VLAN to a defined VLAN on all Smart Managed Plus and Smart Managed Pro with the firmware revisions.
Example? The new XS724EM Smart Managed Plus
This does allow certain mitigation by limiting this access to a single 802.1Q VLAN.
Regards,
.Kurt
schumaku
Jan 12, 2018 Guru - Experienced User
Oh sorry, my previous post wasn't really finished LaurentMa. Of course, the Smart Managed Pro already support a management VLAN setting (it's in Management -> IP Configuration).
- LaurentMa Jan 12, 2018 NETGEAR Expert
Good point! Management VLAN is another best practice, but it requires VLANs for other users.
This is good input:
- Management VLAN can be used across Smart Managed, Pro and Fully Managed switches for protecting CPU Access (GUI etc.)
- Out-of-band or Management ACLs can be used in Fully Managed switches when Management VLAN isn't suitable
Regards,
- schumaku Jan 12, 2018 Guru - Experienced User
LaurentMa wrote:
- Management VLAN can be used across Smart Managed, Pro and Fully Managed switches for protecting CPU Access (GUI etc.)
The implementation of the Management VLAN seems to have just started on the Smart Managed Plus switches. Have just spotted it on the brand new XS728EM, the GS110EMX released some weeks before for example does not have this feature. Queried one of your senior engineers in Tw on this difference some hours ago, he said "For Managed Plus, it depends. Case-by-case.".
Thank you for taking care!
-Kurt
- MWCLOUD Jan 12, 2018 Aspirant
Thanks for the information. My issue is based upon regulatory requirements. We are required to document and justify every open port on a piece of equipment. This includes regular CVAs and baseline reviews for each piece of equipment. As you can imagine, HTTP is deeply frowned upon.
We are currently using these switches in a test environment so there isn't as big of an issue.