Cisco 350 Series Administration Manual page 553

Security: Secure Sensitive Data Management
SSD Rules
NOTE
Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4
SSD Rules and User Authentication
SSD grants SSD permission only to authenticated and authorized users, and according to the SSD rules. A device depends on its user authentication process to authenticate and authorize management access. To protect a device and its data, including sensitive data and SSD configurations, from unauthorized access, it is recommended that the user authentication process on the device be secured. To secure the user authentication process, you can use the local authentication database, as well as secure the communication through external authentication servers, such as a RADIUS server. The configuration of the secure communication to the external authentication servers is sensitive data and is protected under SSD.

The user credential in the local authenticated database is already protected by a non-SSD-related mechanism.

If a user from a channel issues an action that uses an alternate channel, the device applies the read permission and default read mode from the SSD rule that matches the user credential and the alternate channel. For example, if a user logs in via a secure channel and starts a TFTP upload session, the SSD read permission of the user on the insecure channel (TFTP) is applied.
Default SSD Rules
The device has the following factory default rules:
| Rule Key: User | Rule Key: Channel | Rule Action: Read Permission | Rule Action: Default Read Mode |
|----------------|-------------------|------------------------------|--------------------------------|
| Level 15       | Secure XML SNMP   | Plaintext Only               | Plaintext                      |
| Level 15       | Secure            | Both                         | Encrypted                      |
| Level 15       | Insecure          | Both                         | Encrypted                      |
| All            | Insecure XML SNMP | Exclude                      | Exclude                        |
| All            | Secure            | Encrypted Only               | Encrypted                      |
| All            | Insecure          | Encrypted Only               | Encrypted                      |

The default rules can be modified, but they cannot be deleted. If the SSD default rules have been changed, they can be restored.
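The alternate-channel behavior and the factory-default rules above, modeled as an added example (not code from the manual or the device). The key strings, the preference of a Level 15 rule over an All rule, and treating a missing rule as Exclude are assumptions of this sketch; the modified rule is constructed.

```python
# Added example: a model of the factory-default SSD rules listed on this page.
# Key: (user, channel) -> (read permission, default read mode). Key strings are
# labels chosen for this sketch, not device syntax.
DEFAULT_RULES = {
    ("level15", "secure-xml-snmp"): ("plaintext-only", "plaintext"),
    ("level15", "secure"): ("both", "encrypted"),
    ("level15", "insecure"): ("both", "encrypted"),
    ("all", "insecure-xml-snmp"): ("exclude", "exclude"),
    ("all", "secure"): ("encrypted-only", "encrypted"),
    ("all", "insecure"): ("encrypted-only", "encrypted"),
}


def effective_read(rules, is_level15, login_channel, action_channel=None):
    """Return (read permission, default read mode) for one action.

    If the action uses an alternate channel (for example a TFTP upload started
    from a secure session), that channel selects the rule, not the login channel.
    """
    channel = action_channel or login_channel
    # Assumption: a Level 15 rule is preferred over an All rule for a Level 15 user.
    if is_level15 and ("level15", channel) in rules:
        return rules[("level15", channel)]
    # Assumption: no matching rule is treated as Exclude.
    return rules.get(("all", channel), ("exclude", "exclude"))


def audit(rules):
    """List rules that drifted from the defaults or default to plaintext on an insecure channel."""
    findings = []
    for key, action in sorted(rules.items()):
        if DEFAULT_RULES.get(key) != action:
            findings.append((key, "differs from factory default"))
        if key[1].startswith("insecure") and action[1] == "plaintext":
            findings.append((key, "plaintext default read mode on insecure channel"))
    return findings


if __name__ == "__main__":
    # Constructed modification: Level 15 reads plaintext by default on secure channels.
    modified = dict(DEFAULT_RULES)
    modified[("level15", "secure")] = ("both", "plaintext")
    print(effective_read(modified, True, "secure"))              # interactive session
    print(effective_read(modified, True, "secure", "insecure"))  # TFTP upload from it
    print(audit(modified))
```
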