Managing Security Operations

The Master Grid provides certain security-related features. The following sections describe the different security-related features that you can set. For information about how to configure these features, see Configuring Security Features.

Enabling Support Access

Infoblox Technical Support might need access to the Master Grid to troubleshoot problems. This function enables an SSH (Secure Shell) daemon that only Infoblox Technical Support can access. If you have any questions, contact Infoblox Technical Support. By default, this option is disabled.

Enabling Remote Console Access

This function makes it possible for a superuser admin to access the Infoblox CLI from a remote location using an SSH (Secure Shell) v2 client. The management system must have an SSH v2 client to use this function. After opening a remote console connection using an SSH client, log in using a superuser name and password. By default, this option is disabled. Note that only superusers can log in to the appliance through a console connection.

Permanently Disabling Remote Console and Support Access

You can permanently disable remote console (Secure Shell v2) access for appliance administration and for Infoblox Technical Support to perform remote troubleshooting. Disabling this type of access might be required in a high-security environment.


WARNING: After permanently disabling remote console and support access, you cannot re-enable them! Not even resetting an appliance to its factory default settings can re-enable them.


Restricting GUI/API Access

You can specify the IP addresses from which administrators are allowed to access the Master Grid. When the appliance receives a connection request, it tries to match the source IP address in the request with IP addresses in the list. If there is at least one item in the HTTP Access Control list and the source IP address in the request does not match it, the appliance ignores the request.


Caution: If you specify an address or network other than the one from which you are currently accessing the appliance, when you save your configuration, you will lose your administrative session and be unable to reconnect.
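
The following pre-change check is an added example, not Infoblox code: it models the matching rule described above and reports which administrator source addresses would be ignored under a planned access list. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress


def parse_acl(entries):
    """Parse planned list entries (single addresses or networks)."""
    # strict=False tolerates host bits in a network entry, e.g. "198.51.100.7/24"
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_allowed(source_ip, acl):
    """Model of the rule in the text: an empty list places no restriction;
    otherwise the source address must match at least one entry."""
    if not acl:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net for net in acl)


def locked_out(entries, admin_sources):
    """Return the admin source addresses whose requests would be ignored."""
    acl = parse_acl(entries)
    return [src for src in admin_sources if not is_allowed(src, acl)]


if __name__ == "__main__":
    # Constructed sample data: one single-address entry and one subnet entry.
    planned = ["192.0.2.10", "198.51.100.0/24"]
    # Constructed sample data: addresses administrators connect from today,
    # including the workstation used to save the change.
    sources = ["192.0.2.10", "198.51.100.77", "203.0.113.5"]

    blocked = locked_out(planned, sources)
    if blocked:
        print("Do not save yet; these sources would lose access:", blocked)
    else:
        print("All listed admin sources match the planned list.")
```

Run it with the address of the session you are saving from included in the source list, since that is the session the Caution above refers to.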


Enabling HTTP Redirection

You can enable the Master Grid to redirect administrative connection requests using HTTP to the secure HTTPS protocol. When you disable redirection, the appliance ignores any administrative connection requests not using HTTPS. By default, the appliance does not redirect HTTP connection requests to HTTPS. When you change this setting, the application restarts and your management session terminates.

Modifying the Session Timeout Setting

You can set the length of idle time before an administrative session to Multi-Grid Manager times out. The default timeout value is 600 seconds (10 minutes).
If a user does not interact with the application for the specified time, the appliance displays a message that a timeout has occurred. Click OK to restart the Multi-Grid Manager session.


Note: If you change the session timeout value, the new setting takes effect only after you log out and log back in.


Disabling the LCD Input Buttons

By default, the LCD input function is enabled, which allows you to use the LCD buttons on the front panel of the appliance to change the IP address settings of the LAN port. You can disable this function if the appliance is in a location where you cannot restrict access exclusively to the appliance administrators and you do not want anyone to be able to make changes through the LCD.

Configuring Security Features

To configure security features for the Master Grid:

  1. Multi-Grid Master: From the Master Grid tab, click Master Grid Properties -> Edit from the Toolbar.
    or
    Member: From the Master Grid tab, select the Members tab -> master_grid_member checkbox, and then click the Edit icon.
    To override an inherited property, click Override next to it and complete the appropriate fields.
  2. In the Security tab, complete the following:
    • Session Timeout(s): This field is in the Master Grid Properties editor only. Enter a number between 60 and 31536000 seconds (one minute – one year) in the Session Timeout field. The default session timeout is 600 seconds (10 minutes).
    • Minimum Password Length: This field is in the Master Grid Properties editor only. Specify the minimum number of characters allowed for an admin password.
    • Redirect HTTP to HTTPS: This field is in the Master Grid Properties editor only. Select this option to have the appliance redirect HTTP connection requests to HTTPS.
    • Restrict GUI/API Access: This field is in the Master Grid Properties editor only. To restrict access to the GUI and API, select this option and click the Add icon. To allow administrative access to the GUI and API from a single IP address, enter the IP address in the Address field. Note that if you specify an address other than the one from which you are currently accessing the appliance, when you save your configuration, you will lose your administrative session and be unable to reconnect.
      To restrict administrative access to the GUI and API to a subnet, enter the network address in the Address field. Note that if you specify a subnet other than the one from which you are currently accessing the appliance, when you save your configuration, you will lose your administrative session and be unable to reconnect.
    • Enable Remote Console Access: Select this option to enable superuser admins to access the Infoblox CLI from a remote location using SSH (Secure Shell) v2 clients.
    • Enable Support Access: Select this checkbox to enable an SSH (Secure Shell) daemon that only Infoblox Technical Support can access.
    • Restrict Remote Console and Support Access to the MGMT Port: This field is in the Grid Member Properties editor only. Select this checkbox to restrict SSH (Secure Shell) v2 access to the MGMT port only. This restricts Infoblox Technical Support and remote console connections—both of which use SSH v2—to just the MGMT port. For an HA pair, you can make an SSH v2 connection to the MGMT port on both the active and passive nodes. Clear the checkbox to allow SSH v2 access to both the MGMT and LAN ports.
    • Permanently Disable Remote Console and Support Access: This field is in the Grid Properties editor only.
      Select this option to permanently disable remote console (Secure Shell v2) access for appliance administration and for Infoblox Technical Support.
    • Enable LCD Input: Select this checkbox to allow use of the LCD buttons on the front panel of the appliance to change the IP address settings of the LAN port. Clear this checkbox to disable this function.
  3. Save the configuration.