Managed switch with https support?

[Jefferson344]

Hello

I am looking for a switch fulfilling the following requirements
- 8 ports (a few more would be ok too, up to 12)
- managed
- https support for web interface

I have searched a bit and found these switches which are really nice and almost fit:
ZyXEL GS1200-8 [link]
Netgear GS108E [link]
TP-Link TL-SG108E

BUT the crucial issue is that all these switches apparently only have insecure http web interface.
So is there any switch similar to the ones listed above, but also having secure access (https support, or something else)?

Thanks for any tips
Best Regards

 

[CaptainSTX]

Hello

I am looking for a switch fulfilling the following requirements
- 8 ports (a few more would be ok too, up to 12)
- managed
- https support for web interface

I have searched a bit and found these switches which are really nice and almost fit:
ZyXEL GS1200-8 [link]
Netgear GS108E [link]
TP-Link TL-SG108PE

BUT the crucial issue is that all these switches apparently only have insecure http web interface.
So is there any switch similar to the ones listed above, but also having secure access (https support, or something else)?

Thanks for any tips
Best Regards

Any particular reason you want HTTPS access for a switch? Since switches are normally used behind a router any access to them is normally from the LAN by addressing the switch's IP on the LAN My SG108E will handle a password with up to 16 characters. I can't see that https access would offer much additional security. IMHO biggest security risk to a switch on your LAN is that normally a LAN user in your network is often in the same facility as your switch and they therefore might have physical access to the switch and could manually reset the switch and remove/change VLAN assignments or other security.

 

[tgl]

I have a Zyxel XGS1250-12 managed switch that can do https on its management GUI. Dunno anything about their other models, though.

 

[Tech9]

crucial issue is that all these switches apparently only have insecure http web interface

Because they assume operation in protected environment already. People who use such a small switch are usually in small office or personal home and need under 1min time to get physically to it. One press of a button and your smart switch with encryption is converted into a dumb switch with default password.

 

[JoeHz]

Hello

I am looking for a switch fulfilling the following requirements
- 8 ports (a few more would be ok too, up to 12)
- managed
- https support for web interface

I have searched a bit and found these switches which are really nice and almost fit:
ZyXEL GS1200-8 [link]
Netgear GS108E [link]
TP-Link TL-SG108E

BUT the crucial issue is that all these switches apparently only have insecure http web interface.
So is there any switch similar to the ones listed above, but also having secure access (https support, or something else)?

Thanks for any tips
Best Regards

Any Cisco managed Switch from the discontinued SG-200 series (level 2) and SG-300 (layer 3) or more recent does this. If this is all you care about you can probably find a suitable model on ebay.

 

[tgl]

Any Cisco managed Switch from the discontinued SG-200 series (level 2) and SG-300 (layer 3) or more recent does this. If this is all you care about you can probably find a suitable model on ebay.

Agreed --- my core switches are Cisco CBS-350 series, and they also have https GUIs. But those are a whole different league from the ones the OP mentioned, in terms of management complexity, and for a typical home network they're pretty massive overkill. I got mine on sale, and I still feel that I paid more than they are worth to me. If you just want VLAN control, save your shekels and get something with less ambition.

 

[tgl]

Because they assume operation in protected environment already.

[ and similarly from @CaptainSTX ] This is a fair argument up to a point. The thing I think makes it not airtight is that most of us have wifi on our LANs now. Somebody who can break into your wifi could read non-encrypted traffic, thus grab your switch password, and then wreak havoc without ever having physical access to the switch. There's a lot to argue about there in terms of the probability of different attack scenarios. Personally, I've exclusively used ssh or https connections between local machines for the last decade or so, even though I think my wifi-based LAN is reasonably secure. YMMV, and I'm not here to make security judgments for you, but it's worth thinking about.

 

[JoeHz]

Agreed --- my core switches are Cisco CBS-350 series, and they also have https GUIs. But those are a whole different league from the ones the OP mentioned, in terms of management complexity, and for a typical home network they're pretty massive overkill. I got mine on sale, and I still feel that I paid more than they are worth to me. If you just want VLAN control, save your shekels and get something with less ambition.

Yeah, I have a 24 port SG-200 at home. It's long since EOL and still massive overkill, but it was being retired from the place that had it and so the price was all of "Hey, you want this?". It's staying in my rack until 10g shows up or until I sell the house because you know someone will want it baaad.

 

[CaptainSTX]

[ and similarly from @CaptainSTX ] This is a fair argument up to a point. The thing I think makes it not airtight is that most of us have wifi on our LANs now. Somebody who can break into your wifi could read non-encrypted traffic, thus grab your switch password, and then wreak havoc without ever having physical access to the switch. There's a lot to argue about there in terms of the probability of different attack scenarios. Personally, I've exclusively used ssh or https connections between local machines for the last decade or so, even though I think my wifi-based LAN is reasonably secure. YMMV, and I'm not here to make security judgments for you, but it's worth thinking about.

Assuming someone hacks into your WiFi network, determines the IP address of the target switch, and you have used the maximum 16 character mix of letters, numbers, special characters and the hacker has access to a powerful computer the site I used estimates that it could take 12 days to crack your password on the switch plus whatever time it took to hack your WiFi SSID. IMHO most hackers are not going to devote that much effort breaking into a SOHO network.

 

[tgl]

Like I said, there's room to argue about how probable any such attack is. But what I had in mind was not brute-forcing the switch password, but just watching it go by next time you log in, which could happen if your connection to the switch is http not https. (Admittedly, if a hacker has gotten into your network enough to sniff LAN traffic, you probably have other problems.)

 

[Tech9]

I accept both arguments. For business network encryption makes more sense as well as physically securing the access to the equipment. For home network perhaps less. Environment dependent risk management. When I purchase insurance usually go for common theft, fire, rain flood, hail, sewer backup, etc. but skip tsunami (location based) and meteorite impact (probability).

 

[sfx2000]

So is there any switch similar to the ones listed above, but also having secure access (https support, or something else)?

One of the perhaps frustrating things with WebUI's is browsers preferring and/or requiring HTTPS these days...

Mostly to avoid complications with CSRF attacks...

 

[Tech9]

It's okay.

 

[sfx2000]

It's okay.

View attachment 66293

Ok being what?

 

[Tech9]

Nothing is much frustrating, the browser complains about http or missing certificate, but doesn’t block the connection.

 

[CaptainSTX]

Like I said, there's room to argue about how probable any such attack is. But what I had in mind was not brute-forcing the switch password, but just watching it go by next time you log in, which could happen if your connection to the switch is http not https. (Admittedly, if a hacker has gotten into your network enough to sniff LAN traffic, you probably have other problems.)

How often do you need to log into a switch's administrative pages to make changes or look at statistics? On my primary network switches, I probably don't log into them more than once a quarter. On some old Linksys 54G routers being used as switches to provide multiple Ethernet ports in media cabinets I probably don't even log into them more than once a year if that often. In either case anyone monitoring my LAN hoping to intercept a password is probably going to have to be both lucky and patient.

 

[Tech9]

In either case anyone monitoring my LAN hoping to intercept a password is probably going to have to be both lucky and patient.

The cat lady next door has unlimited amount of free time.