Hardening Guidelines for Cisco 3000 Series VPN Concentrators
1-800-COURSES www.globalknowledge.com
Expert Reference Series of White Papers

Introduction

Cisco’s 3000 series VPN Concentrators continue to be one of its most popular security product offerings. Due to their reliability, fault tolerance, and ease of setup, management, and monitoring, they scale well from small remote sites to large enterprise solutions. The default policies shipped with the units allow an administrator to quickly and easily place a unit into production within an hour of unpacking. But, like any sophisticated security appliance, one must carefully review the default policies and be prepared to make an informed decision about which features should remain active and which to disable.

The purpose of this paper is to highlight some of the most important areas where one can increase the overall security posture of the VPN Concentrator by hardening common features such as Administrative Access, User Access, Network Management Access, and Interface Policies. This paper assumes the reader has experience configuring the 3000 series concentrators and is familiar with navigating the menu structure in the web-based GUI and the CLI. For reference, this paper was written assuming a Cisco 3005 VPN Concentrator running version 4.7 of the VPN OS.

Securing Administrative Access

The first area of focus is securing console and remote administration access to the concentrator. If an intruder can “sniff” your username and password with a protocol analyzer, your network can be easily compromised by the eavesdropper. There are two areas in the configuration tree that concern the control of local and remote access to the concentrator: Administration | Access Rights and Configuration | System | Management.

Securing Access Rights

On your concentrator, navigate to Administration | Access Rights as shown in figure 1.

David W.
Chapman, Jr., Global Knowledge Instructor, CISSP-ISSAP, CCSI, CCNP, CCDP, CCSP
Copyright ©2005 Global Knowledge Network, Inc. All rights reserved.

Figure 1 – Configure Administrator Access

Click on the Administrators link and you will be presented with a list of default user accounts. The only account that should be enabled is “admin”. Click on the Modify button to the right of the admin user. Because attackers have easy access to lists of default usernames and passwords, it is important to change not only the default password, but the username as well. Half of the difficulty of remotely cracking a password is knowing a valid username. Use this screen to change the default username to a non-obvious value. The use of “admin”, “administrator”, “root”, or “cisco” as usernames is strongly discouraged, as attackers will surely use these. The concentrator allows usernames and passwords of up to 31 characters.

Note: Unfortunately, the concentrator does not directly support an account lockout threshold. A lockout threshold can only be enforced if TACACS+ is used to authenticate administrative users. To determine whether an attacker is targeting the administrator account, navigate to Monitoring | Filterable Event Log. Select the “Auth” Event Class and “Newest to Oldest” in the Direction drop-down menu, then click the Get Log button. A popup window will show any authentication failures.

The following URL will take you to a security site that lists default username/password combinations for popular network equipment, including the 3000 series concentrators: http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php

Once you have changed the default username and password, click the Apply button to return to Administration | Access Rights. Click the Access Settings link. On this page, you will modify the idle timeout, max sessions, and configuration file encryption settings.
The default idle timer terminates an administrator session after 10 minutes of inactivity. If your security policy dictates a smaller value, it can be modified from 1 to 1800 seconds. The default session limit of 10 simultaneous administrators is excessive. Typically, there should be no need for more than 2 or 3 simultaneous sessions to the administration interface. The Config File Encryption setting determines whether sensitive fields such as passwords and pre-shared key values are stored in clear text or encrypted. The difference between RC4 and DES is that with DES selected, the config file is not portable between concentrators. RC4 encryption allows a config file to be installed into another 3000 series concentrator of the same model. In the unlikely event of a hardware failure, it is useful to be able to quickly configure the replacement unit.

Securing Management Protocols

The Cisco 3000 Series VPN Concentrators offer a wide array of protocols to manage, monitor, and maintain your VPN perimeter. The defaults are in place to give you the most flexible solution right out of the box. However, many of the default management protocols transfer authentication data in clear text over the wire. This presents a serious risk to the confidentiality of usernames and passwords used to access the concentrator. Table 1 lists the available management protocols and their default settings.

Table 1 – 3000 Series Management Protocols

Management Protocol   Enabled By Default   Encrypted Transport   Transport Protocol   Service Port
TFTP                  No                   No                    UDP                  69
FTP                   Yes                  No                    TCP                  21
HTTP                  Yes                  No                    TCP                  80
Telnet                Yes                  No                    TCP                  23
SNMP                  Yes                  No                    UDP                  161
HTTPS                 Yes                  Yes                   TCP                  443
SSH                   Yes                  Yes                   TCP                  22

Once you have successfully made a connection via HTTPS, it is highly recommended that you disable all protocols that do not use encryption.
Cisco has grouped all of the non-encrypted protocols in the same section for easy access. You can reach this section by navigating to Configuration | System | Management Protocols in the GUI, as shown in figure 2.

Figure 2 – Management Protocols

For each protocol you decide to disable, click on its link, de-select the Enable checkbox, and then click the Apply button. Be sure to save your configuration by clicking the Save Needed floppy disk icon in the upper-right corner of the page.

Securing Network Management Access

Cisco offers two methods to centrally manage the 3000 Series Concentrators: SNMP and XML. Although SNMP is enabled by default, no community strings, such as the ubiquitous “public” and “private”, are configured. Because SNMP is inherently insecure, if you must run SNMP, the best practice is to send messages over the External interface to an out-of-band network. For more information on the design of an out-of-band management network, please refer to the Management Module of Cisco’s White Paper “SAFE: A Security Blueprint for Enterprise Networks” at http://www.cisco.com/go/safe.

Unless you are using an XML-based network management system, XML management should be disabled. There is a risk that an internal attacker could exploit the XML interface to gain information about the concentrator’s configuration.

To monitor the normal operation of your concentrator, it is essential that you configure logging services and define a syslog server. Begin by navigating to Configuration | System | Events | General. The default logging configuration uses the concentrator-specific logging format, allows events of severity levels 1 – 5 to enter the logging system, and sends events of severity levels 1 – 5 to the console. For ease of reading and consistency with other Cisco syslog messages, change the Syslog Format to Cisco IOS Compatible.
To reduce the logging load on the concentrator CPU, disable console logging and send messages to a syslog server instead, as shown in figure 3.

Figure 3 – Logging Event Configuration

Next, click on the Apply button to return to Configuration | System | Events | General. Select the Syslog Servers link, click on the Add button, and enter the IP address of your syslog server. Click on the Add button to complete the transaction and return to the previous menu. Because logging information is sent in clear text, it is best to send events to a syslog server on an out-of-band network via the External interface.

Securing User Access

We will now turn our attention to the policies that control user access through the concentrator. The first step is to examine the policies in the Base Group. The Base Group exists to set global defaults for all groups created later. Because all new groups automatically inherit the settings of the Base Group, you can save time by availing yourself of this feature. To access the Base Group, navigate to Configuration | User Management | Base Group. Many of the settings in this group will depend on your security policy, so only the most general will be examined here.

Although the 3000 Series VPN Concentrators support PPTP, L2TP, L2TP over IPSec, and WebVPN, most companies use only IPSec. If this is the case in your organization, then uncheck all of the Tunneling Protocols except IPSec. This will effectively disable any tunneling protocols not in use.

IKE (Phase I) Policies

Another area of concern is the large number of default IKE Policies. Navigate to Configuration | Tunneling and Security | IPSec | IKE Proposals as illustrated in figure 4.

Figure 4 – Default IKE Policies

Because IKE policies are evaluated in the order they appear in the list, it is probable that an IPSec client might negotiate an IKE policy you did not intend.
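The ordering problem just described, together with the DES and DH7 proposals discussed next, as an added example that is not code from this paper or from Cisco: a small Python model of the concentrator walking its active proposal list in order, plus an audit that flags the proposals the paper says to deactivate. The proposal names, the client's offer list and the group numbers are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IkeProposal:
    name: str        # label in the concentrator's active proposal list
    cipher: str      # "DES", "3DES", "AES-128", ...
    integrity: str   # "MD5" or "SHA"
    dh_group: int    # Diffie-Hellman group number

# Constructed active list resembling the defaults: DES sits ahead of stronger choices.
ACTIVE_PROPOSALS = [
    IkeProposal("IKE-DES-MD5", "DES", "MD5", 2),
    IkeProposal("IKE-3DES-MD5", "3DES", "MD5", 2),
    IkeProposal("IKE-3DES-MD5-DH7", "3DES", "MD5", 7),
    IkeProposal("IKE-3DES-SHA", "3DES", "SHA", 2),
    IkeProposal("IKE-AES128-SHA", "AES-128", "SHA", 2),
]

# Constructed client offer: a client willing to use anything from DES up to AES.
CLIENT_OFFERS = [("DES", "MD5", 2), ("3DES", "MD5", 2),
                 ("3DES", "SHA", 2), ("AES-128", "SHA", 2)]

def negotiate(active, client_offers):
    """Paper's ordering rule: the first proposal in the concentrator's list that the
    client also offers wins. Offers are (cipher, integrity, dh_group) tuples."""
    offered = set(client_offers)
    for p in active:
        if (p.cipher, p.integrity, p.dh_group) in offered:
            return p
    return None  # no common proposal: Phase I fails

def weak_proposals(active, pda_clients_present=False):
    """Flag what the paper says to deactivate: 56-bit DES, and DH group 7 unless
    Certicom PDA clients actually need it. Returns (name, reason) pairs."""
    flagged = []
    for p in active:
        reasons = []
        if p.cipher == "DES":
            reasons.append("56-bit DES is no longer strong enough for production")
        if p.dh_group == 7 and not pda_clients_present:
            reasons.append("DH group 7 is only needed for Certicom PDA clients")
        if reasons:
            flagged.append((p.name, "; ".join(reasons)))
    return flagged

def harden(active, pda_clients_present=False):
    """Drop every flagged proposal but keep the order: whatever is left first is
    still what a permissive client will be given, so re-order deliberately."""
    drop = {name for name, _ in weak_proposals(active, pda_clients_present)}
    return [p for p in active if p.name not in drop]
```

With the constructed list, the permissive client lands on IKE-DES-MD5 before hardening and on IKE-3DES-MD5 afterwards, which shows that removing weak proposals is only half the job; the remaining order still decides what gets negotiated.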
There are also policies that are not appropriate in most environments, such as IKE-DES-MD5 and IKE-3DES-MD5-DH7. 56-bit DES is no longer considered strong enough for production use and should be deactivated. The DH7 policy refers to Diffie-Hellman group 7, included to support Certicom IPSec clients running on PDAs such as the Palm and HP iPaq. It is recommended that all IKE policies that are not required to meet the dictates of your security policy be deactivated or deleted altogether.

IPSec (Phase II) SAs

The default IKE phase II policies are located in Configuration | Policy Management | Traffic Management | Security Associations as shown in figure 5.

Figure 5 – Default SAs

Just like the IKE policies, Cisco provides a number of default policies to allow administrators to get their systems up and running quickly. Once you have selected the appropriate policy or policies for your network, delete any unneeded SAs by highlighting the SA and clicking the Delete button.

Securing Interfaces

Many administrators are unaware that the default filters on the Public interface may allow unwanted traffic to enter their network. The filter for the Public interface is accessed through Configuration | Policy Management | Traffic Management | Filters. Highlight the filter Public (default) and click on the Assign Rules to Filter button to display the default protocol filters for the Public interface as shown in figure 6.

Figure 6 – Default Public Filters

Once again, Cisco has created defaults to ease initial configuration. But now that you are ready to place your concentrator into production, it is important to remove all filters not required by your security policy. In many cases, the only filters you will require are IPSec-ESP, IKE, and NAT-T. Be certain you understand the function of any filter before you remove it.
Conclusion

Hopefully, you now have an increased awareness of your responsibilities for the secure administration of Cisco 3000 Series Concentrators. Every security appliance and software application has defaults, and it is critical to understand how the defaults may impact the performance and security posture of your network. Although this paper is not a complete reference to all potential risks in your configuration, examining the areas presented will help you secure your perimeter networks.

Learn More

Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:
SNPA (Securing Networks with PIX and ASA)
SND (Securing Cisco Network Devices)
SNRS (Securing Networks with Cisco Routers and Switches)
CSVPN (Cisco Secure Virtual Private Networks)

For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.

About the Author

David W. Chapman, Jr. has more than 15 years of experience in the IT industry. He has been designing and building enterprise network infrastructures with Cisco equipment since 1994, and began specializing in Cisco security products in 1999. David teaches CSVPN, CSPFA, CSIDS, SECUR, and CCSP Boot Camp courses for Global Knowledge. He holds numerous professional certifications including CISSP-ISSAP, CCSI, CCNP, CCDP, CSSP, and INFOSEC Professional. He is also a Senior Member of the IEEE.
David is co-editor/author of the 2002 Cisco Press title, “Cisco Secure PIX Firewalls”, and has authored numerous white papers for Global Knowledge and InformIT. Email: dchapman@securenetconsulting.com

References

Cisco Systems. (2005). VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.7. Retrieved 3 July 2005, from http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_book09186a00803ec0ac.html

Convery, S., Trudel, B., et al. (2004). SAFE: A Security Blueprint for Enterprise Networks. Retrieved 2 July 2005, from http://www.cisco.com/go/safe

Unknown. (2005). Default Logins and Passwords for Networked Devices. GovernmentSecurity.org. Retrieved 4 July 2005, from http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php