Securing the Management Plane on Cisco IOS Devices and AAA
© 2012 Cisco and/or its affiliates. All rights reserved.

Contents
This chapter describes how to securely implement the management and reporting features of Cisco IOS devices. More precisely, it discusses the following:
• Technologies used in secure management and reporting, such as syslog, Network Time Protocol (NTP), Secure Shell (SSH), and Simple Network Management Protocol version 3 (SNMPv3)
• Proper password configuration, management, and password recovery procedures, and how to safeguard a copy of the operating system and configuration file
• The use of authentication, authorization, and accounting (AAA) both locally and against an external database
• The use and configuration of Cisco Secure Access Control Server (ACS) as an external AAA database
• Secure management and reporting, as well as AAA, from both the command-line interface (CLI) and Cisco Configuration Professional (CCP)

Configuring Secure Administration Access
Remote access typically involves allowing Telnet, Secure Shell (SSH), HTTP, HTTPS, or Simple Network Management Protocol (SNMP) connections to the Cisco IOS device from a computer on the same subnet or a different subnet. Of these, only SSH, HTTPS, and SNMPv3 protect credentials and commands in transit; Telnet, HTTP, and SNMPv1/v2c carry them in cleartext and should be disabled wherever the secure alternative is available.

Dedicated Management Network
(slide figure: management traffic isolated on its own network segment)

Configuring an SSH Daemon for Secure Management Access
• Step 1: Configure the IP domain name (RSA key generation requires both a hostname and a domain name)
• Step 2: Generate the RSA key pair; the private key never leaves the device, only the public key is presented to clients
• Step 3: Create a local database username entry
• Step 4: Enable VTY inbound SSH sessions (and drop Telnet with "transport input ssh")

R1# conf t
R1(config)# ip domain-name span.com
R1(config)# crypto key generate rsa general-keys modulus 1024
R1(config)# ip ssh authentication-retries
R1(config)# ip ssh time-out 120
R1(config)# username Bob secret cisco
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit

Note: the slide uses a 1024-bit modulus and the password "cisco" for brevity. A 2048-bit modulus is the current minimum, SSH version 2 should be forced with "ip ssh version 2" (SSH version 1 has known protocol weaknesses), and "ip ssh authentication-retries" takes the number of permitted retries (0 to 5) as its argument.
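A hardened version of the four-step SSH procedure above, as an added example that is not part of the original slides. It keeps the slide's hostname R1 and domain span.com; the management subnet 10.0.0.0/24, the names SSH-KEY, MGMT-HOSTS and netadmin are illustrative assumptions, and <strong-passphrase> is a placeholder. It goes beyond the slide by forcing SSH version 2, using a 2048-bit key, restricting which source addresses may reach the VTY lines at all, and throttling online password guessing.

```text
! Added example: SSH-only management access, hardened (not from the original slides).
! Assumes hostname R1 is already set and administrators connect from 10.0.0.0/24
! (a hypothetical management subnet); adjust MGMT-HOSTS to your own addresses.
R1# conf t
R1(config)# ip domain-name span.com
! Key generation needs both hostname and domain name; 2048 bits is the current floor.
R1(config)# crypto key generate rsa general-keys modulus 2048 label SSH-KEY
R1(config)# ip ssh rsa keypair-name SSH-KEY
! Refuse SSHv1 clients entirely.
R1(config)# ip ssh version 2
R1(config)# ip ssh authentication-retries 2
R1(config)# ip ssh time-out 60
! Log SSH session events to syslog for the SOC.
R1(config)# ip ssh logging events
! Local account stored as a one-way hash; "cisco" from the slide is not a usable password.
R1(config)# username netadmin privilege 15 secret <strong-passphrase>
! Quiet all logins for 120 s after 3 failures within 60 s, and log every attempt.
! (Failure counting applies to "login local" and AAA logins, not to a line password.)
R1(config)# login block-for 120 attempts 3 within 60
R1(config)# login on-failure log
R1(config)# login on-success log
! Only the management subnet may open a VTY session; everything else is dropped and logged.
R1(config)# ip access-list standard MGMT-HOSTS
R1(config-std-nacl)# permit 10.0.0.0 0.0.0.255
R1(config-std-nacl)# deny any log
R1(config-std-nacl)# exit
R1(config)# line vty 0 4
R1(config-line)# access-class MGMT-HOSTS in
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config-line)# exec-timeout 10 0
R1(config-line)# logging synchronous
R1(config-line)# exit
R1(config)# end
! Verify: "show ip ssh" should report "SSH Enabled - version 2.0" and the 2048-bit key;
! "show login" shows whether quiet mode is active and the current failure counters.
R1# show ip ssh
R1# show login
```

Test the result from a host outside MGMT-HOSTS as well as inside: the outside attempt must fail to connect (and appear as a logged ACL deny), and three bad passwords from inside must trigger the quiet period before the fourth attempt.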
Configuring Passwords on Cisco IOS Devices
• All routers need a locally configured password for privileged access and for each access line (console, auxiliary, and VTY)

R1(config)# enable secret cisco
R1(config)# line console 0
R1(config-line)# password cisco
R1(config-line)# login
R1(config)# line aux 0
R1(config-line)# password cisco
R1(config-line)# login
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login

Note: "enable secret" stores a one-way hash of the password. A line "password" is stored in cleartext unless "service password-encryption" is configured, and even then only as a reversible type 7 string, so a copied configuration file still yields the password. The value "cisco" is the slide's placeholder, not a usable password.

Cisco Router Passwords
• To steal passwords, attackers:
– Shoulder surf
– Guess passwords based on the user's personal information
– Sniff TFTP packets containing plaintext configuration files
– Use readily available brute force attack tools such as L0phtCrack or Cain & Abel
• Strong passwords are the primary defense against unauthorized access to a router!

Strong Passwords
• Passwords should NOT use dictionary words
– Dictionary words are vulnerable to dictionary attacks
• Passwords may include the following:
– Any alphanumeric character
– A mix of uppercase and lowercase characters
– Symbols and spaces
– A combination of letters, numbers, and symbols
• Note: leading spaces in a password are ignored, but all spaces after the first character are significant
• Change passwords frequently
– Implement a policy defining when and how often passwords must be changed
– Limits the window of opportunity for an attacker to crack a password
– Limits the window of exposure after a password has been cracked
• Local rules can make passwords even safer

Passphrases
• One well-known method of creating strong passwords is to use passphrases
– Basically a sentence or phrase that serves as a more secure password
– Use a sentence, quote from a book, or song lyric that you can easily remember as the basis of the strong password or passphrase
For example:
– "My favorite spy is James Bond 007." = MfsiJB007
– "It was the best of times, it was the worst of times." = Iwtbotiwtwot
– "Fly me to the moon And let me play among the stars." = FmttmAlmpats

AAA Authentication Method Lists
A named method list tries its methods in order and moves to the next one only when the previous method does not respond; a server that rejects the credentials is a final answer, not a fallback. The example below consults the RADIUS server group MYRADIUS first and the local user database only if no RADIUS server answers:

R1(config)# aaa authentication login AAAServer group MYRADIUS local

AAA Authorization Policies: Configuring Authorization Method Lists
(slide figure)

AAA Accounting Using Named Method Lists: Procedure
(slide figure)

AAA Accounting Command Parameters
(slide figure)

Example of AAA Configuration for TACACS+
aaa new-model
!
aaa authentication login TACACS_SERVER group tacacs+ local
aaa authorization exec default group tacacs+
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
tacacs-server host 10.0.1.11
tacacs-server key ciscosecure
!
line vty 0 4
 login authentication TACACS_SERVER

Note: the login list TACACS_SERVER is applied to the VTY lines by name, while the authorization and accounting lists above are "default" lists and therefore apply everywhere. "tacacs-server host" and "tacacs-server key" are the legacy syntax; current IOS releases define the server under "tacacs server <name>" with "address ipv4" and "key" and reference it through an "aaa group server tacacs+" group. Because accounting for commands is "stop-only", a command that is authorized but never completes leaves no record; use "start-stop" where that matters.

Deploying and Configuring Cisco Secure ACS
(slide figure)

Before: Group-Based Policies
(slide figure)

Complexity of a Mobile Workforce and Borderless Networks
(slide figure)

Now: More Than Just Identities. New in Cisco Secure ACS 5.2: Rule-Based Policies
(slide figure)

Context-Aware Authorization Profiles
(slide figure)

Rule-Based Policies
(slide figure)

Cisco ACS 5.2
(slide figure)

Creating Users in Identity Store
(slide figure)

Role-Based CLI Access
… to Cisco IOS EXEC and configuration mode commands
– Views restrict user access to Cisco IOS CLI and configuration information; that is, a view can define what commands are accepted and what configuration…

Role-Based CLI Configuration Example
• The CLI view FIRST is created and configured to include the commands show version, configure terminal, and all commands starting with show ip
R1(config)# aaa new-model
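The following added configuration (not from the original slides) combines the TACACS+ AAA example above with the role-based CLI view FIRST just described, and replaces the line passwords from the password section with hashed secrets. It keeps the slide's server address 10.0.1.11 and view name FIRST; the names ACS1, TACACS-GROUP, CONSOLE, netadmin and helpdesk are illustrative assumptions, and <...> values are placeholders. It is written in the current "tacacs server" syntax rather than the slide's legacy "tacacs-server host/key" form.

```text
! Added example: TACACS+ AAA with local fallback, hashed local secrets, and a restricted
! CLI view (not from the original slides). Names marked above as assumptions.
aaa new-model
!
! Server definition (modern syntax) and the group the method lists refer to.
tacacs server ACS1
 address ipv4 10.0.1.11
 key <shared-secret>
aaa group server tacacs+ TACACS-GROUP
 server name ACS1
!
! Login: ask the server group first; the local database is used only if no server answers.
! A server that rejects the credentials is final, so the local account is not a bypass.
aaa authentication login default group TACACS-GROUP local
aaa authentication login CONSOLE local
aaa authentication enable default group TACACS-GROUP enable
! Authorize the EXEC shell and every privilege-15 command, including configuration commands.
aaa authorization exec default group TACACS-GROUP local
aaa authorization commands 15 default group TACACS-GROUP local
aaa authorization config-commands
! Account for sessions (start and stop) and for each privilege-15 command as it completes.
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 15 default stop-only group TACACS-GROUP
!
! Secrets: reject short passwords, and hash with scrypt (type 9) on 15.3(3)M and later;
! on older images "enable secret"/"username ... secret" still gives a type 5 (MD5) hash.
! "service password-encryption" (type 7) is reversible and is NOT a substitute for these.
security passwords min-length 12
enable algorithm-type scrypt secret <strong-passphrase>
username netadmin privilege 15 algorithm-type scrypt secret <strong-passphrase>
! Helpdesk account lands directly in the restricted view.
username helpdesk view FIRST algorithm-type scrypt secret <strong-passphrase>
!
! Role-based CLI view from the slide: show version, configure terminal, and all "show ip ...".
! (The root view must have been created once with "enable view" in EXEC mode before
!  "parser view" is accepted.)
parser view FIRST
 secret <view-secret>
 commands exec include show version
 commands exec include all show ip
 commands exec include configure terminal
!
! Console stays on the local list so an unreachable TACACS+ server cannot lock you out.
line con 0
 login authentication CONSOLE
 exec-timeout 5 0
! VTY lines use the default lists; SSH only.
line vty 0 4
 transport input ssh
 exec-timeout 10 0
! Unused AUX port: no EXEC, no transport.
line aux 0
 no exec
 transport input none
!
! Verification (EXEC mode):
!   show tacacs                     - server reachability and request/response counters
!   show parser view all            - configured views (must be run from the root view)
!   show running-config | include secret   - confirm "secret 9" (or 5), never "password 7"
!   debug aaa authentication        - watch the method list fall through to "local"
```

To exercise the fallback, stop the TACACS+ daemon (or block TCP/49 to 10.0.1.11) and log in as netadmin over SSH; the debug output should show the server group timing out and the local method succeeding. Then log in as helpdesk and confirm that "show ip interface brief" works while "show running-config" is rejected by the view.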