Securing Administrative Access

Copyright © www.ine.com
Module Overview
Terminal Lines

Protecting CLI Modes

Password security

Device hardening

Administrative Access Overview
Device Access methods
Local (Console)
Remote (Telnet, SSH, HTTP, HTTPS)
In-Band
Out-of-Band (OOB)

A terminal line is a logical interface that handles a CLI session
Configure with line [console | vty | aux]
HTTP[S] sessions are not CLI sessions, so they are not handled by lines

Line Security
Line Access can be restricted to certain protocols
Inbound sessions via transport input
Outbound sessions via transport output
Access can be disabled using transport input/output none

Protecting CLI Modes
User EXEC
Line passwords (password)
Not secure (shared by all users)
No SSH
Identity-based protection (login local)
More secure & supports SSH
Requires at least one user account
username [password | secret]

Protecting CLI Modes
Privileged EXEC
Password-based
Local & Remote sessions

Configuration
Clear-text password (enable password)
Optionally add service password-encryption (weak, easily reversed)
Recommended: MD5- or SHA-256-based hashed password via enable secret

Protecting CLI Modes
Default Settings
User EXEC
Console
No password checking (no login)
VTY
A password is required (login), but none is set
Privileged EXEC
If no password was set, this mode can only be accessed via the console
HTTP[S]
Uses the enable password by default
Change with ip http authentication [enable | local | aaa]

Password Security
Password Security Guidelines
Use at least 8-10 characters (counters brute-force attacks)
Enforce with security passwords min-length
Avoid dictionary words (counters dictionary attacks)
Use characters from at least three different character groups
Lower/upper case letters
Special characters
Digits

Device Access Best Practices
Limit management sessions to known IPs (VTY Access Control)
Permit ACL entries define trusted addresses
On VTY apply with [ipv6] access-class
For HTTP[S] use ip http access-class

Prefer secure management protocols
Use HTTPS (ip http secure-server) instead of HTTP (ip http server)
Don’t use Telnet, choose SSH
SSH prerequisites:
Define a hostname (hostname) and domain (ip domain-name)
Generate RSA Key Pair (crypto key generate rsa)
Enable user authentication (use AAA or login local)

Device Hardening
Many Management/Control Plane services will never be used
E.g. BOOTP, UDP/TCP Small Servers, Finger, Proxy ARP & more
Disabling unnecessary services is also referred to as “hardening”
Preserves resources
Eliminates the risk of an exposed service being exploited
Unnecessary services can be disabled manually or with AutoSecure
AutoSecure evaluates the current configuration to decide what should be disabled
Interactive Mode vs One-Step Lockdown
Configure with auto secure
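Both ways of disabling the services named on this slide, manually and via AutoSecure, as an added example (not from the INE slides); the interface name is assumed:

```cisco
! Added example, not from the slides; the interface name is assumed.
! Manual hardening of the services named above (config mode):
no ip bootp server
no service tcp-small-servers
no service udp-small-servers
no ip finger
interface GigabitEthernet0/0
 no ip proxy-arp
! Or let AutoSecure decide (exec mode): 'no-interact' runs the one-step
! lockdown without prompts; leave the keyword out for interactive mode
auto secure no-interact
! Check what is left enabled after either method
show running-config | include small-servers|finger|bootp|proxy-arp
```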

Role-Based CLI Access

Module Overview
Role-Based CLI overview

Configuration

Role-Based CLI Access Overview
Role-Based CLI Access (RBCA) allows selective control of access to CLI commands
Uses the concept of Views
A View stores all included commands (or excludes unwanted ones)
Resembles Privilege Levels
Must be assigned to the user to take effect
Locally (username view)
Via the AAA shell attribute (cli-view-name)
Views can be further merged into a Superview
Aggregates the commands of all assigned views

RBCA Configuration
Prerequisites
AAA (aaa new-model)
Root View Mode (enable view)

View Configuration
parser view name [superview]
secret
commands [exclude | include | include-exclusive | all]

Verification
enable view name
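The RBCA procedure above carried through end to end (two views, a superview and the local user binding), as an added example that is not from the INE slides; the view names, the user "helpdesk" and every secret are assumed:

```cisco
! Added example, not from the slides. View names, the user "helpdesk"
! and all secrets are constructed.
aaa new-model
enable secret Str0ng-Pr1v!Pass
! Views are defined from the root view: 'enable view' (exec mode) asks
! for the enable secret, then enter configuration mode
enable view
configure terminal
parser view SHOW-ONLY
 secret Sh0w-V1ew!
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show logging
parser view IF-ADMIN
 secret If-V1ew!
 commands exec include configure terminal
 commands configure include all interface
 commands configure include interface
 commands interface include all description
 commands interface include shutdown
! Superview: aggregates the command sets of both member views
parser view HELPDESK superview
 secret Sup3r-V1ew!
 view SHOW-ONLY
 view IF-ADMIN
! Assign locally; from RADIUS/TACACS+ the shell attribute
! cli-view-name=HELPDESK does the same
username helpdesk view HELPDESK secret H3lpd3sk!Pass
end
! Verify: enter the view and list the commands it permits
enable view HELPDESK
show parser view
```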

Logging

Module Overview
Logging Overview

Configuration syntax

Logging Overview
Logging records and stores system messages
The severity setting determines which log messages are generated
The "debugging" level produces all log messages (plus debug output on IOS)
Generated logs can be sent to different destinations
Console (logging console)
Internal buffer (logging buffered)
VTY line (logging monitor + terminal monitor)
SNMP server (logging history + snmp-server enable traps syslog)
Syslog server (logging trap + logging host)
Verify with show logging
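All five destinations from the slide configured with a sensible severity for each, as an added example (not from the INE slides); the syslog server address and the source interface are assumed:

```cisco
! Added example, not from the slides. Syslog server 10.10.0.50 and the
! Loopback0 source interface are assumed.
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
! Console: critical (2) and above only, so a message flood cannot
! swamp the console session
logging console critical
! Internal buffer: 64 KB at informational (6); debugging (7) is excluded
logging buffered 65536 informational
! VTY sessions: allowed up to informational; each session still needs
! 'terminal monitor' before messages are displayed
logging monitor informational
! Syslog server: 'logging trap' sets the severity, 'logging host' the target
logging trap informational
logging host 10.10.0.50
logging source-interface Loopback0
! SNMP server: keep a history table and send its entries as syslog traps
logging history informational
logging history size 100
snmp-server enable traps syslog
! Verify destinations, levels and the buffered messages
show logging
```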

Securing SNMP

Module Overview
SNMP overview

SNMP versions

SNMPv3

Configuration

SNMP Overview
Simple Network Management Protocol (SNMP) is an application-layer protocol used for network monitoring & administration

SNMP Framework
Network Management Station (NMS)
SNMP Agent
Management Information Base (MIB)

SNMP Operations
Polling (GET, SET)
Notifications (TRAPS, INFORMS)

SNMP Versions
Version 1
Full Internet standard, community-based authentication

Version 2c
Introduces views, still uses communities for authentication

Version 3
Message Integrity (HMAC MD5/SHA)
Encryption (originally DES)
Username-based authentication

SNMPv3
SNMPv3 Security Model
noAuthNoPriv
No encryption, authentication based on usernames
authNoPriv
No encryption, HMAC MD5/SHA integrity
authPriv
Encryption (DES/3DES/AES) & integrity (HMAC MD5/SHA)

SNMP Configuration
Polling
Version 1/2c
snmp-server community [acl]
Version 3
snmp-server group [access acl] & snmp-server user

Notifications
snmp-server enable traps & snmp-server host

Verification
show snmp
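The polling and notification commands from the slide, with the weak v2c setting beside an SNMPv3 authPriv setup, as an added example (not from the INE slides); the NMS address, ACL number, view/group/user names and passphrases are assumed:

```cisco
! Added example, not from the slides. NMS 10.10.0.60, ACL 20, the view,
! group and user names and the passphrases are constructed.
access-list 20 permit host 10.10.0.60
! v1/2c: the community string is the only credential and travels in
! clear text. Weak form: snmp-server community public RW
! If 2c must stay, make it read-only and bind it to the NMS ACL:
snmp-server community M0n-R0-Str!ng RO 20
! v3 authPriv: SHA integrity, AES-128 encryption, ACL-restricted group
snmp-server view MGMT-VIEW iso included
snmp-server group NMS-GROUP v3 priv read MGMT-VIEW access 20
snmp-server user nms-poller NMS-GROUP v3 auth sha Auth-P4ss!phrase priv aes 128 Pr1v-P4ss!phrase
! Notifications: which events, then where (traps to the v3 user, authPriv)
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server host 10.10.0.60 traps version 3 priv nms-poller
! Verify users, groups and notification targets
show snmp user
show snmp group
show snmp host
```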

Securing NTP

Module Overview
NTP overview

NTP security

Configuration

NTP Overview
Network Time Protocol (NTP) is used to synchronize time in a network
Time information is sent from Time Server(s) to the Clients
No DST or time zone information is transmitted in NTP Updates (UTC time is sent)
A hierarchy of stratum levels defines the accuracy of time information
The stratum defines how "close" you are to the real time source
Stratum 1 is the most precise time server (e.g. connected to an atomic clock)
NTP can be deployed in three main ways
Client-Server (request-reply)
Symmetric Active/Passive aka "NTP Peers" (mutual synchronization)
Multicast/Broadcast (simplifies deployments)

NTP Configuration
Server
ntp master

Client
ntp server [key]

Peer
ntp peer [key]

Verification
show ntp

NTP Security
IPsec

Access-Lists
Control which addresses may act as servers/clients
ntp access-group [peer | serve]

MD5 Authentication
Used to authenticate a time source
ntp authenticate
ntp authentication-key
ntp trusted-key
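The NTP configuration and NTP security slides combined into an authenticated, ACL-restricted server/client pair, as an added example (not from the INE slides); the server address, key id, key string and ACL numbers are assumed:

```cisco
! Added example, not from the slides. Server 10.10.0.1, key id 1, the key
! string and the ACL numbers are constructed.
! --- time server (lab master with no upstream source) ---
ntp authentication-key 1 md5 Ntp-Sh4red!Key
ntp authenticate
ntp trusted-key 1
ntp master 2
! Answer time requests from the management network only; 'serve-only'
! never lets this router synchronize to one of those addresses
access-list 30 permit 10.10.0.0 0.0.0.255
ntp access-group serve-only 30
!
! --- client ---
ntp authentication-key 1 md5 Ntp-Sh4red!Key
ntp authenticate
! Only key 1 is trusted: unauthenticated or wrongly keyed replies are ignored
ntp trusted-key 1
ntp server 10.10.0.1 key 1 prefer
! 'peer' permits synchronization, but only with the listed server
access-list 40 permit host 10.10.0.1
ntp access-group peer 40
! Verify: look for the authenticated flag and a non-zero reach counter
show ntp associations detail
show ntp status
```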
