Securing Management Access

Cisco networking devices provide rich management access capabilities that give the network administrator powerful configuration and diagnostics tools.

The most common form of management access to a Cisco networking device is an EXEC session. An EXEC session is similar to a UNIX shell and is reachable via Telnet, Secure Shell (SSH), or the console port. Cisco devices also support management via Simple Network Management Protocol (SNMP) and Hypertext Transfer Protocol (HTTP). Figure 8-1 illustrates the various management interfaces and how they interact with a Cisco switch.

Figure 8-1. Cisco Management Interfaces

The first step to securing your switching infrastructure is to secure the switch's management interfaces. Next, you should implement techniques that improve the overall security of the switch.

The following switch security techniques are available:

  • Configuring authentication, authorization, and accounting (AAA)

  • Restricting management access

  • Using secure management protocols

  • Reducing other vulnerabilities

Configuring Authentication, Authorization, and Accounting (AAA)

The default authentication policy on a Cisco CatOS switch is extremely lax. Cisco IOS-based switches are slightly more secure by default, but the security of both platforms can be significantly improved. Table 8-1 shows the default authentication methods for accessing a CatOS and IOS switch.

Table 8-1. Default Authentication Procedures

Access Type | User EXEC Mode | Privileged EXEC Mode

(The access-type row labels of this table did not survive extraction. The recovered cell values, in the order they appeared, are: Blank Password, Blank Password, Blank Password, Password Required, Password Required.)

Table 8-1 describes the policy for obtaining management access to a switch in its default state. Since a switch with blank or default passwords should never be placed in a production network, the first thing you should do is configure passwords for every access method (console, Telnet, and so on) and then configure an enable secret to protect privileged access.

You can further secure switch management access through the implementation of the techniques detailed in Table 8-2.

Table 8-2. Techniques To Secure Switch Management Access



Local user authentication

Provides a per-user username and password, which eliminates the need to share the enable secret among administrators and adds the username to relevant log entries (e.g., configuration changes), giving you accountability. The primary disadvantage is the lack of centralized account management: every switch carries its own copy of the user database. On CatOS, local user authentication is available starting with CatOS 7.5.

Lockout parameters (CatOS only)

This feature locks out access to a switch after a configured number of consecutive failed login attempts, to slow down brute force password guessing. Choose the threshold and lockout period with care: an attacker who can deliberately trip the lockout can deny legitimate administrators access to the switch.

Privilege levels (IOS only)

Sixteen privilege levels exist, numbered 0 through 15. By default, level 1 is user EXEC mode and level 15 is privileged EXEC mode. Commands can be assigned to the intermediate levels, each of which is protected by its own level-specific enable secret. Levels are cumulative: a user at a given level can execute every command assigned to that level and all lower levels.

Login banners (CatOS and IOS)

Login banners display a message to anyone connecting to the device before they authenticate. Typically they state that access is restricted to authorized users and that sessions are monitored, which supports later disciplinary or legal action. A banner should not advertise the device's model, software version, or role; that information only helps an intruder.

Session timeouts (CatOS and IOS)

Disconnects EXEC sessions that have been idle for a configurable period, so that an unattended terminal or a dropped connection does not leave a logged-in session available to someone else.

Centralized AAA (CatOS and IOS)

Provides centralized user account management, per-command authorization, and accounting of what each user did. Requires a TACACS+ or RADIUS server. Keep the local user database configured as the fallback authentication method so that you are not locked out of the switch when the server is unreachable.
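The Table 8-2 items are easy to forget on one switch out of fifty, so it helps to check a saved running-config mechanically. The script below is an added example, not code from the book or from Cisco: it splits an IOS configuration into global commands and "line" sections and reports which of the measures above are missing (enable secret, per-user login or AAA, banner, idle timeout, reversible passwords). Both configurations in it are constructed samples, and the "$1$..." strings in the hardened one are placeholders rather than real hashes.

```python
"""Added example (not from the book): audit an IOS running-config for the
management-access items in Table 8-2. Both configurations below are
constructed samples; the '$1$...' strings are placeholders, not real hashes."""

WEAK_CONFIG = """\
hostname sw-weak
enable password cisco
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 exec-timeout 0 0
!
end
"""

HARDENED_CONFIG = """\
service password-encryption
hostname sw-hard
aaa new-model
aaa authentication login default group tacacs+ local
username netops privilege 15 secret 5 $1$sAlt$placeholderPlaceholderPl
enable secret 5 $1$sAlt$placeholderPlaceholderPl
tacacs-server host 10.0.0.10
banner motd ^CUnauthorized access is prohibited and logged^C
!
line con 0
 exec-timeout 10 0
line vty 0 4
 exec-timeout 10 0
 transport input ssh
!
end
"""


def parse_config(text):
    """Split an IOS config into global commands and 'line ...' sections.
    IOS indents a section's sub-commands by one space; '!' ends a section."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd[5:]
            sections.setdefault(current, [])
        else:
            global_cmds.append(cmd)
    return global_cmds, sections


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, lines = parse_config(text)

    def has(prefix):
        return any(c.startswith(prefix) for c in global_cmds)

    findings = []
    if not has("enable secret"):
        findings.append("global: no enable secret; privileged EXEC relies on the reversible enable password or nothing")
    if has("enable password"):
        findings.append("global: enable password present; it is reversible and should be removed")
    if not has("service password-encryption"):
        findings.append("global: service password-encryption off; line passwords are stored in clear text")
    for c in global_cmds:
        if c.startswith("username ") and " password " in c:
            findings.append(f"global: user {c.split()[1]} defined with 'password'; use 'secret'")
    if not has("banner"):
        findings.append("global: no login banner")
    aaa = has("aaa new-model")
    if not aaa:
        findings.append("global: centralized AAA not enabled (aaa new-model)")
    for name, sub in lines.items():
        login = [s for s in sub if s.startswith("login")]
        if not aaa:  # with aaa new-model every line uses the default login method list
            if "login local" in login:
                pass  # per-user authentication against the local database
            elif login:
                findings.append(f"line {name}: shared line password, no per-user accountability")
            else:
                findings.append(f"line {name}: no 'login' command, EXEC access is unauthenticated")
        if "exec-timeout 0 0" in sub:
            findings.append(f"line {name}: idle timeout disabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"== {label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

A missing exec-timeout is deliberately not reported, because the IOS default is a ten-minute idle timeout; only the explicit "exec-timeout 0 0", which disables it, is flagged. Under "aaa new-model" the per-line "login" checks are skipped, since every line then uses the configured AAA method list.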

Restricting Management Access

In most networks, only a handful of people need management access to switches. CatOS and Cisco IOS allow you to restrict which hosts can establish management sessions, based on the source IP address of the connection.


Known as host-based authentication, this type of access control is weak on its own: any user or process on a permitted host can open a management session, and source addresses can be spoofed. Use it only to supplement user-based authentication, as a way of shrinking the set of hosts from which a login can even be attempted.

Figure 8-2 illustrates restricting management access.

Figure 8-2. Restricting Management Access

Through the use of IP permit lists on CatOS (set ip permit) and access classes on IOS (a standard access list applied to the vty lines with access-class ... in), management sessions can be controlled on a source IP address basis for the following protocols:

  • Telnet

  • Secure shell

  • SNMP

  • HTTP
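Before relying on an access class, it is worth confirming that the access list really admits the management stations you expect and nothing else. The following is an added example, not the book's code: it parses the standard access list and the vty "access-class" from a constructed IOS configuration and evaluates candidate source addresses the way the switch does, first match wins, top to bottom, with the implicit "deny any" at the end. The wildcard-mask matching is the general rule, so it also handles entries the sample does not use ("any", masks other than a whole octet).

```python
"""Added example (not from the book): evaluate an IOS vty 'access-class'
offline. Standard ACL entries are matched first-hit, top to bottom, with an
implicit 'deny any' at the end, exactly as the switch does. The config and
the addresses are constructed samples."""
import ipaddress
import re

RESTRICTED_CONFIG = """\
access-list 10 remark management stations only
access-list 10 permit host 10.1.1.5
access-list 10 deny 10.1.2.99
access-list 10 permit 10.1.2.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.255.255
!
line vty 0 4
 access-class 10 in
 transport input ssh
"""

OPEN_CONFIG = """\
line vty 0 4
 transport input telnet ssh
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_standard_acls(config):
    """Map ACL number -> list of (permit, address, wildcard) in config order.
    A wildcard bit of 1 means 'don't care'; no wildcard means a single host."""
    acls = {}
    for raw in config.splitlines():
        m = re.match(r"access-list\s+(\d+)\s+(permit|deny)\s+(.+)", raw.strip())
        if not m:
            continue  # remarks, blank lines, and non-ACL commands
        number, action, rest = m.group(1), m.group(2), m.group(3).split()
        if rest[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            addr, wild = _ip(rest[1]), 0
        else:
            addr = _ip(rest[0])
            wild = _ip(rest[1]) if len(rest) > 1 and rest[1][0].isdigit() else 0
        acls.setdefault(number, []).append((action == "permit", addr, wild))
    return acls


def vty_access_class(config):
    """Return the ACL applied inbound on the vty lines, or None if there is none."""
    in_vty = False
    for raw in config.splitlines():
        if not raw.startswith(" "):
            in_vty = raw.startswith("line vty")
            continue
        m = re.match(r"\s*access-class\s+(\S+)\s+in\b", raw)
        if in_vty and m:
            return m.group(1)
    return None


def acl_permits(source, entries):
    """First matching entry decides; no match means the implicit deny."""
    ip = _ip(source)
    for permit, addr, wild in entries:
        if ((ip ^ addr) & (~wild & 0xFFFFFFFF)) == 0:  # every 'care' bit equal
            return permit
    return False


def may_open_session(config, source):
    """True if a host at 'source' gets past the vty access-class."""
    number = vty_access_class(config)
    if number is None:
        return True  # no restriction: anyone who can reach the vty may try to log in
    return acl_permits(source, parse_standard_acls(config).get(number, []))


if __name__ == "__main__":
    for src in ("10.1.1.5", "10.1.1.6", "10.1.2.99", "10.1.2.10", "172.16.0.1"):
        print(f"{src:>12}: {'permit' if may_open_session(RESTRICTED_CONFIG, src) else 'deny'}")
```

Note the asymmetry that makes access classes a supplement rather than a control: a "permit" here means only that a session can be opened from that address, not that the person behind it is who they claim to be.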

Using Secure Management Protocols

The previous sections covered access control mechanisms. Most management access is remote, so management traffic crosses the network, and it carries sensitive information: usernames and passwords, SNMP community strings, and device configurations. When that traffic is sent in clear text, anyone who can see it, whether on a shared segment, through a compromised device on the path, or via ARP spoofing on a switched LAN, can capture a username/password pair or an entire configuration. To address this, use management protocols that protect the confidentiality and integrity of the session.

Table 8-3 details the secure management protocols available on CatOS and IOS devices.

Table 8-3. The Secure Management Protocols Available on CatOS and IOS Devices



Secure shell

Provides encrypted, Telnet-like terminal access to remote network devices. Secure Shell client software and an SSH-capable IOS or CatOS image (a cryptographic feature set, which is subject to export control) are required. Early images support only SSH version 1, which has known protocol weaknesses; prefer an image and client that negotiate SSH version 2.

SNMPv3

SNMPv3 greatly improves on the security of SNMP versions 1 and 2c, whose community strings cross the network in clear text, by providing message authentication, integrity, and confidentiality. At the time of writing (2002), SNMPv3 was not in widespread use and device support was limited. Where you must run SNMPv1 or v2c, treat the community string as a password: never use the well-known defaults, make it read-only, and restrict it to known management stations with an access list.

Reducing Other Vulnerabilities

So far we have discussed switch access methods and protocols; now you can leverage a few other configuration tips to protect against some of the less common security vulnerabilities.

  • Password encryption: The service password-encryption command makes Cisco IOS store line, username, and enable passwords in the configuration as "type 7" strings instead of clear text. This encoding is a fixed-key XOR rather than encryption in any meaningful sense; it only stops a casual onlooker at show running-config from reading passwords.


    Don't rely on password encryption to protect the standard enable password: type 7 strings are reversible, and freely available tools recover the clear text instantly.

  • Enable secret: Cisco IOS supports two ways of protecting privileged EXEC, the enable password and the enable secret. The enable password is stored either in clear text or as a reversible type 7 string. The enable secret (type 5) is stored as a salted MD5 hash, a one-way function that cannot be reversed; if both are configured, the secret takes precedence. A fast hash can still be brute-forced offline by anyone who obtains a copy of the configuration, so choose a long secret, and on IOS releases that offer the stronger type 8 (PBKDF2) or type 9 (scrypt) algorithms, use them.

  • Disabling unnecessary services: Various services are enabled by default that might not be required on your network. An example is the Cisco Discovery Protocol (CDP), which multicasts information about Cisco devices (platform, software version, addresses) to every neighbor. Since CDP is a valuable troubleshooting tool, it is common practice to disable it only on interfaces connecting to untrusted or insecure networks (no cdp enable on the interface) rather than globally (no cdp run), which would also remove it from the trusted links where it is useful.
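The difference between the two password-storage schemes above is easiest to see by implementing both. The following is an added example, not code from the book or from Cisco: a stand-alone re-implementation of the type 7 encoding (a fixed-key XOR, so the same routine encodes and decodes) and of the MD5-crypt "$1$" construction that the type 5 enable secret uses, together with the verify step a switch performs at "enable". The sample strings are constructed; 0822455D0A16 is the type 7 form of the password "cisco".

```python
"""Added example (not from the book): re-implementation of the two IOS
password-storage schemes the text contrasts. Type 7 ('service
password-encryption') is a fixed-key XOR and is reversible; type 5 ('enable
secret') is the salted, iterated MD5-crypt construction and is one-way.
Sample strings are constructed; 0822455D0A16 is the type 7 form of 'cisco'."""
import hashlib
import secrets

# The constant XOR key every IOS image uses for type 7; no secret is involved.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def type7_decrypt(encoded):
    """Reverse a type 7 string: two decimal digits give the key offset, then
    each hex byte is XORed with the next key byte."""
    offset = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(data))
    return clear.decode("ascii")


def type7_encrypt(clear, offset=8):
    """Forward direction: the same XOR, which is why decrypting is trivial."""
    enc = bytes(c ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                for i, c in enumerate(clear.encode("ascii")))
    return f"{offset:02d}{enc.hex().upper()}"


def _to64(value, count):
    """MD5-crypt's base64 variant: six bits at a time, least significant first."""
    out = ""
    for _ in range(count):
        out += chr(_ITOA64[value & 0x3F])
        value >>= 6
    return out


def md5crypt(password, salt):
    """The $1$ (MD5-crypt) algorithm used for IOS type 5 enable secrets."""
    pw, sl, magic = password.encode(), salt.encode(), b"$1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for i in range(len(pw)):                      # mix in len(pw) bytes of alt
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                                      # one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                         # fixed stretching loop
        ctx = hashlib.md5()
        ctx.update(pw if i & 1 else final)
        if i % 3:
            ctx.update(sl)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return f"$1${salt}${encoded}"


def new_enable_secret(password):
    """What 'enable secret <pw>' stores: a fresh 4-character salt plus the hash."""
    salt = "".join(chr(secrets.choice(_ITOA64)) for _ in range(4))
    return md5crypt(password, salt)


def verify_enable_secret(candidate, stored):
    """What 'enable' does at login: re-hash with the stored salt and compare."""
    magic, salt, _digest = stored.split("$")[1:4]
    if magic != "1":
        raise ValueError("not a type 5 secret")
    return secrets.compare_digest(md5crypt(candidate, salt), stored)


if __name__ == "__main__":
    print("type 7 0822455D0A16 ->", type7_decrypt("0822455D0A16"))
    stored = new_enable_secret("correct horse")
    print("type 5 stored as", stored)
    print("verify right/wrong:", verify_enable_secret("correct horse", stored),
          verify_enable_secret("wrong", stored))
```

The point of the contrast: type7_decrypt needs nothing but the string from the configuration, while verify_enable_secret can only confirm a guess, one thousand MD5 rounds at a time. That iteration count was chosen in the 1990s and is no obstacle to modern hardware, which is why a long secret, and a stronger algorithm where the IOS release provides one, still matter.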

CCNP(R) Practical Studies: Switching (CCNP Self-Study)
ISBN: 1587200600
Year: 2002
Pages: 135
Authors: Justin Menga
