Chapter 4: Securing the Management Plane on Cisco IOS Devices and AAA

Securing the Management Plane on Cisco IOS Devices and AAAThis chapter describes how to securely implement the management and reporting features of Cisco IOS devices. More precisely, it discusses the following:• Technologies used in secure management and reporting, such as syslog, Network Time Protocol (NTP), Secure Shell (SSH), and Simple Network Management Protocol version 3 (SNMPv3).• Proper password configuration, management, and password recovery procedures and how to safeguard a copy of the operating system and configuration file with the use of authentication, authorization, and accounting (AAA) both locally and on an external database.• The use and configuration of Cisco Secure Access Control Server (ACS) as an external AAA database• Secure management and reporting, as well as AAA, from both the command-line interface (CLI) and from Cisco Configuration Professional (CCP).ContentsRemote access typically involves allowing Telnet, Secure Shell (SSH), HTTP, HTTPS, or Simple Network Management Protocol (SNMP) connections to the Cisco IOS device from a computer on the same subnet or a different subnet. Configuring Secure Administration AccessDedicated Management NetworkConfiguring an SSH Daemon for Secure Management AccessStep 1: Configure the IP domain name.Step 2: Generate one-way secret RSA keys.Step 3: Create a local database username entry.Step 4: Enable VTY inbound SSH sessions.R1# conf tR1(config)# ip domain-name span.comR1(config)# crypto key generate rsa general-keys modulus 1024R1(config)# ip ssh authentication-retries 4R1(config)# ip ssh time-out 120R1(config)# username Bob secret ciscoR1(config)# line vty 0 4R1(config-line)# login localR1(config-line)# transport input sshR1(config-line)# exitAll routers need a locally configured password for privileged access and other access.Configuring Passwords on Cisco IOS DevicesR1R1(config)# enable secret ciscoR1(config)# line con 0R1(config-line)# password ciscoR1(config-line)# loginR1(config)# line aux 0R1(config-line)# password ciscoR1(config-line)# loginR1(config)# line vty 0 4R1(config-line)# password ciscoR1(config-line)# loginTo steal passwords, attackers:Shoulder surf.Guess passwords based on the user's personal information.Sniff TFTP packets containing plaintext configuration files. Use readily available brute force attack tools such as L0phtCrack or Cain & Abel.Strong passwords are the primary defense against unauthorized access to a router!Cisco Router PasswordsStrong PasswordsPasswords should NOT use dictionary words Dictionary words are vulnerable to dictionary attacks.Passwords may include the following:Any alphanumeric character.A mix of uppercase and lowercase characters.Symbols and spaces.A combination of letters, numbers, and symbols.Note:Password-leading spaces are ignored, but all spaces after the first character are NOT ignored.Change passwords frequently.Implement a policy defining when and how often the passwords must be changed. Limits the window of opportunity for a hacker to crack a password.Limits the window of exposure after a password has been cracked.Local rules can make passwords even safer.Strong PasswordsOne well known method of creating strong passwords is to use passphrases. Basically a sentence / phrase that serves as a more secure password. Use a sentence, quote from a book, or song lyric that you can easily remember as the basis of the strong password or pass phrase. For example:“My favorite spy is James Bond 007.” = MfsiJB007.“It was the best of times, it was the worst of times.” = Iwtbotiwtwot.“Fly me to the moon. And let me play among the stars.” = FmttmAlmpats.PassphrasesUse a password length of 10 or more characters. The longer, the better.Make passwords complex by including a mix of UPPERCASE and lowercase letters, numbers, symbols, and spaces. Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, biographical information, such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information.Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.Change passwords often so if a password is unknowingly compromised, the window of opportunity for the attacker to use the password is limited.Do not write passwords down and leave them in obvious places such as on the desk or monitor.Password Protection GuidelinesCisco Router PasswordsTo increase the security of passwords, the following Cisco IOS commands should be utilized:Enforce minimum password length: security passwords min-length.Disable unattended connections: exec-timeout.Encrypt config file passwords: service password-encryption.Enforce Minimum Password LengthsMake passwords lengthy. IOS 12.3 and later passwords can be 0 to 16 characters in length.The best practice is to have a minimum of 10 characters. To enforce the minimum length use the global command:security passwords min-length length The command affects all “new” router passwords.Existing router passwords are unaffected. Any attempt to create a new password that is less than the specified length fails and results in an “Password too short” error message”By default, an administrative interface stays active and logged in for 10 minutes after the last session activity. After that, the interface times out and logs out of the session. The timer can be adjusted using the exec-timeout command in line configuration mode for each of the line types that are used.exec-timeout minutes secondsNote:exec-timeout 0 0 means that there will be no timeout and the session will stay active for an unlimited time. Great for Labs Bad in production networks!Never set the value to 0!Disable Unattended ConnectionsDefault time is 10 minutes.Terminates an unattended connection (console or vty).Provides additional level of security if an administrator walks away from an active console session.To terminate an unattended console connection after 3 minutes and 30 seconds:To disable the exec process on the line:Disable Unattended ConnectionsRouter(config-line)#exec-timeout minutes [seconds]Sudbury(config)# line console 0Sudbury(config-line)# exec-timeout 3 30Sudbury(config)# line aux 0Sudbury(config-line)# no exec-timeoutEncrypt all passwords in the router configuration file.Encrypt All Passwordsservice password-encryptionRouter(config)#R1(config)# service password-encryptionR1(config)# exitR1# show running-configenable password 7 06020026144A061E!line con 0 password 7 094F471A1A0A login!line aux 0 password 7 01100F175804575D72 loginline vty 0 4 password 7 03095A0F034F38435B49150A1819 loginSecure the local database passwords.Traditional user configuration with plaintext password.Use MD5 hashing for strong password protection.More secure than the type 7 encryption.Securing Local Database Passwordsusername name secret {[0] password | encrypted-secret}username name password {[0] password | 7 hidden-password}Securing Local Database PasswordsR1# conf tR1(config)# username JR-ADMIN password letmein% Password too short - must be at least 10 characters. Password configuration failedR1(config)# username JR-ADMIN password cisco12345R1(config)# username ADMIN secret cisco54321R1(config)# line con 0R1(config-line)# login localR1 con0 is now availablePress RETURN to get started.User Access VerificationUsername: ADMINPassword: R1>R1# show run | include usernameusername JR-ADMIN password 7 060506324F41584B564347username ADMIN secret 5 $1$G3oQ$hEvsd5iz76WJuSJvtzs8I0R1#R1(config)# no service password-recoveryWARNING:Executing this command will disable password recovery mechanism. Do not execute this command without another plan for password recovery.Are you sure you want to continue? [yes/no]: yesR1(config)#Securing ROM MonitorR1(config)# secure boot-imageR1(config)# secure boot-configSecuring the Cisco IOS Image and Configuration FilesPrivilege LevelsPrivilege Levels Privilege LevelsThe needs of a network security operator may not be the same as that of WAN engineer.Cisco routers allow configuration at various privilege levels for administrators. Different passwords can be configured to control who has access to the various privilege levels. There are 16 privilege levels.Levels 2 to 14 can be configured using the privilege global configuration command. Level 0: Predefined for user-level access privileges. Seldom used, but includes five commands: disable, enable, exit, help, and logout.Level 1(User EXEC mode): The default level for login with the router prompt Router>. A user cannot make any changes or view the running configuration file.Levels 2 –14: May be customized for user-level privileges. Commands from lower levels may be moved up to a higher level, or commands from higher levels may be moved down to a lower level. Level 15 (Privileged EXEC mode): Reserved for the enable mode privileges (enable command). Users can view and change all aspects of the configuration. Privilege LevelsRouter Privilege LevelsRouter(config)#privilege mode {level level command | reset command}CommandDescriptionmodeThis command argument specifies the configuration mode. Use the privilege ? command to see a list of router modes.level(Optional) This command enables setting a privilege level with a specified command. level command(Optional) This parameter is the privilege level that is associated with a command. You can specify up to 16 privilege levels, using numbers 0 to 15.reset(Optional) This command resets the privilege level of a command.command(Optional) This is the command argument to use when you want to reset the privilege level.In this example, four user accounts were created.A USER account with normal Level 1 access.A SUPPORT account with Level 1 and ping command access.A JR-ADMIN account with the same privileges as the SUPPORT account plus access to the reload command.An ADMIN account which has all of the regular privileged EXEC commands.Router Privilege Levels ExampleR1# conf tR1(config)# username USER privilege 1 secret ciscoR1(config)#R1(config)# privilege exec level 5 pingR1(config)# enable secret level 5 cisco5R1(config)# username SUPPORT privilege 5 secret cisco5R1(config)#R1(config)# privilege exec level 10 reloadR1(config)# enable secret level 10 cisco10R1(config)# username JR-ADMIN privilege 10 secret cisco10R1(config)# R1(config)# username ADMIN privilege 15 secret cisco123R1(config)#The administrator tests the accounts and logs in as the Level 1 user.Usernames are not case-sensitive by default.Notice the prompt indicates Level 1 (R1>).The ping command which is typically available from Level 1 is no longer available.Router Privilege LevelsUser Access VerificationUsername: userPassword: R1> show privilegeCurrent privilege level is 1R1# ping 10.10.10.1 ^% Invalid input detected at '^' marker.R1>The administrator now verifies the Level 5 access.The enable level command is used to switch from Level 1 to Level 5.Notice now the user can ping but cannot use the reload command.Router Privilege LevelsR1> enable 5Password:R1#R1# show privilegeCurrent privilege level is 5R1# R1# ping 10.10.10.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 msR1# R1# reloadTranslating "reload"Translating "reload"% Unknown command or computer name, or unable to find computer addressR1#The administrator now verifies the Level 10 access.Again, the enable level command is used to switch from Level 5 to Level 10.Notice now the ping command and reload command are available however, the show running-config command is not.Router Privilege LevelsR1# enable 10Password:R1# show privilegeCurrent privilege level is 10R1# ping 10.10.10.1Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:!!!!!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 msR1# reloadSystem configuration has been modified. Save? [yes/no]: ^CR1# show running-config ^% Invalid input detected at '^' marker.R1#Finally, the administrator verifies the privileged EXEC Level 15 access.Again, the enable level command is used to switch from Level 10 to Level 15.Now all commands are available.Router Privilege LevelsR1# enable 15Password: R1# show privilegeCurrent privilege level is 15R1# show running-configBuilding configuration...Current configuration : 1145 bytes!version 12.4No access control to specific interfaces, ports, logical interfaces, and slots on a router.Commands available at lower privilege levels are always executable at higher levels.Commands specifically set on a higher privilege level are not available for lower privileged users.Assigning a command with multiple keywords to a specific privilege level also assigns all commands associated with the first keywords to the same privilege level. An example is the show ip route command.If an administrator needs to create a user account that has access to most but not all commands, privilege exec statements must be configured for every command that must be executed at a privilege level lower than 15. This can be a tedious process.Privilege Level LimitationsRole-Based CLIPrivilege levels and enable mode passwords do not provide the necessary level of detail needed when working with Cisco IOS routers and switches.The Role-Based CLI Access feature allows the administrator to define “views”.Views are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration mode commands.Views restrict user access to Cisco IOS CLI and configuration information; that is, a view can define what commands are accepted and what configuration information is visible.Role-Based CLI OverviewRoot View is required to defines Views and Superviews.Views contain commands. A command can appear in more than one view.Root ViewView #1View #2View #3View #4View #5View #6show ip routeshow runint fa0/0show interfacesRoot ViewRoot view is the highest administrative view.Creating and modifying a view or ‘superview’ is possible only from root view.The difference between root view and privilege Level 15 is that only a root view user can create or modify views and superviews.Role-Based CLI views require AAA new-model:This is necessary even with local view authentication.A maximum of 15 CLI views can exist in addition to the root view.Role-Based CLI OverviewBefore a view is entered or created, AAA must be enabled via the aaa new-model command.Next, use the enable command with the view parameter to enter the root view. E.g., enable viewOptionally you can also use enable view root.Use the privilege 15 password (enable secret), if prompted for authentication (if authentication is configured).Getting Started with Role-Based CLIEnter a privilege level or a CLI view.Use enable command with the view parameter to enter the root view.Root view requires privilege Level 15 authentication. The aaa-new model command must be entered.Getting Started with Role-Based CLIRouter#enable [privilege-level] [view [view-name]]R1(config)# aaa new-modelR1(config)# exitR1# enable viewPassword:R1#%PARSER-6-VIEW_SWITCH: successfully set to view 'root'enable ParametersParameterDescriptionprivilege-level(Optional) Sets the privilege level at which to log in.view(Optional) Enters root view, which enables users to configure CLI views. This keyword is required if you want to configure a CLI view.view-name(Optional) Enters or exits a specified CLI view. This keyword can be used to switch from one CLI view to another CLI view.Router#enable [privilege-level] [view [view-name]]Creates a view and enters view configuration mode.Sets a password to protect access to the view.Adds commands or interfaces to a view.Example config setting a password and adding commands to the view named MONITOR-VIEW.Configuring CLI ViewsRouter(config)#R1(config)# parser view MONITOR-VIEWR1(config-view)# password ciscoR1(config-view)# commands exec include show versionparser view view-nameRouter(config-view)#password encrypted-password commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]commands ParametersParameterDescriptionparser-modeSpecifies the mode in which the specified command exists (e.g. exec mode).includeAdds a command or an interface to the view and allows the same command or interface to be added to an additional view.include-exclusiveAdds a command or an interface to the view and excludes the same command or interface from being added to all other views.excludeExcludes a command or an interface from the view; that is, users cannot access a command or an interface.all(Optional) Specifies a “wildcard” that allows every command in a specified configuration mode that begins with the same keyword or every subinterface for a specified interface to be part of the view.interface interface-name(Optional) Specifies an interface that is added to the view.command(Optional) Specifies a command that is added to the view.Router(config-view)#commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]The CLI view FIRST is created and configured to include the commands show version, configure terminal, and all commands starting with show ip.Role-Based CLI Configuration ExampleR1(config)# aaa new-modelR1(config)# exitR1# enable view%PARSER-6-VIEW_SWITCH: successfully set to view ‘root’.R1# configure terminalR1(config)# parser view FIRST%PARSER-6-VIEW_CREATED:view ‘FIRST’ successfully created.R1(config-view)# secret firstpassR1(config-view)# command exec include show versionR1(config-view)# command exec include configure terminalR1(config-view)# command exec include all show ipR1(config-view)# exitNext, the administrator will verify the configuration by entering and viewing the available commands.When a user enters the CLI view, an indication message appears. Apart from the commands enable and exit that are available in all views, the only two commands that are visible in the CLI view are configure and show. Role-Based CLI Configuration ExampleR1> enable view FIRSTPassword: %PARSER-6-VIEW_SWITCH:successfully set to view ‘FIRST'.R1# ?Exec commands: configure Enter configuration mode enable Turn on privileged commands exit Exit from the EXEC show Show running system informationTo further verify the view configuration, the administrator looks at the available options of the show command. The available options include parser, which is always available, and the configured keywords ip and version.Role-Based CLI Configuration ExampleR1# show ? ip IP information parser Display parser information version System hardware and software statusRole-Based CLI Configuration ExampleNext, the user verifies that all sub-options of the show ip command are available in the view.R1# show ip ?access-lists List IP access lists accounting The active IP accounting database aliases IP alias table arp IP ARP table as-path-access-list List AS path access lists bgp BGP information cache IP fast-switching route cache casa Display casa information cef Cisco Express Forwarding community-list List community-list dfp DFP information dhcp Show items in the DHCP database drp--More-- Now assign the view to a user.Role-Based CLI Configuration ExampleR1# config tR1(config)# username Bob view FIRST password cisco123Another Sample ConfigR1(config)# parser view SHOWVIEW*Mar 1 09:54:54.873: %PARSER-6-VIEW_CREATED: view ‘SHOWVIEW' successfully created.R1(config-view)# secret ciscoR1(config-view)# commands exec include show versionR1(config-view)# exitR1(config)# parser view VERIFYVIEW*Mar 1 09:55:24.813: %PARSER-6-VIEW_CREATED: view ‘VERIFYVIEW' successfully created.R1(config-view)# commands exec include ping% Password not set for the view VERIFYVIEWR1(config-view)# secret cisco5R1(config-view)# commands exec include pingR1(config-view)# exitR1(config)# parser view REBOOTVIEWR1(config-view)#*Mar 1 09:55:52.297: %PARSER-6-VIEW_CREATED: view ‘REBOOTVIEW' successfully created.R1(config-view)# secret cisco10R1(config-view)# commands exec include reloadR1(config-view)# exitDisplay ViewsR1# show running-configparser view SHOWVIEW secret 5 $1$GL2J$8njLecwTaLAc0UuWo1/Fv0 commands exec include show version commands exec include show!parser view VERIFYVIEW secret 5 $1$d08J$1zOYSI4WainGxkn0Hu7lP1 commands exec include ping!parser view REBOOTVIEW secret 5 $1$L7lZ$1Jtn5IhP43fVE7SVoF1pt. commands exec include reload!Superviews contain Views but not commands. Two Superviews can use the same View. For example, both Superview 1 and Superview 2 can include CLI View 4.SuperViewsView #2command exec View #3command exec View #1command exec Superview #1View #4command exec View #5command exec View #6command exec Superview #2CLI ViewsRoot ViewView #2command exec View #3command exec View #1command exec View #4command exec View #5command exec View #6command exec View #4command exec A CLI view can be shared among multiple superviews.Commands cannot be configured for a superview.Commands are added to CLI views.Users who are logged in to a superview can access all of the commands that are configured for any of the CLI views that are part of the superview.Each superview has a password that is used to switch between superviews or from a CLI view to a superview.If a superview is deleted, CLI views associated with that superview are not deleted.Superview CharacteristicsAppending the keyword superview to the parser view command creates a superview and enters view configuration mode.Sets a password to protect access to the superview.Password must be created immediately after creating a view otherwise an error message will appear.Adds a CLI view to a superview.Multiple views may be added.Views may be shared between superviews.Configure a SuperviewRouter(config)#parser view view-name superviewRouter(config-view)#secret encrypted-password Router(config-view)#view view-nameConfigure ViewsR1(config)# parser view USER superview* Mar 1 09:56:26.465 : %PARSER-6-SUPER_VIEW_CREATED: super view 'USER' successfully created. R1(config-view)# secret ciscoR1(config-view)# view SHOWVIEW*Mar 1 09:56:33.469: %PARSER-6-SUPER_VIEW_EDIT_ADD: view SHOWVIEW added to superview USER.R1(config-view)# exitR1(config)# parser view SUPPORT superview*Mar 1 09:57:33.825 : %PARSER-6-SUPER_VIEW_CREATED: super view 'SUPPORT' successfully created.R1(config-view)# secret cisco1R1(config-view)# view SHOWVIEW*Mar 1 09:57:45.469: %PARSER-6-SUPER_VIEW_EDIT_ADD: view SHOWVIEW added to superview SUPPORT.R1(config-view)# view VERIFYVIEW*Mar 1 09:57:57.077: %PARSER-6-SUPER_VIEW_EDIT_ADD: view VERIFYVIEW added to superview SUPPORT.R1(config-view)# exit R1(config)# parser view JR-ADMIN superview*Mar 1 09:58:09.993: %PARSER-6-SUPER_VIEW_CREATED: super view 'JR-ADMIN' successfully created.R1(config-view)# secret cisco2R1(config-view)# view SHOWVIEW*Mar 1 09:58:26.973: %PARSER-6-SUPER_VIEW_EDIT_ADD: view SHOWVIEW added to superview JR-ADMIN.R1(config-view)# view VERIFYVIEW*Mar 1 09:58:31.817: %PARSER-6-SUPER_VIEW_EDIT_ADD: view VERIFYVIEW added to superview JR-ADMIN.R1(config-view)# view REBOOTVIEW*Mar 1 09:58:39.669: %PARSER-6-SUPER_VIEW_EDIT_ADD: view REBOOTVIEW added to superview JR-ADMIN.R1(config-view)# exitDisplay ViewsR1# show running-config!parser view SUPPORT superview secret 5 $1$Vp1O$BBB1N68Z2ekr/aLHledts. view SHOWVIEW view VERIFYVIEW!parser view USER superview secret 5 $1$E4k5$ukHyfYP7dHOC48N8pxm4s/ view SHOWVIEW!parser view JR-ADMIN superview secret 5 $1$8kx2$rbAe/ji220OmQ1yw.568g0 view SHOWVIEW view VERIFYVIEW view REBOOTVIEW!Verify the USER ViewR1# enable view USERPassword:*Mar 1 09:59:46.197: %PARSER-6-VIEW_SWITCH: successfully set to view 'USER'.R1# ?Exec commands: enable Turn on privileged commands exit Exit from the EXEC show Show running system informationR1#R1# show ? flash: display information about flash: file system version System hardware and software statusR1#Verify the SUPPORT ViewR1# enable view SUPPORTPassword:*Mar 1 10:00:11.353: %PARSER-6-VIEW_SWITCH: successfully set to view 'SUPPORT'.R1# ?Exec commands: enable Turn on privileged commands exit Exit from the EXEC ping Send echo messages show Show running system informationR1#Verify the JR-ADMIN ViewR1# enable view JR-ADMINPassword:*Mar 1 10:00:28.365: %PARSER-6-VIEW_SWITCH: successfully set to view 'JR-ADMIN'.R1# ?Exec commands: enable Turn on privileged commands exit Exit from the EXEC ping Send echo messages reload Halt and perform a cold restart show Show running system informationR1#When monitoring role-based CLI, use the command show parser view to display information about the view that the user is currently in. The all keyword displays information for all configured views. The all keyword is available only to root users. However, the keyword can be configured by a user in root view to be available for users in any CLI view.To display debug messages for all views, use the debug parser view command in privileged EXEC mode.Role-Based CLI MonitoringVerify All ViewsR1# show parser viewNo view is active ! Currently in Privilege Level ContextR1# R1# enable viewPassword:*Mar 1 10:38:56.233: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.R1# R1# show parser viewCurrent view is 'root'R1# R1# show parser view allViews/SuperViews Present in System: SHOWVIEW VERIFYVIEW REBOOTVIEW SUPPORT * USER * JR-ADMIN * ADMIN *-------(*) represent superview-------R1#Implementing Secure Management and ReportingIn this section, we examine the skills necessary to implement secure management and reporting of Cisco IOS devices. The technologies will discuss in this section are as follows:• Syslog• Network Time Protocol (NTP)• Simple Network Management Protocol Version 3 (SNMPv3)Implementing Secure Management and ReportingConfiguring logging for your Cisco routers is a straightforward operation when your network contains only a few Cisco routers. However, logging and reading information from hundreds of devices can prove to be a challenging proposition and can raise the following issues and considerations:• What are the most important logs?• How are important messages separated from routine notifications?• How do you prevent tampering with logs?• How do you ensure that time stamps match?• What log data is needed in criminal investigations?• How do you deal with the volume of log messages?• How do you manage all the devices?• How can you track changes when attacks or network failures occur?Planning Considerations for Secure Management and ReportingSecure Management and Reporting ArchitectureInformation flow between management hosts and the managed devices can take two paths.Out of Band (OOB):Information flows within a network on which no production traffic resides.In-Band:Information flows across the enterprise production network or the Internet (or both).• Management guidelines• Keep clocks on hosts and network devices synchronized.• Record changes and archive configurations.• OOB management guidelines• Provide the highest level of security and mitigate the risk of passing unsecure management protocols over the production network.• In-band management guidelines to manage or monitor devices:• Use VPN, SSH, or SSL (HTTPS with CCP) when possible.• Decide whether the management channel needs to be open at all times.The guidelines for ManagementYou can use Cisco Configuration Professional to configure the date and time settings of the router in three ways:• Synchronize with the local PC clock• Manually edit the date and time• Configure NTPR1# conf tR1(config)# ntp authenticateR1(config)# ntp trusted-key 99R1(config)# ntp masterR1(config)# key chain NTPR1(config-keychain)# key 99R1(config-keychain-key)# key-string PR0PERT1MER1(config-keychain-key)# endEnabling Time FeaturesSyslog implementations contain two types of systems:• Syslog servers: These systems are also known as log hosts. These systems accept and process log messages from syslog clients.• Syslog clients: Syslog clients are routers or other types of Cisco equipment that generate and forward log messages to syslog servers.Using Syslog Logging for Network SecurityR3(config)# logging 10.2.2.6R3(config)# logging trap informationalR3(config)# logging source-interface loopback 0R3(config)# logging onR3Lo0Syslog ImplementationCisco Log Severity LevelsLevel and NameDefinitionExample0 LOG_EMERGA panic condition normally broadcast to all usersCisco IOS software could not load1 LOG_ALERTA condition that should be corrected immediately, such as a corrupted system databaseTemperature too high2 LOG_CRITCritical conditions; for example, hard device errorsUnable to allocate memory3 LOG_ERRErrorsInvalid memory size4 LOG_WARNINGWarning messagesCrypto operation failed5 LOG_NOTICEConditions that are not error conditions but should possibly be addressedInterface changed state, up or down6 LOG_INFOInformational messagesPacket denied by ACL7 LOG_DEBUGMessages that contain information that is normally used only when debuggingPacket type invalidLog Message FormatOct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6)Time StampLog Message Name and Severity LevelMessage TextNote: The log message name is not the same as a severity level name.SNMP Version 1 (SNMPv1) and SNMP Version 2 (SNMPv2) are based on three concepts:• Managers (network management systems [NMS] installed on servers)• Agents (installed on managed nodes)• Management Information Bases (MIB)Using SNMP to Manage Network DevicesSNMP asks agents for information or tells the agents to do something.SNMPv1 and SNMPv2 ArchitectureIn SNMPv1, asynchronous event reports are called traps while in later versions they are called notifications. The actions GET and SET are the vulnerabilities that open SNMP to an attack.SNMPv3 ArchitectureAAA Accounting Using Named Method Lists ProcedureEnabling SNMP Options Using Cisco CCP(Optional) Configure the SNMP-server engine ID to identify the devices for administrative purposesConfigure the SNMP-server group names for grouping SNMP usersConfigure the SNMP-server users to define usernames that reside on hosts that connect to the local agentConfigure SNMP Traps (Informs)Configure the SNMP-server hosts to specify the recipient of a notification operation (trap or inform)Configuring an SNMPv3 Managed NodeSNMPv3 Configuration ExampleTrap_sender(config)# snmp-server group SNMP-GROUP v3 auth Trap_sender(config)# snmp-server group SNMP-GROUP v3 privTrap_sender(config)# snmp-server user snmpuser SNMP-GROUP v3 auth md5 authpassword priv des56 encryptpassword Trap_sender(config)# snmp-server enable traps cpu Trap_sender(config)# snmp-server enable traps configTrap_sender(config)# snmp-server enable traps snmpTrap_sender(config)# snmp-server host 172.16.1.1 traps version 3 priv snmpuserTrap_sender(config)# snmp-server source-interface traps loopback 0aWalked_device(config)# snmp-server group SNMP-GROUP v3 auth Walked_device(config)# snmp-server group SNMP-GROUP v3 privWalked_device(config)# snmp-server user snmpuser SNMP-GROUP v3 auth md5 authpassword priv des56 encryptpasswordA remote engine ID can be created when an SNMPv3 inform is configured.The remote engine ID is used to compute the security digest for authenticating and encrypting packets that are sent to a user on the remote host.Informs are acknowledged traps. The agent sends an inform to the manager. When the manager receives the inform, the manager sends a response to the agent. Thus, the agent knows that the inform reached the intended destination.1- Configuring SNMP-Server Engine ID(Optional) To configure a name for either the local or remote SNMP engine, use the global configuration command snmp-server engineID. The SNMP engine ID is a unique string used to identify the device for administration purposes. An engine ID is not required for the device as a default string is generated using a Cisco enterprise number (1.3.6.1.4.1.9) and the MAC address of the first interface on the device.1- Configuring SNMP-Server Engine IDDo not specify the entire 24-character engine ID if the ID contains trailing zeros. Specify only the portion of the engine ID up to the point at which only zeros remain in the value. This portion must be 10 hexadecimal characters or more. For example, to configure an engine ID of 123400000000000000000000, specifysnmp-server engineID local 12341- Configuring SNMP-Server Engine IDTo configure a new SNMP group, use the global configuration command snmp-server group. This command groups SNMP users that reside on hosts that connect to the local SNMP agent.2- Configuring SNMP-Server Group Namessnmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]Router(config)#Configures a new SNMP group or a table that maps SNMP users to SNMP views.2- Configuring SNMP-Server Group NamesPR1(config)# snmp-server group JOHN-GROUP v3 authPR1(config)# snmp-server group BILL-GROUP v3 privThe first example shows how to define a group JOHN-GROUP for SNMP v3 using authentication but not privacy (encryption).The second example shows how to define a group BILL-GROUP for SNMP v3 using privacy.To add a new user to an SNMP group, use the global configuration command snmp-server user.To configure a user that exists on a remote SNMP device, specify the IP address or port number for the remote SNMP device where the user residesNote: Before configuring remote users for that device, configure the SNMP engine ID using the command snmp-server engineID with the remote option.If the remote engine ID is not configured first, the configuration command will fail.3- Configuring SNMP-Server UsersConfigure a new user to an SNMP group.3- Configuring SNMP-Server Userssnmp-server user username groupname [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} [access access-list]Router(config)#The first example shows how to define a user John belonging to the group JOHN-GROUP. Authentication uses the password john2passwd and no privacy (no encryption) is applied. The second example shows how user Bill, belonging to the group BILL-GROUP, is defined using the password bill3passwd and privacy (encryption) is applied.3- Configuring SNMP-Server UsersPR1(config)# snmp-server user John JOHN-GROUP v3 auth md5 john2passwd PR1(config)# snmp-server user Bill BILL-GROUP v3 auth md5 bill3passwd priv des56 password2To enable all SNMP notifications (traps or informs) available on your system, use the snmp-server enable traps command in global configuration mode.If an snmp-server enable command is NOT entered, no notifications are sent. To configure the router to send SNMP notifications, at least one snmp-server host command must be enteredIf the command is entered with no keywords, all trap types are enabled for the host. 4- Configuring the SNMP Traps4- SNMP – Types of Traps (notifications)TrapDescriptionbgpSends Border Gateway Protocol (BGP) state change traps.configSends configuration traps.hsrpSends Hot Standby Router Protocol (HSRP) notifications.sdlcSends Synchronous Data Link Control (SDLC) traps.snmpSends SNMP traps defined in RFC 1157.syslogSends error message traps (Cisco Syslog MIB). Specify the level of messages to be sent with the logging history level command.ttySends Cisco enterprise-specific traps when a TCP connection closes.x25Sends X.25 event traps.SNMP notifications can be sent as traps or inform requests. Traps are unreliable because the receiver does not send acknowledgments when the receiver receives traps.The sender cannot determine if the traps were received.An SNMP entity that receives an inform request acknowledges the message with an SNMP response PDU.Informs consume more computing resources in the agent and in the network. To be able to send an “inform,”, use the command snmp-server enable informs.4- Configuring the SNMP InformsConfigures the recipient of an SNMP trap operation.This example shows how to send configuration informs to the 10.1.1.1 remote host.5- Configuring SNMP-Server HostsRouter(config)#PR1(config)# snmp-server engineID remote 10.1.1.1 1234567890PR1(config)# snmp-server user bill BILL-GROUP remote 10.1.1.1 v3PR1(config)# snmp-server group BILL-GROUP v3 noauthPR1(config)# snmp-server enable traps PR1(config)# snmp-server host 10.1.1.1 inform version 3 noauth billPR1(config)# snmp-server managersnmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]The next slide shows how to configure Cisco IOS routers for SNMPv3.The router Trap_sender is configured to send traps to the NMS host with the IP address 172.16.1.1. The traps are encrypted using the credentials that are configured for the local user snmpuser who belongs to the group SNMP-GROUP. The Trap_sender router sends traps that are related to CPU, configuration, and SNMP. The trap packets are sourced from the router loopback 0 interface.The router Walked_device is configured so that the NMS host can read the MIBs on the local device. The NMS server needs to use the username credentials that are configured on the Walked_device (snmpuser with respective authentication and encryption passwords) to gain access to the SNMP information of the router.SNMPv3 ConfigurationSNMPv3 Configuration ExampleTrap_sender(config)# snmp-server group SNMP-GROUP v3 auth Trap_sender(config)# snmp-server group SNMP-GROUP v3 privTrap_sender(config)# snmp-server user snmpuser SNMP-GROUP v3 auth md5 authpassword priv des56 encryptpassword Trap_sender(config)# snmp-server enable traps cpu Trap_sender(config)# snmp-server enable traps configTrap_sender(config)# snmp-server enable traps snmpTrap_sender(config)# snmp-server host 172.16.1.1 traps version 3 priv snmpuserTrap_sender(config)# snmp-server source-interface traps loopback 0Walked_device(config)# snmp-server group SNMP-GROUP v3 auth Walked_device(config)# snmp-server group SNMP-GROUP v3 privWalked_device(config)# snmp-server user snmpuser SNMP-GROUP v3 auth md5 authpassword priv des56 encrypt passwordAuthentication, Authorization, and AccountingAAA is an architectural framework for configuring:AAA Security ServicesImplementing Cisco AAAManaging administrative infrastructure access is crucial.Methods:Password onlyLocal databaseAAA Local Authentication (self-contained AAA)AAA Server-basedManaging Administrative AccessAccess TypeModesNetwork Access Server PortsCommon AAA Command ElementRemote administrative accessCharacter Mode(line or EXEC mode)tty, vty, auxiliary, and consolelogin, exec, and enable commandsRemote network accessPacket (interface mode)Dial-up and VPN access including asynchronous and ISDN (BRI and PRI)ppp and network commandsYou can use AAA to secure two different types of router access mode. The mode refers to the format of the packets that are requesting AAA services:• Character mode• Packet modeAuthenticating Router AccessAAA authentication Command ParametersAAA authentication is based on method lists as its building blocks. A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user. Method lists enable you to designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails.Configuring AAA Authentication and Method ListsModular Objects in AAA ConfigurationThe client establishes a connection with the router.The AAA router prompts the user for a username and password.The router authenticates the username and password using the local database and the user is authorized to access the network based on information in the local database.AAA Local Authentication123AAARouterRemote ClientConfiguring Local Authentication Using CCPAAA is disabled by default in CCP.Create UsersConfigure a Login Authentication Method• aaa new-model: Enables AAA.• aaa authentication login default local: Defines the default method list for login authentication using the local database.• aaa authentication login list name: Defines a custom method list for login authentication using the local database, using the enable password as a fallback option. In Example 4-10, the list name is MGT-ACCESS.• username: Adds usernames and passwords to the local security database.• login authentication: Assigns a method list to an access lineAAA Authentication CLI ConfigurationR1(config)# aaa new-modelR1(config)# aaa local authentication attempts max-fail 10R1(config)# aaa authentication login default localR(config)# aaa authentication login MGT-ACCESS local enableR1(config)# enable secret SnowyDay2012R1(config)# username admin privilege 15 view root secret sanfran2012R1(config)# username FWadmin privilege 10 view CCP_Firewall secret 1StopUn0wR1(config)# line con 0R1(config-line)# login authentication MGT-ACCESSR1(config-line)# endR1# debug aaa authenticationAAA CLI Configuration Example with Local AuthenticationUser Access VerificationUsername: wrongusernamePasswor:Feb 11 11:06:47.971: AAA/BIND(0000001B): Bind i/fFeb 11 11:06:47.971: AAA/AUTHEN/LOGIN (0000001B): Pick method list 'MGT-ACCESS'Feb 11 11:06:48.223: AAA/AUTHEN/ENABLE(0000001B): Processing request action LOGINFeb 11 11:06:48.223: AAA/AUTHEN/ENABLE(0000001B): Done status GET_PASSWORDFeb 11 11:06:49.231: AAA/AUTHEN/ENABLE(0000001B): Processing request action LOGINFeb 11 11:06:49.235: AAA/AUTHEN/ENABLE(0000001B): Done status FAIL - bad password% Authentication failedUsername: adminFeb 11 11:06:51.239: AAA/AUTHEN/LOGIN (0000001B): Pick method list 'MGT-ACCESS'Password:R1>Troubleshooting Using the debug aaa authentication CommandServer-Based SolutionCisco Secure ACS BenefitsEase of useA web-based user interface simplifies the configuration for user profiles, group profiles, and ACS configuration.ScalabilityACS is built to provide large networked environments including redundant servers, remote databases, and database replication and backup services.ExtensibilitySupports the authentication of user profiles that are stored in directories from leading directory vendors, including Sun, Novell, and Microsoft.ManagementActive Directory support consolidates username and password management.AdministrationAbility to group network devices together make it easier and more flexible to control the enforcement and changes for all devices in a network.Product flexibilityCisco Secure ACS is available in three options: Cisco Secure ACS Solution Engine, Cisco Secure ACS Express, and Cisco Secure ACS for Windows.IntegrationTight coupling with Cisco IOS routers and VPN solutions.Third-party supportCisco Secure ACS offers token server support for any one-time password (OTP) vendor that provides an RFC-compliant RADIUS interface, such as RSA, PassGo, Secure Computing, ActiveCard, Vasco, or CryptoCard.ControlProvides dynamic quotas to restrict access based on the time of day, network use, number of logged sessions, and the day of the week.Cisco Secure ACSCisco Secure ACS: Appliance and Virtual Machine- Cisco Secure ACS supports multiple RADIUS-based authentication methods- Cisco Secure ACS also supports many members of the Extensible Authentication Protocol (EAP) family of protocolsCisco Secure ACS 4.2 for Windows can be installed on:Windows Server 2003 Service Pack 1, Enterprise Edition or Standard ditionWindows Server 2003, R2, Standard EditionWindows Server 2003, Service Pack 2Windows Server 2003, R2, Service Pack 2Windows Server 2008 Standard or Enterprise EditionCisco Identity Services EngineCisco Identity Services Engine (ISE) is a next-generation identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and simplify service operationsThe Cisco ACS family support:Terminal Access Control Access Control Server Plus (TACACS+)Remote Dial-in User Services (RADIUS) protocolsTACACS+ and RADIUSBoth protocols can be used to communicate between client and AAA servers.TACACS+ is considered the more secure protocol because all exchanges are encrypted.Radius only encrypts the user password.It does not encrypt user names, accounting information, or any other information carried in the radius message.TACACS+ and RADIUSTACACS+ vs. RADIUSFeatureTACACS+RADIUSFunctionalitySeparates AAA according to the AAA architecture, allowing modularity of the security server implementation Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+.StandardMostly Cisco supportedOpen/RFC standardTransport ProtocolTCP port 49UDP port 1645 or 1812 for authenticationUDP port 1646 or 1813 for accountingCHAPBidirectional challenge and response as used in CHAPUnidirectional challenge and response from the RADIUS security server to the RADIUS client.Protocol SupportMultiprotocol supportNo ARA, no NetBEUIConfidentialityEntire packet encryptedOnly the password is encryptedCustomization Provides authorization of router commands on a per-user or per-group basis. Has no option to authorize router commands on a per-user or per-group basis.AccountingLimitedExtensiveConfiguration Steps for AAA Using an External DatabaseStep 1. Globally enable AAA.Step 2. Configure AAA servers and groups.Step 3. Enable AAA globally on the router.Step 4. Configure authentication policies using method lists.Step 5. (Optional) Configure authorization policies using method lists.Step 6. (Optional) Configure accounting policies using method lists.Step 7. Verify the AAA configuration.AAA on a Cisco Router Using an External DatabaseAAA Servers and GroupsR1(config)# radius-server host 10.0.1.10 auth-port 1645 acct-port 1646 key 0 ciscoOrR1(config)# aaa group server radius MYRADIUSR1(config-sg-radius)# server 10.0.1.10 auth-port 1645 acct-port 1646R1(config)# aaa authentication login AAAServer group MYRADIUS localAAA Authentication Method ListsConfiguring Authorization Method ListsAAA Authorization PoliciesAAA Accounting Using Named Method Lists ProcedureAAA Accounting Command Parametersaaa new-model!aaa authentication login TACACS_SERVER group tacacs+ localaaa authorization exec default group tacacs+aaa authorization network default group tacacs+aaa accounting exec default start-stop tacacs+aaa accounting network default start-stop tacacs+aaa accounting commands 15 default stop-only group tacacs+!tacacs-server host 10.0.1.11tacacs-server key ciscosecure!line vty 0 4 login authentication TACACS_SERVERExample of AAA Configuration for TACACS+Deploying and Configuring Cisco Secure ACSBefore: Group-Based PoliciesComplexity of a Mobile Workforce and Borderless Networks New in Cisco Secure ACS 5.2: Rule-Based PoliciesNow: More Than Just IdentitiesContext-Aware Authorization ProfilesRule-Based PoliciesCisco ACS 5.2Creating Users in Identity StoreCisco.com Resources“Cisco Configuration Professional,” “Cisco ISE Fundamentals,” “Cisco Secure Access Control System,” “Password Recovery Procedures,” Guide for the Cisco Secure Access Control System 5.2, 1305, “Network Time Protocol (Version 3) Specification, Implementation and Analysis,” 2571, “An Architecture for Describing SNMP Management Frameworks,” ShellWikipedia. “Secure Shell,”