© 2006 Cisco Systems, Inc. All rights reserved. ISCW v1.05-1 Cisco Device Hardening: Securing Management and Reporting Features

Transcript:

Cisco Device Hardening: Securing Management and Reporting Features

Secure Management and Reporting Planning Considerations
–Which are the most important logs?
–How are important messages separated from routine notifications?
–How do you prevent tampering with logs?
–How do you make sure time stamps match?
–What log data is needed in criminal investigations?
–How do you deal with the volume of log messages?
–How do you manage all the devices?
–How can you track changes when attacks or network failures occur?

Secure Management and Reporting Architecture

Information Paths

In-Band Management Considerations
–Which management protocols does each device support?
–Does the management channel need to be active at all times?
–Is SNMP necessary?

Secure Management and Reporting Guidelines
In-band management guidelines:
–Apply in-band management only to devices that need to be managed or monitored.
–Use IPsec when possible.
–Use SSH or SSL instead of Telnet.
–Decide whether the management channel needs to be open at all times.
–Keep clocks on hosts and network devices synchronized.
–Record changes and archive configurations.
OOB management guidelines:
–OOB management provides the highest level of security and mitigates the risk of passing insecure management protocols over the production network.
–Keep clocks on hosts and network devices synchronized.
–Record changes and archive configurations.

Configuring an SSH Server for Secure Management and Reporting
  Austin2#configure terminal
  Austin2(config)#ip domain-name cisco.com
  Austin2(config)#crypto key generate rsa general-keys modulus 1024
  Sept 22 13:20:45: %SSH-5-ENABLED: SSH 1.5 has been enabled
  Austin2(config)#ip ssh timeout 120
  Austin2(config)#ip ssh authentication-retries 4
  Austin2(config)#line vty 0 4
  Austin2(config-line)#no transport input telnet
  Austin2(config-line)#transport input ssh
  Austin2(config-line)#end
1. Configure the IP domain name (the router also needs a non-default hostname, because the RSA key pair is named after hostname and domain name).
2. Generate the RSA keys.
3. Configure the SSH timeout interval.
4. Configure the SSH retries.
5. Disable vty inbound Telnet sessions.
6. Enable vty inbound SSH sessions.
Two things to check after this sequence: the message "SSH 1.5 has been enabled" means the server came up in SSH version 1 mode, which has known protocol weaknesses, so on images that support it add ip ssh version 2 so that only SSHv2 clients are accepted (show ip ssh reports the mode); and transport input ssh replaces the whole list of protocols allowed on the vty lines, so confirm in show running-config that Telnet is gone rather than relying only on the separate no transport input telnet.
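An added example (not part of the Cisco course material): a small audit script that reads the text of show running-config and reports which of the six steps above are missing, plus the SSH-version caveat. It cannot see step 2, because the RSA key pair is not part of the configuration text (check it with show crypto key mypubkey rsa). The two sample configurations, the hostname "Austin2" and the finding wording are constructed for this example.

```python
"""Audit an IOS running-config for the vty hardening steps on the SSH slide.

Added example, not from the Cisco course. Input is the text of
'show running-config'; both sample configs below are constructed.
"""
import re

# Constructed: the slide's configuration as it appears in a running-config
# (IOS stores 'ip ssh timeout' as 'ip ssh time-out'), plus 'ip ssh version 2'.
HARDENED_CONFIG = """\
hostname Austin2
ip domain-name cisco.com
ip ssh time-out 120
ip ssh authentication-retries 4
ip ssh version 2
!
line vty 0 4
 transport input ssh
!
"""

# Constructed: factory-default hostname, Telnet still accepted on the vty lines.
WEAK_CONFIG = """\
hostname Router
!
line vty 0 4
 transport input telnet ssh
!
"""


def parse_config(text):
    """Return (global commands, {vty section name: [indented commands]})."""
    global_cmds, vty_sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith('!'):
            current = None
            continue
        if line.startswith(' '):            # indented: belongs to the open section
            if current is not None:
                vty_sections[current].append(line.strip())
            continue
        current = None
        if re.match(r'line vty \d+ \d+$', line):
            current = line
            vty_sections.setdefault(current, [])
        else:
            global_cmds.append(line)
    return global_cmds, vty_sections


def audit_ssh(text):
    """Return a list of findings; an empty list means every slide step is present."""
    global_cmds, vty_sections = parse_config(text)
    findings = []
    hostname = next((g.split(None, 1)[1] for g in global_cmds
                     if g.startswith('hostname ')), 'Router')
    if hostname == 'Router':
        findings.append('hostname is the IOS default; RSA key generation needs a real hostname')
    if not any(g.startswith('ip domain-name ') for g in global_cmds):
        findings.append('step 1: ip domain-name is missing')
    if not any(re.match(r'ip ssh (time-out|timeout) \d+$', g) for g in global_cmds):
        findings.append('step 3: ip ssh time-out is not set')
    if not any(g.startswith('ip ssh authentication-retries ') for g in global_cmds):
        findings.append('step 4: ip ssh authentication-retries is not set')
    if 'ip ssh version 2' not in global_cmds:
        findings.append('caveat: ip ssh version 2 is not set, so SSHv1 clients are still accepted')
    if not vty_sections:
        findings.append('no line vty section found')
    for name, cmds in vty_sections.items():
        transport = next((c for c in cmds if c.startswith('transport input ')), None)
        if transport is None:
            findings.append(f'steps 5-6: {name} has no explicit transport input')
            continue
        allowed = transport.split()[2:]
        if 'telnet' in allowed or 'all' in allowed:
            findings.append(f'step 5: {name} still accepts Telnet ({transport})')
        if 'ssh' not in allowed and 'all' not in allowed:
            findings.append(f'step 6: {name} does not accept SSH ({transport})')
    return findings


if __name__ == '__main__':
    for label, cfg in (('hardened', HARDENED_CONFIG), ('weak', WEAK_CONFIG)):
        print(label, audit_ssh(cfg) or ['OK'])
```

Run it against a saved show running-config; an empty list means the vty lines match the slide. The check deliberately treats a missing transport input as a finding instead of assuming a default, because the default differs between IOS releases.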

Using Syslog Logging for Network Security

Implementing Log Messaging for Security
Routers should be configured to send log messages to one or more of these:
–Console
–Terminal lines
–Memory buffer
–SNMP traps
–Syslog
Syslog logging is a key security policy component.

Syslog Systems
Syslog server: A host that accepts and processes log messages from one or more syslog clients.
Syslog client: A host that generates log messages and forwards them to a syslog server.

Cisco Log Severity Levels
  Level  Name           Description
  0      Emergencies    Router unusable
  1      Alerts         Immediate action required
  2      Critical       Condition critical
  3      Errors         Error condition
  4      Warnings       Warning condition
  5      Notifications  Normal but important event
  6      Informational  Informational message
  7      Debugging      Debug message

Log Message Format
  Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 ( )
  Time stamp: Oct 29 10:00:01 EST
  Log message name and severity level: %SYS-5-CONFIG_I (facility SYS, severity 5, mnemonic CONFIG_I)
  Message text: Configured from console by vty0 ( )
(The address in parentheses is missing from the transcript.)
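An added example (not from the Cisco course) that puts the two previous slides to work: a parser for the message layout above (time stamp, %FACILITY-SEVERITY-MNEMONIC, message text) and a filter that keeps exactly what a router configured with logging trap <level> would forward, that is every message whose severity number is at or below the configured level. The log lines are constructed for the example, not captured from a device, and use documentation addresses; the mnemonic EXAMPLE_DEBUG is made up.

```python
"""Parse Cisco IOS log messages and apply a 'logging trap'-style severity cut-off.

Added example, not from the Cisco course. SAMPLE_LOG is constructed.
"""
import re

SEVERITY_NAMES = {0: 'emergencies', 1: 'alerts', 2: 'critical', 3: 'errors',
                  4: 'warnings', 5: 'notifications', 6: 'informational',
                  7: 'debugging'}

# Optional sequence number, optional time stamp, then %FACILITY-SEVERITY-MNEMONIC: text.
LOG_RE = re.compile(
    r'^(?:(?P<seq>\d+): )?'
    r'(?:(?P<stamp>[^%]*?): )?'
    r'%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): '
    r'(?P<text>.*)$')

SAMPLE_LOG = [  # constructed lines in the slide's format
    'Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)',
    'Oct 29 10:00:07 EST: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down',
    'Oct 29 10:00:12 EST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.77(40123) -> 192.0.2.1(22), 1 packet',
    'Oct 29 10:00:15 EST: %SYS-7-EXAMPLE_DEBUG: debug output (constructed mnemonic)',
    'Oct 29 10:00:20 EST: %SYS-5-RELOAD: Reload requested by admin on vty0 (192.0.2.10)',
    'Router#show clock',  # not a log message; the parser must skip it
]


def parse_log(line):
    """Return a dict (seq, stamp, facility, severity, severity_name, mnemonic, text)
    for a Cisco log message, or None for a line that is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    msg = m.groupdict()
    msg['severity'] = int(msg['severity'])
    msg['severity_name'] = SEVERITY_NAMES[msg['severity']]
    return msg


def filter_by_trap_level(lines, level):
    """Keep what a router with 'logging trap <level>' forwards to the syslog host:
    messages whose severity number is <= level (a lower number is more severe)."""
    kept = []
    for line in lines:
        msg = parse_log(line)
        if msg is not None and msg['severity'] <= level:
            kept.append(msg)
    return kept


if __name__ == '__main__':
    # 'logging trap informational' (level 6) drops only the debugging message.
    for msg in filter_by_trap_level(SAMPLE_LOG, 6):
        print(f"{msg['stamp']} {msg['facility']}-{msg['severity_name']}: {msg['text']}")
```

The same parser is the starting point for the "important versus routine" question on the planning slide: filtering on facility and mnemonic (for example every CONFIG_I and every SEC-6-IPACCESSLOGP hit) separates configuration changes and ACL denies from link flaps before they reach an analyst.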

Configuring Syslog Logging

Configuring Syslog
  Router(config)# logging [host-name | ip-address]
    1. Sets the destination logging host
  Router(config)# logging trap level
    2. (Optional) Sets the log severity (trap) level
  Router(config)# logging facility facility-type
    3. (Optional) Sets the syslog facility

Configuring Syslog (Cont.)
  Router(config)# logging source-interface interface-type interface-number
    4. (Optional) Sets the source interface
  Router(config)# logging on
    5. Enables logging

Syslog Implementation Example
  R3(config)#logging
  R3(config)#logging trap informational
  R3(config)#logging source-interface loopback 0
  R3(config)#logging on
(The syslog host address after logging is missing from the transcript.)
Two practical points: logging trap informational forwards severities 0 through 6 and drops only debugging messages; and syslog to a remote host is cleartext UDP with no authentication, so the collector belongs on the OOB or IPsec-protected management path from the guidelines slide, and messages should carry clock-synchronized time stamps (service timestamps log datetime msec, with NTP configured as shown later in this lesson) so they can be correlated across devices.

SNMP Version 3

SNMPv1 and SNMPv2 Architecture
The SNMP NMS asks agents embedded in network devices for information, or tells the agents to do something.

Community Strings
Used to authenticate messages between a management station and an SNMPv1 or SNMPv2 engine:
–Read-only community strings can get information, but cannot set information in an agent.
–Read-write community strings can get and set information in the agent.
Having read-write access is like having the enable password for the device. Community strings are sent in cleartext, so anyone who can capture the traffic can reuse them.

SNMP Security Models and Levels
  Model  Level         Authentication    Encryption  What Happens
  v1     noAuthNoPriv  Community string  No          Authenticates with a community string match
  v2c    noAuthNoPriv  Community string  No          Authenticates with a community string match
  v3     noAuthNoPriv  Username          No          Authenticates with a username
  v3     authNoPriv    MD5 or SHA        No          Provides HMAC-MD5 or HMAC-SHA authentication
  v3     authPriv      MD5 or SHA        DES         Provides HMAC-MD5 or HMAC-SHA authentication plus DES 56-bit encryption based on the CBC-DES (DES-56) standard
Definitions:
–Security model: a security strategy used by the SNMP agent.
–Security level: the permitted level of security within a security model.

SNMPv3 Architecture

SNMPv3 Operational Model

SNMPv3 Features and Benefits
Features:
–Message integrity: Ensures that a packet has not been tampered with in transit.
–Authentication: Determines that the message is from a valid source.
–Encryption: Scrambles the contents of a packet to prevent it from being seen by an unauthorized source.
Benefits:
–Data can be collected securely from SNMP devices without fear of the data being tampered with or corrupted.
–Confidential information, such as SNMP Set command packets that change a router configuration, can be encrypted to prevent its contents from being exposed on the network.

Configuring an SNMP Managed Node

SNMPv3 Configuration Task List
Cisco IOS SNMPv3 server configuration tasks:
1. Configuring the SNMP-server engine ID
2. Configuring the SNMP-server group names
3. Configuring the SNMP-server users
4. Configuring the SNMP-server hosts

Configuring the SNMP-Server Engine ID
  Router(config)# snmp-server engineID [local engineid-string] | [remote ip-address udp-port port-number engineid-string]
    Configures names for both the local and remote SNMP engine (or copy of SNMP) on the router
  PR1(config)#snmp-server engineID local 1234

Configuring the SNMP-Server Group Names
  Router(config)# snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
    Configures a new SNMP group, or a table that maps SNMP users to SNMP views
  PR1(config)#snmp-server group johngroup v3 auth
  PR1(config)#snmp-server group billgroup v3 priv

Configuring the SNMP-Server Users
  Router(config)# snmp-server user username groupname [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} [access access-list]
    Configures a new user in an SNMP group
  PR1(config)#snmp-server group johngroup v3 auth
  PR1(config)#snmp-server group billgroup v3 priv
  PR1(config)#snmp-server user John johngroup v3 auth md5 john2passwd
  PR1(config)#snmp-server user Bill billgroup v3 auth md5 bill3passwd priv des56 password2

Configuring the SNMP-Server Hosts
  Router(config)# snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
    Configures the recipient of an SNMP trap operation.
  PR1(config)#snmp-server engineID remote
  PR1(config)#snmp-server user bill billgroup remote v3
  PR1(config)#snmp-server group billgroup v3 noauth
  PR1(config)#snmp-server enable traps
  PR1(config)#snmp-server host inform version 3 noauth bill
  PR1(config)#snmp-server manager
(The manager's address after engineID remote, user ... remote and host is missing from the transcript.) The remote engine ID and the remote user are configured before the host because an inform is acknowledged by the manager's own SNMP engine, and a v3 user's keys are localized to the engine ID they are used with.

SNMPv3 Configuration Example
  Trap_sender(config)#snmp-server group snmpgroup v3 auth
  Trap_sender(config)#snmp-server group snmpgroup v3 priv
  Trap_sender(config)#snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encryptpassword
  Trap_sender(config)#snmp-server enable traps cpu
  Trap_sender(config)#snmp-server enable traps config
  Trap_sender(config)#snmp-server enable traps snmp
  Trap_sender(config)#snmp-server host traps version 3 priv snmpuser
  Trap_sender(config)#snmp-server source-interface traps loopback 0
  Walked_device(config)#snmp-server group snmpgroup v3 auth
  Walked_device(config)#snmp-server group snmpgroup v3 priv
  Walked_device(config)#snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encryptpassword
(The trap receiver's address after snmp-server host is missing from the transcript.) MD5 and DES-56 are the only algorithms this syntax offers; where the image supports them, prefer sha for authentication and priv aes 128 instead of des56, and give the authentication and privacy passwords different values as the example does.
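An added example (not from the Cisco course) that ties the engine-ID and user slides together: the password typed after auth md5 or priv des56 is never used as the key. RFC 3414 first stretches it into Ku by hashing one mebibyte of the repeated password, then localizes it with the agent's snmpEngineID, so the same password produces a different key on every engine, which is why a v3 inform needs the remote engine ID configured before the remote user. The code reproduces that derivation, the HMAC-96 authentication tag of an authNoPriv message, and the DES key split used by des56. The test vectors are the ones published in RFC 3414 Appendix A.3 ("maplesyrup", engine ID 00...02); OTHER_ENGINE_ID is a made-up value.

```python
"""SNMPv3 USM key derivation (RFC 3414): password -> Ku -> engine-localized Kul.

Added example, not from the Cisco course. OTHER_ENGINE_ID is constructed.
"""
import hashlib
import hmac

ONE_MEBIBYTE = 1048576


def password_to_ku(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: hash the password repeated (and truncated) to exactly 1 MiB."""
    full, rem = divmod(ONE_MEBIBYTE, len(password))
    return hashlib.new(hash_name, password * full + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = 'md5') -> bytes:
    """The key an agent actually stores for an authNoPriv / authPriv user."""
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


def auth_tag(kul: bytes, whole_msg: bytes, hash_name: str = 'md5') -> bytes:
    """msgAuthenticationParameters for HMAC-MD5-96 / HMAC-SHA-96 (RFC 3414 6.3, 7.3):
    HMAC over the serialized message (with its 12 authentication octets zeroed)
    under the localized key, truncated to 12 octets."""
    return hmac.new(kul, whole_msg, hash_name).digest()[:12]


def des_priv_key_and_preiv(kul: bytes) -> tuple:
    """For 'priv des56' the first 8 octets of the localized privacy key are the
    DES key and the next 8 the pre-IV (RFC 3414 8.1.1.1)."""
    return kul[:8], kul[8:16]


# RFC 3414 Appendix A.3 test vector inputs.
RFC_PASSWORD = b'maplesyrup'
RFC_ENGINE_ID = bytes.fromhex('000000000000000000000002')
# Constructed 12-octet engine ID of a second agent (value is made up).
OTHER_ENGINE_ID = bytes.fromhex('800000090300aabbccddeeff')


if __name__ == '__main__':
    for algo in ('md5', 'sha1'):
        print(algo, 'Ku  =', password_to_ku(RFC_PASSWORD, algo).hex())
        print(algo, 'Kul =', localized_key(RFC_PASSWORD, RFC_ENGINE_ID, algo).hex())
        print(algo, 'Kul on the other engine =',
              localized_key(RFC_PASSWORD, OTHER_ENGINE_ID, algo).hex())
```

Two consequences for the configurations above: a manager that learns an agent's engine ID (it is sent in cleartext in the discovery exchange) still cannot derive Kul without the password, but an attacker who obtains one localized key only gets that one engine; and because the localization is just a hash, a short or reused password is the weak point, not the engine ID.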

Configuring NTP Client

Understanding NTP
–NTP is used to synchronize the clocks in the entire network.
–The system clock is set from the battery-backed hardware calendar during bootup.
–The system clock can then be modified manually or via NTP.
–NTP runs over UDP port 123; the current version is 4.
–At the time of this course only NTP versions up to 3 were documented in RFCs (NTPv4 was later published as RFC 5905).
–Stratum describes how many NTP hops away a machine is from an authoritative time source.
–NTP establishes associations to synchronize time.

Configuring NTP Authentication
  Router(config)# ntp authenticate
    Enables the authentication feature
  Router(config)# ntp authentication-key number md5 value
    Defines the authentication keys; used for both peer and server associations
  Router(config)# ntp trusted-key key-number
    Defines the trusted authentication keys; required to synchronize to a system (server association)
  R1(config)#ntp authenticate
  R1(config)#ntp authentication-key 1 md5 NeVeRgUeSs
  R1(config)#ntp trusted-key 1

Configuring NTP Associations
  Router(config)# ntp server {ip-address | hostname} [version number] [key keyid] [source interface] [prefer]
    Forms a server association with another system
  Router(config-if)# ntp broadcast client
    Receives NTP broadcast packets
  R1(config)#ntp server key 1
  R1(config)#ntp server key 2 prefer
  R1(config)#interface Fastethernet 0/1
  R1(config-if)#ntp broadcast client
(The server addresses after ntp server are missing from the transcript.) A broadcast client accepts time from any sender on the segment unless ntp authenticate and a trusted key are configured, so the authentication slide is not optional in broadcast mode.

Configuring Additional NTP Options
  Router(config)# ntp access-group {query-only | serve-only | serve | peer} access-list-number
    Controls NTP message exchange
  Router(config)# ntp source interface
    Modifies the source IP address of NTP packets
  R1(config)#access-list 1 permit host
  R1(config)#ntp access-group peer 1
  R1(config)#ntp source loopback 0
(The host address in the access list is missing from the transcript.)

Configuring NTP Server

Implementing NTP Server
–Cisco IOS routers work as an NTP server by default.
–As soon as a router is synchronized to an authoritative time source, it will allow systems further from that source (a higher stratum number) to synchronize to it:
  –Requires an association (server or peer)
–You can make a router an authoritative NTP server, even if the system is not synchronized to an outside time source.
–Two options to establish a peer association:
  –Unicast
  –Broadcast
–Same exchange control methods as with the client:
  –Packet authentication
  –Access group filtering

Configuring NTP Server
  Router(config)# ntp master [stratum]
    Makes the system an authoritative NTP server
  Router(config)# ntp peer ip-address [normal-sync] [version number] [key keyid] [source interface] [prefer]
    Forms a peer association with another system
  Router(config-if)# ntp broadcast [version number] [destination address] [key keyid]
    Configures an interface to send NTP broadcast packets
  R2(config)#ntp peer key 1
  R2(config)#ntp master 3
  R2(config)#interface Fastethernet0/0
  R2(config-if)#ntp broadcast

NTP Configuration Example
  Source(config)#ntp master 5
  Source(config)#ntp authentication-key 1 md5 secretsource
  Source(config)#ntp peer key 1
  Source(config)#ntp source loopback 0
  Intermediate(config)#ntp authentication-key 1 md5 secretsource
  Intermediate(config)#ntp authentication-key 2 md5 secretclient
  Intermediate(config)#ntp trusted-key 1
  Intermediate(config)#ntp server
  Intermediate(config)#ntp source loopback 0
  Intermediate(config)#interface Fastethernet0/0
  Intermediate(config-if)#ntp broadcast
  Client(config)#ntp authentication-key 1 md5 secretclient
  Client(config)#ntp trusted-key 1
  Client(config)#interface Fastethernet0/1
  Client(config-if)#ntp broadcast client
(The peer and server addresses are missing from the transcript.) Note that the key number travels inside the NTP packet, so both ends must hold the same secret under the same key number, and keys are only enforced once ntp authenticate is configured; as written, the example defines keys on all three systems but turns enforcement on none of them.
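An added example (not from the Cisco course) of the mechanism the NTP authentication slides configure. NTP symmetric-key authentication appends a 4-byte key ID and an MD5 digest computed over the key followed by the 48-byte NTP header (RFC 1305, carried into RFC 5905); the receiver looks the key ID up in its own key table, which is what ntp authentication-key and ntp trusted-key populate, and ntp authenticate makes it reject packets that carry no trusted, valid authenticator. The key table and the transmit time are constructed; key 1 reuses the value shown on the authentication slide and key 2 the client key from the example above.

```python
"""NTP symmetric-key (MD5) packet authentication: build, sign and verify.

Added example, not from the Cisco course. TRUSTED_KEYS and the transmit
time are constructed.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16                  # key ID + MD5 digest
NTP_EPOCH_OFFSET = 2208988800     # seconds from 1900-01-01 to the Unix epoch

# Constructed key table, in the shape of 'ntp authentication-key <n> md5 <value>'
# with 'ntp trusted-key <n>' for each entry.
TRUSTED_KEYS = {1: b'NeVeRgUeSs', 2: b'secretclient'}


def ntp_timestamp(unix_seconds: float) -> int:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def build_client_header(version: int = 3, transmit_unix: float = 1161165601.0) -> bytes:
    """LI=0, VN=version, mode=3 (client); stratum/root fields zero, poll 6,
    precision -20, only the transmit timestamp populated."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    header = struct.pack('!BBbb', li_vn_mode, 0, 6, -20)   # flags, stratum, poll, precision
    header += struct.pack('!IIi', 0, 0, 0)                   # root delay, root dispersion, reference ID
    header += struct.pack('!QQQQ', 0, 0, 0, ntp_timestamp(transmit_unix))
    assert len(header) == NTP_HEADER_LEN
    return header


def compute_digest(key: bytes, header: bytes) -> bytes:
    """NTP MD5 authenticator: MD5(key || first 48 octets of the packet)."""
    return hashlib.md5(key + header[:NTP_HEADER_LEN]).digest()


def sign_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the authenticator a router configured with 'key <key_id>' sends."""
    return header + struct.pack('!I', key_id) + compute_digest(key, header)


def verify_packet(packet: bytes, trusted_keys: dict) -> bool:
    """Accept only an authenticated packet whose key ID is trusted and whose
    digest matches. An unauthenticated 48-byte packet is rejected, which is
    the behaviour 'ntp authenticate' enforces."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack('!I', packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(packet[NTP_HEADER_LEN + 4:], compute_digest(key, header))


def tamper_stratum(packet: bytes, stratum: int) -> bytes:
    """Rewrite the stratum byte without touching the MAC (an on-path edit)."""
    return packet[:1] + bytes([stratum]) + packet[2:]


if __name__ == '__main__':
    pkt = sign_packet(build_client_header(), 1, TRUSTED_KEYS[1])
    print('genuine      :', verify_packet(pkt, TRUSTED_KEYS))
    print('tampered     :', verify_packet(tamper_stratum(pkt, 1), TRUSTED_KEYS))
    print('untrusted key:', verify_packet(sign_packet(build_client_header(), 3, b'x'), TRUSTED_KEYS))
```

The digest protects integrity and origin only; the packet itself is still readable, and the secret must be distributed to every peer out of band, which is why the guidelines slide pairs NTP with IPsec or an OOB path rather than treating authentication as sufficient on its own.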

Summary
–Since OOB management provides higher levels of security and performance than in-band, the decision to use an in-band solution must be considered carefully.
–Management communications should use SSH rather than Telnet.
–Implementing a router logging facility is an important part of any network security policy.
–Syslog is implemented on your Cisco router using syslog router commands.
–Network management will be greatly enhanced by implementing the security features of SNMPv3 rather than earlier versions.
–Cisco IOS SNMPv3 server configuration tasks include configuring the SNMP-server engine ID, group names, users, and hosts.
–Cisco routers can be configured as NTP servers or clients.
–Packet authentication and filtering should be used to protect NTP exchanges.