© 2006 Cisco Systems, Inc. All rights reserved. SND v2.02-1 Securing the Perimeter Implementing Secure Management and Reporting.

Transcript:

Securing the Perimeter: Implementing Secure Management and Reporting

Outline
–Overview
–Secure Management and Reporting Planning Considerations
–Secure Management and Reporting Architecture
–Using Syslog Logging for Network Security
–Using Logs to Monitor Network Security
–Using SNMPv3
–Configuring an SSH Server for Secure Management and Reporting
–Enabling Management Features
–Summary

Considerations for Secure Management and Reporting
–What are the most important logs?
–How are important messages separated from routine notifications?
–How do you prevent tampering with logs?
–How do you ensure that time stamps match?
–What log data is needed in criminal investigations?
–How do you deal with the volume of log messages?
–How do you manage all the devices?
–How can you track changes when attacks or network failures occur?

Secure Management and Reporting: Architectural Perspective
[Figure: management architecture. Elements shown: Syslog Server, Access Control Server, SNMP Server, System Administrator Host, Terminal Server (connected to all device console ports), Cisco IOS Firewall with VPN, Protected Management Network (behind firewall), OOB Network Management, Encrypted In-Band Network Management (VPN), Production Network.]
–In-band management
–Out-of-band (OOB) management

Secure Management and Reporting: Architectural Perspective (Cont.)
[Figure: same management architecture as the previous slide, annotated with the security functions of each part.]
–OOB configuration management
–Stateful packet filtering and IPsec termination for management
–Private VLANs
–Configuration and content management (SSH if possible)

In-Band Management Considerations
–What management protocols does each device support?
–Does the management channel need to be active at all times?
–Do you really need this management tool?
–Is there a change management policy or plan in place?

Secure Management and Reporting: General Guidelines
OOB management guidelines:
–Provide the highest level of security and mitigate the risk of passing insecure management protocols over the production network
–Keep clocks on hosts and network devices synchronized
–Record changes and archive configurations
In-band management guidelines:
–Apply only to devices needing to be managed or monitored
–Use IPsec when possible
–Use SSH or SSL
–Decide whether the management channel needs to be open at all times
–Keep clocks on hosts and network devices synchronized
–Record changes and archive configurations

Implementing Log Messaging for Security
Routers should be configured to send log messages to one or more of these destinations:
–Console
–Terminal lines
–Buffered logging
–SNMP traps
–Syslog
Syslog logging is a key security policy component.

Syslog Systems
A syslog server is a host that accepts and processes log messages from one or more syslog clients.
A syslog client is a host that generates log messages and forwards them to a syslog server.
[Figure: router R3 (interfaces e0/…) connecting a Protected LAN (/24) and a DMZ LAN (/24). Hosts shown: User, Public Web Server, Mail Server, Administrator Server, Syslog Server. R3 acts as the syslog client; the Syslog Server on the protected LAN receives its messages.]

Cisco Log Severity Levels

Level  Name           Description
0      Emergencies    Router unusable
1      Alerts         Immediate action required
2      Critical       Condition critical
3      Errors         Error condition
4      Warnings       Warning condition
5      Notifications  Normal but important event
6      Informational  Informational message
7      Debugging      Debug message

Log Message Format

  Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 ( )

–Time stamp: Oct 29 10:00:01 EST
–Log message name and severity level: %SYS-5-CONFIG_I (facility SYS, severity 5, mnemonic CONFIG_I)
–Message text: Configured from console by vty0 ( )
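The two slides above (the severity table and the message format) describe exactly what a collector has to pull apart before it can answer the earlier question "how are important messages separated from routine notifications?". The following Python is an added example, not part of the Cisco course material: it parses Cisco IOS-style syslog lines into time stamp, facility, severity, mnemonic and text, then filters by severity. The sample log lines are constructed for the example (addresses from the 192.0.2.0/24 documentation range); the optional leading sequence number is an assumption about what `service sequence-numbers` prepends.

```python
import re
from typing import Optional

# Cisco IOS syslog severity levels (0 = most severe), as in the slide table.
SEVERITY_NAMES = {
    0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
    4: "Warnings", 5: "Notifications", 6: "Informational", 7: "Debugging",
}

# Shape: [seqno: ]<timestamp>: %FACILITY-SEVERITY-MNEMONIC: message text
# The time stamp is taken as free-form text up to the ": %" marker (assumption).
_IOS_MSG = re.compile(
    r"^(?:\d+:\s+)?(?P<timestamp>.*?):\s+%"
    r"(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<text>.*)$"
)

# Constructed sample lines in the slide's format (not captured from a real device).
SAMPLE_LOG = [
    "Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)",
    "Oct 29 10:00:07 EST: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to down",
    "Oct 29 10:00:09 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down",
    "Oct 29 10:01:30 EST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.55] [localport: 22]",
    "000120: Oct 29 10:02:00 EST: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.5 started - CLI initiated",
    "not a syslog line at all",
]


def parse_ios_syslog(line: str) -> Optional[dict]:
    """Split one IOS log line into its fields; return None if it is not a syslog message."""
    m = _IOS_MSG.match(line.strip())
    if not m:
        return None
    sev = int(m.group("severity"))
    return {
        "timestamp": m.group("timestamp"),
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def messages_at_or_above(lines, max_level: int) -> list:
    """Keep messages at severity max_level or more severe (numerically <= max_level).

    Passing 4 keeps Warnings and worse, which is the usual cut for an alert queue;
    Notifications (5) and below stay in the routine stream."""
    out = []
    for line in lines:
        parsed = parse_ios_syslog(line)
        if parsed and parsed["severity"] <= max_level:
            out.append(parsed)
    return out


def count_by_severity(lines) -> dict:
    """Histogram of severity level -> number of messages, useful for volume planning."""
    counts = {}
    for line in lines:
        parsed = parse_ios_syslog(line)
        if parsed:
            counts[parsed["severity"]] = counts.get(parsed["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for msg in messages_at_or_above(SAMPLE_LOG, 4):
        print(f"{msg['severity_name']:<14} {msg['facility']}-{msg['mnemonic']}: {msg['text']}")
    print(count_by_severity(SAMPLE_LOG))
```

Note that the filter compares numerically, so a lower number means a more severe message; feeding the parsed dictionaries to a SIEM or an alerting rule keyed on facility and mnemonic (for example every `SEC_LOGIN` failure) is the natural next step.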

Using Logs to Monitor Network Security
1. Choose Monitor.
2. Choose a level from the Select a Logging Level to View drop-down menu.
3. Monitor network security using the log entries shown in this window.

SNMPv1 and SNMPv2 Architecture
The SNMP NMS asks agents embedded in network devices for information or tells the agents to do something. Agents can send unsolicited traps to the NMS to report an event such as an interface that has gone down.
[Figure: NMS on one side, Managed Node with SNMP Agent on the other; Gets and Sets flow from the NMS to the agent, a Trap flows from the agent to the NMS. Caption: "SNMP: Security Is Not My Problem".]

Community Strings
Used to authenticate messages between a management station and an SNMPv1 or SNMPv2c engine:
–Read-only community strings can get information but cannot set information in an agent.
–Read-write community strings can get and set information in the agent.
Set access is equivalent to having the enable password for a device.

SNMP Security Models and Levels
Definitions
–Security model: A security strategy used by the SNMP agent
–Security level: The permitted level of security within a security model

Model    Level         Authentication    Encryption  What Happens
SNMPv1   noAuthNoPriv  Community string  No          Authenticates with a community string match
SNMPv2c  noAuthNoPriv  Community string  No          Authenticates with a community string match
SNMPv3   noAuthNoPriv  Username          No          Authenticates with a username
SNMPv3   authNoPriv    MD5 or SHA        No          Provides HMAC-MD5 or HMAC-SHA algorithms for authentication
SNMPv3   authPriv      MD5 or SHA        DES         Provides HMAC-MD5 or HMAC-SHA algorithms for authentication; provides DES 56-bit encryption in addition to authentication, based on the CBC-DES (DES-56) standard
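The authNoPriv and authPriv rows are where SNMPv3 stops being "a community string match". The following Python is an added example, not part of the Cisco course material, showing the user-based security model key handling from RFC 3414 Appendix A: the user's password is expanded to 1 MiB and hashed into a master key Ku, that key is localized to one agent by hashing it with the agent's snmpEngineID, and the localized key Kul is what the HMAC-MD5-96 or HMAC-SHA-96 authentication parameter is computed with. The password, the engine ID `000000000000000000000002` and the expected key values are the RFC 3414 test vectors; the second engine ID and the sample message are constructed for the example.

```python
import hashlib
import hmac

MEGABYTE = 1048576  # RFC 3414 A.2: password is repeated to exactly 1,048,576 bytes


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku = H(password repeated to 1 MiB). hash_name is 'md5' or 'sha1' (RFC 3414 usmHMAC*AuthProtocol)."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (MEGABYTE // len(password) + 1))[:MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the per-agent key the agent stores."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_parameter(kul: bytes, message: bytes, hash_name: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the first 12 bytes of the HMAC over the whole message."""
    return hmac.new(kul, message, hash_name).digest()[:12]


def verify_auth_parameter(kul: bytes, message: bytes, received: bytes, hash_name: str) -> bool:
    """Constant-time check of a received authentication parameter."""
    return hmac.compare_digest(auth_parameter(kul, message, hash_name), received)


# RFC 3414 Appendix A.3 test vector inputs.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed second engine ID (not from the RFC) to show that localized keys differ per agent.
OTHER_ENGINE_ID = bytes.fromhex("800000090300001122334455")


def localized_keys(password: bytes, engine_id: bytes) -> dict:
    """Return the MD5 and SHA localized keys for one agent, hex-encoded."""
    out = {}
    for name in ("md5", "sha1"):
        ku = password_to_key(password, name)
        out[name] = localize_key(ku, engine_id, name).hex()
    return out


if __name__ == "__main__":
    keys_a = localized_keys(RFC_PASSWORD, RFC_ENGINE_ID)
    keys_b = localized_keys(RFC_PASSWORD, OTHER_ENGINE_ID)
    print("Kul (RFC engine):  ", keys_a)
    print("Kul (other engine):", keys_b)
    msg = b"constructed SNMPv3 message bytes with a zeroed msgAuthenticationParameters field"
    tag = auth_parameter(bytes.fromhex(keys_a["sha1"]), msg, "sha1")
    print("HMAC-SHA-96 auth parameter:", tag.hex())
```

The localization step is the defensive point: each agent holds only its own Kul, so a key recovered from one device's configuration does not authenticate the manager to any other device, even though the administrator typed the same password for all of them. The authPriv level adds CBC-DES on top of this using a privacy key derived the same way.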

SNMPv3 Architecture
[Figure: NMS exchanging SNMPv3 messages with a Managed Node; the messages are labelled "DES Encryption".]
–Transmissions from manager to agent may be authenticated to guarantee the identity of the sender and the integrity and timeliness of a message.
–SNMPv3 messages may be encrypted to ensure privacy.
–The agent may enforce access control to restrict each principal to certain actions on certain portions of its data.

SNMPv3 Operational Model
[Figure: a Network Management Station (SNMP entity containing the SNMP Manager and SNMP Application) communicating with three Managed Nodes, each an SNMP entity containing an SNMP Agent and a MIB.]

Configuring an SSH Server for Secure Management and Reporting

  Austin2# config t
  Austin2(config)# ip domain-name cisco.com
  Austin2(config)# crypto key zeroize rsa
  Austin2(config)# crypto key generate rsa general-keys modulus 1024
  Sept 22 13:20:45: %SSH-5-ENABLED: SSH 1.5 has been enabled
  Austin2(config)# ip ssh timeout 120
  Austin2(config)# ip ssh authentication-retries 4
  Austin2(config)# line vty 0 4
  Austin2(config-line)# no transport input telnet
  Austin2(config-line)# transport input ssh
  Austin2(config-line)# end
  Austin2#

1. Configure the IP domain name.
2. Set the existing RSA keys to zero.
3. Generate the RSA keys.
4. Configure the SSH timeout interval.
5. Configure the SSH retries.
6. Disable vty inbound Telnet sessions.
7. Enable vty inbound SSH sessions.

Enabling Syslog Logging with Cisco SDM
Configure > Additional Tasks > Router Properties > Logging > Edit…
1. Choose Configure.
2. Choose Additional Tasks.
3. Choose Router Properties.
4. Choose Logging.
5. Choose Edit.
6. Choose Add….
7. Enter a value in the IP Address/Hostname field.

Enabling SNMP with Cisco SDM
1. Choose Configure.
2. Choose Additional Tasks.
3. Choose Router Properties.
4. Choose SNMP.
5. Confirm that the Enable SNMP check box is checked.
6. Click Edit.
7. Click Add….
8. Enter a value in the Community String field.

Enabling NTP with Cisco SDM
1. Choose Configure.
2. Choose Additional Tasks.
3. Choose Router Properties.
4. Choose NTP/SNTP.
5. Choose Add….
6. Enter a value in the NTP Server IP address field.

Enabling SSH with Cisco SDM
1. Choose Configure.
2. Choose Additional Tasks.
3. Choose Router Access.
4. Choose SSH.
5. Choose Generate RSA Key.

Summary
–There are a number of factors that must be considered before configuring logging on Cisco routers.
–Since OOB management architectures provide higher levels of security and performance than in-band architectures, the decision to use an in-band solution must be considered carefully.
–Syslog is implemented on your Cisco router using syslog router commands.
–Implementing a router logging facility is an important part of any network security policy.
–Network management will be greatly enhanced by implementing the security features of SNMPv3 rather than earlier versions.
–Management communications should use SSH rather than Telnet.
–Logging, SNMP, and NTP can be configured from the Router Properties menu under the Additional Tasks option in Cisco SDM.
