Part 11: Securing the Management Plane on Cisco IOS Devices


In this article we will discover how to secure the Management Plane on Cisco IOS devices, in the following steps:

1. Securing Management Traffic
— Management Plane Best Practices
— Options for Storing Usernames, Passwords, and Access Rules
— Limiting the Administrator by Assigning a View
— Using Logging Files
2. Implementing Security Measures to Protect the Management Plane
— Implementing Strong Passwords
— User Authentication with AAA
— RBAC Privilege Level/Parser View
— Implementing Parser Views
— SSH and HTTPS
— Implementing Logging Features
— SNMP Features
— Configuring NTP
— Secure Copy Protocol
— Securing the Cisco IOS Image and Configuration Files
Summary

1. Securing Management Traffic

When you are in front of a big topology, the first question you ask is: where do I begin? So first we need to classify, describe, and identify the vulnerabilities that exist. The management plane covers how we connect to the devices we manage and with which privilege, who can access the system and what they can do. The management plane also includes how event messages sent to or from switches/routers are maintained.
One of the best solutions to manage our devices is a rollover cable (console access), but in a huge topology that is not practical. The best solution is to configure the devices for remote management: fix a specific IP address for management, secure access with passwords, and ensure that the management traffic is encrypted.

- Management Plane Best Practices

We already talked about best practices in the last article; here we will mention a few more points:

+ Login password retry lockout: we need to set a fixed number of failed login attempts, after which the account is locked out automatically.

+ Encrypted management protocols: every management task must use an encrypted protocol such as SSH or HTTPS, or an out-of-band (OOB) path, and there should be a completely separate network for management and for end devices.

+ Logging and monitoring: logging must include not only users’ configuration changes but also the system events generated by the devices. Our plan should state the log level we need, classify the most important information, and define what should not be logged. We must also allocate sufficient space to save the logs: we can use a log server that collects all the log files in the network, ensure that logs sent across the network are encrypted, and use a different server, in the cloud for example, to keep a copy that no one can change or modify.

+ Secure system files: we must ensure that no one can delete the configuration or the IOS image of our network devices; if the configuration or the IOS image is not found, the device will not work. “Cisco offers a resilient configuration feature. This feature maintains a secure working copy of the router IOS image and the startup configuration files at all times. Once enabled, the administrator cannot disable the features remotely (only if he is connected directly). The secure files are referred to as a secure boot set.” [Cisco Book]

- Options for Storing Usernames, Passwords, and Access Rules

There are many options to store this information, such as an AAA service (an ACS server, a RADIUS server, or a TACACS+ server). They all provide the same type of function: storing usernames, passwords, and rules. We can use this service to authorize users connecting to our network through a VPN: we authenticate those users, then authorize them to access specific devices and give them the privileges they need. We can also use it to authenticate users accessing routers and give them the right privilege level for management (an EXEC shell for administrators, for example).

- Limiting the Administrator by Assigning a View

By assigning a view we can limit the privileges of users: we can grant a user a specific set of commands and revoke the others.

- Using Logging Files

Log files are important to investigate attacks and configuration problems, and Cisco IOS provides several destinations for log messages:

+ Console: log messages are sent to the device attached to the console port.
+ vty lines: log messages are sent to a remote terminal (over SSH, for example); the terminal monitor command must be run so that users connected on that vty line can see the log messages.
+ Buffer: the two destinations above do not save the log messages; we can store them in the device memory, which is called the buffer.
+ SNMP server: routers/switches/servers on the network send log messages to the SNMP server.
+ Syslog servers: log messages can be sent directly to one or more Syslog servers.

Let’s have an idea about the Syslog severity levels:

[Figure: Syslog severity levels table; the image and its source link are not reproduced here]

2. Implementing Security Measures to Protect the Management Plane

- Implementing Strong Passwords

In this part we will mention the configuration commands:

R(config)#username Peerlyst secret P4ssw0rd$ (this secret is hashed with MD5 and then stored)

- For line console:

R(config)#line console 0
R(config-line)#password P4ssw0rd$
R(config-line)#login
R(config-line)#exit

- For vty line (telnet or ssh):

R(config)#line vty 0 9
R(config-line)#password P4ssw0rd$
R(config-line)#login
R(config-line)#exit

- For aux line:

R(config)#line aux 0
R(config-line)#no exec
R(config-line)#password P4ssw0rd$
R(config-line)#login
R(config-line)#exit

- Encrypt the plain text passwords:

R(config)#service password-encryption

- Show command:

R(config)#do show run | begin line

- User Authentication with AAA

In this part we will talk about how to enable the AAA service with method lists that limit user privileges:

- Enable aaa feature:

R(config)# aaa new-model

- Set the TACACS+ server and key:

R(config)#tacacs-server host 1.1.1.1
R(config)#tacacs-server key P4ssw0rd$

- Authenticate the user first against the local database, then against the enable secret:

R(config)#aaa authentication login default local enable

- Authenticate users with the method list MYLIST first against the TACACS+ server, then the local database, and finally the enable secret:

R(config)#aaa authentication login MYLIST group tacacs+ local enable

- Authorization method list for commands at privilege level 15 (privileged EXEC mode):

R(config)#aaa authorization commands 15 TAC15 group tacacs+ local

- Accounting that records the commands issued at level 15:

R(config)#aaa accounting commands 15 TAC-acc start-stop group tacacs+

- Create a local user on the router in case the TACACS+ server is unreachable (the method lists fall back to the local database):

R(config)#username admin privilege 15 secret ziJ@D7dk(éAJ8

- Apply the method lists created above to the vty lines:

R(config)#line vty 0 4
R(config-line)#login authentication MYLIST
R(config-line)#authorization commands 15 TAC15
R(config-line)#accounting commands 15 TAC-acc

- Enable logging to the buffer (up to level 7, debugging) and clear the log:

R(config)#logging buffered 7
R(config)#end
R#clear logging

- Enable debugging to troubleshoot AAA on Cisco routers:

R#debug aaa authentication
R#debug aaa authorization
R#debug aaa accounting

- To see which users are connected:

R>who

- RBAC Privilege Level/Parser View

We can implement RBAC through the AAA service, where the rules are configured on an ACS server and limit what users can do. Let’s see how to create a privilege level and assign commands to it:

- Assign the configure terminal command to privilege level 8 and set a password for that level:

R(config)#privilege exec level 8 configure terminal
R(config)#enable secret level 8 0 Nfez8@ajef
R(config)#end

- Access privilege level 8:

R>enable 8 (now the router will ask us for the level 8 password)

- Assign privilege level 8 to a user:

R(config)#username Hamza privilege 8 secret Password213

- Implementing Parser Views

In this part we will see how to create and work with parser views:

- Set a secret and enable AAA:

R(config)#enable secret Passwd0!
R(config)#aaa new-model
R(config)#end

- Create the view (enable view enters the root view, which is required to define parser views):

R#enable view (after this command you will be asked for the enable secret “Passwd0!”)
R#configure terminal
R(config)#parser view VIEW-1
R(config-view)#secret VIEWdad@ (set the password required to enter the view)
R(config-view)#commands exec include ping
R(config-view)#commands exec include all show
R(config-view)#commands exec include configure
R(config-view)#commands configure include access-lists
R(config-view)#exit
R(config)#exit

- Test the view:

R>enable view VIEW-1

- See which view we are using:

R#show parser view

- Associate a view with a user:

R(config)#username hamza view VIEW-1 secret Passw0rd$

- SSH and HTTPS

When we connect to a device remotely it is better to use an encrypted connection such as HTTPS or SSH. To enable SSH on the router we need the following steps:

- Define a Hostname:

Router(config)#hostname R

- Define a domain name:

R(config)#ip domain-name medium.com

- Create a new crypto key (the two previous steps are required before a key can be generated):

R(config)#crypto key generate rsa

- Create a user:

R(config)#username Hamza secret hamza123

- Configure the vty line:

R(config)#line vty 0 9
R(config-line)#login local

- Now we can connect via SSH and check the SSH sessions:

R#ssh -l Hamza 1.1.1.1
R>show ssh

If we want to use HTTPS we just need to follow this configuration:

- Enable the HTTPS (SSL) server:

R(config)#ip http secure-server

- Set how the user will be authenticated:

R(config)#ip http authentication local

- Implementing Logging Features

Activating Syslog timestamps is simple; we just need to run the following commands:

- First we shut down the interface, then we activate the log timestamps, and finally we bring the interface up again:

R(config)#int fa0/0
R(config-if)#shutdown
R(config-if)#exit
R(config)#service timestamps log datetime
R(config)#int fa0/0
R(config-if)#no shutdown
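As an added example (not from the article and not a Cisco tool), here is a small Python parser for the messages that end up in the logging buffer once service timestamps log datetime is active. It ties together the Syslog severity levels mentioned earlier, the logging buffered 7 threshold from the AAA section, and the timestamp format from this section: it extracts facility, severity, and mnemonic from each line, filters by level the way logging buffered <level> does, tallies failed logins per source address (the data behind the login retry lockout best practice), and flags messages whose timestamp starts with the IOS "clock not authoritative" marker, which is the symptom the NTP section fixes. The sample log lines are constructed for the demonstration; the message layout and the 0 to 7 level names are the standard IOS ones.

```python
import re

# Cisco IOS syslog severity levels, standard numbering (0 is the most severe).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# IOS message layout: [seq: ][*]timestamp: %FACILITY-SEVERITY-MNEMONIC: text
# The timestamp is what 'service timestamps log datetime' adds; a leading '*'
# means the router clock is not authoritative (not yet synchronised via NTP).
MSG_RE = re.compile(
    r"^(?:\d+: )?"
    r"(?:(?P<unsynced>[*.])?(?P<ts>[A-Z][a-z]{2}\s+\d+ [\d:.]+): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Constructed sample buffer contents (not captured from a real device).
SAMPLE_LOG = [
    "*Mar  1 00:00:10.455: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.10)",
    "*Mar  1 00:00:12.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed]",
    "*Mar  1 00:00:13.120: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed]",
    "*Mar  1 00:00:14.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.7] [localport: 22] [Reason: Login Authentication Failed]",
    "*Mar  1 00:00:15.200: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up",
    "*Mar  1 00:00:20.000: %SYS-7-USERLOG_DEBUG: Message from tty0: debug noise",
    "garbage line that is not syslog",
]


def parse_message(line):
    """Return a dict with the message fields, or None if the line is not an IOS syslog message."""
    m = MSG_RE.match(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    return {
        "timestamp": m.group("ts"),
        "clock_unsynced": m.group("unsynced") is not None,
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def filter_by_level(lines, level):
    """Keep messages at or below 'level', as 'logging buffered <level>' does (lower number = more severe)."""
    kept = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and msg["severity"] <= level:
            kept.append(msg)
    return kept


def login_failures_by_source(lines):
    """Count SEC_LOGIN-4-LOGIN_FAILED messages per source address."""
    counts = {}
    for line in lines:
        msg = parse_message(line)
        if msg and msg["facility"] == "SEC_LOGIN" and msg["mnemonic"] == "LOGIN_FAILED":
            src = re.search(r"\[Source: ([^\]]+)\]", msg["text"])
            key = src.group(1) if src else "unknown"
            counts[key] = counts.get(key, 0) + 1
    return counts


def unsynced_clock_count(lines):
    """Number of messages stamped while the clock was not authoritative (no NTP sync)."""
    return sum(1 for line in lines if (parse_message(line) or {}).get("clock_unsynced"))


if __name__ == "__main__":
    for msg in filter_by_level(SAMPLE_LOG, 5):
        print(f'{msg["timestamp"]} {msg["severity_name"]:<14} {msg["facility"]}-{msg["mnemonic"]}')
    print("failed logins per source:", login_failures_by_source(SAMPLE_LOG))
    print("messages with unsynced clock:", unsynced_clock_count(SAMPLE_LOG))
```

Feed it the output of show logging from a device and adjust the level passed to filter_by_level to match what you chose for logging buffered; a high count from unsynced_clock_count means the timestamps cannot be correlated with other systems until NTP is configured.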

- SNMP Features

SNMP (Simple Network Management Protocol) is the most widely used network management protocol. Let’s discover the SNMP components:

+ SNMP manager: also called the Network Management Server (NMS).
+ SNMP agent: runs on the managed device.
+ Management Information Base (MIB): contains the information about the managed device.

The SNMP manager can send requests and receive information; there are three types of SNMP messages:

+ GET: Used to get information from managed devices.
+ SET: Used to set a variable or to trigger an action in a managed device.
+ TRAP: Used by the managed device to notify the SNMP manager about an event.

There is a risk if an attacker gets access to the MIB or sends many SET messages to many devices on the network; some devices ship with two default community strings, “public” for read-only and “private” for read-write. SNMPv1 and v2 tried to correct those vulnerabilities, but the correction is still weak; today SNMPv3 uses the concepts of security model and security level:

+ Security model: defines user and group authentication.
+ Security level: defines the algorithms applied to SNMP packets:
+ noAuthNoPriv: no authentication and no encryption for privacy.
+ authNoPriv: authentication using HMAC-MD5 or HMAC-SHA, no encryption.
+ authPriv: authentication plus encryption using CBC-DES.

For SNMP configuration using CCP please check this LINK. Let’s see the SNMPv3 configuration:

- Configure a read-only community string restricted by access-list 99, plus an SNMPv3 group, user, and trap host:

R(config)#access-list 99 permit 192.168.1.0 0.0.0.255
R(config)#snmp-server group medium-group v3 noauth (activate v3)
R(config)#snmp-server user medium-user medium-group v3
R(config)#snmp-server community mediumRO RO 99
R(config)#snmp-server trap-source Fa0/0 (set the source interface)
R(config)#snmp-server host 192.168.1.2 version 3 noauth medium-user
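As an added example that is not part of the article (nor a Cisco tool), here is a Python audit script that applies the checks from the password, vty/SSH, AAA and SNMP sections above to a running-config excerpt, so that a practitioner can review show running-config output for the weaknesses those sections fix. The config excerpt is constructed for the demonstration and the type 5 hash in it is a placeholder; the checks for transport input ssh on vty lines and for aaa new-model go beyond the configuration shown in the article, and the observation that type 7 (service password-encryption) strings are reversible is standard IOS behaviour, not something the article states.

```python
import re

# Constructed sample running-config excerpt (not captured from a real device). It mixes
# the article's settings with common weak ones so the checks have something to find.
# The type 5 hash below is a placeholder, not a real MD5 digest.
SAMPLE_CONFIG = """\
hostname R
!
enable password cisco
username Peerlyst password 0 P4ssw0rd$
username admin privilege 15 secret 5 $1$PLACEHOLDER$notarealhash
!
line con 0
 password P4ssw0rd$
 login
line vty 0 4
 password 7 0822455D0A16
 login local
 transport input telnet ssh
line vty 5 9
 login local
 transport input ssh
!
snmp-server community public RO
snmp-server community mediumRO RO 99
snmp-server group medium-group v3 noauth
snmp-server group ops-group v3 priv
"""

# A constructed excerpt that passes every check (for comparison).
CLEAN_CONFIG = """\
hostname R
aaa new-model
service password-encryption
line vty 0 4
 login local
 transport input ssh
"""


def parse_sections(config):
    """Split an IOS config into (global_lines, {"line ...": [indented lines]})."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
            if raw.strip() and raw.strip() != "!":
                global_lines.append(raw.strip())
    return global_lines, sections


def audit(config):
    """Return a list of (check_name, detail) findings for management-plane weaknesses."""
    findings = []
    global_lines, sections = parse_sections(config)
    has_pwd_encryption = "service password-encryption" in global_lines

    if "aaa new-model" not in global_lines:
        findings.append(("aaa-missing", "AAA is not enabled; method lists and SCP need 'aaa new-model'"))

    for line in global_lines:
        if line.startswith("enable password"):
            findings.append(("enable-password", "'enable password' is reversible (type 0/7); use 'enable secret'"))
        m = re.match(r"username (\S+) .*\bpassword\b", line)
        if m:
            findings.append(("username-password", f"user {m.group(1)} uses 'password' instead of 'secret'"))
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("snmp-default-community", f"default community string '{m.group(1)}'"))
        m = re.match(r"snmp-server group (\S+) v3 (\S+)", line)
        if m and m.group(2) != "priv":
            findings.append(("snmpv3-no-priv", f"group {m.group(1)} uses {m.group(2)}; prefer priv (authPriv)"))

    for name, lines in sections.items():
        for entry in lines:
            m = re.match(r"password (?:(\d) )?(\S+)", entry)
            if m:
                ptype = m.group(1) or "0"
                if ptype == "7":   # type 7 is a reversible encoding, not a hash
                    findings.append(("line-password-type7", f"{name}: type 7 line password is reversible"))
                elif ptype == "0" and not has_pwd_encryption:
                    findings.append(("line-password-plaintext", f"{name}: plaintext line password"))
        if name.startswith("line vty"):
            transport = next((e for e in lines if e.startswith("transport input")), None)
            if transport is None or "telnet" in transport or transport.endswith(" all"):
                findings.append(("vty-cleartext-transport", f"{name}: telnet permitted ({transport or 'default'})"))
            if "login" in lines:   # bare 'login' means line password only, no per-user authentication
                findings.append(("vty-line-password-only", f"{name}: bare 'login' without local/AAA authentication"))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(f"[{check}] {detail}")
    print("clean config findings:", audit(CLEAN_CONFIG))
```

Paste the output of show running-config into SAMPLE_CONFIG (or read it from a file) to audit a real device. The type 7 finding is the reason service password-encryption alone is not enough: it hides line passwords from a casual show run, but they are trivially decodable, so username secret, enable secret, and login local or a AAA method list on the lines are the settings that actually remove the weakness.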

- Configuring NTP

As we activate Syslog we need to set the time so that we know when each event is logged. NTP supports authentication; to configure NTP via CCP check this LINK. To check the NTP status via the CLI we run these commands:

R#show ntp status
R#show ntp associations

- Secure Copy Protocol

The SCP feature provides authentication when we copy a device configuration or image file. SCP requires an active AAA service; let’s see the command that enables it:

R(config)#ip scp server enable

- Securing the Cisco IOS Image and Configuration Files

In case both the flash file system and the NVRAM are erased, Cisco provides a feature where the device can recover the IOS image and the configuration files from a secure place that a remote user cannot delete. Let’s have a look at the configuration:

R(config)#secure boot-image
R(config)#secure boot-config
R(config)#end
R#show secure bootset

Summary

In this part, we discovered together how to secure the management plane on Cisco IOS devices.

Everything in this article is based on the CCNA Security book, so that everyone who follows this training can get an idea about the CCNA 210–260 exam. I wish you all the best of luck ^^

Reference
CCNA Security Book 210–260

M'hirsi Hamza
Training course on cisco cyber security certificates
