Best Security Practices for Cisco IOS and IOS-XE (Part 1)

It is recommended to separate management traffic from data/customer traffic on your data center switches and routers running Cisco IOS and IOS-XE (e.g. ASR1000). Traffic on the management plane should be used exclusively for management or administrative access, such as SSH, SNMP, NTP and AAA.

Here are the recommended configurations and practices for these management services.

1. Configure Authentication, Authorization and Accounting (AAA)
    - Preferably set up centralized TACACS+ to manage all your devices. Some use Cisco® Identity Services Engine (ISE) for central network management; it can enforce security policy to audit and control configuration, and can set up individual or group profiles with the respective access rights, such as read-only or allowing specific commands only.
    - It is recommended to integrate the TACACS+ server with Lightweight Directory Access Protocol (LDAP) or Active Directory so you can easily track changes, set password complexity requirements and enforce password expiry.

Sample Configuration:

ASR1K# show run aaa
aaa authentication login VTY group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting send stop-record authentication failure
!
tacacs server TACACS1
address ipv4 192.168.10.10
key 7 00B13081131E3F3A214EF21
tacacs server TACACS2
address ipv4 192.168.20.10
key 7 00B13081131E3F3A214EF21
!
aaa local authentication attempts max-fail 5
aaa new-model
aaa session-id common

Related link –> TACACS (AAA) Configuration in Cisco (IOS-XR, IOS-XE, IOS, NX-OS)

2. Use Secure Shell (SSH) for Remote Access
- SSH provides a secure remote connection to the device because the session traffic is encrypted.

  • enable and run only the latest SSH Version 2 (SSHv2)

ip ssh version 2

Verify:

ASR1K#show ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes128-ctr hmac-sha1 Session started user1
%No SSHv1 server connections running.


  • Configure Access Lists (ACL) to secure management sessions
    Assuming your jump host IPs are:
    192.168.30.11
    192.168.40.11

Step 1. Create your ACL to allow only the authorized IPs and deny everything else

ip access-list extended SSH_ACL
permit tcp host 192.168.30.11 any eq 22
permit tcp host 192.168.40.11 any eq 22
deny tcp any any eq 22

Step 2. Apply the ACL under the VTY line

line vty 0 4
access-class SSH_ACL in

Related link –> SSH Configuration Examples in Cisco (IOS,IOS-XE,NX-OS,IOS-XR)

3. Configure Idle Timeout for SSH and console sessions
- This prevents unauthorized users from taking over your unattended login sessions. The recommended timeout is no more than 10 minutes.

The following configures a timeout of 5 minutes for an inactive session.
NEXUS-SW1(config)#

line vty 0 4
access-class SSH_ACL in
exec-timeout 5 0
password 7 01ABC55XYZ
login authentication VTY
transport input ssh

Related link –> Best Security Practices for SSH (Secure Shell) Remote Access in Cisco
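The following script is an added example (not part of the original article and not a Cisco tool) that audits a running-config excerpt for the controls from steps 2 and 3: `ip ssh version 2`, an inbound `access-class` that references an ACL which actually exists, `transport input ssh`, and an `exec-timeout` of at most 10 minutes. The sample config is constructed; vty 0-4 follows the article, vty 5-15 deliberately does not. The `MAX_IDLE_SECONDS` threshold and the wording of the findings are my own choices.

```python
"""Audit a Cisco IOS/IOS-XE running-config excerpt for the VTY hardening
steps above: SSHv2 only, an inbound access-class that references a real
ACL, SSH-only transport, and an exec-timeout of at most 10 minutes."""
import re

MAX_IDLE_SECONDS = 10 * 60  # the "not more than 10 minutes" recommendation

# Constructed sample config: vty 0-4 follows the article, vty 5-15 does not.
SAMPLE_CONFIG = """\
ip ssh version 2
ip access-list extended SSH_ACL
 permit tcp host 192.168.30.11 any eq 22
 permit tcp host 192.168.40.11 any eq 22
 deny tcp any any eq 22
line vty 0 4
 access-class SSH_ACL in
 exec-timeout 5 0
 login authentication VTY
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 transport input telnet ssh
"""


def parse_sections(config):
    """Split a config into (header, [child commands]) pairs. IOS indents the
    children of a section by one space; everything else is its own section."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            sections.append((raw.strip(), []))
    return sections


def audit_vty(config):
    """Return (section, finding) tuples; an empty list means every check passed."""
    sections = parse_sections(config)
    headers = {hdr for hdr, _ in sections}
    acls = {hdr.split()[-1] for hdr in headers if hdr.startswith("ip access-list")}
    findings = []
    if "ip ssh version 2" not in headers:
        findings.append(("global", "ip ssh version 2 not set; the SSHv1 server may still be enabled"))

    for hdr, children in sections:
        if not hdr.startswith("line vty"):
            continue
        # access-class must be present and must name an ACL that is defined
        acl = None
        for cmd in children:
            m = re.match(r"access-class (\S+) in\b", cmd)
            if m:
                acl = m.group(1)
        if acl is None:
            findings.append((hdr, "no inbound access-class; any source may attempt to log in"))
        elif acl not in acls:
            findings.append((hdr, f"access-class {acl} references an ACL that is not defined"))

        # only ssh may be accepted as an inbound transport
        transports = [cmd for cmd in children if cmd.startswith("transport input")]
        if not transports or transports[-1] != "transport input ssh":
            findings.append((hdr, "transport input is not restricted to ssh"))

        # exec-timeout MINUTES [SECONDS]; 0 0 disables the timeout
        timeouts = [cmd for cmd in children if cmd.startswith("exec-timeout")]
        if not timeouts:
            findings.append((hdr, "exec-timeout not configured explicitly (IOS default is 10 minutes)"))
        else:
            parts = timeouts[-1].split()[1:]
            minutes = int(parts[0])
            seconds = int(parts[1]) if len(parts) > 1 else 0
            if minutes == 0 and seconds == 0:
                findings.append((hdr, "exec-timeout 0 0 disables the idle timeout entirely"))
            elif minutes * 60 + seconds > MAX_IDLE_SECONDS:
                findings.append((hdr, f"exec-timeout {minutes}m {seconds}s exceeds 10 minutes"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_vty(SAMPLE_CONFIG):
        print(f"{section}: {finding}")
```

Feed it the output of `show running-config` saved to a file and every `line vty` range is checked independently, which matters because a hardened `line vty 0 4` next to an unhardened `line vty 5 15` leaves the device reachable through the higher-numbered lines.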

4. Configure stricter password policies
If the TACACS+ server is not reachable, the device falls back to the local account. It is advisable to implement stricter password requirements and complexity, such as:

  • at least 8 characters
  • should contain both uppercase and lowercase characters
  • should contain numbers
  • does not contain any dictionary words

service password-encryption
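The following checker is an added example (not from the article) that implements the four rules listed above for a local password before it is committed to the device. It goes slightly beyond the list: dictionary matching is done after normalising the common digit-for-letter substitutions (0 for o, 3 for e, 5 for s and so on), so a string like the SNMP community used later in this article would still be flagged for the words it is built from. The `DICTIONARY` set is a small constructed stand-in for a real word list, and `MIN_LENGTH` and `LEET` are my own assumptions.

```python
"""Check a candidate local password against the complexity rules above:
at least 8 characters, mixed case, a digit, and no dictionary words
(including leetspeak variants such as 'netw0rk')."""
import re

MIN_LENGTH = 8
# Constructed stand-in for a dictionary; a real check would load a word list file.
DICTIONARY = {"password", "cisco", "admin", "network", "free", "secret", "router", "switch"}
# Digit/symbol substitutions normalised before the dictionary lookup (assumption).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def dictionary_words_in(candidate, words=DICTIONARY, min_len=4):
    """Dictionary words (of at least min_len letters) hidden in the candidate."""
    normalised = candidate.lower().translate(LEET)
    return sorted(w for w in words if len(w) >= min_len and w in normalised)


def check_password(candidate):
    """Return the list of rules the candidate violates; empty means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", candidate) or not re.search(r"[a-z]", candidate):
        problems.append("needs both uppercase and lowercase letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("needs at least one digit")
    found = dictionary_words_in(candidate)
    if found:
        problems.append("contains dictionary word(s): " + ", ".join(found))
    return problems


if __name__ == "__main__":
    for pw in ("cisco123", "Fr33Netw0rk5nmP", "Xq7!Lm2pZ9"):
        print(pw, "->", check_password(pw) or "ok")
```

A strong password does not change how it is stored: `service password-encryption` only obscures line and `username ... password` entries with the reversible type 7 encoding, so local credentials should be configured with `username ... secret` and `enable secret`, which store a hash instead.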

5. Configure SNMP
SNMP, or Simple Network Management Protocol, is an application-layer protocol for exchanging management information between network devices via SNMP managers and agents.
It is advisable to run version 3, as it provides better security by authenticating and encrypting this communication.

Here is a sample recommended configuration:

a. Configure ACL to allow only authorized SNMP requests from NMS

ip access-list standard ACL_SNMP
permit 192.168.60.0 0.0.0.255

b. Configure SNMPv3

SNMPv3

snmp-server group SNMP_GROUP v3 priv notify ALL_VIEW access ACL_SNMP
snmp-server view ALL_VIEW org included

- Some network management, configuration management and inventory management systems are still not fully ready to use SNMPv3, so the only option is to configure SNMPv2c with stricter policies, such as:
  • a complex community string
  • an access-list restricting where requests may come from

SNMPv2c

snmp-server community Fr33Netw0rk5nmP RO ACL_SNMP

c. Configure SNMP traps

SNMPv2c:

Sample:

snmp-server trap-source Loopback0
snmp-server host 192.168.11.99 Fr33Netw0rk5nmP


Related link –> SNMPv2c and SNMPv3 Polling and Traps Configuration in Cisco (IOS-XR)
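The following audit script is an added example (not from the article and not a Cisco tool) that checks `snmp-server` lines against the guidance in this section: SNMPv3 groups must use `priv` and carry an `access` ACL, SNMPv2c communities must be read-only and ACL-restricted and must not be the vendor defaults `public` or `private`, and trap hosts must specify a version, because `snmp-server host` without `version` sends SNMPv1 traps. The sample config mixes the article's lines with deliberately weak ones that I constructed; the finding wording is my own.

```python
"""Audit snmp-server lines from a Cisco IOS/IOS-XE config against the SNMP
guidance above: v3 groups with priv and an ACL, v2c communities read-only
and ACL-restricted, no vendor-default strings, and trap hosts that do not
silently fall back to SNMPv1."""
import re

DEFAULT_COMMUNITIES = {"public", "private"}  # factory defaults every scanner tries first

# Constructed sample: the article's hardened lines plus deliberately weak ones.
SAMPLE_CONFIG = """\
ip access-list standard ACL_SNMP
 permit 192.168.60.0 0.0.0.255
snmp-server view ALL_VIEW org included
snmp-server group SNMP_GROUP v3 priv notify ALL_VIEW access ACL_SNMP
snmp-server group LEGACY_GROUP v3 noauth
snmp-server community Fr33Netw0rk5nmP RO ACL_SNMP
snmp-server community private RW
snmp-server trap-source Loopback0
snmp-server host 192.168.11.99 Fr33Netw0rk5nmP
snmp-server host 192.168.11.98 version 3 priv snmpuser
"""


def defined_acls(config):
    """Names (or numbers) of every standard/extended ACL defined in the config."""
    return set(re.findall(r"^(?:ip )?access-list (?:standard |extended )?(\S+)", config, re.M))


def audit_snmp(config):
    """Return (config line, finding) tuples; an empty list means all checks passed."""
    acls = defined_acls(config)
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        tok = line.split()
        if line.startswith("snmp-server community"):
            # snmp-server community STRING [view V] [RO|RW] [ipv6 NACL] [ACL]
            name, rest = tok[2], tok[3:]
            if rest[:1] == ["view"]:
                rest = rest[2:]
            mode = rest.pop(0).upper() if rest and rest[0].upper() in ("RO", "RW") else "RO"
            if rest[:1] == ["ipv6"]:
                rest = rest[2:]
            acl = rest[0] if rest else None
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append((line, "vendor-default community string"))
            if mode == "RW":
                findings.append((line, "read-write community; use RO, and SNMPv3 for any writes"))
            if acl is None:
                findings.append((line, "no access-list; any host can poll with this community"))
            elif acl not in acls:
                findings.append((line, f"access-list {acl} is not defined"))
        elif line.startswith("snmp-server group"):
            # snmp-server group NAME v3 {noauth|auth|priv} ... [access [ipv6 NACL] ACL]
            if "v3" not in tok:
                findings.append((line, "group is not SNMPv3"))
            elif "priv" not in tok:
                findings.append((line, "SNMPv3 group without priv: no encryption"))
            if "access" not in tok:
                findings.append((line, "no access-list on group"))
            else:
                after = tok[tok.index("access") + 1:]
                if after[:1] == ["ipv6"]:
                    after = after[2:]
                if not after or after[0] not in acls:
                    findings.append((line, "group access-list is missing or not defined"))
        elif line.startswith("snmp-server host"):
            # without "version", IOS sends SNMPv1 traps to this host
            version = tok[tok.index("version") + 1] if "version" in tok else "1"
            if version == "1":
                findings.append((line, "traps sent as SNMPv1 (the default when no version is given)"))
            elif version == "3" and "priv" not in tok:
                findings.append((line, "SNMPv3 trap host without priv"))
    return findings


if __name__ == "__main__":
    for cfg_line, finding in audit_snmp(SAMPLE_CONFIG):
        print(f"{cfg_line!r}: {finding}")
```

The trap-host check is the one most often missed: the article's `snmp-server host 192.168.11.99 Fr33Netw0rk5nmP` line is valid, but adding `version 2c` (or `version 3 priv`) is what stops the community from also being sent in SNMPv1 trap packets.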

6. Configure Syslog Logging

Recommended configuration: (Assuming syslog server IP is 192.168.15.254)


logging facility local6
logging source-interface Loopback0
logging host 192.168.15.254


Related link –> Out of Band (OOB) Management Configuration in Cisco IOS-XR (SSH,SNMP,NTP,AAA,Syslog)

7. Configure NTP
- Network Time Protocol is a networking protocol for clock synchronization. It is highly recommended to synchronize device date/time to a centralized NTP server within your network (with your NMS pointing to the same NTP server), as it gives an accurate view of any outage, technical or security incident, and helps in correlating events.
Note: It is recommended to configure NTP with authentication, but that depends on whether your NTP server supports it.

Sample configuration: (Assuming 192.168.30.30 and 192.168.40.40 are NTP servers, and vrf is configured)

ip access-list standard NTP-SERVERS
permit 192.168.30.30
permit 192.168.40.40

ip access-list standard NTP-DENY
deny any

ntp source Loopback0
ntp access-group peer NTP-SERVERS
ntp access-group serve NTP-DENY
ntp access-group serve-only NTP-DENY
ntp access-group query-only NTP-DENY
ntp server 192.168.30.30
ntp server 192.168.40.40

Verify:

ASR1K#show ntp associations

address ref clock st when poll reach delay offset disp
*~192.168.30.30 .GPS. 1 409 1024 377 0.666 1.118 1.067
+~192.168.40.40 .GPS. 1 768 1024 377 0.334 1.085 1.070
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
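Reading the `show ntp associations` output by eye is easy for two peers, but the same check is worth automating across a fleet. The following is an added example (not from the article) that parses the output above and decides whether synchronization is healthy: exactly one sys.peer (`*`), every peer one of the approved servers from the NTP-SERVERS ACL, no falseticker (`x`), and a `reach` of 377 (octal for all 8 recent polls answered; each missing bit is a missed poll). The `MAX_OFFSET_MS` threshold is my own assumption, and the sample output is the article's output embedded as a constructed string.

```python
"""Parse 'show ntp associations' and decide whether the device is actually
synchronised: one sys.peer (*), every configured server answering all of
its last 8 polls (reach 377 octal), no falsetickers, and peers limited to
the servers permitted by the NTP-SERVERS ACL."""
import re

EXPECTED_SERVERS = {"192.168.30.30", "192.168.40.40"}  # same hosts as the NTP-SERVERS ACL
MAX_OFFSET_MS = 100.0  # constructed threshold; offset column is in milliseconds

# The output shown above, embedded as a constructed sample string.
SAMPLE_OUTPUT = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.30.30   .GPS.            1    409   1024   377  0.666   1.118  1.067
+~192.168.40.40   .GPS.            1    768   1024   377  0.334   1.085  1.070
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# flag, '~' if configured, address, refid, stratum, when, poll, reach (octal), delay, offset, disp
PEER_RE = re.compile(
    r"^([*#+\-x ]?)(~?)(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+([0-7]+)"
    r"\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)"
)


def parse_associations(output):
    """Return one dict per peer row; the header and legend lines do not match."""
    peers = []
    for line in output.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue
        flag, configured, addr, refid, st, _when, poll, reach, _delay, offset, _disp = m.groups()
        reach_bits = int(reach, 8)  # 8-bit shift register: bit set = that poll was answered
        peers.append({
            "address": addr,
            "flag": flag.strip() or None,
            "configured": configured == "~",
            "refid": refid,
            "stratum": int(st),
            "poll": int(poll),
            "reach": reach_bits,
            "polls_missed": 8 - bin(reach_bits).count("1"),
            "offset_ms": float(offset),
        })
    return peers


def assess(output, expected=EXPECTED_SERVERS):
    """Return a list of problems; an empty list means time sync looks healthy."""
    peers = parse_associations(output)
    problems = []
    sys_peers = [p["address"] for p in peers if p["flag"] == "*"]
    if len(sys_peers) != 1:
        problems.append(f"expected exactly one sys.peer, found {len(sys_peers)}")
    for p in peers:
        a = p["address"]
        if a not in expected:
            problems.append(f"{a}: not one of the approved NTP servers")
        if p["flag"] == "x":
            problems.append(f"{a}: marked as falseticker")
        if p["polls_missed"]:
            problems.append(f"{a}: missed {p['polls_missed']} of the last 8 polls")
        if abs(p["offset_ms"]) > MAX_OFFSET_MS:
            problems.append(f"{a}: offset {p['offset_ms']} ms exceeds {MAX_OFFSET_MS} ms")
    return problems


if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT) or "NTP healthy")
```

An unexpected peer address in this output is worth treating as a finding in its own right, since the `ntp access-group peer NTP-SERVERS` line above is supposed to make that impossible.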

Optional: Configure Timezone

Sample config:

service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
clock timezone SGT 8 0

Related link –> Configuring Network Time Protocol (NTP) the Secured way in Cisco Routers and Switches (IOS, IOS-XE, IOS-XR, NX-OS)

8. Configure MOTD or Banners
- A MOTD (Message of the Day) or login banner is displayed before login. It is advisable to configure one to warn unauthorized users of the possible penalties for accessing the device.

Sample config:

banner login ^CCC

*************************************************************************
        UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this
device. Unauthorized attempts and actions to access or use this system may
result in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.
*************************************************************************

^C

Related link –> Configuring Banner or Login Message in Cisco
