Best Security Practices for Cisco IOS-XR on Management Plane

It is recommended to separate management traffic from data/customer traffic on your datacenter devices running Cisco IOS-XR (e.g. ASR 9000, CRS). Traffic on the management plane should be used exclusively for management or administrative access, such as SSH, SNMP, NTP and AAA.

Here are the recommended configurations and practices for these management services.

1. Configure Authentication, Authorization and Accounting (AAA)
- Preferably set up a centralized TACACS+ server to manage all your devices. Some use Cisco® Identity Services Engine (ISE) for central network management; it can enforce security policy to audit and control configuration, and can set up individual or group profiles with their respective access rights, such as read-only or allowing specific commands only.
- It is recommended to integrate the TACACS+ server with Lightweight Directory Access Protocol (LDAP) or Active Directory, so that changes can be tracked easily, password complexity requirements can be enforced and password expiry can be applied.

Sample Configuration:

RP/0/RP0/CPU0:ASR9K# show run aaa

aaa accounting exec default start-stop group TACACS-GROUP group tacacs+
aaa accounting commands default start-stop group TACACS-GROUP group tacacs+
aaa group server tacacs+ TACACS-GROUP
vrf MANAGEMENT
server-private 192.168.10.10 port 49
key 7 00B13081131E3F3A214EF21
!
server-private 192.168.20.10 port 49
key 7 00B13081131E3F3A214EF21
!
!
aaa authorization exec default group TACACS-GROUP group tacacs+ none
aaa authorization commands default group TACACS-GROUP group tacacs+ none
aaa authorization eventmanager default group tacacs+
aaa authentication login default group TACACS-GROUP group tacacs+ local
aaa default-taskgroup netadmin

Related link –> TACACS (AAA) Configuration in Cisco (IOS-XR, IOS-XE, IOS, NX-OS)

2. Use Secure Shell (SSH) for Remote Access
- SSH provides a secure remote connection to the device because the traffic is encrypted.

  • Disable Telnet services

no telnet ipv4 server

  • Enable and run only SSH version 2 (SSHv2)

ssh server v2
ssh server vrf default
ssh server vrf MANAGEMENT
ssh timeout 60

Verify:

RP/0/RP0/CPU0:ASR9K#show ssh
SSH version : Cisco-2.0

id  chan  pty   location    state         userid  host           ver  authentication  connection type
----------------------------------------------------------------------------------------------------
Incoming sessions
0 1 vty0 0/RP0/CPU0 SESSION_OPEN user1 192.168.1.123 v2 key-intr Command-Line-Interface

  • Configure Access Lists (ACL) to secure management sessions
    Assuming your jump host IPs are 192.168.30.11 and 192.168.40.11:

Step 1. Create your ACL to allow only the authorized IPs and deny everything else

ipv4 access-list SSH_ACL
10 permit tcp host 192.168.30.11 any eq 22
20 permit tcp host 192.168.40.11 any eq 22
30 deny ipv4 any any log

Step 2. Apply the ACL under line default

line default
access-class ingress SSH_ACL

Related link –> SSH Configuration Examples in Cisco (IOS,IOS-XE,NX-OS,IOS-XR)

3. Configure Idle Timeout for SSH and console sessions
- This prevents unauthorized users from taking over your unattended login sessions. Recommended: not more than 10 minutes.

This configures the timeout for an inactive session to 5 minutes.
RP/0/RP0/CPU0:ASR9K(config)#

line default
secret 5 $1$aBcD.$xyz6dFCOfv8SvL9yM
login authentication default
timestamp
exec-timeout 5 0
session-timeout 5
transport input ssh

Related link –> Best Security Practices for SSH (Secure Shell) Remote Access in Cisco

4. Configure stricter password policies
If the TACACS+ server is not reachable, authentication falls back to the local account, so it is advisable to implement stricter password requirements and complexity, such as:

  • at least 8 characters
  • contains both uppercase and lowercase characters
  • contains at least one number
  • does not contain any dictionary words

5. Configure SNMP
SNMP, or Simple Network Management Protocol, is an application-layer protocol for exchanging management information between network devices via SNMP managers and agents.
It is advisable to run version 3, as it provides better security through authentication and encryption of this communication.

Here is a sample recommended configuration:

a. Configure ACL to allow only authorized SNMP requests from NMS

ipv4 access-list ACL_SNMP
10 permit ipv4 192.168.60.0/24 any

b. Configure SNMPv3

SNMPv3
Syntax:
snmp-server user <username> <group> v3 auth md5/sha clear/encrypted <authpass> priv 3des/aes/des56 clear/encrypted <privpass> IPv4 <ACLname>

snmp-server vrf MANAGEMENT
snmp-server user USER1 SNMPGROUP v3 auth md5 encrypted 221E506B517355E85194A1 priv aes 256 encrypted 0C1137008231D6B629403190  IPv4 ACL_SNMP
snmp-server view ALL_VIEW 1.3 included
snmp-server group SNMPGROUP v3 priv notify ALL_VIEW read ALL_VIEW IPv4 ACL_SNMP

- Some network management, configuration management and inventory management systems are still not fully ready for SNMPv3, so the only option is to configure SNMPv2c with stricter controls such as:
a. a complex community string
b. an access-list restricting the permitted sources

SNMPv2c
Syntax:
snmp-server community [communitystring] RO IPv4 [ACLname]
snmp-server community clear [communitystring] RO IPv4 [ACLname]

snmp-server vrf MANAGEMENT
snmp-server community Fr33Netw0rk5nmP RO SystemOwner IPv4 ACL_SNMP

or

snmp-server community encrypted 1204D000D000ABC065A RO IPv4 ACL_SNMP

c. Configure SNMP traps

SNMPv2c:

Syntax:
snmp-server vrf <vrfname> host [trapserverIP] traps [communitystring]
snmp-server vrf <vrfname> host [trapserverIP] traps clear/encrypted [communitystring]

Sample:

snmp-server vrf MANAGEMENT host 192.168.11.99 traps Fr33Netw0rk5nmP

or

snmp-server vrf MANAGEMENT host 192.168.11.99 traps encrypted 0105E253E181253E

Related link –> SNMPv2c and SNMPv3 Polling and Traps Configuration in Cisco (IOS-XR)

6. Configure Syslog Logging

Recommended configuration: (Assuming syslog server IP is 192.168.15.254)

Syntax:
logging [syslogIP] vrf [vrfname] severity <options> port default

<options>:
  emergencies    System is unusable (severity=0)
  alerts         Immediate action needed (severity=1)
  critical       Critical conditions (severity=2)
  error          Error conditions (severity=3)
  warning        Warning conditions (severity=4)
  notifications  Normal but significant conditions (severity=5)
  info           Informational messages (severity=6)
  debugging      Debugging messages (severity=7)

logging 192.168.15.254 vrf default severity info port default

Related link –> Out of Band (OOB) Management Configuration in Cisco IOS-XR (SSH,SNMP,NTP,AAA,Syslog)

7. Configure NTP
- Network Time Protocol is a networking protocol for clock synchronization. It is highly recommended to synchronize device date/time to a centralized NTP server within your network (with your NMS pointing to the same NTP server), as it gives an accurate timeline of any outage, technical or security incident, and helps in correlating events.
Note: It is recommended to configure NTP with authentication, but that depends on whether your NTP server supports it.

Sample configuration: (Assuming 192.168.30.30 and 192.168.40.40 are the NTP servers, and the VRF is configured)

ipv4 access-list NTP-SERVERS
10 permit ipv4 host 192.168.30.30 any
20 permit ipv4 host 192.168.40.40 any

ipv4 access-list NTP-DENY
10 deny ipv4 any any

ntp
server vrf MANAGEMENT 192.168.30.30
server vrf MANAGEMENT 192.168.40.40
access-group ipv4 peer NTP-SERVERS
access-group ipv4 query-only NTP-DENY
update-calendar

Verify:

RP/0/RP0/CPU0:ASR9K#show ntp associations
     address         ref clock     st  when  poll reach  delay  offset   disp
+~192.168.30.30 vrf MANAGEMENT
                   .GPS.          1   389  1024  377    0.98   0.129  15.803
*~192.168.40.40 vrf MANAGEMENT
                   .GPS.          1   453  1024  377    0.98   0.148  15.806
 * sys_peer, # selected, + candidate, - outlayer, x falseticker, ~ configured
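As an added example (not from the original post), a Python parser for the `show ntp associations` output shown above. IOS-XR wraps each entry onto two lines when the server sits in a VRF, which breaks naive one-line-per-peer parsing; the parser below handles both forms and then flags the conditions a verification step should catch: no sys_peer selected, reachability below 377 (the last eight polls did not all succeed), a stratum-16 server, or an offset above a threshold. The healthy sample mirrors the page's values; the degraded sample is constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the wrapped two-line form IOS-XR prints when servers
# sit in a VRF; the values mirror the output shown on the page.
HEALTHY_OUTPUT = """\
     address         ref clock     st  when  poll reach  delay  offset   disp
+~192.168.30.30 vrf MANAGEMENT
                   .GPS.          1   389  1024  377    0.98   0.129  15.803
*~192.168.40.40 vrf MANAGEMENT
                   .GPS.          1   453  1024  377    0.98   0.148  15.806
 * sys_peer, # selected, + candidate, - outlayer, x falseticker, ~ configured
"""

# Constructed sample of a device that never reached its server (no sys_peer).
DEGRADED_OUTPUT = """\
     address         ref clock     st  when  poll reach  delay  offset   disp
 ~192.168.30.30 vrf MANAGEMENT
                   .INIT.         16     -    64    0    0.00   0.000  16000.0
 * sys_peer, # selected, + candidate, - outlayer, x falseticker, ~ configured
"""

FLAGS = {"*": "sys_peer", "#": "selected", "+": "candidate",
         "-": "outlayer", "x": "falseticker", " ": "none"}

# First line of an entry: flag, optional '~' (configured), address, optional
# vrf, and whatever remains (empty when the statistics wrap to the next line).
ADDR_RE = re.compile(r"^([*#+\-x ])(~?)(\S+)(?:\s+vrf\s+(\S+))?(.*)$")
# Statistics columns: ref clock, stratum, when, poll, reach, delay, offset, disp.
STATS_RE = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+([0-7]+)\s+([\d.]+)\s+(-?[\d.]+)\s+([\d.]+)\s*$")


def _stats(text: str) -> Dict[str, object]:
    m = STATS_RE.match(text)
    if not m:
        raise ValueError(f"unparseable NTP statistics: {text!r}")
    refclock, st, when, poll, reach, delay, offset, disp = m.groups()
    return {"refclock": refclock, "stratum": int(st), "when": when,
            "poll": int(poll), "reach": reach, "delay": float(delay),
            "offset": float(offset), "disp": float(disp)}


def parse_ntp_associations(output: str) -> List[Dict[str, object]]:
    """Parse IOS-XR `show ntp associations`, including wrapped entries."""
    peers: List[Dict[str, object]] = []
    pending: Optional[Dict[str, object]] = None
    for line in output.splitlines():
        if not line.strip() or line.lstrip().startswith("address") or "sys_peer," in line:
            continue                      # blank, column header or legend
        if pending is not None:           # continuation line of a wrapped entry
            pending.update(_stats(line))
            peers.append(pending)
            pending = None
            continue
        m = ADDR_RE.match(line)
        if not m:
            raise ValueError(f"unexpected line: {line!r}")
        flag, configured, address, vrf, rest = m.groups()
        entry: Dict[str, object] = {"flag": FLAGS[flag], "configured": configured == "~",
                                    "address": address, "vrf": vrf or "default"}
        if rest.strip():                  # single-line entry (no VRF wrap)
            entry.update(_stats(rest))
            peers.append(entry)
        else:
            pending = entry
    return peers


def assess(peers: List[Dict[str, object]], max_offset_ms: float = 100.0) -> List[str]:
    """Return readable problems; an empty list means the clock looks healthy."""
    problems: List[str] = []
    if not any(p["flag"] == "sys_peer" for p in peers):
        problems.append("no sys_peer selected: the device clock is not synchronised")
    for p in peers:
        name = f"{p['address']} (vrf {p['vrf']})"
        if p["reach"] != "377":
            problems.append(f"{name}: reach {p['reach']}/377, recent polls failed")
        if p["stratum"] >= 16:
            problems.append(f"{name}: stratum 16, the server itself is unsynchronised")
        if abs(p["offset"]) > max_offset_ms:
            problems.append(f"{name}: offset {p['offset']} ms exceeds {max_offset_ms} ms")
    return problems


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_OUTPUT), ("degraded", DEGRADED_OUTPUT)):
        print(label, assess(parse_ntp_associations(text)) or "OK")
```

Feed the parser the raw output collected from the device (for example over the same SSH session used for the verification step) and alert on a non-empty `assess()` result; a device that drifts or loses its sys_peer will produce log timestamps that cannot be correlated with the rest of the network.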

Optional: Configure Timezone
Syntax:
clock timezone [TIMEZONE] <-23,+23>

where:
TIMEZONE = name of the time zone, such as PST, MST, CST, EST, etc. (max size 8)
<-23,+23> = hours offset from UTC

Sample config:

clock timezone SGP 8

Related link –> Configuring Network Time Protocol (NTP) the Secured way in Cisco Routers and Switches (IOS, IOS-XE, IOS-XR, NX-OS)

8. Configure MOTD or Banners
- A MOTD (Message of the Day) or login banner is displayed before login. It is advisable to configure one to notify unauthorized users of the possible penalties for accessing the device.

Sample config:

banner login ^C

*************************************************************************
        UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this
device. Unauthorized attempts and actions to access or use this system may
result in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.
*************************************************************************

^C

Related link:
Configuring Banner or Login Message in Cisco
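As an added example (not part of the original post or any Cisco tool), a small Python audit that reads an IOS-XR running-config and checks it against the recommendations from sections 1 to 8 above: no Telnet server, SSHv2 enabled, an ingress access-class on `line default` that references an existing ACL, an exec-timeout of at most 10 minutes, SNMP communities bound to an access-list, SNMPv3 groups using `priv`, a remote syslog destination, NTP servers with access-groups, a login banner, and TACACS+ in the default login method. Both configs are constructed from the page's own commands; the parser only understands the flat "top-level line plus indented children" layout IOS-XR prints, which is enough for these checks.

```python
import re
from typing import Dict, List

# Constructed IOS-XR running-config assembled from the commands on this page
# (addresses and names are the page's examples, not a real device).
HARDENED_CONFIG = """\
aaa authentication login default group TACACS-GROUP group tacacs+ local
ssh server v2
ipv4 access-list SSH_ACL
 10 permit tcp host 192.168.30.11 any eq 22
 20 permit tcp host 192.168.40.11 any eq 22
 30 deny ipv4 any any log
!
line default
 access-class ingress SSH_ACL
 exec-timeout 5 0
!
snmp-server community Fr33Netw0rk5nmP RO SystemOwner IPv4 ACL_SNMP
snmp-server group SNMPGROUP v3 priv notify ALL_VIEW read ALL_VIEW IPv4 ACL_SNMP
logging 192.168.15.254 vrf default severity info port default
ntp
 server vrf MANAGEMENT 192.168.30.30
 access-group ipv4 peer NTP-SERVERS
 access-group ipv4 query-only NTP-DENY
!
banner login ^C
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
^C
"""

# Constructed weak variant: Telnet on, no SSH source ACL, 30-minute idle
# timeout, SNMPv2c community without ACL, no syslog, open NTP, no banner.
WEAK_CONFIG = """\
aaa authentication login default local
telnet vrf default ipv4 server max-servers 5
ssh server v2
line default
 exec-timeout 30 0
!
snmp-server community public RO
ntp
 server 192.168.30.30
!
"""


def parse(config: str) -> Dict[str, List[str]]:
    """Map each top-level command to its indented child lines (IOS-XR layout)."""
    tree: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and current is not None:
            tree[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.rstrip()
            tree.setdefault(current, [])
    return tree


def audit(config: str, max_idle_minutes: int = 10) -> List[str]:
    """Return findings against the page's management-plane recommendations."""
    tree = parse(config)
    tops = list(tree)

    def has(prefix: str) -> List[str]:
        return [t for t in tops if t.startswith(prefix)]

    findings: List[str] = []
    if has("telnet "):
        findings.append("telnet server is enabled; use SSHv2 only")
    if not has("ssh server v2"):
        findings.append("'ssh server v2' is missing")
    line = tree.get("line default", [])
    acl = next((l.split()[-1] for l in line if l.startswith("access-class ingress ")), None)
    if acl is None:
        findings.append("line default: no ingress access-class restricting SSH sources")
    elif f"ipv4 access-list {acl}" not in tree:
        findings.append(f"line default: access-class {acl} references an undefined ACL")
    m = next((re.match(r"exec-timeout (\d+) (\d+)", l) for l in line
              if l.startswith("exec-timeout ")), None)
    idle = int(m.group(1)) * 60 + int(m.group(2)) if m else None
    if not idle or idle > max_idle_minutes * 60:   # "0 0" means never time out
        findings.append(f"line default: exec-timeout missing, disabled or above {max_idle_minutes} minutes")
    for c in has("snmp-server community "):
        if " IPv4 " not in c and " IPv6 " not in c:
            findings.append(f"SNMP community without an access-list: '{c}'")
    for g in has("snmp-server group "):
        if " v3 " in g and " priv " not in g:
            findings.append(f"SNMPv3 group without priv (encryption): '{g}'")
    if not any(re.match(r"logging \d+\.\d+\.\d+\.\d+", t) for t in tops):
        findings.append("no remote syslog destination configured")
    ntp = tree.get("ntp", [])
    if not any(l.startswith("server ") for l in ntp):
        findings.append("ntp: no server configured")
    if not any(l.startswith("access-group ") for l in ntp):
        findings.append("ntp: no access-group restricting peers and queries")
    if not has("banner login"):
        findings.append("no login banner configured")
    if not any("tacacs" in t for t in has("aaa authentication login default")):
        findings.append("aaa authentication login default does not use TACACS+")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Run `audit()` over the output of `show running-config` collected from each device; the hardened sample returns no findings while the weak one returns eight, one per deviation listed in its comment. The Telnet check looks for a `telnet ... server` line because IOS-XR only shows the Telnet server in the running-config when it has been enabled.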
