Best Security Practices for Cisco Nexus OS (NX-OS) on Management Plane

It is recommended to separate management traffic from data/customer traffic on your datacenter switches such as Cisco Nexus devices (e.g. Nexus 7000, Nexus 9000). Traffic on the management plane should be limited to management and administrative access only, such as SSH, SNMP, NTP and AAA.

Here are the recommended configurations and practices for these management services.

  1. Configure Authentication, Authorization and Accounting (AAA)
    - Preferably set up centralized TACACS+ to manage all your devices. Some use Cisco® Identity Services Engine (ISE) for central network management; it can enforce security policy to audit and control configuration, and can set up individual or group profiles with their respective access rights, such as read-only or allowing specific commands only.
    - It is recommended to integrate the TACACS+ server with Lightweight Directory Access Protocol (LDAP) or Active Directory so you can easily track changes, set up password complexity requirements and enforce password expiry.

Sample Configuration:

NEXUS-SW1# show run tacacs all

feature tacacs+

tacacs+ distribute
ip tacacs source-interface mgmt0
tacacs-server test username test password test idle-time 0
tacacs-server timeout 5
tacacs-server deadtime 0
tacacs-server host 192.168.10.10 key 7 "fnt_ywabcd"
tacacs-server host 192.168.20.10 key 7 "fnt_ywabcd"
tacacs+ commit
aaa group server tacacs+ TACACSGRP1
server 192.168.10.10
server 192.168.20.10
use-vrf default

Related link –> TACACS (AAA) Configuration in Cisco (IOS-XR, IOS-XE, IOS, NX-OS)

2. Use Secure Shell (SSH) for Remote Access
– to provide a secure remote connection to the device, as the traffic is encrypted.

  • Disable Telnet services

NEXUS-SW1# conf
NEXUS-SW1(config)#

no feature telnet

 

  • Enable SSH and run only SSH version 2 (SSHv2)

feature ssh
ssh login-attempts 3
ssh key rsa 2048

Verify:

NEXUS-SW1# show ssh server
ssh version 2 is enabled

  • Configure Access Lists (ACL) to secure management sessions
    Assuming your jump host IPs are:
    192.168.30.11
    192.168.40.11

Step1. Create your ACL to allow only authorized IPs and deny all

NEXUS-SW1(config)#
ip access-list ACL_MGMT
10 permit tcp 192.168.30.11/32 any eq 22
20 permit tcp 192.168.40.11/32 any eq 22
30 deny ip any any log

Step2. Apply the ACL to the management interface and line vty

NEXUS-SW1(config)#
interface mgmt0
ip access-group ACL_MGMT in

 

line vty
access-class ACL_MGMT in

Related link –> SSH Configuration Examples in Cisco (IOS,IOS-XE,NX-OS,IOS-XR)

3. Configure Idle Timeout for SSH and console sessions
-this is to prevent unauthorized users from taking over your unattended login sessions. Recommended not more than 10 minutes.

The following configures a 5-minute timeout for inactive sessions.
NEXUS-SW1(config)#

line console
exec-timeout 5

line vty
exec-timeout 5
session-limit 10

Note: session-limit [sessions] –> configures the maximum number of virtual sessions; the default is 32.

Related link –> Best Security Practices for SSH (Secure Shell) Remote Access in Cisco

4. Configure stricter password policies
If TACACS+ is not reachable, the device falls back to the local account. It is advisable to implement stricter password requirements and complexity such as:

  • at least 8 characters
  • should contain both uppercase and lowercase characters
  • should contain numbers
  • does not contain any dictionary words

Enable the following configuration:
NEXUS-SW1(config)#

password strength-check
password secure-mode

"secure-mode" = enables secure mode for changing passwords
"strength-check" = enables password strength checking

Verify:

NEXUS-SW1# show password strength-check
Password strength check enabled

5. Configure SNMP
SNMP, or Simple Network Management Protocol, is an application-layer protocol for exchanging management information between network devices via SNMP managers and agents.
It is advisable to run version 3, as it provides better security through authentication and encryption of this communication.

Here is a sample recommended configuration:

a. Globally enforce privacy for all users

snmp-server globalEnforcePriv

b. Configure SNMP users with access levels

SNMPv3
Syntax:
snmp-server user [user] [groupname] auth [md5/sha] [userauthpass] priv aes-128 [privacypass] localizedkey

where:
auth Authentication parameters for the user
md5 Use HMAC MD5 algorithm for authentication
sha Use HMAC SHA algorithm for authentication
priv Encryption parameters for the user
aes-128 Use 128-bit AES algorithm for privacy
localizedkey Specifies whether the passwords are in localized key format

Sample config: (the auth and priv passwords are automatically encrypted)

snmp-server user snmpuser groupname auth md5 0xd8d0d4ef415d6d0d1575d priv aes-128 0x882816e69d38d8a273dbb242493 localizedkey

-Some network management, configuration management and inventory management systems are still not fully ready for SNMPv3, so the only option is to configure SNMPv2c with stricter policies such as:
a. a complex community string
b. an access list

SNMPv2c
Syntax:
snmp-server community [communitystring] use-ipv4acl [aclsnmp]

where:
[communitystring] = SNMP community string (Max Size 32)
[aclsnmp] IPv4 ACL name to filter snmp requests (Max Size 32)

Optional:
snmp-server community [communitystring] group [groupname]

where:
groupname = Group to which the community belongs (Max Size 32)

Sample config: (for v2c the community string is shown in clear text, which is why running v2c is not advisable)

ip access-list ACL_SNMP
10 remark Authorized SNMP Server Farm
20 permit ip 192.168.11.0/25 any
30 permit ip 192.168.12.0/25 any
40 deny ip any any log

snmp-server community Fr33Netw0rk5nmP use-ipv4acl ACL_SNMP

snmp-server community Fr33Netw0rk5nmP group network-admins

c. Configure SNMP traps

SNMPv3:

Syntax:
snmp-server host [trapserverIP] traps version 3 [auth/noauth/priv] [WORD]
NEXUS-SW1(config)# snmp-server host 192.168.11.99 traps version 3 ?
auth Use the SNMPv3 authNoPriv Security Level
noauth Use the SNMPv3 noAuthNoPriv Security Level
priv Use the SNMPv3 authPriv Security Level

where:
WORD = SNMP community string or SNMPv3 user name (Max Size 28)

SNMPv2c:

Syntax:
snmp-server host [trapserverIP] traps version 2c [communitystring]

Sample:

snmp-server host 192.168.11.99 traps version 2c Fr33Netw0rk5nmP

Related link –> SNMPv2c and SNMPv3 Polling and Traps Configuration in Cisco (IOS-XR)

6. Configure Syslog Logging

Recommended configuration: (Assuming syslog server IP is 192.168.15.254)

Syntax:
logging server [syslogserver] [0-7] use-vrf [vrfname] facility localX

where:
syslogserver = A.B.C.D|A:B::C:D|WORD Hostname/IPv4/IPv6 address of the remote syslog server
<0-7> 0-emerg;1-alert;2-crit;3-err;4-warn;5-notif;6-inform;7-debug (highest severity level forwarded)
use-vrf = send to the server via the given VRF
vrfname = Known VRF name
facility = Facility to use when forwarding to the server
local0 Use local0 facility
local1 Use local1 facility
local2 Use local2 facility
local3 Use local3 facility
local4 Use local4 facility
local5 Use local5 facility
local6 Use local6 facility
local7 Use local7 facility

Sample:

logging server 192.168.15.254 5 use-vrf management facility local6

logging level authpriv 5

Note: <0-7> 0-emerg;1-alert;2-crit;3-err;4-warn;5-notif;6-inform;7-debug

Verify:
show logging
show logging level
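As an added example, not part of the original post, the following Python reproduces the two things this section configures: the 0-7 severity filter that "logging level <facility> <n>" applies before a message is forwarded, and what a defender can do with the authpriv messages that do arrive at the syslog server (here: flag logins not coming from the jump hosts permitted by ACL_MGMT in section 2). The sample log lines are constructed in NX-OS "%FACILITY-SEVERITY-MNEMONIC:" form, and the default level of 5 for unlisted facilities is an assumption.

```python
import re

# Severity names exactly as the NX-OS "logging server" help lists them (0-7).
SEVERITY = ["emerg", "alert", "crit", "err", "warn", "notif", "inform", "debug"]
# Jump hosts permitted by ACL_MGMT in section 2; any other SSH source is suspect.
JUMP_HOSTS = {"192.168.30.11", "192.168.40.11"}

# NX-OS message header: "%FACILITY-SEVERITY-MNEMONIC: text"
HEADER = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")
SRC_IP = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")

def parse(line):
    """Split one syslog line into facility, severity (number and name), mnemonic and text; None if not NX-OS."""
    m = HEADER.search(line)
    if not m:
        return None
    sev = int(m["sev"])
    return {"facility": m["facility"].lower(), "sev": sev, "sev_name": SEVERITY[sev],
            "mnemonic": m["mnemonic"], "text": m["text"]}

def forwarded(lines, facility_levels):
    """Keep only messages a 'logging level <facility> <n>' config would send on (assumed default level 5)."""
    out = []
    for line in lines:
        msg = parse(line)
        if msg and msg["sev"] <= facility_levels.get(msg["facility"], 5):
            out.append(msg)
    return out

def suspicious_logins(lines):
    """Return source IPs of authpriv events (failed or successful) that did not come from a jump host."""
    hits = []
    for msg in forwarded(lines, {"authpriv": 5}):
        if msg["facility"] != "authpriv":
            continue
        ip = SRC_IP.search(msg["text"])
        if ip and ip[1] not in JUMP_HOSTS:
            hits.append(ip[1])
    return hits

# Constructed sample lines in NX-OS format (not captured from a real device).
SAMPLE_LOG = [
    "2024 Jan 10 10:15:22 NEXUS-SW1 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from 192.168.50.5 - sshd",
    "2024 Jan 10 10:15:40 NEXUS-SW1 %AUTHPRIV-6-SYSTEM_MSG: pam_aaa:Authentication success from 192.168.30.11 - sshd",
    "2024 Jan 10 10:16:01 NEXUS-SW1 %AUTHPRIV-5-SYSTEM_MSG: New user added with username admin2 from 10.0.0.9 - securityd",
    "2024 Jan 10 10:16:30 NEXUS-SW1 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on 192.168.40.11@pts/0",
]
```

Note that the severity-6 success message is dropped by the level-5 filter, so a successful login from an unexpected host would only reach the collector if authpriv were logged at 6 or above.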

Related link –> Out of Band (OOB) Management Configuration in Cisco IOS-XR (SSH,SNMP,NTP,AAA,Syslog)

7. Configure NTP
-Network Time Protocol is a networking protocol for clock synchronization. It is highly recommended to synchronize device date/time to a centralized NTP server within your network (with your NMS pointing to the same NTP server), as accurate time gives a correct view of any outage, technical or security incident, and helps in correlating events.
Note: It is recommended to configure NTP with authentication, provided your NTP server supports it.

Sample configuration: (Assuming 192.168.30.30 and 192.168.40.40 are NTP servers, and vrf is configured)

ntp distribute
ntp server 192.168.30.30 use-vrf management
ntp server 192.168.40.40 use-vrf management
ntp source-interface mgmt0
ntp commit

Verify:

NEXUS-SW1# show ntp peers
--------------------------------------------------
  Peer IP Address               Serv/Peer
--------------------------------------------------
  192.168.30.30                 Server (configured)
  192.168.40.40                 Server (configured)

Configuring NTP Authentication:

Syntax:
ntp authentication-key [authnumber] md5 [md5string] [0|7] –> defines an authentication key
ntp server [ipaddress] key [key-id] –> forms an association with a server using that key
ntp trusted-key [keynumber] –> protects against accidentally synchronizing the device to an untrusted time source
ntp authenticate –> enables NTP authentication so the configured keys are actually checked

where:
authnumber = <1-65535> Authentication key number (range 1-65535)
md5string =  MD5 string (Max Size 15)
0 Clear text
7 Encrypted
key-id = <1-65535> Value of keyid 1-65535
keynumber = <1-65535> Trusted-key number

Sample config:

ntp authentication-key 10 md5 nTPk3Y 0
ntp server 192.168.30.30 key 10
ntp trusted-key 10
ntp authenticate

Optional: Configure Timezone
Syntax:
clock timezone [TIMEZONE] [hours] [mins]

where:
TIMEZONE = Name of time zone, such as PST, MST, CST, EST, etc. (Max Size 8)
hours = <-23-23> Hours offset from UTC
mins = <0-59> Minutes offset from UTC

Sample config:

clock timezone SST 8 0

Related link –> Configuring Network Time Protocol (NTP) the Secured way in Cisco Routers and Switches (IOS, IOS-XE, IOS-XR, NX-OS)

8. Configure MOTD or Banners
-MOTD or Message of the Day is displayed before login; it is advisable to configure it to notify unauthorized users of possible penalties for accessing the device.

Sample config:

banner motd ^

*************************************************************************
        UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this
device. Unauthorized attempts and actions to access or use this system may
result in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.
*************************************************************************

^

Related link:
Configuring Banner or Login Message in Cisco
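As an added example that is not part of the original post, the Python below audits a captured "show running-config" against the items from sections 2 to 8 above: Telnet disabled, an ACL applied on mgmt0, exec-timeout set and within the 10-minute limit, password strength-check on, SNMPv3 privacy enforced with no v2c community, a syslog server, an NTP server and a MOTD banner. The sample config is constructed and the check names are my own.

```python
import re

# Constructed sample: a trimmed NX-OS "show running-config" excerpt, not a real device.
SAMPLE_RUN = """\
feature telnet
feature ssh
interface mgmt0
  ip access-group ACL_MGMT in
line vty
  exec-timeout 30
snmp-server community public group network-operator
snmp-server globalEnforcePriv
logging server 192.168.15.254 5 use-vrf management facility local6
ntp server 192.168.30.30 use-vrf management
"""

CHECKS = [  # (check name, pattern, whether the pattern should be present)
    ("telnet_disabled",   r"^feature telnet$", False),
    ("ssh_enabled",       r"^feature ssh$", True),
    ("mgmt0_acl_applied", r"^\s*ip access-group \S+ in$", True),
    ("password_strength", r"^password strength-check$", True),
    ("snmp_enforce_priv", r"^snmp-server globalEnforcePriv$", True),
    ("no_snmp_community", r"^snmp-server community ", False),
    ("syslog_server",     r"^logging server \S+", True),
    ("ntp_server",        r"^ntp server \S+", True),
    ("banner_motd",       r"^banner motd ", True),
]

def exec_timeouts(config):
    """Map each 'line console'/'line vty' block to its exec-timeout minutes (None if unset)."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            current = line.split()[1]
            result[current] = None
        elif current and line.startswith("exec-timeout "):
            result[current] = int(line.split()[1])
        elif current and raw and not raw[0].isspace():
            current = None  # an unindented line ends the block
    return result

def audit(config, max_idle=10):
    """Return the sorted names of the checks a running-config fails."""
    failed = [n for n, rx, want in CHECKS if bool(re.search(rx, config, re.M)) != want]
    for kind, mins in exec_timeouts(config).items():
        if mins is None or mins == 0 or mins > max_idle:  # 0 means never time out
            failed.append(f"exec_timeout_{kind}")
    return sorted(failed)
```

Run audit() over the output of "show running-config" collected from each switch; an empty list means every item on this page's checklist is in place.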
