This post provides an overview of securing the management plane on Cisco routers/switches.
Secure Passwords
Create local passwords as Type 8 or Type 9 hashes by using the secret keyword, which stores a hashed password, instead of the password keyword, which creates Type 0 passwords. Type 0 passwords are insecure and appear in the running configuration as cleartext.
Examples:
enable algorithm-type sha256 secret <Passphrase>
The command above creates a Type 8 hashed password.
enable secret <Passphrase>
The command above creates a Type 9 hashed password. Local user accounts use the same secret keyword:
username netadmin secret <Passphrase>
Privilege Levels
Unless explicitly configured, a local user authenticated to a device is assigned privilege level 15. Commands can be moved from level 15 to a lower level to assign custom rights to different users, for example a junior engineer who is only allowed to change the VLAN on an interface.
The example below creates a username priv5 with a privilege level of 5. Privilege level 5 is explicitly configured to allow changing the access VLAN.
username priv5 privilege 5 secret <Passphrase>
!
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 switchport access vlan
Any other command not explicitly configured under privilege level 5 will not be accepted.
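To check a running configuration for credentials that are not stored as Type 8 or 9 hashes, here is an added Python audit script (not part of the original post; the sample configuration and hash values are constructed):

```python
import re

# Constructed sample running-config lines with made-up hash values (not from a real device).
SAMPLE_CONFIG = """\
enable secret 9 $9$Ab1cD2eF3gH4iJ$kLmNoPqRsTuVwXyZ0123456789abcdefghijklmnopq
username netadmin secret 8 $8$Ab1cD2eF3gH4iJ$kLmNoPqRsTuVwXyZ0123456789abcdefghijklmnopq
username backup privilege 15 password 0 Cisco123
username legacy secret 5 $1$Ab1c$kLmNoPqRsTuVwXyZ0123456
"""
# 'enable secret ...' or 'username <name> [privilege N] secret|password [type] <value>'
CRED_RE = re.compile(
    r"^(?:enable|username\s+(?P<user>\S+))(?:\s+privilege\s+(?P<priv>\d+))?"
    r"\s+(?P<kw>secret|password)\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$")
HASH_PREFIX = {"$1$": 5, "$8$": 8, "$9$": 9}   # stored type when the numeric marker is absent
STRONG_TYPES = {8, 9}   # Type 8 (PBKDF2-SHA256) and Type 9 (scrypt), as recommended above

def password_type(keyword, marker, value):
    """Return the Cisco password type for one credential line."""
    if marker is not None:
        return int(marker)
    if keyword == "password":   # 'password' without a marker stores Type 0 cleartext
        return 0
    return HASH_PREFIX.get(value[:3], 0)

def audit_credentials(config):
    """Return (account, privilege or None, type) for every credential that is not Type 8/9."""
    findings = []
    for line in config.splitlines():
        m = CRED_RE.match(line.strip())
        if not m:
            continue
        ptype = password_type(m["kw"], m["type"], m["value"])
        if ptype not in STRONG_TYPES:
            priv = int(m["priv"]) if m["priv"] else None
            findings.append((m["user"] or "enable", priv, ptype))
    return findings

if __name__ == "__main__":
    for account, priv, ptype in audit_credentials(SAMPLE_CONFIG):
        print(f"{account}: privilege {priv}, Type {ptype} -> reconfigure with the secret keyword")
```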
AAA
Authentication, Authorisation and Accounting (AAA) via a RADIUS or TACACS+ server is the best way to centrally manage management access to network devices. A TACACS+ server such as Cisco ISE can centrally authenticate users and authorise the individual commands entered by administrators on the network devices. This is the preferred method rather than using local user accounts and privilege levels configured on each switch/router.
Enable AAA New Mode
aaa new-model
Define TACACS Server
tacacs server ISE1
 address ipv4 192.168.10.20
 key Cisco1234
Define AAA Group
aaa group server tacacs+ ISE_TACACS
 server name ISE1
Define TACACS Source Interface
ip tacacs source-interface Loopback 0
Define Authentication Commands
aaa authentication login default group ISE_TACACS local
aaa authentication login CONSOLE none
The default method list is used for the VTY lines (SSH/telnet) and is configured to use the TACACS+ group defined previously, with the local database as fallback. TACACS+ will not be used for console access, so a separate method list called CONSOLE has been defined that does not require authentication (no TACACS+ servers are listed in it).
Define Authorisation Commands
aaa authorization exec default group ISE_TACACS local if-authenticated
aaa authorization exec CONSOLE none
These commands run EXEC authorisation to determine whether the user is allowed to start an EXEC shell.
aaa authorization commands 1 default group ISE_TACACS local if-authenticated
aaa authorization commands 15 default group ISE_TACACS local if-authenticated
aaa authorization config-commands
Authorisation for all commands at the specified privilege levels (1 and 15), including configuration commands, is sent to the ISE_TACACS group.
Define Accounting Commands
aaa accounting exec default start-stop group ISE_TACACS
aaa accounting commands 1 default start-stop group ISE_TACACS
aaa accounting commands 15 default start-stop group ISE_TACACS
Start and stop accounting records for EXEC sessions, and for all commands executed by the user at levels 1 and 15, are sent to the ISE_TACACS group.
Console/VTY Configuration
line con 0
 logging synchronous
 login authentication CONSOLE
!
line vty 0 4
 logging synchronous
As only the console has been configured with the non-default method list (CONSOLE), it must be applied explicitly with login authentication CONSOLE. No method list needs to be specified on the VTY lines because they use the default method list.
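As an added example (not from the original post), the following Python script cross-checks the AAA method lists against the line configuration: it reports lines that reference an undefined list, lists set to none (as the CONSOLE list deliberately is, so it shows up for review) and lists without a local fallback. The sample configuration is constructed from the commands above plus a deliberately undefined list name.

```python
import re

# Constructed sample config: the AAA commands from this post plus a VTY line that
# references a method list that was never defined.
SAMPLE_CONFIG = """\
aaa authentication login default group ISE_TACACS local
aaa authentication login CONSOLE none
aaa authorization exec default group ISE_TACACS local if-authenticated
aaa authorization exec CONSOLE none
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication VTY-OLD
"""
AAA_RE = re.compile(r"^aaa (?P<kind>authentication login|authorization exec) (?P<name>\S+) (?P<methods>.+)$")
LINE_RE = re.compile(r"^line (?P<line>.+)$")
USE_RE = re.compile(r"^\s+(?P<kind>login authentication|authorization exec) (?P<name>\S+)$")

def parse(config):
    """Return ({(kind, name): [methods]}, {line: {kind: list_name}}), kind being 'login' or 'exec'."""
    lists, usage, current = {}, {}, None
    for raw in config.splitlines():
        if m := AAA_RE.match(raw):
            kind = "login" if m["kind"].startswith("authentication") else "exec"
            lists[(kind, m["name"])] = m["methods"].split()
        elif m := LINE_RE.match(raw):
            current = m["line"]
            usage[current] = {"login": "default", "exec": "default"}  # default list unless overridden
        elif (m := USE_RE.match(raw)) and current:
            kind = "login" if m["kind"].startswith("login") else "exec"
            usage[current][kind] = m["name"]
    return lists, usage

def check(config):
    """Return one (line, kind, list_name, problem) tuple per issue found."""
    lists, usage = parse(config)
    problems = []
    for line, used in usage.items():
        for kind, name in used.items():
            methods = lists.get((kind, name))
            if methods is None:
                problems.append((line, kind, name, "method list not defined"))
            elif methods == ["none"]:          # no authentication / authorisation at all
                problems.append((line, kind, name, "method list is 'none'"))
            elif "local" not in methods:       # a TACACS+ outage would lock everyone out
                problems.append((line, kind, name, "no local fallback"))
    return problems
```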
CPU and Memory Thresholding
CPU and memory thresholding is used by network devices (switches/routers) to send SNMP traps when certain CPU and memory thresholds have been reached; this is useful when the device is under a Denial of Service (DoS) attack.
Memory Thresholding
Memory threshold notification provides a notification when available memory drops below a certain level. The memory threshold is configured using the memory free low-watermark command. Once configured, the router/switch issues a notification when available free memory falls below the specified threshold, and again once available free memory rises to 5 percent above the specified threshold.
memory free low-watermark processor 10000
Memory reservation ensures the device is able to continue to send critical notifications, such as event logging, and to continue to function even when device memory is exhausted.
The following example shows how to reserve 2500 KB of memory for critical notifications:
memory reserved critical 2500
CPU Thresholding
The CPU Thresholding Notification feature notifies users when a predefined threshold of CPU usage is crossed by generating an SNMP trap message. There are two types of CPU utilisation thresholds.
- Rising threshold specifies the percentage of CPU resources that if exceeded will trigger a threshold notification.
- Falling threshold specifies the percentage of CPU resources that, if CPU usage falls below it, will trigger a threshold notification.
In this example, the CPU utilization threshold is set to 75 percent for a rising threshold notification and 20 percent for a falling threshold notification, with a 5-second polling interval.
process cpu threshold type total rising 75 interval 5 falling 20 interval 5
Enable SNMP notifications for CPU threshold violations, which can be sent as traps or inform requests.
snmp-server enable traps cpu threshold
Sends CPU traps to the specified address
snmp-server host 192.168.10.15 traps snmp-community cpu
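The memory watermark and CPU threshold behaviour described above, modelled as an added Python simulation (this is not Cisco's code, only a model of the rules in the text). It assumes the 5 percent recovery margin means 1.05 times the watermark, and that a second rising CPU notification is only sent after a falling notification has re-armed it; the sample readings are constructed.

```python
# Added model of the notification rules described above (not Cisco's code).
# Assumptions: "5 percent above" means watermark * 1.05, and a second CPU rising
# notification is sent only after a falling notification has re-armed it.

def memory_notifications(free_kb_samples, low_watermark_kb, rearm_factor=1.05):
    """Return (sample_index, event) pairs for a series of free-memory readings."""
    events, alarmed = [], False
    for i, free_kb in enumerate(free_kb_samples):
        if not alarmed and free_kb < low_watermark_kb:
            events.append((i, "MEMORY_LOW"))          # dropped under the watermark
            alarmed = True
        elif alarmed and free_kb >= low_watermark_kb * rearm_factor:
            events.append((i, "MEMORY_RECOVERED"))    # back above the 5 % margin
            alarmed = False
    return events


def cpu_notifications(util_pct_samples, rising, falling, interval_s=5):
    """Return (time_s, event) pairs; samples are taken every interval_s seconds."""
    events, high = [], False
    for i, util in enumerate(util_pct_samples):
        t = i * interval_s
        if not high and util > rising:
            events.append((t, "CPU_RISING"))
            high = True
        elif high and util < falling:
            events.append((t, "CPU_FALLING"))
            high = False
    return events


# Constructed samples matching the thresholds configured above (10000 KB, 75 % / 20 %, 5 s)
MEMORY_SAMPLES_KB = [12000, 9500, 9000, 10200, 10600, 9900]
CPU_SAMPLES_PCT = [30, 80, 90, 60, 40, 15, 85]

if __name__ == "__main__":
    # Note that 10200 KB is above the watermark yet does not clear the alarm
    print(memory_notifications(MEMORY_SAMPLES_KB, 10000))
    print(cpu_notifications(CPU_SAMPLES_PCT, rising=75, falling=20))
```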
Securing Access
Management of the Cisco switch/router should use only secure protocols such as SSH; insecure protocols such as telnet should be disabled. Create an RSA key pair and enable SSH version 2.
ip domain-name lab.local
crypto key generate rsa modulus 2048 label SSH-KEY
ip ssh version 2
ip ssh rsa keypair-name SSH-KEY
Configure the VTY lines to accept SSH only; this disables telnet.
line vty 0 15
 transport input ssh
SSH can be secured further by restricting access using an ACL applied to the VTY lines, this will deny SSH connections from untrusted networks.
ip access-list standard ACL-MGMT
 permit 192.168.10.0 0.0.0.255
 deny any log
!
line vty 0 15
 access-class ACL-MGMT in
SNMP
Simple Network Management Protocol (SNMP) is used for monitoring network devices. There are three versions of SNMP: 1, 2c and 3. Versions 1 and 2c are considered insecure, as communication between the switch/router and the SNMP server is in plaintext. SNMPv3 is the most secure, authenticating and encrypting the traffic.
There are three levels of SNMPv3 operation:
- authPriv – uses a username with HMAC authentication and provides encryption using AES (or the older, less secure DES or 3DES).
- authNoPriv – uses a username with SHA or MD5 HMAC for authentication, without encryption.
- noAuthNoPriv – uses a username with no HMAC or encryption.
Define an SNMP group with its version and level of operation (auth, noauth or priv), then create a user, make it a member of the previously created group and define its authentication and privacy settings.
snmp-server group <GROUP-NAME> v3 (auth|noauth|priv)
snmp-server user <USERNAME> <GROUP-NAME> v3 auth (md5|sha) <authentication password> [priv {3des|aes 128|aes 192|aes 256|des} <privacy password>]
Notifications
A switch/router can generate unsolicited notifications which are sent to the Network Management System (NMS); these notifications can include information such as interface up/down status, loss of neighbour adjacency, security violations etc. These notifications can either be traps or inform messages. Traps do not require the NMS to acknowledge that the message has been received; inform messages are traps that require confirmation of receipt from the NMS.
The snmp-server enable traps command with no notification type specified enables all notification types globally. Optionally, traps may be enabled individually. The example below enables traps for port-security and CPU threshold only.
snmp-server enable traps port-security
snmp-server enable traps cpu threshold
The SNMP host must be defined, otherwise no notifications are sent via SNMP.
snmp-server host 192.168.10.15 traps version 3 priv <USERNAME>
Access Control List
SNMP access to the switch/router can be further restricted using an Access Control List, which permits SNMP queries from trusted sources.
ip access-list standard ACL-SNMP
 permit 192.168.10.15
 deny any log
The ACL is applied to an SNMP group with the access <ACL-NAME> keyword on the snmp-server group command:
snmp-server group SNMPGROUP v3 priv access ACL-SNMP
SNMP Views
By default, SNMP on the Cisco switch/router allows access to the whole MIB tree. SNMP views can be used to restrict which MIBs an SNMP group can access. Run the command show snmp mib, which displays all the MIBs supported by the hardware; these MIB names can then be used when defining the SNMP view.
snmp-server view VIEW1 system included
snmp-server view VIEW2 ip included
snmp-server view VIEW2 interfaces included
The SNMP views are then applied to the SNMP group; any user who is a member of the group will be able to access only the MIBs defined in the view.
snmp-server group GRP1 v3 noauth read VIEW1
snmp-server group GRP2 v3 noauth read VIEW2
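An added Python audit (not the post's own code) that checks SNMP and VTY commands for the hardening points made on this page: v1/v2c community strings, SNMPv3 groups below the priv level or without an access ACL, and VTY lines that are not SSH-only or lack an inbound access-class. The configuration it reads is constructed.

```python
import re

# Constructed config (not from a real device): this post's hardened commands mixed with weaker leftovers.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server group SNMPGROUP v3 priv access ACL-SNMP
snmp-server group GRP1 v3 noauth read VIEW1
line vty 0 4
 transport input ssh
 access-class ACL-MGMT in
line vty 5 15
 transport input telnet ssh
"""
COMMUNITY_RE = re.compile(r"^snmp-server community (?P<name>\S+)")
GROUP_RE = re.compile(r"^snmp-server group (?P<name>\S+) v3 (?P<level>auth|noauth|priv)(?P<rest>.*)$")
VTY_RE = re.compile(r"^line (?P<name>vty .+)$")

def vty_findings(block):
    """One 'line vty' block should be SSH-only and carry an inbound access-class."""
    out = []
    if block["transport"] != ["ssh"]:
        out.append(f"{block['name']}: transport input {block['transport']}, expected ssh only")
    if not block["acl"]:
        out.append(f"{block['name']}: no access-class applied")
    return out

def audit_management_access(config):
    findings, blocks, vty = [], [], None
    for line in config.splitlines():
        if not line.startswith(" "):
            vty = None                                  # any global command ends a line block
        if vty is not None:                             # sub-command inside a 'line vty' block
            words = line.split()
            if words[:2] == ["transport", "input"]:
                vty["transport"] = words[2:]
            elif words[:1] == ["access-class"] and words[-1] == "in":
                vty["acl"] = True
        elif m := COMMUNITY_RE.match(line):
            findings.append(f"community '{m['name']}': SNMPv1/v2c, sent in cleartext")
        elif m := GROUP_RE.match(line):
            if m["level"] != "priv":
                findings.append(f"group {m['name']}: security level {m['level']}, expected priv")
            if not re.search(r"\baccess \S+", m["rest"]):
                findings.append(f"group {m['name']}: no access ACL restricting sources")
        elif m := VTY_RE.match(line):
            vty = {"name": m["name"], "transport": None, "acl": False}
            blocks.append(vty)
    for block in blocks:
        findings.extend(vty_findings(block))
    return findings
```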