secure devices basic steps

May 22nd, 2012

Hello Experts

What is the best practice approach to control access for switches, routers, ASA? I have been reading posts and mostly it says

  1. remove telnet
  2. add ssh
  3. configure ACL
  4. add AAA / local accounts
  5. Management VLAN segment


I want to have flexibility to access devices from home using vpn, office from different floors, different sites


Appreciate some kind feedback


thanks

Samuel

m.sir Tue, 05/22/2012 - 01:03

All your points are correct.

As an addition to this I would suggest implementing out-of-band access to devices. This is usually done by connecting the device to the management network through an interface dedicated only to management. ASA has a mgmt interface; on switches you can use a routed interface; on routers a spare, unused interface. Then limit access to this interface only to a terminal server, which I suggest deploying.

Please consult following link for more details

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap9.html#wp1054536

Sandeep Sharma Tue, 05/22/2012 - 01:13

Hi Samuel

It's right that the ways you have mentioned are right and come under the best practices for enabling access control of the network/security devices.

But the most important is security and what your requirement is. Below is the explanation for each point and why we prefer these as best practice.

Remove Telnet and use SSH: Telnet is not preferred as it is not secure, whereas SSH is more secure. In Telnet your passwords are not encrypted.

Configure ACL / management VLAN segments: to control and limit access to the authorized personnel/admins by only permitting authorized IP addresses/subnets.

Use AAA: AAA means (authentication, authorization and accounting). Authentication: who is allowed. Authorization: what is allowed. Accounting: what is done.

So the best practice is to use the combination of all three (SSH + ACL + AAA). In your case (SSH + AAA) can be used easily; the challenge will come with applying ACL, as you want to access it from different locations and even VPN with no fixed IP address, so you can either use a jump server where you may log in and from there you can access the device.

Thanks & Regards

Sandeep

Tagir Temirgaliyev Tue, 05/22/2012 - 01:34

6. syslog

and write all telnet and ssh connection attempts to syslog

access-list 10 permit any log
line vty 0 4
 access-class 10 in

so all telnet and ssh connection attempts will be logged

and if you do access devices from home using VPN you don't need to remove telnet access

hobbe Tue, 05/22/2012 - 02:04

Hi

If you want to use devices over the Internet I strongly urge you to use another port than 22 for SSH.

There are a lot of bots trying that port and you will get a lot of "static interference" in your logs.

Something that has not been mentioned before is to keep track of your configurations.

You can get a lot of help with that by e.g. using an EEM script: an EEM script that sends the configuration to a TFTP server every time you log out or, if you want, every time you do a command.

Other stuff would be to shut down all the different services that are running and you do not need, i.e. hardening the devices.

There are some whitepapers from Cisco that help you out, but all Cisco devices are not the same and do not do things the same way.

Do a search for "hardening cisco devices" and you will find some Cisco and other papers.

On some modules there is a special port that is used for management only.

One thing that I tend to do is set up what I call a spider net.

That is a separate serial network (USB/RS232) to control the devices "out of band", so even if links are down or swamped/overwhelmed I can still take full control over the devices and shut down offenders.

You can double up links with port channels and FlexLinks if something happens to the cabling system or ports, but that is more helping out day-to-day normal operations.
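An EEM applet of the kind hobbe describes, added here as an example (it is not hobbe's own script and not Cisco reference configuration). It triggers on the syslog message IOS emits when a user leaves configuration mode and copies the running-config to TFTP; the TFTP server address 172.16.17.20 on the management VLAN is an assumed placeholder.

```cisco
! Added example: back up running-config to TFTP after every config change.
! Assumes an EEM-capable IOS and a TFTP server at 172.16.17.20 (placeholder).
!
! Suppress the interactive "remote host" / "filename" prompts that "copy"
! would otherwise raise inside the applet
file prompt quiet
!
event manager applet CONFIG-BACKUP
 ! %SYS-5-CONFIG_I is logged each time someone exits configuration mode,
 ! which covers the "when you log out of config" case from the thread
 event syslog pattern "%SYS-5-CONFIG_I: Configured from"
 action 1.0 cli command "enable"
 ! $_event_pub_sec (event time in epoch seconds) keeps each backup file unique
 action 2.0 cli command "copy running-config tftp://172.16.17.20/router-$_event_pub_sec.cfg"
 ! Leave an audit trail of the backup itself in syslog
 action 3.0 syslog priority informational msg "running-config backed up to TFTP after config change"
```

Because the backup travels over TFTP in clear text, keep the TFTP server on the management VLAN only; the access-class and logging discussed elsewhere in the thread do not protect this transfer.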

samuel_M9 Tue, 05/22/2012 - 03:31

Thanks all for posting

I put a template for SSH, how to restrict SSH access to the management VLAN only.

Can I initiate an SSH session from a router to any switch/router to connect?

management vlan
172.16.17.0/24

--------------------------------------------
hostname router
aaa new-model
username 123 password 123

ip domain-name CISCO.COM

crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2

line vty 0 4
 transport input ssh

line vty 5 15
 transport input ssh
---------------------------------------
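Samuel's template enables SSH but does not yet restrict who can reach the vty lines. The configuration below is an added example (not Samuel's template and not Cisco's reference config) that combines the thread's points: SSH only, an access-class ACL that logs every attempt as in Tagir's post, and local AAA as Sandeep describes, limited to the 172.16.17.0/24 management VLAN from the question. The VPN client pool 10.200.0.0/24, the syslog host 172.16.17.10 and the admin credential are assumed placeholders.

```cisco
! Added example: management access limited to the management VLAN
hostname router
ip domain-name CISCO.COM
!
! Local AAA: who may log in (authentication) and what shell they get (authorization)
aaa new-model
aaa authentication login default local
aaa authorization exec default local
! "secret" stores a hash; replace the placeholder before use
username admin privilege 15 secret CHANGE-ME-PLACEHOLDER
!
! SSH version 2 only, with the retry limits from Samuel's template
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Sources allowed to open a vty session. The implicit deny does not log,
! so an explicit "deny any log" is added to record refused attempts.
access-list 10 remark vty access: management VLAN and VPN client pool
access-list 10 permit 172.16.17.0 0.0.0.255 log
access-list 10 permit 10.200.0.0 0.0.0.255 log
access-list 10 deny   any log
!
! Record successful and failed logins, and ship everything to the syslog host
login on-success log
login on-failure log
logging trap informational
logging host 172.16.17.10
!
! Apply the ACL to all vty lines in one block instead of two ranges
line vty 0 15
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
 logging synchronous
```

Check the result with `show access-lists 10` (hit counters per entry) and `show users` after a test login from inside and outside 172.16.17.0/24; the outside attempt should produce a logged deny rather than a login prompt.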
