This document helps the user secure, or harden, a Cisco UCS system. It covers how to restrict access, keep track of events, and secure communications for the UCS system. Note that this document should not be taken as the single definitive reference for securing UCS systems, although the topics covered here help in most scenarios.
Familiarity with Cisco UCS Manager and VMware ESX/ESXi is assumed.
Securing Device Management
Authentication is the process of establishing whether a client is who or what it claims to be in a particular context. A client can be an end user, a machine, or an application. Authentication mechanisms differ depending on the components that are communicating.
The Cisco UCS provides two methods of user authentication:
Local accounts on Cisco UCS Manager
Remote authentication using LDAP, RADIUS or TACACS+
The Unified Infrastructure Manager supports the LDAP protocol, as well as RADIUS, External TACACS+ server, and Native Registry.
Role management helps to manage authorization, which enables you to specify the resources that users are allowed to access. Role management lets you treat groups of users as a unit by assigning users to roles such as manager, sales, member, and so on.
After you have established roles, you can create access rules. By using roles, you can establish these types of rules independent from individual users. Users can belong to more than one role.
Cisco UCS user roles include:
AAA Administrator – Read/write access to users, roles, and AAA configuration. Read access to the rest of the system.
Administrator – Complete read/write access to the entire system. The default admin account is assigned this role by default and cannot be changed.
Network Administrator – Read/write access to fabric interconnect infrastructure and network security operations. Read access to the rest of the system.
Operations – Read/write access to system logs, including the syslog servers, and faults. Read access to the rest of the system.
Read-only – Read-only access to system configuration with no privileges to modify the system state.
Server Equipment Administrator – Read/write access to physical server-related operations. Read access to the rest of the system.
Server Profile Administrator – Read/write access to logical server-related operations. Read access to the rest of the system.
Server Security Administrator – Read/write access to server security-related operations. Read access to the rest of the system.
Storage Administrator – Read/write access to storage operations. Read access to the rest of the system.
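The authorization model behind the role list above can be made concrete with a small check function. The following is an added example, not code from the page or from Cisco UCS Manager: the scope names, the UserDb class and the role keys are constructed for illustration. It encodes the two rules the text states, that every role reads the whole system while write access is limited to the role's own area, and that effective access for a user with several roles is the union of those roles, plus the constraint that the default admin account's role cannot be changed.

```python
from dataclasses import dataclass, field

# Privilege scopes, one per area named in the role descriptions above.
# Constructed model for illustration; not the UCS Manager data model.
SCOPES = frozenset({"aaa", "fabric", "ops", "equipment", "profile",
                    "server_security", "storage"})

# Role -> scopes the role may write. Every role also has read access to the
# whole system; Administrator has read/write access everywhere.
ROLE_WRITE = {
    "aaa": {"aaa"},
    "admin": set(SCOPES),
    "network": {"fabric"},
    "operations": {"ops"},
    "read-only": set(),
    "server-equipment": {"equipment"},
    "server-profile": {"profile"},
    "server-security": {"server_security"},
    "storage": {"storage"},
}


@dataclass
class UserDb:
    # The default admin account always holds the admin role.
    roles: dict = field(default_factory=lambda: {"admin": {"admin"}})

    def assign(self, user, role):
        if role not in ROLE_WRITE:
            raise ValueError(f"unknown role {role!r}")
        if user == "admin":
            raise PermissionError("the default admin account's role cannot be changed")
        self.roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        if user == "admin":
            raise PermissionError("the default admin account's role cannot be changed")
        self.roles.get(user, set()).discard(role)

    def effective_write(self, user):
        """Users may hold several roles; effective write access is the union."""
        return set().union(*(ROLE_WRITE[r] for r in self.roles.get(user, ())))

    def can(self, user, action, scope):
        if scope not in SCOPES:
            raise ValueError(f"unknown scope {scope!r}")
        if user not in self.roles:
            return False                 # unknown account: no access at all
        if action == "read":
            return True                  # every role reads the whole system
        if action == "write":
            return scope in self.effective_write(user)
        raise ValueError(f"unknown action {action!r}")

    def writers(self, scope):
        """Audit helper: which accounts can modify a scope, e.g. 'aaa'."""
        return sorted(u for u in self.roles if self.can(u, "write", scope))
```

The `writers` helper is the kind of check worth running periodically: anyone who can write the `aaa` scope can create further accounts, so that list should stay short.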
Cisco UCS supports maintaining syslog at a local destination or on a remote server. Up to three external log destinations are supported.
For local destinations, syslog can be configured for:
1) Console – If enabled, there are three possible syslog message levels:
2) Monitor – If enabled, there are eight possible syslog message levels:
Alerts – Immediate action needed
Critical – Critical conditions
Debugging – Debugging messages
Emergencies – System unusable
Errors – Error conditions
Informational – Informational messages
Notifications – Normal but significant condition
Warnings – Warning conditions
3) File – If enabled, there are eight possible syslog message levels. The "Monitor" and "File" destinations support the same message levels.
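The eight levels above are the standard syslog severities, carried in the <PRI> header of each message as facility*8 + severity. The following added example (not code from the page or from Cisco) parses that header and applies a destination's minimum level the way a remote syslog receiver would; the sample lines are constructed, and the message text in them is made up.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Syslog severities numbered as in RFC 3164 (0 = most severe); the names are the
# eight levels listed above.
SEVERITY = {0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
            4: "Warnings", 5: "Notifications", 6: "Informational", 7: "Debugging"}
LEVEL_BY_NAME = {name.lower(): num for num, name in SEVERITY.items()}

_PRI = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)


@dataclass(frozen=True)
class SyslogEvent:
    facility: int
    severity: int
    message: str


def parse_syslog(line):
    """Split the <PRI> header into facility and severity (PRI = facility*8 + severity)."""
    m = _PRI.match(line)
    if not m:
        raise ValueError(f"no <PRI> header: {line[:40]!r}")
    pri = int(m.group("pri"))
    if pri > 191:                      # 23 facilities * 8 + 7 is the maximum value
        raise ValueError(f"PRI {pri} out of range")
    return SyslogEvent(pri // 8, pri % 8, m.group("rest").strip())


def severity_name(event):
    return SEVERITY[event.severity]


def select_for_destination(lines, threshold):
    """Keep events at or above a destination's configured level: 'warnings'
    keeps Warnings, Errors, Critical, Alerts and Emergencies and drops the rest."""
    limit = LEVEL_BY_NAME[threshold.lower()]
    return [ev for ev in map(parse_syslog, lines) if ev.severity <= limit]


def count_by_severity(lines):
    """Per-severity counts; a sudden flood of low-severity events is an early
    sign that a local log file or the SEL is about to fill up."""
    return Counter(severity_name(ev) for ev in map(parse_syslog, lines))


# Constructed sample lines (facility local7 = 23, so PRI = 184 + severity).
SAMPLE_LINES = [
    "<184>Jan 12 10:02:03 ucs-fi-a fabric interconnect A rebooting: system unusable",
    "<187>Jan 12 10:02:05 ucs-fi-a port Eth1/1 link down",
    "<188>Jan 12 10:02:06 ucs-fi-a chassis 1 fan speed below threshold",
    "<190>Jan 12 10:02:07 ucs-fi-a user bob logged in over SSH",
    "<191>Jan 12 10:02:08 ucs-fi-a mgmt heartbeat ok",
]

if __name__ == "__main__":
    for ev in select_for_destination(SAMPLE_LINES, "warnings"):
        print(severity_name(ev), ev.message)
```

Note the direction of the comparison: a lower number is more severe, so "at or above Warnings" means severity <= 4.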
For remote destinations, syslog levels include:
Cisco UCS requires an instance-specific time zone setting and an NTP server to ensure the correct time display in Cisco UCS Manager. If you do not configure both of these settings in a Cisco UCS instance, the time does not display correctly which could affect any type of forensics.
Limiting the size and number of local log files
Limiting the size and number of local log files can help mitigate denial of service (DoS) attacks. Such attacks are characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. In Cisco UCS, the system event log (SEL) resides on the BMC in non-volatile random access memory (NVRAM). It records most server-related events, such as over- and under-voltage, temperature events, fan events, and events from the BIOS. The SEL is mainly used for troubleshooting purposes. The SEL file is approximately 40 KB in size, and no further events can be recorded when it is full. It must be cleared before additional events can be recorded.
The SEL policy can be used to back up the SEL to a remote server, and optionally clear the SEL after a backup operation occurs. Backup operations can be triggered based on specific actions, or they can occur at regular intervals. The SEL can be manually backed up or cleared. The backup file is automatically generated. The filename format is sel-SystemName-ChassisID-ServerID-ServerSerialNumber-Timestamp.
The syslog file size can be set or modified for the Cisco UCS. The syslog file size range is 4096 to 4194304 bytes.
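Because the SEL stops recording once full, a defender wants to know which servers have a recent backup. The following added example (not code from the page or from Cisco) parses backup filenames in the sel-SystemName-ChassisID-ServerID-ServerSerialNumber-Timestamp format given above, reports servers with no backup at all, and validates a syslog file size against the stated range. It assumes the timestamp field is a zero-padded number so that string order equals time order; the filenames, serial numbers and inventory are constructed.

```python
from dataclasses import dataclass

# Allowed syslog file size in bytes, as stated above.
SYSLOG_FILE_MIN = 4096
SYSLOG_FILE_MAX = 4194304


def validate_syslog_file_size(size_bytes):
    """Reject sizes outside the supported range before pushing the setting."""
    if not isinstance(size_bytes, int) or isinstance(size_bytes, bool):
        raise TypeError("size must be an int")
    if not SYSLOG_FILE_MIN <= size_bytes <= SYSLOG_FILE_MAX:
        raise ValueError(f"{size_bytes} outside {SYSLOG_FILE_MIN}..{SYSLOG_FILE_MAX}")
    return size_bytes


@dataclass(frozen=True)
class SelBackup:
    system: str
    chassis_id: int
    server_id: int
    serial: str
    timestamp: str


def parse_sel_backup_name(name):
    """Parse sel-SystemName-ChassisID-ServerID-ServerSerialNumber-Timestamp.
    Parsing from the right lets the system name itself contain hyphens."""
    base = name.rsplit("/", 1)[-1]
    parts = base.split("-")
    if len(parts) < 6 or parts[0] != "sel":
        raise ValueError(f"not a SEL backup name: {name!r}")
    *system_parts, chassis, server, serial, ts = parts[1:]
    if not (chassis.isdigit() and server.isdigit()):
        raise ValueError(f"chassis/server id not numeric in {name!r}")
    return SelBackup("-".join(system_parts), int(chassis), int(server), serial, ts)


def latest_backups(names):
    """Map (chassis, server) to its newest backup. Assumes zero-padded numeric
    timestamps (constructed format), so string comparison orders them by time."""
    latest = {}
    for b in map(parse_sel_backup_name, names):
        key = (b.chassis_id, b.server_id)
        if key not in latest or b.timestamp > latest[key].timestamp:
            latest[key] = b
    return latest


def servers_without_backup(inventory, names):
    """Servers in the inventory (set of (chassis, server)) that have no backup."""
    return sorted(set(inventory) - set(latest_backups(names)))


# Constructed sample: a backup directory listing and the expected server inventory.
SAMPLE_FILES = [
    "sel-lab-ucs-1-3-SERIAL0003-20240105120000",
    "sel-lab-ucs-1-3-SERIAL0003-20240107120000",
    "sel-lab-ucs-2-1-SERIAL0201-20240107120000",
]
SAMPLE_INVENTORY = {(1, 1), (1, 3), (2, 1)}
```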
In Cisco UCS, the UCS Call Home feature provides an e-mail-based notification for critical system policies. A range of message formats are available for compatibility with pager services or XML-based automated parsing applications. You can use this feature to page a network support engineer, e-mail a Network Operations Center, or use Cisco Smart Call Home services to generate a case with the Technical Assistance Center (TAC).
Cisco UCS delivers Call Home messages in the following formats:
Short text format that provides a one- or two-line description of the fault that is suitable for pagers or printed reports.
Full text format that provides a fully formatted message with detailed information that is suitable for human reading.
XML machine readable format that uses Extensible Markup Language (XML) and Adaptive Messaging Language (AML) XML schema definition (XSD). The AML XSD is published on the Cisco.com website at http://www.cisco.com/. The XML format enables communication with the Cisco Systems Technical Assistance Center.
Deleting data on the Disks and BIOS
When a server is disassociated from a service profile, it is recommended to scrub the disk to destroy any data on the drive. The scrub policy is configured on the Servers tab.
Front panel security options within the BIOS setup
To prevent the front panel power and reset buttons from being used, enable the Front Panel Lockout feature. This will disable the ability to power cycle the server from the front panel. To disable the Serial Port A from being accessed, disable the serial port functionality. For the USB Front Panel Access Lock, you can disable the ability for the Cisco UCS server to boot from a USB device by setting the Make Device Non Bootable option.
Securing Network Communications
The following section illustrates how disabling optional services, and the strategies for granting or denying access, are important to your overall security strategy and to your planned responses to threats.
Services or ports that are not used should be disabled on the Cisco UCS. The Cisco UCS uses a variety of TCP and UDP ports for management purposes. The following list of services can be enabled or disabled:
• CIM XML – Disabled by default and is read-only
• HTTP – Enabled by default (should be disabled by an administrator)
• Telnet – Disabled by default
• SNMPv2c – Disabled by default
Note: The Cisco UCS also has SSH, HTTPS (secure protocols), KVM management, and SMASH CLP services running. SMASH CLP with Cisco UCS uses SSH, and KVM management is encrypted using RC4. They are not to be disabled.
Separating management traffic and application traffic
Services running on the management interface provide an opportunity for attackers to gain privileged access to the systems.
The Cisco UCS is designed to have the UCS management components and management traffic separated from the production application traffic located on the UCS blades. Cisco UCS Fabric Interconnects have dedicated management ports with an associated management VRF (Virtual Routing and Forwarding) instance. The traffic associated with the management ports is not mixed with the production application data traffic.
Access to the Cisco UCS system should be secured through encrypted transport protocols. The Cisco UCS supports the following secure methods of access:
• SSH (TCP port 22) – Encrypted and enabled by default (it cannot be disabled)
• HTTPS (TCP port 443) – Encrypted (OpenSSL-based). HTTP is enabled by default and should be disabled.
• KVM Management (TCP port 2068) – Encrypted (RC4)
• SMASH CLP – Enabled by default and set for read-only. SMASH CLP supports a limited number of functions such as the “show” command. It cannot be disabled.
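The two service lists above amount to a baseline: SSH, HTTPS, KVM and SMASH CLP stay on, and HTTP, Telnet, SNMPv2c and CIM XML should be off. The following added example (not code from the page or from Cisco) compares observed service states and an authorised port inventory of the management interface against that baseline. The BASELINE and PORTS dictionaries are constructed for the example; the port numbers 22, 443 and 2068 come from the text, while 80 and 23 are assumed to be the standard HTTP and Telnet ports.

```python
from dataclasses import dataclass
from typing import Optional

# Hardened target state for the management services listed above:
# True = must stay enabled, False = should be disabled. Constructed baseline.
BASELINE = {
    "ssh": True, "https": True, "kvm": True, "smash-clp": True,
    "http": False, "telnet": False, "snmpv2c": False, "cim-xml": False,
}

# TCP ports: 22, 443 and 2068 are named above; 80 and 23 are the standard
# HTTP and Telnet ports (assumption: no non-default ports are configured).
PORTS = {"ssh": 22, "https": 443, "kvm": 2068, "http": 80, "telnet": 23}


@dataclass(frozen=True)
class Finding:
    service: str
    observed: Optional[bool]   # None when the state could not be read
    expected: bool
    severity: str


def audit_services(observed):
    """Compare observed admin states (service -> bool) with the baseline.
    Any mismatch is 'high' (a cleartext service left enabled, or a required
    encrypted service reported off); a service we could not read is 'info'."""
    findings = []
    for svc, expected in BASELINE.items():
        if svc not in observed:
            findings.append(Finding(svc, None, expected, "info"))
        elif observed[svc] != expected:
            findings.append(Finding(svc, observed[svc], expected, "high"))
    return findings


def audit_ports(listening):
    """Cross-check a port inventory of the management interface: ports of
    services that should be off must be closed, and the encrypted services'
    ports must be open. 'listening' is the set of TCP ports found open."""
    should_be_open = {PORTS[s] for s, on in BASELINE.items() if on and s in PORTS}
    should_be_closed = {PORTS[s] for s, on in BASELINE.items() if not on and s in PORTS}
    listening = set(listening)
    return {
        "unexpected_open": sorted(listening & should_be_closed),
        "missing": sorted(should_be_open - listening),
    }


# Constructed observation: an instance where HTTP was never turned off.
SAMPLE_STATES = {"ssh": True, "https": True, "kvm": True, "smash-clp": True,
                 "http": True, "telnet": False, "snmpv2c": False, "cim-xml": False}
SAMPLE_PORTS = {22, 443, 2068, 80}
```

Running both checks together matters: the service table tells you what the configuration says, the port check tells you what the network actually sees, and the two should agree.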
Virtual machine network security
Protecting against MAC address spoofing
Spoofing is a means to hide one's true identity on the network. To create a spoofed identity, an attacker uses a fake source address that does not represent the actual address of the packet. Spoofing may be used to hide the original source of an attack, or to work around network access control lists (ACLs) that are in place to limit host access based on source address rules.
Although carefully crafted spoofed packets may never be tracked to the original sender, a combination of filtering rules prevents spoofed packets from originating from your network, allowing you to block obviously spoofed packets.
Countermeasures to prevent spoofing include:
• Filter incoming packets that appear to come from an internal IP address at your perimeter
• Filter outgoing packets that appear to originate from an invalid local IP address
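The two filtering rules above are simple enough to express exactly. The following added example (not code from the page or from Cisco) implements them as a stateless source-address check: inbound packets may never carry one of your own addresses, and outbound packets must. The SpoofFilter class, the prefixes and the packet list are constructed; it goes slightly beyond the text in that the same code handles IPv6 prefixes, since Python's ipaddress module treats both families alike.

```python
import ipaddress


class SpoofFilter:
    """Stateless source-address checks for a perimeter device (constructed example)."""

    def __init__(self, internal_prefixes):
        # Address space that belongs to your own network; IPv4 and IPv6 both work.
        self.internal = [ipaddress.ip_network(p, strict=False) for p in internal_prefixes]

    def is_internal(self, addr):
        return any(addr in net for net in self.internal)

    def decide(self, direction, src_ip):
        """direction 'in' = arriving from outside, 'out' = leaving the network.
        Returns (verdict, reason)."""
        addr = ipaddress.ip_address(src_ip)
        if direction == "in":
            # Rule 1: an inbound packet can never legitimately carry an internal source.
            if self.is_internal(addr):
                return "drop", "inbound packet claims an internal source"
            if addr.is_loopback or addr.is_unspecified:
                return "drop", "inbound packet carries an invalid source"
            return "accept", ""
        if direction == "out":
            # Rule 2: an outbound packet must carry one of our own addresses.
            if not self.is_internal(addr):
                return "drop", "outbound source not in local address space"
            return "accept", ""
        raise ValueError(f"unknown direction {direction!r}")

    def apply(self, packets):
        """packets: iterable of (direction, src_ip, dst_ip). Returns the dropped
        ones with the reason, which is what you would forward to syslog."""
        dropped = []
        for direction, src, dst in packets:
            verdict, reason = self.decide(direction, src)
            if verdict == "drop":
                dropped.append((direction, src, dst, reason))
        return dropped


# Constructed traffic sample: documentation prefixes only.
SAMPLE_PACKETS = [
    ("in", "203.0.113.5", "10.0.0.10"),      # normal inbound
    ("in", "10.0.0.25", "10.0.0.10"),        # claims to be internal: spoofed
    ("out", "10.0.0.10", "198.51.100.7"),    # normal outbound
    ("out", "192.0.2.66", "198.51.100.7"),   # not our address: would aid spoofing elsewhere
    ("in", "2001:db8::1", "2001:db8:1::10"), # external IPv6 source, allowed
]

if __name__ == "__main__":
    for entry in SpoofFilter(["10.0.0.0/8", "2001:db8:1::/48"]).apply(SAMPLE_PACKETS):
        print(*entry)
```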
To efficiently switch packets between ports, the fabric interconnect maintains a MAC address table. It builds the table dynamically from the source MAC address of each received packet and the port on which that packet was learned. An aging mechanism, governed by a configurable aging timer, determines how long an entry stays in the table: if an address remains inactive for the configured number of seconds, it is removed from the MAC address table. To set the timer in Cisco UCS Manager, on the Equipment tab click the Equipment node; in the Work pane click the Policies tab, then the Global Policies subtab, and fill in the "Aging Time" field in the MAC Address Table Aging area.
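The learning-and-aging behaviour just described is easy to model, and the model shows why it matters for spoofing: a forged source MAC does not create a second entry, it moves the existing one to the attacker's port. The following added example (not code from the page or from Cisco's implementation) keeps a MAC table with an aging timer and records every such move so it can be alerted on. The MacTable class, the aging value and the sample addresses are constructed; time is passed in explicitly so the behaviour is deterministic.

```python
import re
from dataclasses import dataclass

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 12 hex digits."""
    flat = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not _MAC_RE.match(flat):
        raise ValueError(f"bad MAC address {mac!r}")
    return flat


@dataclass
class Entry:
    port: str
    last_seen: float      # seconds, from the caller's clock


class MacTable:
    """Dynamically learned MAC table with an aging timer (constructed model).
    Entries refresh only on source learning (a received frame), never on lookup."""

    def __init__(self, aging_time):
        self.aging_time = aging_time   # seconds, like the "Aging Time" field above
        self.table = {}
        self.moves = []                # (mac, old_port, new_port, when)

    def expire(self, now):
        """Drop entries inactive for at least aging_time seconds; return them."""
        stale = [m for m, e in self.table.items() if now - e.last_seen >= self.aging_time]
        for m in stale:
            del self.table[m]
        return stale

    def learn(self, src_mac, port, now):
        """Called for each received frame: record its source MAC on the ingress port."""
        self.expire(now)
        mac = normalize_mac(src_mac)
        old = self.table.get(mac)
        if old is not None and old.port != port:
            # The same source address just appeared on another port: either a real
            # VM move or a spoofed source. Either way the operator should see it.
            self.moves.append((mac, old.port, port, now))
        self.table[mac] = Entry(port, now)

    def lookup(self, dst_mac, now):
        """Return the egress port, or None when the frame must be flooded."""
        self.expire(now)
        e = self.table.get(normalize_mac(dst_mac))
        return e.port if e else None
```

A long aging time keeps the table stable but also keeps a stale or spoofed entry alive longer; the `moves` list is the signal to watch regardless of the timer value.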
Cisco Nexus 1000V
The Cisco Nexus 1000V switches are virtual machine access switches that are an intelligent software switch implementation for vSphere environments running the Cisco NX-OS Software operating system. Together with the ESX hypervisor, the Cisco Nexus 1000V supports Cisco VN-Link server virtualization technology, which provides the following:
Policy-based virtual machine connectivity for ESX-hosted virtual machines
Mobile virtual machine security and network policy components to include DHCP snooping, Dynamic ARP Inspection, IP Source Guard, port security, and access control.
Non-disruptive operation model for server virtualisation and networking teams by leveraging VMware HA, VMware Distributed Resource Scheduler (DRS), and redundant Nexus 1000V Virtual Supervisor Modules (VSM).
For Cisco Nexus 1000V and virtual machine network security, Cisco provides a suite of features, originally developed for branch and campus desktop deployments, known as Cisco Catalyst Integrated Security Features (CISF). This suite is no longer limited to Cisco Catalyst products (Cisco Nexus switches support it), and the features are critical to the security of the View Agent virtual machine and of the network itself. The common components that provide protection include the following:
DHCP Snooping: Acts like a firewall between untrusted hosts, for example, VDI virtual machines, and trusted DHCP servers. It helps prevent a virtual machine user from attempting to configure the virtual machine to act as a DHCP server (prevents a virtual machine from sending a DHCP OFFER).
Dynamic ARP Inspection (DAI): Validates ARP request and responses. DAI verifies that a packet has a valid IP-to-MAC address binding before updating the ARP cache or forwarding the packet. DAI uses the DHCP snooping database to check validity. DAI helps prevent an ARP poisoning-based man-in-the-middle (MITM) attack.
IP Source Guard (IPSG): Filters traffic on interfaces and permits traffic only where the IP and MAC address matches that in the DHCP snooping database or static IP source entries that are configured. IPSG helps prevent a host from spoofing and using the IP address of another host located on another port.
Port Security: Used to restrict input to a Cisco Nexus 1000V interface by limiting and identifying MAC addresses of the virtual machines that are allowed to access the port. Port Security helps prevent MAC address spoofing by rogue virtual machines.
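The four features above are designed to work as one chain: DHCP snooping builds the binding database, DAI and IP Source Guard consult it, and port security caps how many source MACs an interface may present. The following added example (not code from the page, from Cisco or from NX-OS) models that chain on a toy switch so the interplay is visible. The CisfSwitch and Port classes, the port names, MAC addresses and IP addresses are constructed; every denied frame is appended to a log list, which is where a real switch would raise a syslog message.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    trusted: bool = False     # DHCP-snooping trust: only uplinks to real DHCP servers
    max_macs: int = 1         # port-security limit for this interface
    macs: set = field(default_factory=set)


class CisfSwitch:
    """Toy model of DHCP snooping, DAI, IP Source Guard and port security."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.bindings = {}   # client MAC -> (IP, port); from snooping or static entries
        self.pending = {}    # client MAC -> port of its outstanding DHCP request
        self.log = []

    def _deny(self, reason):
        self.log.append(reason)
        return False

    def add_static_binding(self, mac, ip, port):
        """Static IP source entry for hosts that do not use DHCP."""
        self.bindings[mac] = (ip, port)

    def port_security(self, port, mac):
        """Admit a source MAC on a port only while the port's limit is not exceeded."""
        p = self.ports[port]
        if mac in p.macs:
            return True
        if len(p.macs) >= p.max_macs:
            return self._deny(f"port-security: {port} rejects extra MAC {mac}")
        p.macs.add(mac)
        return True

    def dhcp(self, port, msg, client_mac, ip=None):
        """DHCP snooping: client messages may arrive on any port; server messages
        (OFFER/ACK) are accepted only from trusted ports. An ACK creates a binding."""
        p = self.ports[port]
        if msg in ("DISCOVER", "REQUEST"):
            if not self.port_security(port, client_mac):
                return False
            self.pending[client_mac] = port
            return True
        if msg in ("OFFER", "ACK"):
            if not p.trusted:
                return self._deny(f"dhcp-snooping: {msg} from untrusted {port} dropped")
            if msg == "ACK":
                client_port = self.pending.pop(client_mac, None)
                if client_port is None:
                    return self._deny(f"dhcp-snooping: ACK for {client_mac} without a request")
                self.bindings[client_mac] = (ip, client_port)
            return True
        raise ValueError(f"unknown DHCP message {msg!r}")

    def _binding_ok(self, port, mac, ip):
        return self.bindings.get(mac) == (ip, port)

    def arp(self, port, sender_mac, sender_ip):
        """Dynamic ARP Inspection: on untrusted ports the sender pair must match a binding."""
        if not self.port_security(port, sender_mac):
            return False
        if self.ports[port].trusted or self._binding_ok(port, sender_mac, sender_ip):
            return True
        return self._deny(f"dai: {port} ARP {sender_ip}/{sender_mac} has no valid binding")

    def ip_packet(self, port, src_mac, src_ip):
        """IP Source Guard: the same binding check applied to ordinary IP traffic."""
        if not self.port_security(port, src_mac):
            return False
        if self.ports[port].trusted or self._binding_ok(port, src_mac, src_ip):
            return True
        return self._deny(f"ipsg: {port} dropped {src_ip}/{src_mac}")
```

The ordering inside each method is deliberate: port security runs first because it needs no state beyond the port itself, and the binding check only makes sense for a MAC the port was allowed to present.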
Tenant isolation mechanisms
In multi-tenant deployments, security isolation mechanisms are very important in preventing one tenant from compromising the confidentiality, integrity, or availability of another tenant’s virtual machines or data.
Threat: A tenant’s virtual machine accesses another tenant’s resources over the network.
Mitigation: Tenant isolation using VLANs, ACLs, or VMware vShield zones.
Threat: A tenant’s virtual machine consumes all of a shared resource (computation, storage, or network), causing DoS to other tenants.
Mitigation: VMware resource shares, reservations, and limits, which are built-in capabilities of the vSphere hypervisor.
Threat: A tenant’s administrator is able to access another tenant’s configuration.
Mitigation: Administration isolation using Unified Infrastructure Manager capabilities.
Threat: A tenant’s storage system is exposed to another tenant’s host system.
Mitigation: Multiple checks and balances at VSAN, zoning, and masking operations.
The same methods used to provide network isolation for a physical infrastructure are also available in a virtual infrastructure. In the Vblock, the Cisco Nexus 1000V can be used to provide virtual access switching in a vSphere server environment through VLANs, quality of service, and anti-spoofing features.
vShield zones can be used to provide firewall capabilities to protect virtual machines from outside traffic, limit inter-tenant traffic, and even to enforce sub-tenant segregation. These capabilities can be used in conjunction with each other to maintain tenant-level network segregation in the virtual infrastructure.
• vSphere provides a virtual firewall solution that enables virtual network separation between virtual machines, or groups of virtual machines.
• vShield zones and the Cisco Nexus 1000V Virtual Service Domains (VSD) allow for the logical grouping of virtual machines into a zone, and the application of firewall policies to network traffic that is sourced or destined to the zone.
• vSphere vSwitch and the Cisco Nexus 1000V switch provide separation between virtual machines belonging to different tenants by creating VLANs for each tenant. You can logically group virtual machines into zones based on these VLANs, a segmentation that is maintained regardless of where the virtual machine physically runs. vSphere includes a virtual firewall solution that enables tightly controlled network traffic flow in and out of each zone, ensuring that only authorised communication occurs between them.