PCI requires SSH access to networking devices. I have the following questions regarding that:
1) I have the IOS IP image on my Cisco routers. I found that I need 3DES support in IOS for SSH, which comes with the IP Plus 3DES feature set. So, do I need to purchase a license to use a new feature set just to get SSH support?
2) I have been told that we also need SSH support for our Layer 2 switches. First of all, is that correct? If it is, how can I get SSH support for the following Cisco switch:
cisco29-1.vancouver (enable) sh version
WS-C2948 Software, Version NmpSW: 4.5(9)
Copyright (c) 1995-2000 by Cisco Systems, Inc.
NMP S/W compiled on Sep 28 2000, 15:48:46
GSP S/W compiled on Sep 28 2000, 15:02:24
System Bootstrap Version: 5.4(1)
Hardware Version: 2.3 Model: WS-C2948 Serial #: JAB045106BT
Mod Port Model      Serial #             Versions
--- ---- ---------- -------------------- ---------------------------------
1   0    WS-X2948   JAB045106BT          Hw : 2.3
2   50   WS-C2948G  JAB045106BT          Hw : 2.3

       DRAM                    FLASH                   NVRAM
Module Total   Used    Free    Total   Used    Free    Total Used  Free
------ ------- ------- ------- ------- ------- ------- ----- ----- -----
1      65536K  17479K  48057K  12288K  3801K   8487K   480K  112K  368K
Uptime is 204 days, 20 hours, 33 minutes
In answer to your first question: if you change the feature set of your router, you may need to purchase an additional license; you should consult your Account Manager regarding this. Many router models include SSH in the base IP image. You can do a feature search to find these images if you do not wish to purchase a license, but you may need to move to version 12.4.
As for your switch, yes, you need to use encrypted protocols for management of all network devices. Looking at versions for your switch, I do see that there is SSH support in release trains 6, 7 and 8 of the crypto images, which will run on your version of the bootstrap software. As I remember, the 2948G runs the same code as a Cat4000, but you may want to open a TAC case and have them recommend versions specific to your network environment just to be sure.
Not only do you need SSH, but SSH v2. We are in the process of PCI remediation as well and have run into this issue on more than a few of our devices. I have several 2600s that apparently do not support SSH v2, and I cannot find the right IOS that will support v2.
On this very same topic, how do you ensure that you do not lose access to the router or switch if SSH is the only remote access enabled? For instance, you lose your subnet and can no longer SSH from your desktop subnet to the router/switch. Or if the active Sup becomes standby and the standby one becomes active, does this not change the session encryption key?
Under this circumstance, what is the PCI-compliant way to have a backdoor to the router/switch for operational support?
I am going through the PCI remediation process right now as well and need to address this same topic. But I am very concerned about having backdoor access to the router/switch that is PCI compliant as well.
If your router loses connection to the ACS server for remote role-based authentication (via Active Directory or other directory services), we have configured local administrator authentication as a backup method.
Depending on your network and support model, you might require localized personnel to be present in the event of a WAN failure, but the router would remain capable of authentication and secure.
We also enabled a Cisco feature, "no password recovery", that prohibits the password recovery feature if someone were to get physical access to the router. The config gets wiped back to the default, protecting the retailer's configuration information.
This avoids "back doors" and makes it more secure while preserving a remote and failure method of authentication.
Does this help?
We went through PCI compliance and implemented out of band access through console servers.
The console server uses a combination of TACACS+ and local user accounts for SSH authentication. The Layer 2/Layer 3 devices have console authentication via TACACS turned on and fall back to local user accounts.
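As an added illustration (not posted by anyone in this thread and not a vendor template), here is how the controls described in the two posts above fit together in a single IOS configuration: SSH version 2 as the only remote transport, TACACS+ authentication on both the vty and console lines with local-account fallback when the AAA server is unreachable, and password recovery disabled. The server address, shared key, hostnames and account names are placeholders.

```cisco
! Added example: SSHv2-only management with TACACS+ and local fallback.
! 192.0.2.10, the shared key, hostname and account names are placeholders.
hostname pci-edge-rtr
ip domain-name example.net
! An RSA key pair must exist before the SSH server starts (run once)
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
aaa new-model
! Classic syntax; 15.x releases also accept a "tacacs server NAME" block
tacacs-server host 192.0.2.10 key TACACS_SHARED_KEY_PLACEHOLDER
! TACACS+ is tried first; "local" is consulted only when no server answers,
! which is the ACS/WAN-failure fallback described in the thread.
aaa authentication login MGMT group tacacs+ local
aaa authorization exec MGMT group tacacs+ local if-authenticated
! Local break-glass account, used only while TACACS+ is unreachable
username localadmin privilege 15 secret LOCAL_SECRET_PLACEHOLDER
enable secret ENABLE_SECRET_PLACEHOLDER
service password-encryption
!
line vty 0 4
 transport input ssh
 login authentication MGMT
 authorization exec MGMT
 exec-timeout 15 0
! Console line (reached via the out-of-band console server) uses the same
! TACACS+-then-local method list
line con 0
 login authentication MGMT
 authorization exec MGMT
 exec-timeout 15 0
!
! Erases the startup-config if ROMMON password recovery is attempted
no service password-recovery
```

Have the console path (console server or on-site staff) in place before applying `transport input ssh`, since a mistake in the SSH or AAA lines otherwise leaves no remote way back in.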