
Securing Management Access for Security Appliance

This section discusses the various system management security features available for security appliances such as the Cisco PIX 500 series, ASA 5500 Series Adaptive Security Appliances, and IPS 4200 series appliance sensors.

PIX 500 and ASA 5500 Security Appliance—Device Access Security

This section describes how to secure the Cisco PIX 500 and ASA 5500 Series Adaptive Security Appliances for system management through Telnet, SSH, and HTTPS, and authentication mechanism using AAA.

Telnet Access

Cisco PIX 500 and ASA 5500 Series Adaptive Security Appliances allow Telnet connections for management purposes. For security reasons, users cannot telnet to the lowest-security interface unless the Telnet session is encapsulated in an IPsec tunnel. The security appliance allows a maximum of five concurrent Telnet connections per context, if available, with a maximum of 100 connections divided among all contexts. To permit Telnet access to the security appliance, configure the IP addresses of the hosts from which the appliance accepts connections, as shown in Example 3-9. The telnet command in global configuration mode defines the source IP address/network and the interface from which those hosts are allowed to telnet.

Example 3-9. Configuring Telnet Access for PIX

Pix(config)# telnet <source_IP_address> <mask> <source_interface>

SSH Access

Telnet is the most widely used protocol for device management, but it is highly insecure because everything in a Telnet session, including credentials, travels in clear text. A more reliable approach is to use the SSH protocol. The security appliance supports SSH connections for management purposes, provides the SSH remote shell functionality of SSH Versions 1 and 2, and supports the DES and 3DES ciphers. To configure SSH, first configure a domain name and generate the RSA key pair that SSH requires, and then identify the IP addresses/networks from which the appliance accepts connections by using the ssh command in global configuration mode.

The most secure and highly recommended device management access control combination is obtained by using SSH with AAA authentication with either TACACS+ or RADIUS. (AAA authentication is discussed in Chapter 8, "Securing Management Access.")

HTTPS Access for ASDM

Cisco Adaptive Security Device Manager (ASDM) is a security management and monitoring application for Cisco PIX 500 and ASA 5500 Series Adaptive Security Appliances that is used through an intuitive, easy-to-use, web-based management interface. ASDM will be discussed more in Chapter 24, "Security and Policy Management."

To use ASDM, the HTTPS server must be enabled to allow SSL connections to the security appliance. A step-by-step setup wizard, started with the setup command, is available to configure these tasks; an alternative is to configure each step manually. Example 3-10 shows how to enable the HTTPS server and allow hosts on the 10.1.1.0/24 network on the inside interface to access ASDM.

Example 3-10. Configuring HTTPS Access for ASDM

Pix(config)# crypto key generate rsa modulus 1024
Pix(config)# write mem
Pix(config)# http server enable
Pix(config)# http 10.1.1.0 255.255.255.0 inside

The appliance allows a maximum of five concurrent ASDM instances per context, if available, with a maximum of 32 ASDM instances among all contexts.
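The Telnet, SSH, and HTTPS sections above all come down to three questions about a running configuration: which management protocols are permitted, from which source networks, and whether SSH is backed by AAA. The following audit script is an added example, not code from the book or from Cisco; the running-config fragments are constructed, and MGMT-TACACS is an assumed aaa-server group name. It flags any telnet entry, overly broad management sources, SSH Version 1, and SSH without `aaa authentication ssh console`, showing a weak configuration beside a hardened one.

```python
import ipaddress
import re

# Constructed running-config fragments (not from the book); the telnet/ssh/http
# lines use the <command> <source_ip> <mask> <interface> syntax the chapter describes.
WEAK_CONFIG = """\
telnet 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.0.0.0 inside
ssh version 1
http server enable
http 0.0.0.0 0.0.0.0 outside
"""
# MGMT-TACACS is an assumed aaa-server group name, not one defined on the page.
HARDENED_CONFIG = """\
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
http server enable
http 10.1.1.0 255.255.255.0 inside
aaa authentication ssh console MGMT-TACACS LOCAL
aaa authentication http console MGMT-TACACS LOCAL
"""

ACCESS_RE = re.compile(
    r"^(telnet|ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")

def audit_mgmt_access(config, min_prefixlen=24):
    """Return a list of weak management-access settings found in a PIX/ASA config."""
    findings, has_ssh, ssh_aaa = [], False, False
    for line in config.splitlines():
        line = line.strip()
        m = ACCESS_RE.match(line)
        if m:
            proto, ip, mask, intf = m.groups()
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            if proto == "telnet":
                findings.append(f"telnet permitted from {net} on {intf}: cleartext management")
            if proto == "ssh":
                has_ssh = True
            if net.prefixlen < min_prefixlen:  # /0 or /8 sources let far too many hosts in
                findings.append(f"{proto} source {net} on {intf} is broader than /{min_prefixlen}")
        elif line == "ssh version 1":
            findings.append("ssh version 1 permitted: use 'ssh version 2' only")
        elif line.startswith("aaa authentication ssh console"):
            ssh_aaa = True
    if has_ssh and not ssh_aaa:
        findings.append("ssh permitted without 'aaa authentication ssh console'")
    return findings
```

Running `audit_mgmt_access(WEAK_CONFIG)` yields six findings, while the hardened fragment yields none.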

Note

Security contexts will be discussed in detail in Chapter 6, "Cisco Firewalls: Appliance and Module."


Authenticating and Authorizing Using Local and AAA Database

The security appliance supports authentication, authorization, and accounting (AAA) using external AAA servers and a local database stored on the appliance. AAA provides an extra level of protection, scalability, and finer control over user access.

AAA services are available using TACACS+, RADIUS, and the local database on the security appliance. Note that accounting with the local database is not supported, and RADIUS command authorization is not supported. These are not limitations of the appliance but are inherent in the protocols.

AAA technology will be discussed in depth in Part II of this book.

IPS 4200 Series Appliance Sensors (formerly known as IDS 4200)

The IPS sensor appliance system management can be performed in two ways:

A step-by-step setup wizard, started with the setup command, is available to configure the basic initialization tasks. The setup command configures basic sensor settings, including the hostname, IP interfaces, Telnet server, web server port, ACLs, time settings, and the assignment and enabling of interfaces. After the sensor is initialized, it can communicate over the network using the IDM, VMS, or Cisco Intrusion Prevention System Device Manager. Use the show configuration command or the more current-config command to verify the sensor settings. The Cisco IPS sensor is covered in detail in Chapter 20, "Network Intrusion Prevention."

IPS Device Manager (IDM)

IDM is a web-based Java application used to configure and manage the sensor. The web server for IDM resides on the sensor. IDM can be accessed through common web browsers such as Internet Explorer, Netscape, or Mozilla. IDM is suitable for managing small deployments of roughly 3 to 5 sensors. For large-scale sensor deployments, Cisco Security Manager is used. Both IDM and Cisco Security Manager are discussed in Chapter 24.

HTTP/HTTPS Access

By default, the sensor appliance has its built-in web server enabled with HTTPS on the standard TCP port 443, using the Transport Layer Security (TLS) and Secure Socket Layer (SSL) protocols.

SSL enables encrypted communications between a client web browser and the sensor appliance. If required, TLS/SSL can be disabled, and the standard HTTP port can be used instead, but this is not recommended because HTTP is insecure. The web server port can be changed from its default.

Note

If the web services are changed from HTTPS to HTTP or if the web server port is changed, you should specify the port in the URL address in the browser when connecting to the IDM in the format https://sensor_ip_address:port or http://sensor_ip_address:port (for example, https://10.1.1.254:8080 or http://10.1.1.254:8080, respectively).


Telnet and SSH Access

As discussed earlier, the Telnet protocol is not a secure access method and is therefore disabled by default on the sensor appliance. SSH, which is a secure access method, is enabled by default on the sensor. If required, Telnet can be enabled with the telnet-option enabled command under the network settings in service host mode, or when running the setup wizard.

Access Control List

The sensor appliance uses an ACL to enforce authorized access to the appliance via HTTP, HTTPS, FTP, Telnet, SSH, or SCP. The ACL is a list of the IP addresses and networks that are allowed to log in to the sensor (for example, hosts that need to Telnet/SSH to the sensor, hosts that access it through IDM, or management workstations). By default, the Class A subnet 10.0.0.0/8 is permitted. When a host whose IP address is not covered by the ACL attempts to log in to the sensor appliance, the sensor drops the connection automatically.

The access-list [ip_address / netmask] command in the network-settings submode in service host mode can be used to configure the list of hosts or networks requiring sensor access.
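The sensor ACL behaves as a whitelist: a connecting host is admitted only if it falls inside one of the configured ip_address/netmask entries, and everything else is dropped. The following is an added example, not code from the book or from the sensor itself; the ACL entries are constructed. It mirrors that match semantics and flags entries, such as the shipped 10.0.0.0/8 default, that admit far more hosts than a management workstation list should.

```python
import ipaddress

# Constructed ACL entries in the ip_address/netmask form the access-list command takes;
# 10.0.0.0/8 is the entry the sensor permits by default, the others are assumed values.
DEFAULT_SENSOR_ACL = ["10.0.0.0/8"]
SCOPED_SENSOR_ACL = ["10.1.1.0/24", "10.1.2.254/32"]

def sensor_permits(acl, host):
    """Sensor semantics: permit only hosts matching an ACL entry; anything else is dropped."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in acl)

def overly_broad_entries(acl, min_prefixlen=24):
    """Entries wider than /min_prefixlen let any host in a large range reach the sensor."""
    return [entry for entry in acl
            if ipaddress.ip_network(entry, strict=False).prefixlen < min_prefixlen]
```

With the default ACL any 10.x.x.x host can reach the sensor, so the first hardening step after setup is to replace that entry with the specific management hosts or subnets.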

User Accounts

User accounts are managed locally on the sensor because the sensor appliance does not support AAA servers. Each user is associated with a role that controls what that user can and cannot modify. There are four basic user roles:

Caution

User access in the service account is not supported except under direct supervision of Cisco TAC or Cisco development engineering.

