This section discusses the various system management security features available for security appliances such as the Cisco PIX 500 series, ASA 5500 Series Adaptive Security Appliances, and IPS 4200 series appliance sensors.
This section describes how to secure the Cisco PIX 500 and ASA 5500 Series Adaptive Security Appliances for system management through Telnet, SSH, and HTTPS, and authentication mechanism using AAA.
Cisco PIX 500 and ASA 5500 Series Adaptive Security Appliances allow Telnet connections for management purposes. For security reasons, users cannot telnet to the lowest-security interface unless the Telnet session is encapsulated in an IPsec tunnel. The security appliance allows a maximum of five concurrent Telnet connections per context, if available, with a maximum of 100 connections divided among all contexts. For Telnet access to the security appliance, the IP addresses of the hosts from which the appliance accepts connections need to be configured, as shown in Example 3-9. The telnet command in global configuration mode defines the IP address or network and the interface from which those hosts are allowed to telnet.
Pix(config)# telnet <source_IP_address> <mask> <source_interface>
Telnet in general is the most popular protocol for device management, but it is highly insecure because everything in a Telnet session is sent in clear text. A more reliable approach is to use the SSH protocol. The security appliance supports SSH connections for management purposes: it supports the remote shell functionality of SSH Versions 1 and 2 and the DES and 3DES ciphers. To configure SSH, generate an RSA key pair, which SSH requires, and then identify the IP addresses/networks from which the appliance accepts connections by using the ssh command in global configuration mode. Other requirements also need to be fulfilled to configure SSH, such as configuring the domain name and creating the RSA key pair.
The most secure and highly recommended device management access control combination is obtained by using SSH with AAA authentication with either TACACS+ or RADIUS. (AAA authentication is discussed in Chapter 8, "Securing Management Access.")
Cisco Adaptive Security Device Manager (ASDM) is a security management and monitoring application for Cisco PIX 500 and ASA 5500 Series Adaptive Security Appliances, accessed through an intuitive, easy-to-use, web-based management interface. ASDM is discussed further in Chapter 24, "Security and Policy Management."
To use ASDM, the HTTPS server needs to be enabled to allow SSL connections to the security appliance. A step-by-step setup wizard is available to configure all these tasks using the setup command. An alternative is to configure all steps manually. Example 3-10 shows how to enable the HTTPS server and allow hosts on the 10.1.1.0/24 network from the inside interface to access ASDM.
Pix(config)# crypto key generate rsa modulus 1024
Pix(config)# write mem
Pix(config)# http server enable
Pix(config)# http 10.1.1.0 255.255.255.0 inside
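The telnet, ssh, and http lines above are the whole management-plane access policy of the appliance, so they are worth auditing mechanically rather than by eye. The following script is an added example (not from the book and not Cisco code): it parses those lines out of a constructed PIX/ASA-style configuration snippet and reports the weaknesses this section warns about, namely Telnet in use at all, a management source of 0.0.0.0 0.0.0.0 (any host), SSH not pinned to version 2, and an HTTPS server enabled without any http host statements. The hostnames, interface names, and addresses in the sample are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of the management-access lines from a PIX/ASA-style
# running configuration (not taken from any real device); interface names
# and addresses are assumptions for the example.
SAMPLE_CONFIG = """\
hostname Pix
domain-name example.com
telnet 10.1.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
ssh 10.1.1.5 255.255.255.255 inside
ssh version 1
http server enable
http 10.1.1.0 255.255.255.0 inside
"""

# The same policy tightened the way the section recommends: no Telnet,
# one SSH management host, SSH version 2 only, ASDM limited to one subnet.
HARDENED_CONFIG = """\
hostname Pix
domain-name example.com
ssh 10.1.1.5 255.255.255.255 inside
ssh version 2
http server enable
http 10.1.1.0 255.255.255.0 inside
"""

# telnet|ssh|http <address> <mask> <interface>
MGMT_LINE = re.compile(
    r"^(telnet|ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)


def parse_management_access(config: str) -> Dict[str, dict]:
    """Collect the permitted management sources per protocol plus two flags."""
    access: Dict[str, list] = {"telnet": [], "ssh": [], "http": []}
    flags = {"ssh_version": None, "http_server": False}
    for raw in config.splitlines():
        line = raw.strip()
        m = MGMT_LINE.match(line)
        if m:
            proto, addr, mask, iface = m.groups()
            # "address/mask" with strict=False tolerates host bits being set
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            access[proto].append((net, iface))
        elif line.startswith("ssh version "):
            flags["ssh_version"] = line.split()[-1]
        elif line == "http server enable":
            flags["http_server"] = True
    return {"access": access, "flags": flags}


def audit_management_access(config: str) -> List[str]:
    """Return human-readable findings about management-plane exposure."""
    parsed = parse_management_access(config)
    access, flags = parsed["access"], parsed["flags"]
    findings: List[str] = []
    for proto, entries in access.items():
        for net, iface in entries:
            if net.prefixlen == 0:
                # 0.0.0.0 0.0.0.0 means any source host on that interface
                findings.append(f"{proto}: unrestricted source (any) on {iface}")
            elif proto == "telnet":
                findings.append(
                    f"telnet: cleartext management from {net} on {iface}; prefer ssh"
                )
    if access["ssh"] and flags["ssh_version"] != "2":
        findings.append("ssh: version 2 not enforced (ssh version 2 missing)")
    if flags["http_server"] and not access["http"]:
        findings.append("http: server enabled but no http <host> <mask> <interface> lines")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_management_access(cfg) or ["no findings"]:
            print(" ", finding)
```

Running the script prints three findings for the sample (the cleartext Telnet subnet, the any-source Telnet entry on the outside interface, and SSH not pinned to version 2) and none for the hardened configuration. The audit deliberately treats a permitted Telnet source as a finding even when it is narrowly scoped, because the section's recommendation is SSH with AAA, not a better-scoped Telnet.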
The appliance allows a maximum of five concurrent ASDM instances per context, if available, with a maximum of 32 ASDM instances among all contexts.
Note
Security contexts will be discussed in detail in Chapter 6, "Cisco Firewalls: Appliance and Module."
The security appliance supports authentication, authorization, and accounting capabilities using the AAA servers and a local database stored on the appliance. AAA provides an extra level of protection, scalability, and better control for user access.
AAA services are available using TACACS+, RADIUS, and the local database on the security appliance. Note that accounting with the local database is not supported, and RADIUS command authorization is not supported. This is not a limitation of the appliance but is inherent to the protocols.
AAA technology will be discussed in depth in Part II of this book.
The IPS sensor appliance system management can be performed in two ways:
Console access: The IPS Sensor software provides a command-line interface (CLI), a full-featured, Cisco IOS software-like CLI for device configuration. Although the CLI allows the user to perform most configuration and administrative tasks, a web-based graphical interface is more intuitive and easier to navigate.
Web-based GUI interface using HTTP or HTTPS: After the sensor is initialized using the console, the administrator can use the HTTP or HTTPS web-based user-interface application to perform configuration, administration, and monitoring tasks. HTTPS is enabled by default.
A step-by-step setup wizard is available to configure basic initialization tasks using the setup command. The setup command allows configuring basic sensor settings, including the hostname, IP interfaces, Telnet server, web server port, ACLs, time settings, and assigning and enabling interfaces. After the sensor is initialized, it can communicate over the network using the IDM, VMS, or Cisco Intrusion Prevention System Device Manager. Use the show configuration command or the more current-config command to verify sensor settings. Cisco IPS Sensor is covered in detail in Chapter 20, "Network Intrusion Prevention."
IDM is a web-based Java application used to configure and manage the sensor. The web server for IDM resides on the sensor. IDM can be accessed through common web browsers such as Internet Explorer, Netscape, or Mozilla. IDM is suitable for managing small deployments of 3 to 5 sensors in the network. For large-scale sensor deployments, Cisco Security Manager is used. Both IDM and Cisco Security Manager are discussed in Chapter 24.
By default, the sensor appliance has its built-in web server enabled with HTTPS on the standard TCP port 443, using the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
SSL enables encrypted communications between a client web browser and the sensor appliance. If required, TLS/SSL can be disabled and the standard HTTP port used instead, but this is not recommended because HTTP is insecure. The web server port can also be changed from its default.
Note
If the web services are changed from HTTPS to HTTP or if the web server port is changed, you should specify the port in the URL address in the browser when connecting to the IDM in the format https://sensor_ip_address:port or http://sensor_ip_address:port (for example, https://10.1.1.254:8080 or http://10.1.1.254:8080, respectively).
As discussed earlier, the Telnet protocol is not a secure access method and is therefore disabled by default on the sensor appliance. SSH, which is a secure access method, is enabled by default on the sensor. If required, Telnet can be enabled by using the telnet-option enabled command under the network settings in service host mode, or when running the setup wizard.
The sensor appliance uses an ACL to enforce authorized access to the appliance via HTTP, HTTPS, FTP, Telnet, SSH, or SCP. If you use an ACL, you need to configure the list of authorized IP addresses and networks that are allowed to log in to the sensor (for example, hosts that need to Telnet/SSH to the sensor or access it via IDM, or management workstations). By default, the Class A subnet 10.0.0.0/8 is permitted. When a host whose IP address is not defined in the ACL attempts to log in to the sensor appliance, the sensor drops the connection automatically.
The access-list [ip_address / netmask] command in the network-settings submode in service host mode can be used to configure the list of hosts or networks requiring sensor access.
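Two practical consequences of this ACL are easy to get wrong: the default 10.0.0.0/8 entry permits far more of the network than the handful of management hosts that actually need sensor access, and replacing it with a tighter list can drop the very workstation you are logged in from. The following added example (not from the book and not Cisco code) models the sensor's accept-or-drop decision with the standard library, flags entries broader than a /24 for review, and checks a proposed replacement ACL against the known management hosts before it is applied. The ACL entries and management host addresses are constructed for the example.

```python
import ipaddress
from typing import Iterable, List

# Constructed ACL entries in the ip_address/netmask form the access-list
# command takes. 10.0.0.0/8 is the documented default; the tightened list
# and the management host addresses are assumptions for the example.
DEFAULT_SENSOR_ACL = ["10.0.0.0/8"]
TIGHTENED_SENSOR_ACL = ["10.1.1.5/32", "10.1.1.0/24"]
MANAGEMENT_HOSTS = ["10.1.1.5", "10.1.1.20", "10.2.0.9"]


def sensor_accepts(acl: Iterable[str], source_ip: str) -> bool:
    """Mirror the sensor: accept the login if the source falls inside any
    ACL entry, otherwise the connection is dropped."""
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(entry, strict=False) for entry in acl)


def lockout_risk(new_acl: Iterable[str], admin_hosts: Iterable[str]) -> List[str]:
    """Before replacing the ACL, list the management hosts that the new
    list would drop, so the change is not applied from one of them."""
    acl = list(new_acl)
    return [host for host in admin_hosts if not sensor_accepts(acl, host)]


def overly_broad(acl: Iterable[str], max_prefixlen: int = 24) -> List[str]:
    """Entries wider than a /24 (such as the default Class A) deserve review."""
    return [
        entry for entry in acl
        if ipaddress.ip_network(entry, strict=False).prefixlen < max_prefixlen
    ]


def acl_commands(acl: Iterable[str]) -> List[str]:
    """Render entries as the network-settings access-list commands."""
    return [f"access-list {entry}" for entry in acl]


if __name__ == "__main__":
    print("default ACL broad entries:", overly_broad(DEFAULT_SENSOR_ACL))
    print("hosts locked out by tightened ACL:",
          lockout_risk(TIGHTENED_SENSOR_ACL, MANAGEMENT_HOSTS))
    for cmd in acl_commands(TIGHTENED_SENSOR_ACL):
        print(cmd)
```

With the constructed values the default ACL is reported as overly broad, and the tightened ACL would lock out 10.2.0.9 because it sits outside both entries; that host either needs its own /32 entry or should not be used to apply the change.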
User accounts are managed locally on the sensor because there is no support for AAA servers on the sensor appliance. Each user is associated with a role that controls what that user can and cannot modify. There are four basic user roles:
Administrator: The highest level of privileges, with an unrestricted view and the ability to perform all operations.
Operator: The second highest level of privileges; can view everything, but can perform only limited operations.
Viewer: The lowest level of privileges; can view configuration and events, but cannot modify any configuration data except their own user password.
Service: A special role that allows a user to bypass the sensor CLI and log in directly to a bash shell. The service account is created mainly for support and troubleshooting purposes. (There is no supported user configuration from within the service account.) Only one user with service privileges can be configured on a sensor. The service user cannot be used to log in to the IDM.
Caution
User access in the service account is not supported except under direct supervision of Cisco TAC or Cisco development engineering.