Solved: SD Access DNAC - Hardening

akhil kamalakaran · ‎10-04-2024

Hi All,

Recently deployed SD Access. Please suggest what are the hardening points we need to consider for DNAC.

Below points are already completed

1. Tacacs Integration

2. Syslog Configuration

3. NTP

4. Login Banner

5. SNMP Configuration

6. Backup Server Configuration

Maher Abdelshkour · ‎10-04-2024

Hi Akhil,

The following are some points you can consider for Cisco DNA Center (DNAC) to further secure your SD-Access deployment:

1. Role-Based Access Control (RBAC):
Ensure that users only have the necessary permissions to perform their tasks. Configure appropriate roles for administrators, network operators, and other users.
Regularly audit user roles and access permissions.
2. Enable Secure Communication (HTTPS/SSH):
Ensure all management communication to and from DNAC is encrypted.
Enforce HTTPS for the DNAC web interface and SSH for CLI access.
Disable weaker encryption protocols (like HTTP or Telnet) to reduce exposure.
3. Certificate Management:
Use valid SSL certificates for the DNAC GUI.
Consider integrating DNAC with a Certificate Authority (CA) for automatic certificate provisioning and renewal.
4. Segmentation of Management Traffic:
Ensure that the management traffic (e.g., between DNAC and the network devices) is isolated using VLANs or dedicated management networks.
Restrict access to the DNAC management interface from untrusted networks.
5. IP Whitelisting and ACLs:
Configure Access Control Lists (ACLs) on upstream network devices to allow only specific IP addresses to communicate with DNAC.
Restrict access to DNAC based on IP address, ensuring only approved devices and administrators can reach it.
6. Two-Factor Authentication (2FA):
Integrate 2FA/Multi-factor authentication (MFA) for DNAC login to enhance security for user accounts.
7. Software and Patch Management:
Regularly check for and apply software updates and security patches for DNAC and the underlying infrastructure.
Automate patch management if possible to avoid gaps in security.
8. Audit Logs and Monitoring:
Review audit logs regularly for suspicious activities. Enable full logging capabilities (e.g., login attempts, configuration changes).
Integrate DNAC logs with a SIEM (Security Information and Event Management) system to monitor and analyze security events.
9. Disable Unused Services and Ports:
Identify and disable any unused services or unnecessary ports on DNAC to reduce the attack surface.
Verify that the only essential ports are open (e.g., for TACACS+, syslog, SSH, HTTPS).
10. API Security:
If using the DNAC APIs, ensure that they are secured with proper authentication and access controls.
Apply rate-limiting to prevent API abuse.
11. DNAC Identity and Trust Settings:
Securely configure DNAC trust settings for device onboarding, such as using secure protocols and ensuring that devices are authenticated before accessing the network.
12. Encrypted Data at Rest:
Ensure that any sensitive data stored on DNAC is encrypted at rest.
Consider disk encryption for physical and virtual deployments.
13. Password Policy Enforcement:
Enforce a strong password policy for DNAC users and ensure periodic password changes.
Implement account lockout policies for repeated failed login attempts to prevent brute-force attacks.
14. Device Hardening and Compliance Checks:
Use DNAC’s compliance features to ensure that network devices are hardened and meet security standards.
Regularly check compliance for outdated device configurations, weak passwords, or open security vulnerabilities.
Implementing these measures will significantly improve the security posture of your Cisco DNAC deployment in SD-Access environments.

View solution in original post

Maher Abdelshkour · ‎10-04-2024

Hi Akhil,

The following are some points you can consider for Cisco DNA Center (DNAC) to further secure your SD-Access deployment:

1. Role-Based Access Control (RBAC):
Ensure that users only have the necessary permissions to perform their tasks. Configure appropriate roles for administrators, network operators, and other users.
Regularly audit user roles and access permissions.
2. Enable Secure Communication (HTTPS/SSH):
Ensure all management communication to and from DNAC is encrypted.
Enforce HTTPS for the DNAC web interface and SSH for CLI access.
Disable weaker encryption protocols (like HTTP or Telnet) to reduce exposure.
3. Certificate Management:
Use valid SSL certificates for the DNAC GUI.
Consider integrating DNAC with a Certificate Authority (CA) for automatic certificate provisioning and renewal.
4. Segmentation of Management Traffic:
Ensure that the management traffic (e.g., between DNAC and the network devices) is isolated using VLANs or dedicated management networks.
Restrict access to the DNAC management interface from untrusted networks.
5. IP Whitelisting and ACLs:
Configure Access Control Lists (ACLs) on upstream network devices to allow only specific IP addresses to communicate with DNAC.
Restrict access to DNAC based on IP address, ensuring only approved devices and administrators can reach it.
6. Two-Factor Authentication (2FA):
Integrate 2FA/Multi-factor authentication (MFA) for DNAC login to enhance security for user accounts.
7. Software and Patch Management:
Regularly check for and apply software updates and security patches for DNAC and the underlying infrastructure.
Automate patch management if possible to avoid gaps in security.
8. Audit Logs and Monitoring:
Review audit logs regularly for suspicious activities. Enable full logging capabilities (e.g., login attempts, configuration changes).
Integrate DNAC logs with a SIEM (Security Information and Event Management) system to monitor and analyze security events.
9. Disable Unused Services and Ports:
Identify and disable any unused services or unnecessary ports on DNAC to reduce the attack surface.
Verify that the only essential ports are open (e.g., for TACACS+, syslog, SSH, HTTPS).
10. API Security:
If using the DNAC APIs, ensure that they are secured with proper authentication and access controls.
Apply rate-limiting to prevent API abuse.
11. DNAC Identity and Trust Settings:
Securely configure DNAC trust settings for device onboarding, such as using secure protocols and ensuring that devices are authenticated before accessing the network.
12. Encrypted Data at Rest:
Ensure that any sensitive data stored on DNAC is encrypted at rest.
Consider disk encryption for physical and virtual deployments.
13. Password Policy Enforcement:
Enforce a strong password policy for DNAC users and ensure periodic password changes.
Implement account lockout policies for repeated failed login attempts to prevent brute-force attacks.
14. Device Hardening and Compliance Checks:
Use DNAC’s compliance features to ensure that network devices are hardened and meet security standards.
Regularly check compliance for outdated device configurations, weak passwords, or open security vulnerabilities.
Implementing these measures will significantly improve the security posture of your Cisco DNAC deployment in SD-Access environments.

akhil kamalakaran · ‎10-07-2024

Thank you sir, for share the information.