Cat9k: HTTP server hardening / ACL

Johannes Luther
Level 8

Hi all,

We want to use RESTCONF in our network (Cat9k / IOS-XE 16.12). However, I want to restrict access by using an ACL.

So, there are two options:

  • ip http access-class ipv4 <ACL-NAME>
  • restconf ipv4 access-list name <ACL-NAME>

Both options are not really options, because the switch still answers disallowed IPs with HTTP 403 (ip http access-class) or HTTP 401 (restconf ipv4 access-list). This is not really what I understand by hardening. For the SNMP or VTY ACL functionality, the packet is dropped before it reaches the corresponding daemon.

 

An open socket means that the whole HTTP server (nginx) is still attackable.

CoPP is not an option, because user classes are not supported on IOS-XE for Catalyst 9k

MPP is not an option, because it's not implemented on IOS-XE for Catalyst 9k.

 

How to handle this?
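The distinction made above (a 401/403 versus a dropped packet) is easy to verify from a host that is supposed to be denied. The probe below is an added example, not code from the thread or from Cisco: it checks whether the TCP socket accepts a connection at all, optionally sends an unauthenticated RESTCONF request, and classifies the outcome. A 401 or 403 means the TCP handshake, the TLS session and the HTTP parsing all happened on the device, i.e. the ACL is enforced inside nginx; only a refusal or a timeout shows the traffic never reached the daemon. The device address, port 443 and the `/restconf/` path are assumptions; the offline demo uses a loopback listener constructed inside the script.

```python
"""Probe whether a switch's HTTP(S) management socket is reachable from this
host and classify what the ACL actually did (added example, not from the thread).
"""
import socket
import ssl
import sys
import http.client


def tcp_reachable(host, port, timeout=3.0):
    """Return 'open', 'refused' or 'filtered' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "filtered"


def restconf_status(host, port=443, timeout=3.0, verify=False):
    """Send an unauthenticated GET /restconf/ and return the HTTP status, or None
    if the request did not complete (TLS or protocol error). The path and the
    Accept header follow the RESTCONF convention; verify=False is only for
    lab devices with self-signed certificates."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", "/restconf/",
                     headers={"Accept": "application/yang-data+json"})
        return conn.getresponse().status
    except (OSError, ssl.SSLError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def classify(tcp_state, http_status):
    """Translate the probe results into the security-relevant statement."""
    if tcp_state != "open":
        return "not reachable: traffic blocked before the HTTP server"
    if http_status in (401, 403):
        return ("reachable: denied by the HTTP server only after full "
                "TCP/TLS/HTTP processing, so nginx is still exposed")
    if http_status is None:
        return "reachable: socket open, request failed (TLS or protocol error)"
    return "reachable: HTTP %d" % http_status


def demo_against_local_listener():
    """Constructed offline check: probe a loopback listener while it is open,
    then the same port after it is closed. Returns (state_open, state_closed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No device given: run the offline demonstration instead.
        print(demo_against_local_listener())
    else:
        host = sys.argv[1]
        state = tcp_reachable(host, 443)
        status = restconf_status(host) if state == "open" else None
        print(classify(state, status))
```

Run it from a host that should be denied by the ACL: anything other than "not reachable" confirms the point made in the post, namely that the filtering happens after the connection has been fully processed by the HTTP server.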

9 Replies

balaji.bandi
Hall of Fame

Generally I have used this in the lab environment to test: we use these as a separate network for managing the config, like an OOB IP range, so normal users cannot have access to that VLAN as part of the security mechanism. You can completely block it with a VLAN ACL or not advertise them in the other routing table.

 

Hope you have looked at the config below (as per your syntax, you already looked):

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/1611/b_1611_programmability_cg/service_level_ACLs_NETCONF_RESTCONF.html

 

 

 

BB

===== Preenayamo Vasudevam =====

Hey BB,

Unfortunately the OOB / OBM access doesn't solve this one.

The HTTP server on the switch listens on all IP interfaces. If you have an L3 switch (e.g. core/distribution layer), you need to somehow limit all IPs...

Infrastructure ACLs (pACL, vACL) are not really an option here. These ACLs also block data plane traffic. You need to be careful how to design those rules.

Thanks for the suggestions though.

Alex Moore
Level 1

I agree that this is a very frustrating limitation. I would have thought it should be fairly basic functionality for it to be possible to specify one or more interfaces on which the various management services listen for incoming connections. In fact I am shocked that has not been implemented.

As it stands, there is no way to enable HTTP(S)-based services in IOS-XE that is sufficiently secure for my needs. To add to the problems with the current options highlighted by Johannes:

  • Even on platforms for which MPP is available (such as the ASR1k), as far as I can tell it only supports IPv4. If any interfaces have IPv6 addresses, the router's management services will be available via those IPv6 addresses regardless of whether or not MPP is supposedly applying restrictions.
  • And regarding the per-interface ACL approach, not only is it a pain if you have a large number of interfaces to deal with, it's also not "secure by default". In other words if someone defines a new interface later on, management services will be available on that interface by default, unless they remember to add an ACL to the new interface that blocks access to them.

Rich R
VIP

Just found this discussion - did any of you ever find a satisfactory solution, as I'm just looking at the same thing now?

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Not really... for RESTCONF I decided to use the HTTP ACL, because of one simple reason. I wanted to reuse an existing ACL, which has a minus/dash in the name. Because of bug CSCvy24754, this was not supported (at least not in the former release I was using).

Also I tuned the HTTP services so that no WebUI access is possible, etc.

Long story short: No! However I have the feeling nobody cares about it and I'm the only paranoid person around 😄
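For reference, the two ACL hooks named at the top of the thread applied together, as an added configuration illustration (not a configuration posted by anyone in the thread). The ACL name MGMT-HTTP, the management source range 10.0.0.0/24 and the choice of a standard ACL are assumptions; the `ip http access-class ipv4` and `restconf ipv4 access-list name` commands are the ones quoted in the original post.

```cisco
! Added illustration; names and addresses are assumptions.
! Management stations allowed to talk to the HTTP server / RESTCONF.
ip access-list standard MGMT-HTTP
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! Plaintext HTTP off, HTTPS on, ACL bound to the HTTP server itself.
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-HTTP
!
! RESTCONF enabled with the same ACL bound at the RESTCONF layer.
restconf
restconf ipv4 access-list name MGMT-HTTP
```

As the thread points out, neither binding stops the TCP and TLS handshake: a denied source still gets a 403 (HTTP ACL) or 401 (RESTCONF ACL) from nginx, so this restricts who can reach the API, not who can reach the web server. The `log` keyword on the deny entry is there so that denied attempts can at least be recorded; whether a log message is generated for an ACL evaluated by the HTTP server, rather than on an interface, should be checked on the platform in use.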

Ha ha thanks for the update @Johannes Luther 


jcohoe
Cisco Employee

Unfortunately a lot of people care about it now all of a sudden...

"Long story short: No! However I have the feeling nobody cares about it and I'm the only paranoic person around"

Indeed @jcohoe but the problem we're finding is that most Cisco staff do not seem to understand how 9800 series WLC uses the web server for wireless client web-auth so turning off web services is not an option if you use web-auth, and using ACLs is not a solution to the problem because those clients need to be able to access the web server for captive portal redirects or local web auth!

So will Cisco now be taking IOS-XE web services security a bit more seriously?  CSDL?


jprobertswork
Frequent Visitor

Is there any movement on this? Allowing access on only the management vrf would be sufficient.