Cat9k: HTTP server hardening / ACL
05-14-2020 04:10 AM
Hi all,
We want to use RESTCONF in our network (Cat9k / IOS-XE 16.12). However, I want to restrict access by using an ACL.
So, there are two options:
- ip http access-class ipv4 <ACL-NAME>
- restconf ipv4 access-list name <ACL-NAME>
Both options are not really an option, because the switch still answers non-allowed IPs with HTTP 403 (ip http access-class) or HTTP 401 (restconf ipv4 access-list). This is not really what I understand by hardening. For the SNMP or VTY ACL functionality, the packet is dropped before it reaches the corresponding daemon.
An open socket means that the whole HTTP server (nginx) is still attackable.
CoPP is not an option, because user classes are not supported on IOS-XE for Catalyst 9k.
MPP is not an option, because it's not implemented on IOS-XE for Catalyst 9k.
How to handle this?
Labels: Catalyst 9000
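The distinction the question turns on (packet dropped in front of the daemon versus an HTTP 401/403 from a listening nginx) can be verified from a host that is not in the ACL. The following script is an added example for auditing your own devices, not code from the thread or from Cisco; it assumes the device is reachable on TCP 443 and uses the RFC 8040 discovery URI that every RESTCONF server must serve, so no credentials are needed to tell "socket open" from "socket dropped".

```python
import socket
import ssl
import http.client

# RFC 8040 requires every RESTCONF server to answer this discovery URI.
RESTCONF_DISCOVERY_PATH = "/.well-known/host-meta"


def classify(status=None, error=None):
    """Map a probe outcome to the ACL enforcement point it implies.

    - "dropped-refused": TCP RST, nothing listening on this address/port.
    - "dropped-filtered": no TCP reply at all (discarded before the server, like VTY/SNMP ACLs).
    - "server-reachable:<code>": nginx accepted the session and answered; a 401/403 here is the
      'ip http access-class' / 'restconf ipv4 access-list' case from the thread, i.e. the ACL is
      enforced inside the HTTP server, not in front of it.
    """
    if error is not None:
        if isinstance(error, ConnectionRefusedError):
            return "dropped-refused"
        if isinstance(error, (socket.timeout, TimeoutError)):
            return "dropped-filtered"
        return "error:" + type(error).__name__
    if status is None:
        raise ValueError("need a status code or an error")
    return "server-reachable:%d" % status


def probe(host, port=443, timeout=5.0):
    """Send one unauthenticated GET to the RESTCONF discovery URI and classify the result."""
    ctx = ssl.create_default_context()
    # Self-signed device certificates are the norm; we test reachability, not identity.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", RESTCONF_DISCOVERY_PATH, headers={"Accept": "application/xrd+xml"})
        return classify(status=conn.getresponse().status)
    except OSError as exc:  # covers refused, timeout and TLS errors
        return classify(error=exc)
    finally:
        conn.close()


def audit(hosts, probe_fn=probe):
    """Probe each device from this (non-allowed) host; return those whose HTTP server answered."""
    results = {h: probe_fn(h) for h in hosts}
    return {h: r for h, r in results.items() if r.startswith("server-reachable")}
```

Any device listed by audit() exposes its nginx to this source address regardless of the 401/403 it returns; only "dropped-*" results mean the packet never reached the HTTP server.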
05-14-2020 04:36 AM - edited 05-14-2020 04:37 AM
Generally I have used this in the lab environment to test - we use these as a separate network for managing the config, like an OOB IP range, so normal users cannot have access to that VLAN as part of the security mechanism. You can completely block it with a VLAN ACL or not advertise them in the other routing table.
Hope you might have looked at the config below: (as per your syntax you already looked)
05-14-2020 05:31 AM
Hey BB,
Unfortunately the OOB / OBM access doesn't solve this one.
The HTTP server on the switch listens on all IP interfaces. If you have an L3 switch (e.g. core/distribution layer), you need to somehow limit all IPs...
Infrastructure ACLs (pACL, vACL) are not really an option here. These ACLs also block data plane traffic. You need to be careful how to design those rules.
Thanks for the suggestions though.
11-19-2020 03:28 PM
I agree that this is a very frustrating limitation. I would have thought it should be fairly basic functionality for it to be possible to specify one or more interfaces on which the various management services listen for incoming connections. In fact I am shocked that has not been implemented.
As it stands, there is no way to enable HTTP(S)-based services in IOS-XE that is sufficiently secure for my needs. To add to the problems with the current options highlighted by Johannes:
- Even on platforms for which MPP is available (such as the ASR1k), as far as I can tell it only supports IPv4. If any interfaces have IPv6 addresses, the router's management services will be available via those IPv6 addresses regardless of whether or not MPP is supposedly applying restrictions.
- And regarding the per-interface ACL approach, not only is it a pain if you have a large number of interfaces to deal with, it's also not "secure by default". In other words if someone defines a new interface later on, management services will be available on that interface by default, unless they remember to add an ACL to the new interface that blocks access to them.
03-08-2023 05:34 AM
Just found this discussion - did any of you ever find a satisfactory solution, as I'm just looking at the same thing now?
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
03-08-2023 07:06 AM
Not really... for RESTCONF I decided to use the HTTP ACL, because of one simple reason. I wanted to reuse an existing ACL, which has a minus/dash in the name. Because of bug CSCvy24754, this was not supported (at least not in the former release I was using).
Also I tuned the HTTP services so that no WebUI access is possible etc.
Long story short: No! However I have the feeling nobody cares about it and I'm the only paranoid person around.
03-08-2023 02:48 PM
Ha ha thanks for the update @Johannes Luther
10-20-2023 12:25 PM
Unfortunately a lot of people care about it now all of a sudden...
"Long story short: No! However I have the feeling nobody cares about it and I'm the only paranoic person around"
10-21-2023 05:43 AM - edited 10-21-2023 05:44 AM
Indeed @jcohoe but the problem we're finding is that most Cisco staff do not seem to understand how 9800 series WLC uses the web server for wireless client web-auth so turning off web services is not an option if you use web-auth, and using ACLs is not a solution to the problem because those clients need to be able to access the web server for captive portal redirects or local web auth!
So will Cisco now be taking IOS-XE web services security a bit more seriously? CSDL?
02-17-2025 12:37 PM
Is there any movement on this? Allowing access on only the management vrf would be sufficient.
