secure devices basic steps

samuel_M9
Level 1

Hello Experts

What is the best practice approach to control access for switches, routers and ASA? I have been reading posts and mostly they say:

1. remove telnet
2. add SSH
3. configure ACL
4. add AAA / local accounts
5. management VLAN segment

I want to have the flexibility to access devices from home using VPN, from the office from different floors, and from different sites.

Appreciate some kind feedback.

Thanks

Samuel

5 Replies

m.sir
Level 7

All your points are correct.

In addition to this I would suggest implementing out-of-band access to the devices. It is usually done by connecting the device to the management network via an interface dedicated only to management. The ASA has a mgmt interface; on switches you can use a routed interface; on routers a spare, unused interface. Then limit access to this interface only to the terminal server, which I suggest deploying.

Please consult the following link for more details:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap9.html#wp1054536

Sandeep Sharma
Cisco Employee

Hi Samuel

It's right that the ways you have mentioned are correct and come under the best practices for enabling access control of network/security devices.

But the most important thing is security and what your requirement is. Below is the explanation for each point and why we prefer these as best practice:

Remove Telnet and use SSH: Telnet is not preferred as it is not secure, whereas SSH is more secure. In Telnet your passwords are not encrypted.

Configure ACL / management VLAN segments: To control and limit access to the authorized personnel/admins by permitting only authorized IP addresses/subnets.

Use AAA: AAA means authentication, authorization and accounting. Authentication: who is allowed. Authorization: what is allowed. Accounting: what was done.

So the best practice is to use the combination of all three (SSH + ACL + AAA). In your case (SSH + AAA) can be used easily; the challenge will come with applying the ACL, as you want to access the devices from different locations and even via VPN with no fixed IP address, so you can use a jump server where you log in and from there access the devices.

Thanks & Regards

Sandeep

Tagir Temirgaliyev
Spotlight

6. syslog

and write all telnet and ssh connection attempts to syslog:

access-list 10 permit any log
line vty 0 4
 access-class 10 in

so all telnet and ssh connection attempts will be logged.

And if you access devices from home using VPN, then you don't need to remove telnet access.
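As an added example, not posted by anyone in the thread: a short Python script that reads the kind of syslog lines the access-class "log" keyword and the IOS login messages produce, and reports which sources are logging in, failing repeatedly, being rejected by the ACL, or still arriving over Telnet. The sample lines are constructed to follow the %SEC_LOGIN and %SEC-6-IPACCESSLOGS message formats rather than captured from a device; the 172.16.17.0/24 management VLAN and the failed-login threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

MGMT_NET = ipaddress.ip_network("172.16.17.0/24")  # management VLAN from the thread (assumption)

# Constructed sample lines modelled on the IOS %SEC_LOGIN and %SEC-6-IPACCESSLOGS
# message formats; they were not captured from a real device.
SAMPLE_SYSLOG = """\
Jan  1 10:15:02 rtr1 101: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: samuel] [Source: 172.16.17.10] [localport: 22] at 10:15:02 UTC Mon Jan 1 2024
Jan  1 10:16:00 rtr1 102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 10:16:00 UTC Mon Jan 1 2024
Jan  1 10:16:04 rtr1 103: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 10:16:04 UTC Mon Jan 1 2024
Jan  1 10:16:09 rtr1 104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed] at 10:16:09 UTC Mon Jan 1 2024
Jan  1 10:20:31 rtr1 105: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: samuel] [Source: 198.51.100.7] [localport: 22] at 10:20:31 UTC Mon Jan 1 2024
Jan  1 10:25:12 rtr1 106: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: samuel] [Source: 172.16.17.20] [localport: 23] at 10:25:12 UTC Mon Jan 1 2024
Jan  1 10:30:00 rtr1 107: %SEC-6-IPACCESSLOGS: list 10 denied 203.0.113.9 3 packets
Jan  1 10:30:05 rtr1 108: %SEC-6-IPACCESSLOGS: list 10 permitted 172.16.17.10 1 packet
"""

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<result>SUCCESS|FAILED): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>\S+) (?P<n>\d+) packets?"
)


def parse_events(text):
    """Turn raw syslog lines into login and ACL-hit events; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append({"kind": "login", "result": m["result"].lower(),
                           "user": m["user"], "src": m["src"], "port": int(m["port"])})
            continue
        m = ACL_RE.search(line)
        if m:
            events.append({"kind": "acl", "acl": m["acl"], "action": m["action"],
                           "src": m["src"], "count": int(m["n"])})
    return events


def summarize(events, mgmt_net=MGMT_NET, fail_threshold=3):
    """Per-source counters plus the findings a log reviewer would act on."""
    per_src = defaultdict(lambda: {"success": 0, "failed": 0, "telnet": 0,
                                   "acl_permitted": 0, "acl_denied": 0})
    for e in events:
        s = per_src[e["src"]]
        if e["kind"] == "login":
            s[e["result"]] += 1
            if e["port"] == 23:          # localport 23 means the session came in over telnet
                s["telnet"] += 1
        else:
            s["acl_" + e["action"]] += e["count"]

    findings = []
    for src, s in per_src.items():
        if s["success"] and ipaddress.ip_address(src) not in mgmt_net:
            findings.append((src, "successful login from outside the management VLAN"))
        if s["failed"] >= fail_threshold:
            findings.append((src, f"{s['failed']} failed logins, possible brute force"))
        if s["telnet"]:
            findings.append((src, "login over telnet, transport input ssh is not enforced"))
        if s["acl_denied"]:
            findings.append((src, f"{s['acl_denied']} packets rejected by the vty access-class"))
    return dict(per_src), sorted(findings)


if __name__ == "__main__":
    counts, findings = summarize(parse_events(SAMPLE_SYSLOG))
    for src, msg in findings:
        print(f"{src:15} {msg}")
```

The access-class log entries only tell you that a source was permitted or denied; the %SEC_LOGIN messages are what tie an attempt to a username and to the local port, which is how you spot a session that still came in over Telnet even when the ACL allowed it.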

hobbe
Level 7

Hi

If you want to use devices over the Internet I strongly urge you to use another port than 22 for SSH.

There are a lot of bots trying that port and you will get a lot of "static interference" in your logs.

Something that has not been mentioned before is to keep track of your configurations.

You can get a lot of help with that by, for example, using an EEM script: an EEM script that sends the configuration to a TFTP server every time you log out or, if you want, every time you enter a command.

Other things would be to shut down all the different services that are running and that you do not need, i.e. hardening the devices.

There are some whitepapers from Cisco that help you out, but not all Cisco devices are the same and they do not do things the same way. Do a search for "hardening cisco devices" and you will find some Cisco and other papers.

On some modules there is a special port that is used for management only.

One thing that I tend to do is set up what I call a spider net. That is a separate serial network (USB/RS232) to control the devices "out of band", so even if links are down or swamped/overwhelmed I can still take full control over the devices and shut down offenders.

You can double up links with port channels and flexlinks if something happens to the cable system or ports, but that is more for helping out day-to-day normal operations.

Thanks all for posting.

I have put together a template for SSH, for how to restrict SSH access to the management VLAN only.

Can I initiate an SSH session from a router to any switch/router to connect?

management vlan

172.16.17.0/24

--------------------------------------------

hostname router
!
aaa new-model
! local account used by AAA ('username ... secret' stores a hash; 'password' is reversible)
username 123 password 123
! a domain name is required before the RSA key pair can be generated
ip domain-name CISCO.COM
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh

---------------------------------------
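Added example, not part of the thread: a Python checker for the five points in the original post (Telnet off, SSH on, vty ACL, AAA/local accounts, management VLAN) together with Sandeep's advice to combine SSH, ACL and AAA. It parses a config in `show running-config` layout (children of a `line vty` block indented by one space), handles standard numbered ACLs only, and assumes the 172.16.17.0/24 management VLAN from the thread. It is run against two constructed configs: one modelled on the template above (which, as posted, has no access-class on the vty lines, so the management-VLAN restriction it describes is not actually enforced) and a hardened variant whose account name and secret are placeholders.

```python
import ipaddress

MGMT_NET = ipaddress.ip_network("172.16.17.0/24")  # management VLAN from the thread (assumption)

# Constructed sample modelled on the posted template, in running-config layout.
POSTED_TEMPLATE = """\
hostname router
aaa new-model
username 123 password 123
ip domain-name CISCO.COM
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
"""

# Constructed hardened variant; the account name and secret are placeholders.
HARDENED_TEMPLATE = """\
hostname router
aaa new-model
username samuel privilege 15 secret REPLACE-ME
ip domain-name CISCO.COM
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
access-list 10 permit 172.16.17.0 0.0.0.255
access-list 10 deny any log
line vty 0 15
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
"""


def _blocks(config):
    """Split running-config text into (top-level line, [indented child lines])."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                current[1].append(raw.strip())
            continue
        current = (raw.strip(), [])
        blocks.append(current)
    return blocks


def _acl_networks(config, name):
    """Networks a standard ACL permits, and whether it carries an explicit 'deny any log'."""
    nets, deny_any_log = [], False
    for header, _ in _blocks(config):
        parts = header.split()
        if len(parts) < 4 or parts[:2] != ["access-list", name]:
            continue
        action, rest = parts[2], parts[3:]
        log = rest[-1] == "log"
        if log:
            rest = rest[:-1]
        if action == "deny":
            deny_any_log = deny_any_log or (rest == ["any"] and log)
            continue
        if rest == ["any"]:
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif rest[0] == "host":
            nets.append(ipaddress.ip_network(f"{rest[1]}/32"))
        else:
            # Standard ACLs use wildcard masks (0.0.0.255 == /24); no or all-zero wildcard is one host.
            wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
            mask = "32" if wildcard == "0.0.0.0" else wildcard
            nets.append(ipaddress.ip_network(f"{rest[0]}/{mask}", strict=False))
    return nets, deny_any_log


def audit_ios_config(config, mgmt_net=MGMT_NET):
    """Return a list of findings; an empty list means every check passed."""
    findings, blocks = [], _blocks(config)
    headers = [h for h, _ in blocks]
    if "aaa new-model" not in headers:
        findings.append("aaa new-model missing: vty logins fall back to line passwords")
    if "ip ssh version 2" not in headers:
        findings.append("ip ssh version 2 missing: SSHv1 may still be negotiated")
    for h in headers:
        if h.startswith("username ") and " password " in h:
            findings.append(f"user '{h.split()[1]}': 'password' is reversible type 7, use 'secret'")
    for h, children in ((h, c) for h, c in blocks if h.startswith("line vty")):
        transport = [c.split()[2:] for c in children if c.startswith("transport input")]
        if not transport:
            findings.append(f"{h}: no 'transport input'; telnet may be allowed by default")
        elif any(t != ["ssh"] for t in transport):
            findings.append(f"{h}: transport input is not exactly 'ssh'")
        acls = [c.split()[1] for c in children if c.startswith("access-class") and c.endswith(" in")]
        if not acls:
            findings.append(f"{h}: no inbound access-class; ssh is reachable from any source")
            continue
        nets, deny_any_log = _acl_networks(config, acls[0])
        if not nets:
            findings.append(f"{h}: access-class {acls[0]} is undefined or permits nothing")
        elif any(not n.subnet_of(mgmt_net) for n in nets):
            findings.append(f"{h}: access-class {acls[0]} permits sources outside {mgmt_net}")
        if not deny_any_log:
            findings.append(f"{h}: access-class {acls[0]} lacks 'deny any log'; rejected attempts go unlogged")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, audit_ios_config(cfg) or ["OK"])
```

The checker reads the ACL named on each `access-class ... in` line and compares what it permits against the management subnet, so widening the ACL to a larger range is reported even though every other line stays the same; the `deny any log` check is what makes the rejected attempts show up in syslog for the kind of review the previous reply describes.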
