CCNPv5 Module 5 Lesson 8

Transcript CCNPv5 Module 5 Lesson 8

Implementing Secure Converged Wide Area Networks (ISCW)
ISCW-Mod5_L8
© 2007 Cisco Systems, Inc. All rights reserved.
1
Securing Management and Reporting Features
Lesson 8 – Module 5 – ‘Cisco Device Hardening’
Module Introduction
• The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people.
• Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.
• Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
Objectives
• At the completion of this eighth lesson, you will be able to:
  - Describe and demonstrate how to set up syslog reporting for a large network
  - Demonstrate the importance of secure channels for syslog information
  - Describe the difference between in-band and out-of-band reporting
  - Read and analyse syslog reports
Secure Management and Reporting Planning Considerations
• Configuring logging for Cisco routers is a straightforward operation when the network contains only a few Cisco routers. However, logging and reading information from hundreds of devices can be a challenging proposition. Too much information can be as bad as too little information and can raise these important questions:
  - Which are the most important logs?
  - How are important messages separated from routine notifications?
  - How do you prevent tampering with logs?
  - How do you make sure time stamps match?
  - What log data is needed in criminal investigations?
  - How do you deal with the volume of log messages?
  - How do you manage all the devices?
  - How can you track changes when attacks or network failures occur?
Secure Management and Reporting Architecture
Information Paths
• Information flow between management hosts and the managed devices can take two paths:
  - In-band: Information flows across the enterprise production network or the Internet (or both)
  - Out of Band (OOB): Information flows within a network on which no production traffic resides
Information Paths (diagram slide: in-band versus OOB management paths)
In-Band Management Considerations
• Some questions that must be considered when designing an in-band management solution:
  - Which management protocols does each device support?
  - Does the management channel need to be active at all times?
  - Is SNMP necessary?
Secure Management and Reporting Guidelines
• In-band management guidelines:
  - Apply only to devices needing to be managed or monitored.
  - Use IPsec when possible.
  - Use SSH or SSL instead of Telnet.
  - Decide whether the management channel needs to be open at all times.
  - Keep clocks on hosts and network devices synchronised.
  - Record changes and archive configurations.
• OOB management guidelines:
  - Provide the highest level of security and mitigate the risk of passing insecure management protocols over the production network.
  - Keep clocks on hosts and network devices synchronised.
  - Record changes and archive configurations.
Configuring an SSH Server for Secure Management and Reporting

  Austin2#configure terminal
  Austin2(config)#ip domain-name cisco.com
  Austin2(config)#crypto key generate rsa general-keys modulus 1024
  Sept 22 13:20:45: %SSH-5-ENABLED: SSH 1.5 has been enabled
  Austin2(config)#ip ssh timeout 120
  Austin2(config)#ip ssh authentication-retries 4
  Austin2(config)#line vty 0 4
  Austin2(config-line)#no transport input telnet
  Austin2(config-line)#transport input ssh
  Austin2(config-line)#end

1. Configure the IP domain name.
2. Generate the RSA keys.
3. (Optional) Display generated keys.
4. Configure the SSH timeout interval.
5. Configure the SSH retries.
6. Disable vty inbound Telnet sessions.
7. Enable vty inbound SSH sessions.
Implementing Log Messaging for Security
• Routers should be configured to send log messages to one or more of these:
  - Console
  - Terminal lines
  - Memory buffer
  - SNMP traps
  - Syslog
• Syslog logging is a key security policy component
Syslog Systems
• Syslog server: A host that accepts and processes log messages from one or more syslog clients
• Syslog client: A host that generates log messages and forwards them to a syslog server
Cisco Log Severity Levels

  Level  Name         Definition                                                          Example
  0      LOG_EMERG    A panic condition normally broadcast to all users                   Cisco IOS software could not load
  1      LOG_ALERT    A condition that should be corrected immediately, such as a         Temperature too high
                      corrupted system database
  2      LOG_CRIT     Critical conditions; for example, hard device errors                Unable to allocate memory
  3      LOG_ERR      Errors                                                              Invalid memory size
  4      LOG_WARNING  Warning messages                                                    Crypto operation failed
  5      LOG_NOTICE   Conditions that are not error conditions but should possibly        Interface changed state, up or down
                      be handled specially
  6      LOG_INFO     Informational messages                                              Packet denied by ACL
  7      LOG_DEBUG    Messages that contain information that is normally used only        Packet type invalid
                      when debugging a program
Log Message Format

  Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6)

  Time stamp:                            Oct 29 10:00:01 EST
  Log message name and severity level:   %SYS-5-CONFIG_I
  Message text:                          Configured from console by vty0 (10.2.2.6)

Note: The log message name is not the same as a severity level name.
Configuring Syslog Step 1

  Router(config)#logging [host-name | ip-address]

1. Sets the destination logging host

  Parameter    Description
  host-name    The name of the host you want to use as a syslog server
  ip-address   The IP address of the host you want to use as a syslog server
Configuring Syslog Step 2

  Router(config)#logging trap level

2. (Optional) Sets the log severity (trap) level

  Parameter    Description
  level        Limits the logging of messages to the syslog servers to a specified level. You can enter the level number (0 to 7) or level name.
Configuring Syslog Step 3

  Router(config)#logging facility facility-type

3. (Optional) Sets the syslog facility

  Parameter       Description
  facility-type   The syslog facility type (local0 to local7)
Configuring Syslog Steps 4 and 5

  Router(config)#logging source-interface interface-type interface-number

4. (Optional) Sets the source interface

  Parameter          Description
  interface-type     The interface type (for example, Ethernet)
  interface-number   The interface number (for example, 0/1)

  Router(config)#logging on

5. Enables logging
Syslog Implementation Example

  R3(config)#logging 10.2.2.6
  R3(config)#logging trap informational
  R3(config)#logging source-interface loopback 0
  R3(config)#logging on
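The Log Message Format slide, the Cisco log severity level table, and the logging trap / logging facility steps together describe what the syslog server at 10.2.2.6 receives from R3. The Python script below is an added example written for this page; it is not part of the Cisco lesson material. It parses Cisco IOS log lines as they arrive in syslog datagrams, decodes the <PRI> prefix (facility × 8 + severity, with local0 to local7 mapping to facility codes 16 to 23), checks that the severity encoded in PRI agrees with the severity in the message name, and applies the same cut-off as "logging trap informational" so that LOG_DEBUG messages are dropped. The function names, the sample lines, and the assumption that the router uses the IOS default facility local7 are this example's own; the sample lines are constructed, including one whose PRI deliberately disagrees with its message severity.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Severity numbers and names from the Cisco log severity level table.
SEVERITY_NAMES = {0: "LOG_EMERG", 1: "LOG_ALERT", 2: "LOG_CRIT", 3: "LOG_ERR",
                  4: "LOG_WARNING", 5: "LOG_NOTICE", 6: "LOG_INFO", 7: "LOG_DEBUG"}
# Keyword forms accepted by "logging trap <level>" (a number 0-7 also works).
TRAP_KEYWORDS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                 "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

def facility_code(facility_type: str) -> int:
    """Map "logging facility local0..local7" to the syslog facility code that
    goes into PRI (local0 = 16 ... local7 = 23, RFC 3164 numbering)."""
    m = re.fullmatch(r"local([0-7])", facility_type)
    if not m:
        raise ValueError(f"unsupported facility keyword: {facility_type}")
    return 16 + int(m.group(1))

def priority(facility_type: str, severity: int) -> int:
    """Value of the <PRI> prefix on the wire: facility * 8 + severity."""
    return facility_code(facility_type) * 8 + severity

# Assumed layout: optional <PRI>, optional sequence number, optional datetime
# stamp (a leading * marks an unauthoritative clock), then
# %FACILITY-SEVERITY-MNEMONIC: text. Uptime stamps such as "1w2d:" are not handled.
IOS_MSG = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>\*?[A-Z][a-z]{2,3} +\d{1,2} \d{2}:\d{2}:\d{2}"
    r"(?:\.\d{1,3})?(?: [A-Z]{3,4})?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")

@dataclass
class IosLogMessage:
    pri: Optional[int]
    sequence: Optional[int]
    timestamp: Optional[str]
    facility: str      # facility part of the message name, e.g. SYS
    severity: int      # 0-7, taken from the message name
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def pri_severity(self) -> Optional[int]:
        return None if self.pri is None else self.pri & 0x07

    @property
    def pri_facility(self) -> Optional[int]:
        return None if self.pri is None else self.pri >> 3

    def consistent(self) -> bool:
        # IOS derives the PRI severity from the message severity; a mismatch is worth flagging.
        return self.pri is None or self.pri_severity == self.severity

def parse_ios_log(line: str) -> IosLogMessage:
    m = IOS_MSG.match(line.strip())
    if not m:
        raise ValueError(f"not a Cisco IOS log message: {line!r}")
    return IosLogMessage(
        pri=int(m["pri"]) if m["pri"] else None,
        sequence=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"], facility=m["facility"], severity=int(m["severity"]),
        mnemonic=m["mnemonic"], text=m["text"])

def passes_trap_level(msg: IosLogMessage, level) -> bool:
    """Emulate "logging trap <level>": keep messages at that severity or more
    severe (numerically lower)."""
    limit = TRAP_KEYWORDS[level] if isinstance(level, str) else int(level)
    return msg.severity <= limit

def triage(lines, trap_level="informational"):
    """Sort raw lines into forwarded / dropped / inconsistent by message name."""
    report = {"forwarded": [], "dropped": [], "inconsistent": []}
    for line in lines:
        msg = parse_ios_log(line)
        name = f"%{msg.facility}-{msg.severity}-{msg.mnemonic}"
        if not msg.consistent():
            report["inconsistent"].append(name)
        report["forwarded" if passes_trap_level(msg, trap_level) else "dropped"].append(name)
    return report

# Constructed sample datagrams, assuming the IOS default facility local7
# (PRI base 23 * 8 = 184). The last line carries a PRI that disagrees with its
# message severity, so the consistency check fires on it.
SAMPLE_LINES = [
    "<189>Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6)",
    "<190>Oct 29 10:00:02 EST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4433) -> 10.2.2.6(23), 1 packet",
    "<191>Oct 29 10:00:03 EST: %SYS-7-USERLOG_DEBUG: Logged from console by admin: test",
    "<189>000123: *Oct 29 10:00:04.512: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LINES))
```

Running the script forwards the CONFIG_I, IPACCESSLOGP and LINK-3-UPDOWN messages, drops the LOG_DEBUG line exactly as "logging trap informational" would on the router, and reports the LINK-3-UPDOWN line as inconsistent because its PRI encodes severity 5 while the message name says 3. The PRI check is only a sanity signal on the collector, not tamper protection; keeping the management channel on an OOB network or inside IPsec, as the guidelines above recommend, is what actually protects the messages in transit.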