© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod5_L8
Implementing Secure Converged Wide Area Networks (ISCW)
Lesson 8 – Module 5 – ‘Cisco Device Hardening’
Securing Management and Reporting Features
Module Introduction
The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data and that the data is not accessed by the wrong people.
Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.
Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
Objectives
At the completion of this eighth lesson, you will be able to:
Describe and demonstrate how to set up syslog reporting for a large network
Demonstrate the importance of secure channels for syslog information
Describe the difference between inband and out-of-band reporting
Read and analyse syslog reports
Secure Management and Reporting Planning Considerations
Configuring logging for Cisco routers is a straightforward operation when the network contains only a few Cisco routers. However, logging and reading information from hundreds of devices can be a challenging proposition. Too much information can be as bad as too little information and can raise these important questions:
Which are the most important logs?
How are important messages separated from routine notifications?
How do you prevent tampering with logs?
How do you make sure time stamps match?
What log data is needed in criminal investigations?
How do you deal with the volume of log messages?
How do you manage all the devices?
How can you track changes when attacks or network failures occur?
Secure Management and Reporting Architecture
Information Paths
Information flow between management hosts and the managed devices can take two paths:
In-band: Information flows across the enterprise production network or the Internet (or both)
Out of Band (OOB): Information flows within a network on which no production traffic resides
In-Band Management Considerations
Some questions that must be considered when designing an in-band management solution:
Which management protocols does each device support?
Does the management channel need to be active at all times?
Is SNMP necessary?
Secure Management and Reporting Guidelines
In-band management guidelines:
Apply only to devices needing to be managed or monitored.
Use IPsec when possible.
Use SSH or SSL instead of Telnet.
Decide whether the management channel needs to be open at all times.
Keep clocks on hosts and network devices synchronised.
Record changes and archive configurations.
OOB management guidelines:
Provide the highest level of security and mitigate the risk of passing insecure management protocols over the production network.
Keep clocks on hosts and network devices synchronised.
Record changes and archive configurations.
Configuring an SSH Server for Secure Management and Reporting
Austin2#configure terminal
Austin2(config)#ip domain-name cisco.com
Austin2(config)#crypto key generate rsa general-keys modulus 1024
Sept 22 13:20:45: %SSH-5-ENABLED: SSH 1.5 has been enabled
Austin2(config)#ip ssh timeout 120
Austin2(config)#ip ssh authentication-retries 4
Austin2(config)#line vty 0 4
Austin2(config-line)#no transport input telnet
Austin2(config-line)#transport input ssh
Austin2(config-line)#end
1. Configure the IP domain name.
2. Generate the RSA keys.
3. (Optional) Display generated keys.
4. Configure the SSH timeout interval.
5. Configure the SSH retries.
6. Disable vty inbound Telnet sessions.
7. Enable vty inbound SSH sessions.
Implementing Log Messaging for Security
Routers should be configured to send log messages to one or more of these:
Console
Terminal lines
Memory buffer
SNMP traps
Syslog
Syslog logging is a key security policy component
Syslog Systems
Syslog server: A host that accepts and processes log messages from one or more syslog clients
Syslog client: A host that generates log messages and forwards them to a syslog server
Cisco Log Severity Levels
Syslog level and name: definition. Example.
Level 0, LOG_EMERG: A panic condition normally broadcast to all users. Example: Cisco IOS software could not load.
Level 1, LOG_ALERT: A condition that should be corrected immediately, such as a corrupted system database. Example: Temperature too high.
Level 2, LOG_CRIT: Critical conditions; for example, hard device errors. Example: Unable to allocate memory.
Level 3, LOG_ERR: Errors. Example: Invalid memory size.
Level 4, LOG_WARNING: Warning messages. Example: Crypto operation failed.
Level 5, LOG_NOTICE: Conditions that are not error conditions but should possibly be handled specially. Example: Interface changed state, up or down.
Level 6, LOG_INFO: Informational messages. Example: Packet denied by ACL.
Level 7, LOG_DEBUG: Messages that contain information that is normally used only when debugging a program. Example: Packet type invalid.
Log Message Format
Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6)
Time stamp: Oct 29 10:00:01 EST
Log message name and severity level: %SYS-5-CONFIG_I (severity level 5)
Message text: Configured from console by vty0 (10.2.2.6)
Note: The log message name is not the same as a severity level name.
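The following Python script is an added example, not part of the Cisco lesson: it parses lines in the format shown above and applies the severity table from the previous slide to answer two of the planning questions (which logs matter, and how to separate important messages from routine ones). The sample lines are constructed, the severity cut-off and the watch list are this example's own choices rather than Cisco defaults, and it goes slightly beyond the slide by also accepting the sequence-number prefix that "service sequence-numbers" adds and the "*" or "." clock marker IOS puts before a time stamp.

```python
"""Parse Cisco IOS syslog lines and separate important messages from routine ones."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity numbers and names from the lesson's table (0 = most severe).
SEVERITY_NAMES = {
    0: "LOG_EMERG", 1: "LOG_ALERT", 2: "LOG_CRIT", 3: "LOG_ERR",
    4: "LOG_WARNING", 5: "LOG_NOTICE", 6: "LOG_INFO", 7: "LOG_DEBUG",
}

# Constructed sample: time stamp, then %NAME-SEVERITY-MNEMONIC, then the text.
# Line 4 carries the sequence-number prefix that "service sequence-numbers" adds;
# the last line is not a syslog message at all and must be rejected, not crash.
SAMPLE_LOG = """\
Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6)
Oct 29 10:00:07 EST: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Oct 29 10:00:09 EST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4321) -> 10.2.2.6(22), 1 packet
000120: Oct 29 10:00:15 EST: %SSH-5-ENABLED: SSH 2.0 has been enabled
Oct 29 10:00:20 EST: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed
this line is not a syslog message
"""

LINE_RE = re.compile(
    r"^(?:\d+:\s+)?"                           # optional sequence number
    r"(?:(?P<flag>[*.])?(?P<ts>[^%]*?):\s+)?"  # optional time stamp; a leading '*' means the
                                               # clock is not authoritative, '.' NTP not in sync
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<text>.*)$"
)


@dataclass
class SyslogMessage:
    timestamp: Optional[str]   # None when the device does not stamp messages
    clock_flag: str            # "*" or "." as above, "" when the clock is trusted
    facility: str              # facility part of the message name (SYS, SSH, ...);
                               # not the local0-local7 facility set by "logging facility"
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def name(self) -> str:
        """The log message name, e.g. %SYS-5-CONFIG_I (not a severity level name)."""
        return f"%{self.facility}-{self.severity}-{self.mnemonic}"


def parse_line(line: str) -> Optional[SyslogMessage]:
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return SyslogMessage(timestamp=m["ts"], clock_flag=m["flag"] or "",
                         facility=m["facility"], severity=int(m["severity"]),
                         mnemonic=m["mnemonic"], text=m["text"])


def parse_log(text: str) -> List[SyslogMessage]:
    """Parse every line, skipping lines that are not syslog messages."""
    return [msg for msg in (parse_line(line) for line in text.splitlines()) if msg is not None]


# Facility-mnemonic pairs wanted regardless of severity (constructed watch list):
# configuration changes and SSH server state changes.
WATCH_LIST = frozenset({"SYS-CONFIG_I", "SSH-ENABLED"})


def triage(messages: List[SyslogMessage], threshold: int = 4,
           watch=WATCH_LIST) -> Tuple[List[SyslogMessage], List[SyslogMessage]]:
    """Split messages into (important, routine).

    Important = severity <= threshold (the same cut-off idea as "logging trap
    warnings") or a facility-mnemonic on the watch list; everything else is routine.
    """
    important, routine = [], []
    for msg in messages:
        if msg.severity <= threshold or f"{msg.facility}-{msg.mnemonic}" in watch:
            important.append(msg)
        else:
            routine.append(msg)
    return important, routine


def count_by_severity(messages: List[SyslogMessage]) -> dict:
    counts: dict = {}
    for msg in messages:
        counts[msg.severity_name] = counts.get(msg.severity_name, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    important, routine = triage(parsed)
    for msg in important:
        print(f"IMPORTANT {msg.severity_name:<12} {msg.name}: {msg.text}")
    print("routine:", len(routine), "by severity:", count_by_severity(parsed))
```

A practitioner would feed the output of `logging trap` collection (one file per device) through `parse_log` and page on the important list only; the routine list still goes to long-term storage, since ACL denials are what an investigation later needs.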
Configuring Syslog Step 1
Router(config)#
logging [host-name | ip-address]
1. Sets the destination logging host
Parameter   Description
host-name   The name of the host you want to use as a syslog server
ip-address  The IP address of the host you want to use as a syslog server
Configuring Syslog Step 2
Router(config)#
logging trap level
2. (Optional) Sets the log severity (trap) level
Parameter   Description
level       Limits the logging of messages to the syslog servers to a specified level. You can enter the level number (0 to 7) or level name.
Configuring Syslog Step 3
Router(config)#
logging facility facility-type
3. (Optional) Sets the syslog facility
Parameter      Description
facility-type  The syslog facility type (local0 to local7)
Configuring Syslog Steps 4 and 5
Router(config)#
logging source-interface interface-type interface-number
4. (Optional) Sets the source interface
Parameter         Description
interface-type    The interface type (for example, Ethernet)
interface-number  The interface number (for example, 0/1)
Router(config)#
logging on
5. Enables logging
Syslog Implementation Example
R3(config)#logging 10.2.2.6
R3(config)#logging trap informational
R3(config)#logging source-interface loopback 0
R3(config)#logging on
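The SSH server steps and the syslog steps above are the kind of settings that drift across hundreds of routers. As an added example (not a Cisco tool and not part of the lesson), the Python script below audits a saved running-config against those steps and the earlier guideline to keep clocks synchronised. The config text is constructed and deliberately leaves Telnet enabled on one vty range and omits NTP; the list of "logging" sub-keywords is a partial, hand-written one; and the check for "ip ssh version 2" goes beyond the slide, because the "%SSH-5-ENABLED: SSH 1.5 has been enabled" message in the SSH example means the server is offering SSH version 1, which "ip ssh version 2" turns off.

```python
"""Audit an IOS running-config against the lesson's SSH and syslog hardening steps."""
from typing import List, Tuple

# Constructed running-config excerpt loosely following the Austin2/R3 examples.
# Two weaknesses are left in on purpose: vty 5-15 still accepts Telnet, and
# there is no NTP server, so device clocks (and therefore log time stamps) drift.
SAMPLE_CONFIG = """\
hostname Austin2
!
service timestamps log datetime msec localtime show-timezone
ip domain-name cisco.com
ip ssh timeout 120
ip ssh authentication-retries 4
!
logging trap informational
logging source-interface Loopback0
logging 10.2.2.6
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
end
"""

# "logging <word>" sub-commands that do not name a syslog host (constructed, partial list).
LOGGING_KEYWORDS = {"trap", "buffered", "console", "monitor", "facility",
                    "source-interface", "on", "rate-limit", "history", "origin-id"}


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split a config into (top-level command, [indented sub-mode commands]) pairs.
    IOS indents sub-mode commands with a space; lines starting with '!' are comments."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def syslog_hosts(top: List[str]) -> List[str]:
    """Collect destinations from 'logging <host>' and 'logging host <host>' lines
    (newer IOS shows the explicit 'host' keyword in show running-config)."""
    hosts = []
    for cmd in top:
        parts = cmd.split()
        if len(parts) >= 2 and parts[0] == "logging":
            if parts[1] == "host" and len(parts) >= 3:
                hosts.append(parts[2])
            elif parts[1] not in LOGGING_KEYWORDS:
                hosts.append(parts[1])
    return hosts


def audit(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    blocks = parse_blocks(config)
    top = [head for head, _ in blocks]

    # SSH: every vty range must accept SSH only, and SSH version 1 must be off.
    vty = [(head, body) for head, body in blocks if head.startswith("line vty")]
    if not vty:
        findings.append("no 'line vty' configuration found")
    for head, body in vty:
        transports = [cmd for cmd in body if cmd.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"{head}: expected 'transport input ssh', found "
                            f"{transports or 'no transport input line'}")
    if "ip ssh version 2" not in top:
        findings.append("'ip ssh version 2' missing: SSH version 1 is still offered")

    # Syslog: a destination, an explicit trap level, a stable source, logging not disabled.
    if not syslog_hosts(top):
        findings.append("no syslog server configured ('logging <host>')")
    if not any(cmd.startswith("logging trap") for cmd in top):
        findings.append("'logging trap' not set: the default severity level applies")
    if not any(cmd.startswith("logging source-interface") for cmd in top):
        findings.append("'logging source-interface' not set: messages carry a varying source address")
    if "no logging on" in top:
        findings.append("'no logging on' present: logging is disabled")

    # Time stamps must be present and comparable across devices.
    if not any(cmd.startswith("service timestamps log datetime") for cmd in top):
        findings.append("'service timestamps log datetime' missing: log lines lack wall-clock time")
    if not any(cmd.startswith("ntp server") for cmd in top):
        findings.append("no 'ntp server' configured: clocks will drift between devices")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it over the archived configurations the guidelines ask you to keep, and a change that re-enables Telnet or drops the syslog server shows up as a new finding on the next run rather than during the next incident.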