1
00:00:06,720 --> 00:00:09,040
- This lesson examines what you can do

2
00:00:09,040 --> 00:00:12,810
to protect the management access and management protocols

3
00:00:12,810 --> 00:00:14,510
used on the network.

4
00:00:14,510 --> 00:00:15,770
As mentioned earlier,

5
00:00:15,770 --> 00:00:19,440
the management plane is covered first in this discussion.

6
00:00:19,440 --> 00:00:22,430
After all, without a configured router,

7
00:00:22,430 --> 00:00:24,690
whether configured through the console port

8
00:00:24,690 --> 00:00:29,010
or through an IP address with a secure remote access tool

9
00:00:29,010 --> 00:00:32,770
such as SSH, the network device is not much good

10
00:00:32,770 --> 00:00:34,740
without a working configuration

11
00:00:34,740 --> 00:00:36,030
that either an administrator

12
00:00:36,030 --> 00:00:39,310
or some other type of management system,

13
00:00:39,310 --> 00:00:43,200
such as Cisco DNA Center, has put in place.

14
00:00:43,200 --> 00:00:46,120
A basic Layer 2 switch with all ports

15
00:00:46,120 --> 00:00:49,280
in the same VLAN would be functional,

16
00:00:49,280 --> 00:00:52,590
but this is unlikely to be the desired configuration

17
00:00:52,590 --> 00:00:54,710
for that device.

18
00:00:54,710 --> 00:00:56,269
To secure the management plane,

19
00:00:56,269 --> 00:00:59,703
you should adhere to these best practices.

20
00:00:59,703 --> 00:01:02,998
First, enforce a password policy,

21
00:01:02,998 --> 00:01:07,210
including features such as maximum number of login attempts

22
00:01:07,210 --> 00:01:09,603
and minimum password length.

23
00:01:10,470 --> 00:01:14,840
Second, implement role-based access control, or RBAC.

24
00:01:14,840 --> 00:01:17,760
This concept has been around for a long time

25
00:01:17,760 --> 00:01:19,440
in relation to groups.
26
00:01:19,440 --> 00:01:21,960
By creating a group that has specific rights

27
00:01:21,960 --> 00:01:24,300
and then placing users in that group,

28
00:01:24,300 --> 00:01:27,999
you can more easily manage and allocate administrators.

29
00:01:27,999 --> 00:01:32,240
With RBAC, we can create a role, like a group,

30
00:01:32,240 --> 00:01:35,510
and assign that role to the users

31
00:01:35,510 --> 00:01:38,510
who will be acting in that role.

32
00:01:38,510 --> 00:01:41,520
With the role comes the permissions and access.

33
00:01:41,520 --> 00:01:45,530
Ways to implement RBAC include using Access Control Server,

34
00:01:45,530 --> 00:01:50,530
or ACS, and CLI parser views,

35
00:01:50,560 --> 00:01:53,690
which restrict the commands that can be issued

36
00:01:53,690 --> 00:01:56,523
in the specific view an administrator is in.

37
00:01:57,590 --> 00:02:00,990
Custom privilege level assignments are also an option

38
00:02:00,990 --> 00:02:05,230
to restrict what a specific user may do

39
00:02:05,230 --> 00:02:09,363
while operating at that custom privilege level.

40
00:02:10,270 --> 00:02:14,870
Third, use AAA services and centrally manage those services

41
00:02:14,870 --> 00:02:16,830
on an authentication server,

42
00:02:16,830 --> 00:02:21,830
such as the Cisco Identity Services Engine, or ISE.

43
00:02:22,970 --> 00:02:26,540
With AAA, a network router or a switch can interact

44
00:02:26,540 --> 00:02:30,920
with a centralized server before allowing any access,

45
00:02:30,920 --> 00:02:33,240
before allowing any command to be entered,

46
00:02:33,240 --> 00:02:37,030
and while keeping an audit trail that identifies

47
00:02:37,030 --> 00:02:39,930
who has logged in and what commands they executed

48
00:02:39,930 --> 00:02:41,770
while they were there.

49
00:02:41,770 --> 00:02:44,920
Your policies about who can do what

50
00:02:44,920 --> 00:02:47,800
can be configured on that central server.
51
00:02:47,800 --> 00:02:51,080
And then you can configure the routers and switches

52
00:02:51,080 --> 00:02:54,720
to act as clients to the server as they make their requests,

53
00:02:54,720 --> 00:02:59,120
asking whether it's okay for a specific user to log in

54
00:02:59,120 --> 00:03:01,390
or if it's okay for a specific user

55
00:03:01,390 --> 00:03:03,723
to issue a specific command.

56
00:03:04,570 --> 00:03:08,360
Fourth, keep accurate time across all network devices

57
00:03:08,360 --> 00:03:13,100
using secure Network Time Protocol, or NTP.

58
00:03:13,100 --> 00:03:17,890
Fifth, use encrypted and authenticated versions of SNMP,

59
00:03:17,890 --> 00:03:19,880
which includes version three

60
00:03:19,880 --> 00:03:23,120
and some features from version two.

61
00:03:23,120 --> 00:03:27,260
Sixth, control which IP addresses

62
00:03:27,260 --> 00:03:31,320
are allowed to initiate management sessions

63
00:03:31,320 --> 00:03:33,254
with the network device.

64
00:03:33,254 --> 00:03:37,380
Seventh, on the infrastructure of your network,

65
00:03:37,380 --> 00:03:39,680
only permit this type of traffic

66
00:03:39,680 --> 00:03:42,910
between the network device IP addresses

67
00:03:42,910 --> 00:03:44,980
and the destinations that the network device

68
00:03:44,980 --> 00:03:48,370
is configured to send syslog messages to.

69
00:03:48,370 --> 00:03:51,440
In practice, not too many people are going to encrypt

70
00:03:51,440 --> 00:03:54,560
syslog data, although it is better to do so.

71
00:03:54,560 --> 00:03:56,290
Short of doing encryption,

72
00:03:56,290 --> 00:03:59,230
we could use an out-of-band method

73
00:03:59,230 --> 00:04:01,460
to communicate management traffic

74
00:04:01,460 --> 00:04:05,440
between our network devices and the management stations.

75
00:04:05,440 --> 00:04:07,250
An example is a separate VLAN

76
00:04:07,250 --> 00:04:09,850
that user traffic never goes on to,
77
00:04:09,850 --> 00:04:12,560
and using that separate VLAN

78
00:04:12,560 --> 00:04:14,600
just for the management traffic.

79
00:04:14,600 --> 00:04:17,020
If management traffic is sent in band,

80
00:04:17,020 --> 00:04:18,980
which means the management traffic

81
00:04:18,980 --> 00:04:23,980
is using the same networks, same VLANs, for instance,

82
00:04:24,120 --> 00:04:27,090
all management traffic needs to have encryption

83
00:04:27,090 --> 00:04:30,610
either built in or have it protected by encryption,

84
00:04:30,610 --> 00:04:33,670
such as using IPsec.

85
00:04:33,670 --> 00:04:37,970
Finally, disable any unnecessary services,

86
00:04:37,970 --> 00:04:42,970
especially those that use User Datagram Protocol, or UDP.

87
00:04:43,656 --> 00:04:48,260
These are infrequently used for legitimate purposes

88
00:04:48,260 --> 00:04:52,304
but can be used to launch denial-of-service attacks.

89
00:04:52,304 --> 00:04:55,590
The following are some services that should be disabled

90
00:04:55,590 --> 00:04:57,176
if they're not needed:

91
00:04:57,176 --> 00:05:01,320
TCP and UDP small services,

92
00:05:01,320 --> 00:05:05,380
finger, BOOTP, DHCP,

93
00:05:05,380 --> 00:05:09,530
Maintenance Operation Protocol or MOP, DNS,

94
00:05:09,530 --> 00:05:12,911
Packet Assembler/Disassembler or PAD,

95
00:05:12,911 --> 00:05:14,561
HTTP server and secure HTTP server,

96
00:05:17,568 --> 00:05:18,735
CDP, and LLDP.