
Hardening Guidelines for Cisco 3000 Series VPN Concentrators
Expert Reference Series of White Papers
1-800-COURSES
www.globalknowledge.com
Introduction
Cisco’s 3000 series VPN Concentrators continue to be one of its most popular security product offerings. Due to their reliability, fault tolerance, and ease of setup, management, and monitoring, they scale well from small remote sites to large enterprise solutions. The default policies shipped with the units allow an administrator to quickly and easily place a unit into production within an hour of unpacking. But, like any sophisticated security appliance, one must carefully review the default policies and be prepared to make an informed decision about which features should remain active and which to disable.

The purpose of this paper is to highlight some of the most important areas where one can increase the overall security posture of the VPN Concentrator by hardening common features such as Administrative Access, User Access, Network Management Access and Interface Policies. This paper assumes the reader has experience configuring the 3000 series concentrators and is familiar with navigating the menu structure in the web-based GUI and the CLI. For reference, this paper was written against a Cisco 3005 VPN Concentrator running version 4.7 of the VPN OS.
Securing Administrative Access
The first area of focus is securing console and remote administration access to the concentrator. If an intruder can “sniff” your username and password with a protocol analyzer, your network can be easily compromised by the eavesdropper.

There are two areas in the configuration tree that concern the control of local and remote access to the concentrator: Administration | Access Rights and Configuration | System | Management.
Securing Access Rights
On your concentrator, navigate to Administration | Access Rights as shown in figure 1.
David W. Chapman, Jr., Global Knowledge Instructor, CISSP-ISSAP, CCSI, CCNP, CCDP, CCSP
Copyright ©2005 Global Knowledge Network, Inc. All rights reserved.
Figure 1 – Configure Administrator Access
Click on the Administrators link and you will be presented with a list of default user accounts. The only account that should be enabled is “admin”. Click on the Modify button to the right of the admin user.
Because attackers have easy access to lists of default usernames and passwords, it is important to change not only the default password, but the username as well. Half of the difficulty of remotely cracking a password is knowing a valid username. Use this screen to change the default username to a non-obvious value. The use of “admin”, “administrator”, “root”, or “cisco” as usernames is strongly discouraged, as attackers will surely use these. The concentrator allows usernames and passwords of up to 31 characters.
Note: Unfortunately, the concentrator does not directly support an account lockout threshold. This can only be set if TACACS+ is used to authenticate administrative users. To determine if an attacker is targeting the administrator account, navigate to Monitoring | Filterable Event Log. Select the “Auth” Event Class and “Newest to Oldest” in the Direction drop-down menu, and then click the Get Log button. A popup window will show any authentication failures.
The following URL will take you to a security site that lists default username/password combinations for popular network equipment, including the 3000 series concentrators:
http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
Once you have changed the default username and password, click the Apply button to return to Administration | Access Rights. Click the Access Settings link. On this page, you will modify the idle timeout, max sessions, and configuration file encryption settings. The default idle timer terminates an administrator session after 10 minutes of inactivity. If your security policy dictates a smaller value, it can be modified from 1 to 1800 seconds. The default session limit of 10 simultaneous administrators is excessive. Typically, there should be no need for more than 2 or 3 simultaneous sessions to the administration interface.
The Config File Encryption setting determines whether sensitive fields such as passwords and pre-shared key values are stored in clear text or encrypted. The difference between RC4 and DES is that with DES selected, the config file is non-portable between concentrators. RC4 encryption allows a config file to be installed into another 3000 series concentrator of the same model. In the unlikely event of a hardware failure, it is useful to be able to quickly configure the replacement unit.
Securing Management Protocols
The Cisco 3000 Series VPN Concentrators offer a wide array of protocols to manage, monitor, and maintain your VPN perimeter. The defaults are in place to give you the most flexible solution right out of the box. However, many of the default management protocols transfer authentication data in clear text over the wire. This presents a serious risk to the confidentiality of usernames and passwords used to access the concentrator. Table 1 lists the available management protocols and their default settings.
Table 1 – 3000 Series Management Protocols

Management Protocol   Enabled By Default   Encrypted Transport   Transport Protocol   Service Port
TFTP                  No                   No                    UDP                  69
FTP                   Yes                  No                    TCP                  21
HTTP                  Yes                  No                    TCP                  80
Telnet                Yes                  No                    TCP                  23
SNMP                  Yes                  No                    UDP                  161
HTTPS                 Yes                  Yes                   TCP                  443
SSH                   Yes                  Yes                   TCP                  22
Once you have successfully made a connection via HTTPS, it is highly recommended you disable all protocols that do not use encryption. Cisco has grouped all of the non-encrypted protocols in the same section for easy access. You can access this section by navigating to Configuration | System | Management Protocols in the GUI, as shown in figure 2.

Figure 2 – Management Protocols

For each protocol you decide to disable, click on its link and de-select the Enable checkbox, then click the Apply button. Be sure to save your configuration by clicking the Save Needed floppy disk icon in the upper-right corner of the page.
Securing Network Management Access
Cisco offers two methods to centrally manage the 3000 Series Concentrators: SNMP and XML. Although SNMP is enabled by default, no community strings, such as the ubiquitous “public” and “private”, are configured. Because SNMP is inherently insecure, if you must run SNMP, the best practice is to send messages over the External interface to an out-of-band network. For more information on the design of an out-of-band management network, please refer to the Management Module of Cisco’s White Paper “SAFE: A Security Blueprint for Enterprise Networks”.

Unless you are using an XML-based network management system, XML management should be disabled. There is a risk that an internal attacker could exploit the XML interface to gain information about the concentrator’s configuration.
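As an added example (not code from the paper or from Cisco), the following Python audit encodes the recommendations of the Access Rights, Management Protocols and Network Management sections above, so a set of settings recorded from the concentrator's GUI pages can be checked against them in one pass. The Snapshot structure and its field names are assumptions, since the concentrator exposes these settings only through its GUI.

```python
from dataclasses import dataclass, field

# Table 1 from the paper: protocol -> (encrypted transport, transport, service port)
MGMT_PROTOCOLS = {
    "TFTP": (False, "UDP", 69), "FTP": (False, "TCP", 21), "HTTP": (False, "TCP", 80),
    "Telnet": (False, "TCP", 23), "SNMP": (False, "UDP", 161),
    "HTTPS": (True, "TCP", 443), "SSH": (True, "TCP", 22),
}
DISCOURAGED_USERNAMES = {"admin", "administrator", "root", "cisco"}
IDLE_RANGE = (1, 1800)   # configurable idle timeout range, in seconds
MAX_ADMIN_SESSIONS = 3   # the paper: 2 or 3 simultaneous admin sessions is plenty

@dataclass
class Snapshot:
    """Settings read off the GUI pages; this structure is constructed for the example."""
    enabled_admins: list           # accounts left enabled under Administrators
    admin_username: str
    idle_timeout_s: int
    max_sessions: int
    config_encryption: str         # "None", "RC4" or "DES"
    enabled_protocols: set         # names as in MGMT_PROTOCOLS
    snmp_communities: set = field(default_factory=set)
    xml_enabled: bool = False
    xml_nms_in_use: bool = False

def audit(s: Snapshot) -> list:
    """Return one finding per deviation from the paper's guidance (empty list = compliant)."""
    f = []
    if extra := sorted(a for a in s.enabled_admins if a != s.admin_username):
        f.append(f"disable the unused default accounts {extra}")
    if s.admin_username.lower() in DISCOURAGED_USERNAMES:
        f.append(f"rename administrator account '{s.admin_username}' to a non-obvious value")
    if not IDLE_RANGE[0] <= s.idle_timeout_s <= IDLE_RANGE[1]:
        f.append("idle timeout must lie between 1 and 1800 seconds")
    if s.max_sessions > MAX_ADMIN_SESSIONS:
        f.append(f"reduce max admin sessions from {s.max_sessions} to {MAX_ADMIN_SESSIONS} or fewer")
    if s.config_encryption == "None":
        f.append("enable config file encryption (RC4 stays portable to a same-model spare, DES does not)")
    for p in sorted(s.enabled_protocols):
        encrypted, transport, port = MGMT_PROTOCOLS[p]
        if not encrypted:
            f.append(f"disable cleartext management protocol {p} ({transport}/{port})")
    if "SNMP" in s.enabled_protocols:
        if weak := sorted(s.snmp_communities & {"public", "private"}):
            f.append(f"replace the well-known SNMP community strings {weak}")
        f.append("if SNMP is required, run it over an out-of-band management network")
    if s.xml_enabled and not s.xml_nms_in_use:
        f.append("disable XML management; no XML-based NMS is in use")
    return f
```

Run it once against the factory settings and again after applying the changes; the second run should come back empty.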