Cisco IP Solution Center Security User Guide, 3.0
Preparing for Security Provisioning
Table Of Contents

Preparing for Security Provisioning

System Requirements

Security Management Requirements

Feature-Specific Requirements

Site-to-Site VPN System Requirements

Remote Access VPN System Requirements

Network Address Translation System Requirements

Firewall System Requirements

Provisioning Overview

Ensuring IPv4 Connectivity

Configuring SSH Connections

Configuring SSH on Cisco Routers

Configuring SSH on VPN 3000 Concentrators

Configuring SSH on PIX Firewall Devices

Setting Up SNMP

Setting Up SNMPv1 and SNMPv2 on Cisco Routers

Setting SNMPv3 Parameters on Cisco Routers

Manually Enabling SA Agents on Cisco Routers

Enabling Telnet Sessions for Terminal Server Ports


Preparing for Security Provisioning


This chapter contains the following sections:

System Requirements

Provisioning Overview

Ensuring IPv4 Connectivity

Configuring SSH Connections

Setting Up SNMP

Manually Enabling SA Agents on Cisco Routers

Enabling Telnet Sessions for Terminal Server Ports

System Requirements

Before beginning provisioning, check the system requirements in this chapter for the devices and software running in your network. For a complete list of ISC system requirements, please refer to the Cisco IP Solution Center Installation Guide, 3.0 and the Release Notes for Cisco IP Solution Center, 3.0.

Security Management Requirements

The following system requirements apply to all ISC 3.0 security features:

The devices you want to provision, and the software versions they are running, must be supported by ISC. Please refer to the Release Notes for Cisco IP Solution Center, 3.0 and Cisco IP Solution Center Installation Guide, 3.0 for complete listings of system requirements.

IPv4 connectivity must exist among the devices you want to provision and each router must have a routable IP address.

You must use Netscape 7.0 or later, or Internet Explorer 6.0 or later, to access the ISC GUI.

You must have sufficient understanding of your network topology and firewall, IPsec, NAT, and VPN technologies to implement network management policies.

You must have Cisco VPN Client 3.0 or later.

Feature-Specific Requirements

The following sections describe the feature-specific platform and software requirements for ISC 3.0 Security Management services.

Site-to-Site VPN System Requirements

The following system requirements are necessary to successfully provision site-to-site VPN services with ISC 3.0:

ISC site-to-site VPN supports:

Cisco IOS devices for pure IPsec, GRE + IPsec, DMVPN, and Easy VPN.

PIX security appliances for pure IPsec and Easy VPN.

VPN 3000 Concentrator for pure IPsec policies only.

ISC site-to-site VPN requires PIX Firewall software version 5.2, 5.3, or 6.2; Cisco IOS Software release 12.2(1) or later, k8 or k9 images; and VPN 3000 release 3.5.6, 3.6.5, or 3.6.7A.

DMVPN requires Cisco IOS release 12.2(15)T or later.

The Easy VPN Hardware Client requires PIX Firewall software version 6.3 or Cisco IOS Software 12.2(13)T or later.

Remote Access VPN System Requirements

The following system requirements are necessary to successfully provision remote access VPN services with ISC 3.0:

ISC remote access VPN supports Cisco IOS devices, PIX security appliances, and VPN 3000 Concentrators.

ISC remote access VPN requires PIX Firewall software version 6.2 or higher, or Cisco IOS Software version 12.2(11)T or later, k8 or k9 images, and VPN 3000 releases 3.5.6, 3.6.5, and 3.6.7A.

VPN 3000 release 3.5 or later requires an SSH client that supports SSH protocol version 1.5 (available on Cisco.com).

IP DSL switches running Cisco IOS Software release 12.2(1)DA or later.

If you are implementing RSA signatures as the IKE authentication method, you must complete certificate enrollment with a Certification Authority.

Network Address Translation System Requirements

The following system requirements are necessary to successfully provision NAT with ISC 3.0:

NAT supports Cisco IOS devices and PIX security appliances.

NAT requires PIX Firewall software version 5.2, 5.3, 6.2 or later, or Cisco IOS Software release 12.0 or later.

Firewall System Requirements

The following system requirements are necessary to successfully provision firewall services with ISC 3.0:

The ISC firewall service supports Cisco IOS devices and PIX security appliances.

The ISC firewall service requires PIX Firewall software version 6.2 or later, or Cisco IOS Software version 12.2(13)T or later.

Provisioning Overview

Use the information in this section to get an overview of the steps involved in provisioning network services with ISC. Refer to the Cisco IP Solution Center, 3.0: Infrastructure Guide, 3.0 for details on Steps 1 through 5 and to this guide for Steps 6 through 11.

To provision network services with ISC you must perform the following steps:


Step 1 Perform the initial setup of ISC, including populating your device inventory. You can do this per device through Service Inventory > Inventory and Connection Manager > Devices (click Create), or in bulk through Service Inventory > Inventory and Connection Manager > Inventory Manager (which launches ISC Inventory Manager).

Step 2 Create customers. Click Service Inventory > Inventory and Connection Manager > Customers to access the Customers page. Click Create to add a new customer.

Step 3 Create customer sites. Click Service Inventory > Inventory and Connection Manager > Customers > Customer Sites to access the Customer Sites page. Click Create to add a new customer site. You must first have created at least one customer because every customer site must be associated with a customer.

Step 4 Create CPE devices. Click Service Inventory > Inventory and Connection Manager > Customers > CPE Devices to access the CPE devices page. Click Create to designate a device in your ISC repository as a CPE device (which is then assigned to a customer site). You must first have created at least one customer site because every CPE device must be associated with a customer site.

Step 5 During CPE device creation, mark the interfaces for each CPE device.

Step 6 Create a VPN for site-to-site and remote access VPN services by clicking Service Inventory > Inventory and Connection Manager > VPNs to access the VPNs page.

Step 7 Add a AAA server device to your ISC repository for firewall (required) and remote access (optional) services by clicking Service Inventory > Inventory and Connection Manager > AAA Servers to access the AAA Servers page.

Step 8 Create the service policy by clicking Service Design > Policy Manager to access the Policies page.

Step 9 Create the service request by clicking Service Inventory > Inventory and Connection Manager > Service Requests to access the Service Requests page.

Step 10 Deploy the service request by clicking Service Inventory > Inventory and Connection Manager > Service Requests to access the Service Requests page.

Step 11 (Optional) Audit the service request by clicking Home > Monitoring > Task Manager > Tasks to access the Tasks page.


Ensuring IPv4 Connectivity

To provision services with ISC, you must have IPv4 connectivity among the devices in your network. To check for IPv4 connectivity, test the following:

1. All devices in the VPN must be able to ping each other.

2. If the VPN tunnel endpoints are loopback interfaces, the loopback interfaces must have public, routable IP addresses.

3. If more than one public (outside) interface is defined on a CPE device, then one of the public interfaces should be a loopback interface. For more information on marking CPE device interfaces, refer to IP Solution Center, 3.0: Infrastructure Reference Guide, 3.0.

4. If the tunnel endpoints are loopback interfaces, then you should be able to ping the loopback IP address of each device from the loopback IP address of every other device in the network.

5. If the VPN tunnel endpoints are public (outside) interfaces, the public (outside) interface on each router must have a public, routable IP address.

6. You should be able to ping the public (outside) interface IP address of each device from the public (outside) interface IP address of every other device in the network.

7. (Optional) One or more loopback interfaces can be defined using IP addresses in the customer site address space. These interfaces can also be used by routing protocols, such as OSPF, RIP, and EIGRP, and to unnumber GRE tunnel interfaces.

8. Cisco recommends that the outside tunnel endpoint and the management interface of a device be the same interface. The outside tunnel endpoint can be the public (outside) interface or the loopback interface on the CPE device.


Note ISC has a ping utility located at Monitoring > Ping. Refer to the Cisco IP Solution Center, 3.0: Infrastructure Guide, 3.0 for details on how to use this utility.
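The following Python script is an added illustration, not part of the Cisco guide or of ISC: it applies items 2, 3, 5, and 8 of the checklist above to a constructed set of CPE devices and lists the endpoint pairs that items 4 and 6 require to ping each other. The device model, interface names, and addresses are constructed for the example; "public, routable" is approximated with the standard library's is_global test.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CpeDevice:
    """Marked interfaces of one CPE device (constructed model, not ISC's own)."""
    name: str
    interfaces: Dict[str, str]     # interface name -> IPv4 address
    public: List[str]              # interfaces marked public (outside)
    tunnel_endpoint: str           # interface carrying the VPN tunnel endpoint
    management: str                # interface ISC reaches the device through


def is_routable(addr: str) -> bool:
    """Items 2 and 5: a public, routable address (not RFC 1918, loopback, link-local, ...)."""
    return ipaddress.IPv4Address(addr).is_global


def check_device(dev: CpeDevice) -> List[str]:
    """Apply items 2, 3, 5 and 8 of the checklist to one device; empty list = compliant."""
    findings: List[str] = []
    endpoint_addr = dev.interfaces[dev.tunnel_endpoint]
    if not is_routable(endpoint_addr):
        findings.append(f"{dev.name}: tunnel endpoint {dev.tunnel_endpoint} ({endpoint_addr}) "
                        "is not publicly routable (items 2/5)")
    # Item 3: with several public interfaces, one of them should be a loopback.
    if len(dev.public) > 1 and not any(n.startswith("Loopback") for n in dev.public):
        findings.append(f"{dev.name}: several public interfaces but none is a loopback (item 3)")
    # Item 8: manage the device through the same interface that terminates the tunnel.
    if dev.management != dev.tunnel_endpoint:
        findings.append(f"{dev.name}: management interface {dev.management} is not the tunnel "
                        f"endpoint {dev.tunnel_endpoint} (item 8)")
    return findings


def ping_pairs(devices: List[CpeDevice]) -> List[Tuple[str, str, str, str]]:
    """Items 4 and 6: every ordered (device, address, device, address) pair that must ping."""
    endpoints = [(d.name, d.interfaces[d.tunnel_endpoint]) for d in devices]
    return [(a, ia, b, ib) for a, ia in endpoints for b, ib in endpoints if a != b]


def check_site(devices: List[CpeDevice]) -> List[str]:
    """Run check_device over every device and flatten the findings."""
    return [f for d in devices for f in check_device(d)]


# Constructed sample site: a compliant hub and two spokes with checklist violations.
SAMPLE_DEVICES = [
    CpeDevice("hub", {"Serial0/0": "128.107.1.1", "Loopback0": "128.107.255.1"},
              ["Serial0/0", "Loopback0"], "Loopback0", "Loopback0"),
    CpeDevice("spoke-a", {"Ethernet0": "10.1.1.1"}, ["Ethernet0"], "Ethernet0", "Ethernet0"),
    CpeDevice("spoke-b", {"Serial0": "128.107.2.1", "Serial1": "128.107.3.1"},
              ["Serial0", "Serial1"], "Serial0", "Serial1"),
]

if __name__ == "__main__":
    for finding in check_site(SAMPLE_DEVICES):
        print(finding)
    for a, ia, b, ib in ping_pairs(SAMPLE_DEVICES):
        print(f"ping {ib} from {a} ({ia}) -> {b}")
```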


Configuring SSH Connections

ISC needs a mechanism to securely access and deploy configuration files on CPE devices, which include routers, Cisco VPN 3000 concentrators, and Cisco PIX Firewalls. To send configlets that contain preshared keys and other IPsec information to the CPE devices in the network, each CPE device must include SSH configuration as part of its initial configuration file. Once SSH is configured, ISC can upload and download configuration information through the Telnet Gateway Server, which uses the SSH channel to transport the data. In other words, the CPE device functions as the SSH server and ISC as the SSH client.

Before you configure SSH connectivity, the basic requirements for secure device management are as follows:

The CPE devices and Cisco IP Solution Center (ISC) must be able to authenticate each other.

An encrypted channel for uploading and downloading router configuration information must be in place.

The following sections describe how to configure SSH connectivity to CPE devices.

Configuring SSH on Cisco Routers

This Cisco router configuration procedure assumes that the router's authentication database is stored locally on the router and not on a TACACS or RADIUS server.

The procedure for configuring SSH on a Cisco router is as follows:

 
Command
Description

Step 1 

Router# configure terminal

Enters global configuration mode.

Step 2 

Router(config)# ip domain-name domain_name

Specifies the IP domain name.

Step 3 

Router(config)# username username password password

Configures the user ID and password. Enter your ISC username and password. For example:

username admin password iscpwd

Step 4 

Router(config)# crypto key generate rsa

Generates keys for the SSH session.

Step 5 

You will see the following prompt:

Choose the size of the key modulus in the range of 360 to 2048 for your general purpose keys. How many bits in the modulus (nnn):


Press Enter to accept the default number of bits.

Sets the number of bits.

Step 6 

Router(config)# line vty 0 4

Enters line configuration mode for vty lines 0 through 4, the lines on which the login method and SSH transport are set in the following steps.

Step 7 

Router(config-line)# login local

The login local command indicates that the router stores the authentication information locally.

Step 8 

Router(config-line)# transport input telnet ssh

Enables SSH transport.

Step 9 

Router(config-line)# Ctrl+Z

Returns to Privileged Exec mode.

Step 10 

Router# copy running startup

Saves the configuration changes to NVRAM.
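The following Python script is an added example, not part of the Cisco guide or of ISC: it audits a constructed IOS running-config against Steps 2, 3, 6, 7, and 8 of the procedure above and flags the cleartext Telnet transport that Step 8, as written, leaves enabled alongside SSH. The hostname, domain, user name, and password string are constructed; the RSA key pair from Step 4 is not visible in a running-config and is only noted, not checked.

```python
import re
from typing import Dict, List

# Constructed sample running-config that follows the procedure above, including
# Step 8's 'transport input telnet ssh'. Not taken from the guide.
SAMPLE_IOS_CONFIG = """\
hostname cpe-router-1
!
ip domain-name example.com
username admin password 7 0822455D0A16
!
line con 0
 login local
line vty 0 4
 login local
 transport input telnet ssh
!
end
"""

# Same config with Telnet removed from the vty transport.
HARDENED_IOS_CONFIG = SAMPLE_IOS_CONFIG.replace("transport input telnet ssh", "transport input ssh")


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Return {'vty 0 4': ['login local', ...]} for every 'line ...' block.

    IOS prints a block's sub-commands indented by one space; the block ends at
    the next unindented line (for example the '!' separator).
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_ssh_prereqs(config: str) -> List[str]:
    """Check a running-config against the SSH steps; an empty list means all checks pass.

    Step 4 (crypto key generate rsa) leaves no line in the running-config; confirm
    the key pair separately with 'show crypto key mypubkey rsa'.
    """
    findings: List[str] = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("Step 2: no 'ip domain-name' (required before RSA key generation)")
    if not re.search(r"^username \S+ (password|secret) ", config, re.M):
        findings.append("Step 3: no local 'username ... password' for the ISC login")
    vty_blocks = {k: v for k, v in parse_line_blocks(config).items() if k.startswith("vty")}
    if not vty_blocks:
        findings.append("Step 6: no 'line vty' block configured")
    for name, cmds in vty_blocks.items():
        if "login local" not in cmds:
            findings.append(f"Step 7: line {name} lacks 'login local'")
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport:
            findings.append(f"Step 8: line {name} has no explicit 'transport input'")
            continue
        protos = transport[-1].split()[2:]      # last statement wins in IOS
        if "ssh" not in protos and "all" not in protos:
            findings.append(f"Step 8: line {name} does not accept SSH")
        if "telnet" in protos or "all" in protos:
            findings.append(f"line {name} still accepts cleartext Telnet ({' '.join(protos)})")
    return findings
```

Since ISC itself can connect with either protocol, the Telnet finding is a hardening hint for the vty lines, not a provisioning blocker.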

Configuring SSH on VPN 3000 Concentrators

The procedure for configuring SSH on a VPN 3000 concentrator is as follows:


Step 1 Telnet to the VPN 3000 device through the console port. The command line appears.

Step 2 Select Administration > Certificate Management > SSL Certificate.

Step 3 Click Generate. The system uses parameters set on the Configuration > System > Management Protocols > SSL window and generates the certificate. The new certificate replaces any existing SSL certificate.

Step 4 If you need to modify the SSH In and SSH Out Rules, select Configuration > Policy Management > Traffic Management > Rules. Select the rule you want to modify, and then click Modify.

Step 5 For SSH In and/or SSH Out, make any modifications that you require. Click Apply when you are finished making changes to a rule.

Step 6 Select Configuration > Policy Management > Traffic Management > Filters. You must assign the SSH In and SSH Out rules to the Public interface.

Step 7 Select Public from the Filter List.

Step 8 Click Assign Rules to Filter. The Configuration > Policy Management > Traffic Management > Assign Rules to Filter window appears.

Step 9 Select SSH In from the Available Filters list and then click << Add.

Step 10 Select SSH Out from the Available Filters list and then click << Add.

Step 11 Click Done.

Step 12 Go back to the main menu and then click Logout.


Configuring SSH on PIX Firewall Devices

ISC needs a mechanism to securely deploy configuration files to PIX Firewall devices in the network.


Note SSH permits up to 100 characters in a username, and up to 50 characters in a password.


To configure SSH on a PIX Firewall device, perform the following steps:

 
Command
Description

Step 1 

Pix# configure terminal

Enters global configuration mode.

Step 2 

Pix(config)# domain-name domain_name

Specifies the IP domain name.

Step 3 

Pix(config)# ca generate rsa key 1024

Generates the RSA key pair for the SSH session. A modulus size of 1,024 bits is recommended for use with the Cisco IOS Software. Key generation could take several minutes.

Step 4 

Pix(config)# ca save all

Saves the RSA key pair to Flash memory.

Step 5 

Pix(config)# ssh ip_address subnet_mask interface

You can grant permission to one or more hosts to start an SSH session to the PIX Firewall through the specified interface (usually outside or inside). For example:

ssh 128.107.128.108 255.255.255.255 outside

You can also permit all hosts in the specified subnet to establish an SSH session with the PIX Firewall through the specified interface. For example:

ssh 128.107.0.0 255.255.0.0 outside

Step 6 

Pix(config)# aaa-server server_name (inside) host ip_address MySecure

Defines the AAA server, either RADIUS, TACACS, or LOCAL.

To gain access to the PIX Firewall console through SSH without using an AAA server, you must enter the username as pix at the SSH client, and then enter the Telnet console port password. You can set the Telnet console port password with the passwd command. The default console port password is cisco.

Step 7 

Pix(config)# aaa-server server_name protocol protocol_name

Configures the protocol used by the AAA server to do the authentication (RADIUS or TACACS+).

If you selected LOCAL, you do not need to add this command to your configuration.

Step 8 

Pix(config)# aaa authenticate ssh console server_name

Configures the PIX Firewall to perform user authentication for SSH using the AAA server.

Step 9 

Pix(config)# write mem

Saves the configuration changes.

When starting an SSH session, a dot ( . ) appears on the PIX Firewall console before the SSH user authentication prompt appears. For example:

pixfirewall(config)# .

The dot does not affect SSH functionality. It appears at the PIX Firewall console before authentication occurs, while the PIX Firewall generates a server key or decrypts a message that uses private keys during an SSH exchange. These tasks can take up to about two minutes. The dot is a progress indicator showing that the PIX Firewall is busy, not frozen.
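The following Python script is an added example, not part of the Cisco guide or of ISC: it evaluates the ssh host/subnet statements from Step 5 above for a given client address and interface, reports statements that admit whole subnets rather than individual management hosts, and notes when Steps 6 through 8 are missing so that SSH logins fall back to the pix account and the Telnet console password. The PIX configuration fragment is constructed and reuses only the addresses shown in the step.

```python
import ipaddress
from typing import List, Tuple

# Constructed PIX configuration fragment (not from the guide). It contains the
# two 'ssh' forms from Step 5 and omits 'aaa authenticate ssh console'.
SAMPLE_PIX_CONFIG = """\
domain-name example.com
ssh 128.107.128.108 255.255.255.255 outside
ssh 128.107.0.0 255.255.0.0 outside
"""


def parse_ssh_permits(config: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Collect every 'ssh ip_address subnet_mask interface' statement as (network, interface)."""
    permits = []
    for line in config.splitlines():
        p = line.split()
        if len(p) == 4 and p[0] == "ssh":
            permits.append((ipaddress.IPv4Network((p[1], p[2]), strict=False), p[3]))
    return permits


def ssh_permitted(config: str, host: str, interface: str) -> bool:
    """True if 'host' may open an SSH session to the PIX Firewall through 'interface'."""
    addr = ipaddress.IPv4Address(host)
    return any(addr in net and iface == interface for net, iface in parse_ssh_permits(config))


def broad_permits(config: str, max_hosts: int = 256) -> List[str]:
    """Statements that admit more than max_hosts addresses, i.e. the 'whole subnet' form."""
    return [f"ssh {net.network_address} {net.netmask} {iface}"
            for net, iface in parse_ssh_permits(config) if net.num_addresses > max_hosts]


def console_auth_finding(config: str) -> str:
    """Steps 6-8: without 'aaa authenticate ssh console', SSH users log in as 'pix'
    with the Telnet console password (default 'cisco'). Returns '' when AAA is set."""
    if any(line.startswith("aaa authenticate ssh console") for line in config.splitlines()):
        return ""
    return ("no 'aaa authenticate ssh console': SSH logins use the shared 'pix' account "
            "and the Telnet console password (default 'cisco'); set AAA or at least 'passwd'")


if __name__ == "__main__":
    for host in ("128.107.128.108", "128.107.5.9", "10.0.0.5"):
        print(host, "outside ->", ssh_permitted(SAMPLE_PIX_CONFIG, host, "outside"))
    print(broad_permits(SAMPLE_PIX_CONFIG))
    print(console_auth_finding(SAMPLE_PIX_CONFIG))
```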

Setting Up SNMP

To work with ISC, SNMP must be configured on each CPE device in the customer network.

Three security models are available: SNMPv1, SNMPv2c, and SNMPv3. Table 2-1 identifies the combinations of security models and levels.

Table 2-1 SNMP Security Models and Levels

Model  Level         Authentication    Encryption  Description
v1     noAuthNoPriv  Community String  No          Uses a community string match for authentication.
v2c    noAuthNoPriv  Community String  No          Uses a community string match for authentication.
v3     noAuthNoPriv  Username          No          Uses a username match for authentication.
v3     authNoPriv    MD5 or SHA        No          Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
v3     authPriv      MD5 or SHA        DES         Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms, and provides DES 56-bit encryption in addition to authentication, based on the CBC-DES (DES-56) standard.


SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet.

The security features provided in SNMPv3 are as follows:

Message integrity—Ensures that a packet has not been tampered with in-transit.

Authentication—Determines the message is from a valid source.

Encryption—Encoding the contents of a packet to prevent it from being read by an unauthorized source.

SNMPv3 objects have the following characteristics:

Each user belongs to a group.

The group defines the access policy for a set of users and determines the list of notifications its users can receive. The group also defines the security model and security level for its users.

The access policy defines which SNMP objects can be accessed for reading, writing, or creation.

Setting Up SNMPv1 and SNMPv2 on Cisco Routers

To determine whether SNMP is enabled, and set the SNMP community strings on a Cisco router, perform the following steps for each router:

 
Command
Description

Step 1 

> telnet router_name

Telnets to the router you want to configure.

Step 2 

Router> enable

Router> enable_password

Enters enable mode, and then enters the enable password.

Step 3 

Router# show snmp

Check the output of the show snmp command to see whether the following statement is present: "SNMP agent not enabled." If SNMP is not enabled, complete the steps in this procedure.

Step 4 

Router# configure terminal

Enters global configuration mode.

Step 5 

Router(config)# snmp-server community userstring RO

Sets the community read-only string.

Step 6 

Router(config)# snmp-server community userstring RW

Sets the community read-write string.

Step 7 

Router(config)# Ctrl+Z

Returns to Privileged Exec mode.

Step 8 

Router# copy running startup

Saves the configuration changes to NVRAM.


Tip The SNMP strings defined in ISC for each target device must be identical to those configured for the corresponding CPE devices in the customer network.


Setting SNMPv3 Parameters on Cisco Routers

This section describes how to set the SNMPv3 parameters on Cisco routers. To complete the SNMP configuration, you must also set the SNMP parameters in ISC, and the SNMPv3 parameters you set on CPE devices must match the SNMPv3 parameters you specify in ISC.

To check the existing SNMP configuration, use these commands in the router terminal session:

show snmp group

show snmp user

Use the SNMP Set command to encrypt packets that change the router configuration.

To set the SNMPv3 server group and user parameters on a Cisco router, perform the following steps:

 
Command
Description

Step 1 

> telnet router_name

Telnets to the router you want to configure.

Step 2 

Router> enable
Router> enable_password

Enters enable mode, and then enters the enable password.

Step 3 

Router# configure terminal

Enters global configuration mode.

Step 4 

Router(config)# snmp-server group [groupname {v1 | v2c | v3 {auth | noauth | priv}}] [read readview] [write writeview] [notify notifyview] [access access-list]

The snmp-server group command configures a new SNMP group or a table that maps SNMP users to SNMP views. Each group belongs to a specific security level.

Example: snmp-server group v3auth v3 auth read v1default write v1default

Step 5 

Router(config)# snmp-server user username [groupname remote ip-address [udp-port port] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]] [access access-list]

The snmp-server user command configures a new user to an SNMP group.

Example: snmp-server user user1 v3auth v3 auth md5 user1Pass

Step 6 

Router(config)# Ctrl+Z

Returns to Privileged Exec mode.

Step 7 

Router# copy running startup

Saves the configuration changes to NVRAM.
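The following Python script is an added example, not part of the Cisco guide or of ISC, serving both Table 2-1 and the SNMPv1/v2 and SNMPv3 procedures above: it parses constructed snmp-server lines, maps each group to its Table 2-1 security level, flags community-string and noAuthNoPriv configurations, and checks that the device's SNMPv3 user, group, level, and authentication protocol match the parameters entered on the ISC side. The configuration lines reuse the Step 4 and Step 5 examples; the ISC-side parameter dictionary is a constructed stand-in for what an operator entered in ISC.

```python
import re
from typing import Dict, List, Optional, Tuple

# Table 2-1, keyed by (model, IOS level keyword) -> (level, authentication, encryption).
SECURITY_LEVELS: Dict[Tuple[str, Optional[str]], Tuple[str, str, str]] = {
    ("v1", None): ("noAuthNoPriv", "Community String", "No"),
    ("v2c", None): ("noAuthNoPriv", "Community String", "No"),
    ("v3", "noauth"): ("noAuthNoPriv", "Username", "No"),
    ("v3", "auth"): ("authNoPriv", "MD5 or SHA", "No"),
    ("v3", "priv"): ("authPriv", "MD5 or SHA", "DES"),
}

# Constructed snmp-server lines: the Step 4/5 examples plus a leftover v1/v2c community.
SAMPLE_SNMP_CONFIG = """\
snmp-server community userstring RO
snmp-server group v3auth v3 auth read v1default write v1default
snmp-server user user1 v3auth v3 auth md5 user1Pass
"""

# Constructed stand-in for the SNMPv3 parameters entered for this device in ISC.
ISC_SNMP_PARAMS = {"user": "user1", "group": "v3auth", "level": "auth", "auth_proto": "md5"}


def parse_snmp(config: str):
    """Return communities [(string, RO|RW)], groups {name: (model, level)},
    users {name: (group, model, auth_proto)} from snmp-server lines."""
    communities: List[Tuple[str, str]] = []
    groups: Dict[str, Tuple[str, Optional[str]]] = {}
    users: Dict[str, Tuple[str, str, Optional[str]]] = {}
    for line in config.splitlines():
        p = line.split()
        if len(p) < 3 or p[0] != "snmp-server":
            continue
        if p[1] == "community":
            communities.append((p[2], p[3] if len(p) > 3 else "RO"))   # IOS default is RO
        elif p[1] == "group" and len(p) >= 4:
            level = p[4] if p[3] == "v3" and len(p) > 4 else None
            groups[p[2]] = (p[3], level)
        elif p[1] == "user" and len(p) >= 5:
            m = re.search(r"\bauth (md5|sha)\b", line)
            users[p[2]] = (p[3], p[4], m.group(1) if m else None)
    return communities, groups, users


def security_level(model: str, level: Optional[str]) -> Tuple[str, str, str]:
    """Look up the Table 2-1 row for a model and IOS level keyword (v1/v2c ignore level)."""
    return SECURITY_LEVELS[(model, level if model == "v3" else None)]


def audit_snmp(config: str, isc: Dict[str, str]) -> List[str]:
    """Report weak security levels and any mismatch between the device and ISC settings."""
    findings: List[str] = []
    communities, groups, users = parse_snmp(config)
    for name, mode in communities:
        lvl, auth, _ = security_level("v2c", None)
        findings.append(f"community '{name}' ({mode}) is {lvl}: {auth.lower()} travels in cleartext")
    for gname, (model, level) in groups.items():
        if model == "v3" and level == "noauth":
            findings.append(f"group '{gname}' is v3 {security_level('v3', 'noauth')[0]}: no authentication")
    user = users.get(isc["user"])
    if user is None:
        findings.append(f"ISC user '{isc['user']}' is not defined on the device")
    else:
        group, _model, auth_proto = user
        glevel = groups.get(group, (None, None))[1]     # level comes from the user's group
        if (group, glevel, auth_proto) != (isc["group"], isc["level"], isc["auth_proto"]):
            findings.append(f"ISC parameters {isc} do not match device user '{isc['user']}' "
                            f"(group {group}, level {glevel}, auth {auth_proto})")
    return findings
```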

Manually Enabling SA Agents on Cisco Routers

ISC automates SLA probe provisioning. By default, when a CPE device is set as a Managed Device with SA Agent Enabled, ISC automatically configures a set of user-specified SLA probe types between the devices specified in the service request. Enabling this option makes it easier (and less error-prone) to set up the standard set of probe types that you need to collect SLA data.

These settings are applied per device; you can have SLA probes automatically configured on none, some, or all of the edge devices in a service request. However, to collect SLA data from the CPE devices in your network, you must enable (or disable) the SA Agent on each device.


Note This procedure assumes that you have already enabled SNMP and set the SNMP parameters on the CPE devices.


To manually enable the SA Agent on a Cisco router, perform the following steps:

 
Command
Description

Step 1 

> telnet router_name

Telnets to the router you want to configure.

Step 2 

Router> enable
Router> enable_password

Enters enable mode, and then enters the enable password.

Step 3 

Router# configure terminal

Enters global configuration mode.

Step 4 

Router(config)# rtr responder

Enables the SA responder on the target router of SA Agent operations.

Step 5 

Router(config)# Ctrl+Z

Returns to Privileged Exec mode.

Step 6 

Router# copy running startup

Saves the configuration changes to NVRAM.

Enabling Telnet Sessions for Terminal Server Ports

You must enable at least as many Telnet sessions on the terminal server as there are terminal server ports. Otherwise, concurrent access to all the routers through the terminal server may fail.

To enable the appropriate number of Telnet sessions for terminal server access, perform the following steps:

 
Command
Description

Step 1 

> telnet terminal_server_name

Telnets to the terminal server.

Step 2 

Terminalserver> enable
Terminalserver> enable_password

Enters enable mode, and then enters the enable password.

Step 3 

Terminalserver# configure terminal

Enters global configuration mode.

Step 4 

Terminalserver(config)# line vty 0 31

Sets the number of Telnet sessions to the number of available ports on the terminal server. This example sets 32 Telnet sessions.

Step 5 

Terminalserver(config)# Ctrl+Z

Returns to Privileged Exec mode.

Step 6 

Terminalserver# copy running startup

Saves the configuration changes to NVRAM.