Cisco Anomaly Guard Module Configuration Guide (Software Version 4.0) - Configuring the Guard Module [Cisco Services Modules]

Table Of Contents

Configuring the Guard Module

Activating Guard Module Services

Configuring Access Control

Configuring Authentication

Configuring Authentication Methods

Configuring Local Authentication

Configuring Authorization

Configuring TACACS+ Server Connection

Configuring the TACACS+ Server IP Address

Configuring TACACS+ Server Encryption Key

Configuring TACACS+ Search

Configuring TACACS+ Server Connection Timeout

Displaying TACACS+ Server Statistics

Viewing the Guard Module Configuration

Configuring Date and Time

Managing SSH Keys

Adding SSH Keys

Deleting SSH Keys

Changing the Host Name

Enabling SNMP Traps

Configuring SNMP Community Strings

Guard Module Self-Protection

Flex Filter Default Configurations

Configuring the Guard Module

This chapter describes how to configure the Cisco Anomaly Guard Module (Guard module). These configuration procedures lay the foundation for Guard module management and diversion related communication.

This chapter includes the following major sections:

•Activating Guard Module Services

•Configuring Access Control

•Viewing the Guard Module Configuration

•Configuring Date and Time

•Managing SSH Keys

•Changing the Host Name

•Enabling SNMP Traps

•Configuring SNMP Community Strings

•Guard Module Self-Protection

•Flex Filter Default Configurations

Activating Guard Module Services

You can define which Guard module services are active. The service must be enabled and access to the service permitted to enable proper functionality. You can control the activation of the Guard module services and grant or deny permission from a specific IP address and thus limit the IP addresses from which the Guard module is accessed and controlled.

The Guard module services include the following:

•snmp-server—The Simple Network Management Protocol (SNMP) server service. You can access the Guard module using SNMP to retrieve information as defined by the Riverhead Management Information Bases (Riverhead private MIB, MIB2 and UCDavis MIB).

•snmp-trap—The Simple Network Management Protocol (SNMP) trap service. On Activation of the snmp-trap service, the Guard module generates snmp traps. See the "Enabling SNMP Traps" section for further details.

•ssh—The Secured Shell service (see the "Changing the Host Name" section for further details)

•wbm—The web-based management (WBM) service. The Guard module enables you to control it via the web using a web browser.

To activate a Guard module service perform the following steps:

Step 1 Enable the Guard module service. Enter the following command:
service {ntp | snmp-server | snmp-trap | wbm}
By default, all Guard module services, except SSH, are disabled.

Step 2 Grant access to the Guard module service and enable connectivity. Enter the following command:
permit service ip-addr [ip-mask]
Table 4-1 provides the arguments for the permit command.

Table 4-1 Arguments for the permit Command

Parameter

Description

service

The service to be accessed and operated.

ip-addr

The IP address to permit access from. Use * to permit access from all IP addresses.

ip-mask

(Optional) The IP mask. The default subnet mask is 255.255.255.255

Caution For security reasons, we do not recommend that you permit access from all IP addresses (*) after initial configuration.

For example:
admin@GUARD-conf# service ntp
admin@GUARD-conf# permit ntp 192.168.10.35 
Configuring Access Control

Access control is the way you control who is allowed access to the network server and what services they are allowed to use once they have access. Authentication and Authorization network security services provide the primary framework through which you set up access.

•Authentication—The way a user is identified prior to being allowed access to the system and system services.

•Authorization—The process of determining what a user is allowed to perform once access to the system is obtained. This is usually done once the user is authenticated and begins to manipulate the system.

The following sections describe how to configure access control:

•Configuring Authentication

•Configuring Authorization

•Configuring TACACS+ Server Connection

Configuring Authentication

You can configure which authentication method the Guard module uses when a user tries either to log into the Guard module or requests a higher privilege level (using the enable command). The Guard module offers the following authentication options:

•Local Authentication—Local authentication uses locally configured login and enable passwords for authentication. This is the default authentication method. See the "Configuring Local Authentication" section for further details.

•TACACS+ Authentication—TACACS+ authentication authenticates users through a TACACS+ server or a list of TACACS+ servers.

You can configure a sequential authentication list. The authentication list defines the authentication methods used to authenticate a user. This enables you to designate one or more methods to be used for authentication. Thus, a backup system for authentication is provided, in case the initial method fails.

The Guard module uses the first method listed to authenticate users; if that method does not respond, the Guard module selects the second authentication method. Only if both authentication methods are exhausted, the authentication fails.

You can configure a distributed authentication scheme. The Guard module uses the first TACACS+ server to authenticate users. If the authentication returns a rejection, the Guard module scans the TACACS+ server list and the alternative authentication method (local), if one exists. Only if the list is exhausted, the authentication fails. This option is valid only if you do not configure the first-hit option.

Caution If the user database is distributed between several TACACS+ servers or a TACACS+ server and the local user database, use the no tacacs-server first-hit command.

Configuring Authentication Methods

To configure the authentication method the Guard module uses, perform the following steps:

Step 1 Configure the TACACS+ server connection if TACACS+ authentication is required. See the "Configuring TACACS+ Server Connection" section for further details.

Step 2 Define the authentication method. Enter the following command:
aaa authentication {enable | login} {local | tacacs+}  
[tacacs+ | local]
Table 4-2 provides the arguments for the aaa authentication command.

Table 4-2 Keywords for the aaa authentication Command

Parameter

Description

enable

The Guard module authenticates on entering a higher privilege level.

login

The Guard module authenticates when logging into it.

local

The Guard module uses its local database to authenticate the user.

tacacs+

A TACACS+ server authenticates the user.

tacacs+ | local

(Optional) This sets an alternative authentication method in case the configured method fails.

The following example shows how to configure authentication on entering a higher privilege level. The primary authentication method is configured to TACACS+ and the secondary authentication method is configured to the local user database:
admin@GUARD-conf# aaa authentication enable tacacs+ local
Configuring Local Authentication

The Guard module initially has a preconfigured user name with administration privileges, which enable you to create new users. User definition enables you to divide the Guard module user community into domains, and to assign passwords as required for secure management access.

To enable authentication of CLI users with a TACACS+ server, see the "Configuring Authentication" section.

Note The riverhead user name, grants Dynamic privileges. The Detector uses this user name to remotely activate the Guard module.

Adding a User

To add a user to the Guard module local database, enter the following command:

username username {admin | config | dynamic | show} [password]
Table 4-3 provides the arguments and keywords for the username command.

Table 4-3 Arguments and Keywords for the username Command

Parameter

Description

username

The user name. A case-sensitive alphanumeric string from 1 to 63 characters that starts with a letter. The string cannot contain spaces but can contain underscores.

admin | config | dynamic | show

The user privilege level. See Table 3-1 for further details.

password

(Optional) A password. Enter a case-sensitive, 6 to 24 characters long, string with no spaces. If you do not enter a password, you will be prompted for it.

For example:
admin@GUARD-conf# username Robbin config 1234
Note The running config file displays the username command with the option encrypted:
username Jose config encrypted 840xdMk3

The encrypted keyword indicates that the password is encrypted and saved. The Guard module displays the encrypted password and not the password you enter to log in.

To remove a user from the Guard module user list, enter the following command:

no username username

Tip To view a list of the Guard module users use the show running-config command. To view a list of the users currently logged-into the CLI, use the show users command.

Changing a Password

You can change your own password. Administrators can change their own password and any other user's password.

To change your own password, perform the following steps:

Step 1 Enter the following command:
password
Step 2 Enter your current password. The system prompts for a new password.

Step 3 Enter a new password. The password must be a case-sensitive, 6 to 24 character long, string with no spaces. The system prompts you to confirm the new password by typing it again.

For example:
admin@GUARD# password 
Old Password: <old-password>
New Password: <new-password>
Retype New Password: <new-password>
An administrator can change the password of other users.

To change the password of a user, perform the following steps:

Step 1 Enter the following command in global mode:
password username-password
The username-password argument is the user whose password you are changing.

Step 2 Enter a new password. The password must be a case-sensitive, 6 to 24 character long, string with no spaces. The system prompts you to confirm the new password by typing it again.

In this example, the administrator changes the password of the user John.
admin@GUARD# password Jose 
New Password: <new-password>
Retype New Password: <new-password>
Configuring Authorization

You can limit the services available to a user. When authorization is enabled, the Guard module verifies the user profile to verify the user access rights. The user is granted access to the requested service only if the information in the user profile allows it. The authorization database is stored locally. It uses configured user profiles for command group access control. Authorization is defined for all commands at the specified privilege level.

Access to Guard services depends on the user privilege level. You can limit the services available to a user. The Guard module checks the user profile to verify the user access rights. Once authorized, the user is granted access to the requested service only if the information in the user profile allows it. See Table 3-1 for information on user privilege levels.

Assigning Privilege Levels with Passwords

An administrator can set passwords that restrict access to user privilege levels.

To set a local password to control access to a privilege level, enter the following command:

enable password [level level] [password]
Table 4-4 provides the arguments for the enable password command.

Table 4-4 Arguments for the enable password Command

Parameter

Description

level

(Optional) The required privilege level. This can be one of the following: admin, config, dynamic, show. See Table 3-1 for further details. The default level is admin.

password

(Optional) The password for the privilege level. Enter a case-sensitive, 6 to 24 characters long, string with no spaces. If you do not enter a password, you will be prompted for it.

For example:
admin@GUARD-conf# enable password level admin <password>
Moving between User Privilege Levels

Authorized users can move between user privilege levels. To move between user privilege levels, perform the following steps:

Step 1 Enter the following command:
enable [level]
The level argument specifies the required privilege level. This can be one of the following: admin, config, dynamic. The default level is admin. See Table 3-1 for further details.

Step 2 Enter the privilege level password.

For example:
admin@GUARD> enable admin 
Enter enable admin Password: <password>
To switch back to the lower privilege level (show) use the disable command.

Configuring TACACS+ Server Connection

The TACACS+ server configuration includes the following:

•Server address (or addresses)—See the "Configuring the TACACS+ Server IP Address" section

•Server encryption key—See the "Configuring TACACS+ Server Encryption Key" section

•Search—(Optional) See the "Configuring TACACS+ Search" section

•Server access timeout—(Optional) See the "Configuring TACACS+ Server Connection Timeout" section

Caution You must configure the TACACS+ server parameters prior to applying the TACACS+ authentication method or you may not be able to access the Guard module.

The Guard module user privilege levels relate to the TACACS+ privilege numeration as follows:

•admin = 15

•config = 10

•dynamic = 5

•show = 0

Configuring the TACACS+ Server IP Address

You can configure the Guard module to use a sequential list of TACACS+ servers for authentication. The Guard module uses the TACACS+ server listed to authenticate users; if that server does not respond, the Guard module selects the second server. Only if all servers listed are exhausted, authentication fails.

Alternatively, you can configure the Guard module to use only the first TACACS+ server on the list to authenticate users (see the "Configuring TACACS+ Search" section for further details).

You must define the IP address of each TACACS+ server on the list. You can define up to nine TACACS+ servers.

To add a TACACS+ server to the list and assign its IP address, enter the following command:

tacacs-server host ip-address
The ip-address argument specifies the IP address of the TACACS+ server.

The TACACS+ servers are added to the list in the order in which you enter them. You can add up to nine servers to the list.

For example:
admin@GUARD-conf# tacacs-server host 192.168.33.45
Configuring TACACS+ Server Encryption Key

You must configure the encryption key to access a TACACS+ server. The key entered as part of the command must match the key on the TACACS+ servers. The key can not contain spaces.

To configure the server encryption access key, enter the following command:

tacacs-server key tacacs-key
The argument tacacs-key is an alphanumeric string.

Note You can only define one encryption key. When using several TACACS+ servers, the Guard module uses the same key to encrypt communication with all TACACS+ servers.

The following example shows how to set the TACACS+ server encryption key to TacacsKey.
admin@GUARD-conf# tacacs-server key <TacacsKey>
Configuring TACACS+ Search

You can configure the Guard module to regard an authentication rejection as final and stop further search with other TACACS+ servers or the local authentication method. The Guard module, in this case, does not fall back to the local authentication method, and does not move on to the next configured TACACS+ server (if one exists).

If you do not configure the TACACS+ search method to first-hit, the Guard module, by default, tries all TACACS+ servers in its list to authenticate a user.

Note TACACS+ search method is applicable only for authentication.

To configure the Guard module to use only the first TACACS+ server on the list to authenticate users, enter the following command:

tacacs-server first-hit
For example:
admin@GUARD-conf# tacacs-server first-hit
Configuring TACACS+ Server Connection Timeout

You can configure the timeout for the Guard module to wait for a reply from the TACACS+ server. When the timeout ends, the Guard module either attempts to establish a connection with the next TACACS+ server (if such a server was configured) or falls back to local authentication (if such fallback was configured). Authentication fails if no fallback method is configured.

Note The same server timeout is used for communication with all TACACS+ servers.

To configure the TACACS+ server connection timeout enter the following command:

tacacs-server timeout timeout
The timeout argument specifies the timeout in seconds.

For example:
admin@GUARD-conf# tacacs-server timeout 600
Tip You can increase the timeout value if you have network problems or if TACACS+ servers are slow to respond, causing persistent timeouts when a lower timeout value is used.

Displaying TACACS+ Server Statistics

You can display statistical information related to the TACACS+ servers. Statistical data is provided for each server.

To display TACACS+ related statistics, use the show tacacs statistics command.

To clear the TACACS+ statistics, use the clear tacacs statistics command.

For example:
admin@GUARD-conf# show tacacs statistics
        Server 10.56.36.63:
                        PASS    FAIL    ERROR
        Authentication  11      5       0
        Authorization   0       0       0
        Accounting      11      N/A     0
        Server 10.56.36.64:
                        PASS    FAIL    ERROR
        Authentication  0       5       0
        Authorization   0       0       0
        Accounting      0       N/A     0
Table 4-5 Field Descriptions in the show tacacs statistics command output

Field

Description

PASS

The number of times the service accessed the TACACS+ server successfully and was granted access

FAIL

The number of times the service accessed the TACACS+ server successfully and was denied access

ERROR

The number of times the service could not access the TACACS+ server

Table 4-5 displays the fields in the show tacacs statistics command output.

Viewing the Guard Module Configuration

You can display the Guard module configuration file. This file includes information relating to the Guard module configuration such as interface IP addresses, default Gateway address and configured zones.

To display the Guard module configuration file, enter the following command:

show running-config [all | Guard module | interfaces interface-name | self-protection | zones]]
Table 4-6 provides the keywords for the show running-config command.

Table 4-6 Keywords for the show running-config Command

Parameter

Description

all

Displays configuration files of all Guard module modules (Guard module, zones, interfaces, and self-protection)

Guard module

Displays Guard module configuration file

interfaces

Displays the configuration file of the Guard module interfaces. Enter the interface name.

self-protection

Displays Guard module self-protection configuration

zones

Displays the configuration files of all zones

For example:
admin@GUARD# show running-config guard
The configuration file consists of the commands that are executed to configure the Guard module with the current settings. You can export the Guard module configuration file to a remote FTP server for backup purposes, or to enable implementing the Guard module configuration parameters on another Guard module. See the "Copying Guard Module Configuration" section for further details.

Configuring Date and Time

To set the time and the date, enter the following command:

date MMDDhhmm[[CC]YY][.ss]
Table 4-7 provides the arguments and keywords for the date command.

Table 4-7 Arguments for the date Command

Parameter

Description

MM

The month in numeric figures.

DD

The day of the month.

hh

The hour in a 24 hour clock.

mm

The minutes.

CC

(Optional) The first two digits of the year (for example, 2005).

YY

(Optional) The last two digits of the year (for example, 2005).

.ss

(Optional) The seconds. The period must be present.
The following example shows how to configure the date to October 8 of the year 
2003, and the time to 5:10 pm (1710) and 17 seconds.
admin@GUARD-conf# date 1008171003.17
Wed Oct  8 17:10:17 EDT 2003
Managing SSH Keys

The following sections describe how you can manipulate the Guard module SSH key list:

•Adding SSH Keys

•Deleting SSH Keys

Adding SSH Keys

To enable SSH connection without the need to enter a login and password, add the remote connection SSH public key to the Guard module SSH key list.

Enter the following command:

key add [user-name] {ssh-dsa | ssh-rsa} key-string comment
Table 4-8 provides the arguments and keywords for the key add command.

Table 4-8 Arguments and Keywords for the key add Command

Parameter

Description

user-name

(Optional) Add the SSH key for the specified user. Only an administrator can add an SSH key for other users.

The default is to add the SSH key for the current user.

ssh-dsa

SSH2-DSA key type.

ssh-rsa

SSH2-RSA key type.

key-string

The Public SSH key that was created on the Detector or remote terminal. The key string is limited to 8192 bits.

You must copy the complete key excluding the key type identification (ssh-rsa or ssh-dsa).

comment

The device description. The comment format is usually in the format of user@hostname for the user and machine used to generate the key. For example, the default comment used for the SSH public keys that the Detector generates is root@DETECTOR.

For example:
admin@GUARD-conf# key add ssh-rsa 14513797528175730. . .user@Guard 
module.com
Deleting SSH Keys

You can remove an SSH key from the list. If you remove the SSH key, you will have to authenticate the next time you establish an SSH session with the Guard module.

To remove an SSH key from the Guard module, enter the following command:

key remove [user-name] key-string
Table 4-9 provides the arguments for the key remove command.

Table 4-9 Arguments for the key remove Command

Parameter

Description

user-name

(Optional) Remove SSH keys for the specific user.

Only an administrator can delete an SSH key for other users. The default is to delete the SSH key for the current user.

key-string

The Public SSH key to delete.

Paste the SSH public key onto the prompt. Paste only the key, without the identification field (ssh-rsa or ssh-dsa).

For example:
admin@GUARD-conf# show keys Lilac
ssh-rsa 2352345234523456... user@Guard module.com
admin@GUARD-conf# key remove Lilac ssh-rsa 2352345234523456...
Changing the Host Name

You can change the Guard module host name. This change takes effect immediately, and the new host name is automatically integrated into the CLI prompt string.

To change the Guard module host name, enter the following command:

hostname name
The name argument specifies the new host name.

For example:
admin@GUARD-conf# hostname CiscoGuard
admin@CiscoGuard-conf# 
Enabling SNMP Traps

You can configure the Guard module to send SNMP traps and notify the manager of significant events that occur on the Guard module. You can configure the Guard module SNMP trap generator and define the trap information scope.

A trap is logged in the Guard module event log and displayed in the event monitor when a trap condition occurs, regardless of whether the SNMP agent sends the trap.

To configure the Guard module to send SNMP traps, perform the following steps:

Step 1 Enable the SNMP trap generator service. Enter the following command in configuration mode:
service snmp-trap
Step 2 Configure the SNMP trap generator parameters—The trap destination IP address and the trap information scope. Enter the following command:
snmp trap-dest ip-address [community-string [min-severity]]
Table 4-10 provides the arguments for the snmp trap-dest command.

Table 4-10 Arguments for the snmp trap-dest Command

Parameter

Description

ip-address

The destination host IP address.

community-string

(Optional) The community string that is sent with the trap. This string must match the community string defined for the destination host. The default community string is public. Enter an alphanumeric string from 1 to 15 characters long. The string cannot contain spaces.

min-severity

(Optional) The trap information scope. Define the scope by stating the minimum severity level coverage. The trap then displays all specified severity level events and above. For example, if you specify severity level Warnings, the trap displays all severity level events from Warnings to Emergencies. The following list states the severity level options:

•Emergencies—System is unusable (severity=0)

•Alerts—Immediate action needed (severity=1)

•Critical—Critical conditions (severity=2)

•Errors—Error conditions (severity=3)

•Warnings—Warning conditions (severity=4)

•Notifications—Normal but significant conditions (severity=5)

•Informational—Informational messages (severity=6)

•Debugging—Debugging messages (severity=7)

By default the report displays all severity level events.

To delete SNMP trap generator parameters use the no snmp trap-dest command. Use * to remove all SNMP trap destination parameters.

The following example shows that traps with a severity level equal to or higher than errors are sent to the destination IP address 192.168.100.52 with the SNMP community string of tempo.
admin@GUARD-conf# snmp trap-dest 192.168.100.52 tempo errors 
Configuring SNMP Community Strings

You may access the Guard module SNMP server and retrieve information as defined by the Management Information Base 2 (MIB2) and the Riverhead proprietary MIB. The community string acts like a password and permits read access from the Guard module SNMP agent. You can configure the Guard module SNMP community string and thus enable access to the SNMP agent from clients in different organizational units and with different community strings.

To add an SNMP community string, enter the following command:

snmp community community-string
The community-string argument specifies the desired Guard module community string. The string can have a maximum length of 15 alphanumeric characters and cannot contain spaces. The Guard module default community string is riverhead. You can specify as many community names as you wish. To delete a community string, use the no cummunity string command.

For example:
admin@GUARD-conf# snmp community tempo
Guard Module Self-Protection

The Guard module, as a network element having an independent IP address, is exposed to potential DDoS attacks. The default configuration provides protection against such attacks. You can access the self-defense protection configuration and modify it.

Caution We strongly advise against changing the Guard module self-defense protection default configurations. Unnecessary configurations may result in seriously compromising the Guard module self-protection ability!

To change the Guard module self-defense protection configuration, you must enter self-protection configuration mode.

To enter self-protection configuration mode, enter the following command in configuration mode:

self-protection
The set of commands available for the Guard module self-defense protection is identical to that of an ordinary zone. See "Configuring Zones", "Configuring Zone Filters", "Configuring Policy Templates and Policies" and "Interactive Protect Mode" for further details on zone configuration.

To display the Guard module self-protection configuration file, use the show running-config command. See "Viewing the Guard Module Configuration" for further details.

Flex Filter Default Configurations

The Guard module Flex filter is configured, by default, to block (drop) all traffic flows, unless explicitly specified. Table 4-11 displays the Flex filter default configuration to enable communication required for proper Guard module functionality.

Table 4-11 Flex Filter Default Configuration

SERVICE

IP-PROTO

SRC-PORT

DST-PORT

ALLOW-SYN

bgp

6

179

*

no

telnet

6

23

*

no

ftp-control

6

21

*

no

ftp-data

6

20

*

yes

tacacs

6

49

*

yes

ssh

6

22

*

no

ssh

6

*

22

yes

https

6

*

443

yes

icmp

1

*

*

—

snmp

17

*

161

—

ntp

17

*

123

—

ntp

17

123

*

—

ospf

89

*

*

—

rip

17

520

*

—

rip

17

*

520

—

gre

47

*

*

—

The Flex filter default configuration consists the following:

•Enable BGP communication, initiated by the Guard module, on port 179, but block incoming SYN packets with source port 179. This enables BGP connection initiated by the Guard module to the router the traffic is being diverted from.

•Enable telnet communication, initiated by the Guard module, on port 23, but block incoming SYN packets with source port 23. This enables telnet connections initiated by the Guard module to the router the traffic is being diverted from.

•Enable FTP communication, initiated by the Guard module, with an FTP server, but block incoming FTP control SYN packets with source port 21.

•Enable TACACS communication with a TACACS+ server, but block incoming SYN packets from source port 49. This enables communication with TACACS+ servers for authentication, authorization and accounting.

•Enable incoming and outgoing SSH communication.

•Enable incoming HTTPS communication.

•Enable ICMP communication.

•Enable SNMP communication.

•Enable NTP communication.

•Enable OSPF communication.

•Enable RIP communication.

•Enable GRE communication.