Cisco ANA System Security
These topics describe the major security features of Cisco ANA and their configurable points:
• Communication Security
• Device Communication Security: SSH and SNMPv3
• Registry Security
• User Authentication and Authorization
Communication Security
Figure 10-1 illustrates the different forms of secure communication that are implemented between the Cisco ANA gateway server, units, clients, and database.
Figure 10-1 Communication Security in Cisco ANA
A socket factory service that runs on the gateway server implements SSL sockets between:
• The gateway and all units
• The gateway and all clients
With SSL version 3.0, keys are created when you install Cisco ANA on the gateway server. All secured connections use the same private key and certificate for SSL authentication. After installation, these keys are distributed by the gateway to the clients and other units. SSL keys can be recreated (as described in the Cisco Active Network Abstraction Integration Developer Guide).
Whenever a socket cannot be opened, a System event is generated and is displayed in Cisco ANA EventVision.
If you upgrade your version of Cisco ANA, be sure to upgrade all components—gateway server, units, and clients—to avoid problems with connections.
Gateway Server and Unit Communication Security
Communication between the gateway server and units is called transport communication. Transport connections are encrypted when the unit and gateway are on different machines, but are not encrypted when both are local to the same machine. Similarly, AVMs use transport communication, and communication between AVMs is encrypted when the AVMs are on different machines. There is no option to change this behavior in the GUI clients.
Cisco ANA uses the SSH protocol for internal administrative messages (such as scp) between the gateway and units. A random, privately signed certificate is generated on the gateway at installation time. When Cisco ANA is installed on any unit, the keys are copied from the gateway to the unit, and they are copied again whenever the unit is restarted.
Gateway Server and Client (Including BQL) Communication Security
For gateway and client communication, Cisco ANA uses a proprietary protocol called PTP (Point to Point communication). This is encrypted using SSL. The SSL keys are downloaded to Cisco ANA clients using the JNLP (WebStart) protocol.
For BQL clients, the gateway server allows secured and unsecured connections from the local BQL clients (on port 9002), but only secured connections from other machines. By default, port 9002 only allows unsecured connections. Information on how to change this behavior is described in the BQL documentation in the Cisco Active Network Abstraction Integration Developer Guide.
For a client to communicate with the Cisco ANA gateway using Perl, a certificate in .pem format is required. This can be generated from the .cer format using the two-stage process described in the Cisco Active Network Abstraction Integration Developer Guide.
If a client trusts all servers, the public key is automatically imported as part of the SSL handshake. However, for a client to validate a server's public key, the .truststore file must be manually copied from the server.
For more information on SSL sockets and BQL, such as the architecture and negotiation process, see the Cisco Active Network Abstraction Integration Developer Guide.
Database Connections
Cisco ANA is connected to the database using an Oracle encryption feature. Connections between the client and database are always encrypted; connections between the server and database are not encrypted, by default, although you can change this (and choose an encryption type) at installation time. After installation, this can be changed by editing the registry.
Device Communication Security: SSH and SNMPv3
In Cisco ANA, protocol collectors are the components responsible for actively polling devices and transporting information between devices and the Cisco ANA gateway. Protocol collectors are part of the instrumentation layer of Cisco ANA VNEs. A device has a collector for each protocol it supports, such as one collector for SSH and another collector for SNMP. Each collector contains the necessary logic for its specific protocol.
The security of device communication is maintained by specifying SSH and SNMPv3 authentication and encryption methods when you create the VNE. Table 10-1 summarizes the security methods that are supported by each protocol.
Table 10-1 Device Communication Security Features in SSHv1, SSHv2, and SNMPv3

Protocol | Supported Security Feature for Device Communication
SSHv1    | Encryption ciphers: DES, 3DES, Blowfish
SSHv2    | Client authentication: password, public keys (fingerprint or public)
         | Server authentication: save-first-auth, preconfigured (fingerprint or public keys)
         | Key exchange: DH-group1-sha1, DH-group1-exchange-sha1
         | MAC algorithms: SHA1, MD5, SHA1-96, MD5-96
         | Ciphers: 3DES, AES-128, AES-192, AES-256
         | Host key algorithms: DSA, RSA
SNMPv3   | Authentication settings: NoAuthPriv (authentication without encryption), AuthPriv (authentication and encryption)
         | Privacy (encryption) ciphers: DES, AES128, AES192, AES256
         | Authentication (hash) algorithms: MD5, SHA
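As an added check (not part of the Cisco ANA product or of this guide), the following Python function validates a proposed VNE protocol configuration against the options listed in Table 10-1 and flags choices that are supported but weak by current standards. The feature keys (cipher, mac, kex, ...), the weakness list and the recommendations are the editor's assumptions; the option names follow the table's spelling.

```python
# Added example, not Cisco code: check VNE device-communication settings
# against Table 10-1 and flag supported-but-weak choices.

# Options supported per protocol, as listed in Table 10-1.
SUPPORTED = {
    "SSHv1": {"cipher": {"DES", "3DES", "Blowfish"}},
    "SSHv2": {
        "client_auth": {"password", "public keys"},
        "server_auth": {"save-first-auth", "preconfigured"},
        "kex": {"DH-group1-sha1", "DH-group1-exchange-sha1"},
        "mac": {"SHA1", "MD5", "SHA1-96", "MD5-96"},
        "cipher": {"3DES", "AES-128", "AES-192", "AES-256"},
        "hostkey": {"DSA", "RSA"},
    },
    "SNMPv3": {
        "level": {"NoAuthPriv", "AuthPriv"},
        "cipher": {"DES", "AES128", "AES192", "AES256"},
        "auth": {"MD5", "SHA"},
    },
}

# Supported by Cisco ANA but weak today (editor's assessment, not from the
# table), with the alternative a defender should prefer.
WEAK = {
    "SSHv1": "use SSHv2; SSHv1 has no integrity protection",
    "DES": "use AES",
    "MD5": "use SHA",
    "MD5-96": "use SHA1",
    "DH-group1-sha1": "use DH-group1-exchange-sha1 (larger negotiated group)",
    "save-first-auth": "preconfigure the host key so the first connection is verified",
    "NoAuthPriv": "use AuthPriv so polling traffic is encrypted",
}


def check_vne_settings(protocol, settings):
    """Return a list of (severity, message). 'error' = not in Table 10-1,
    'warn' = supported but weak. An empty list means the settings are clean."""
    findings = []
    features = SUPPORTED.get(protocol)
    if features is None:
        return [("error", f"{protocol}: not a supported device protocol")]
    if protocol in WEAK:
        findings.append(("warn", f"{protocol}: {WEAK[protocol]}"))
    for feature, value in settings.items():
        allowed = features.get(feature)
        if allowed is None:
            findings.append(("error", f"{protocol}: unknown feature '{feature}'"))
        elif value not in allowed:
            findings.append(("error", f"{protocol}: {feature}={value} not supported; "
                                      f"choose from {sorted(allowed)}"))
        elif value in WEAK:
            findings.append(("warn", f"{protocol}: {feature}={value}; {WEAK[value]}"))
    return findings
```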
Registry Security
The Golden Source registry is the master registry responsible for maintaining, distributing, and updating registry configuration files to all Cisco ANA units and the Cisco ANA gateway. The master copy of the Golden Source files is centrally located on the gateway server at:
ANAHOME/Main/registry/ConfigurationFiles
Credentials data is encrypted. This includes the SNMP, Telnet, and SSH credentials for VNEs, and the database password. Sections that are encrypted are marked with an ENCRYPTED_ENTRY_AES prefix.
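An added audit script (not Cisco's code) that scans a Golden Source registry file for credential entries that are missing the ENCRYPTED_ENTRY_AES prefix. The XML layout of nested key/entry elements, the credential name patterns and the sample file are assumptions made for this illustration.

```python
# Added example, not Cisco code: report registry credential entries that are
# stored in cleartext instead of with the ENCRYPTED_ENTRY_AES prefix.
import re
import xml.etree.ElementTree as ET

ENCRYPTED_PREFIX = "ENCRYPTED_ENTRY_AES"
# Entry names that hold secrets: SNMP, Telnet/SSH and database credentials.
CREDENTIAL_NAMES = re.compile(r"(password|passwd|community|secret|passphrase)", re.I)


def find_cleartext_credentials(xml_text):
    """Return 'key/.../entry' paths whose value is a credential but is not
    marked as encrypted. Layout <key name=..><entry name=..>value</entry></key>
    is an assumption for this example."""
    root = ET.fromstring(xml_text)
    cleartext = []

    def walk(node, path):
        for child in node:
            name = child.get("name", "")
            if child.tag == "entry":
                value = (child.text or "").strip()
                if CREDENTIAL_NAMES.search(name) and not value.startswith(ENCRYPTED_PREFIX):
                    cleartext.append(f"{path}/{name}")
            else:
                walk(child, f"{path}/{name}")

    walk(root, root.get("name", ""))
    return cleartext


# Constructed sample registry fragment (values are made up).
SAMPLE = """<key name="agentdefaults">
  <key name="snmp">
    <entry name="community-read">ENCRYPTED_ENTRY_AES,c29tZWJhc2U2NA==</entry>
    <entry name="community-write">private</entry>
  </key>
  <key name="telnet">
    <entry name="user">admin</entry>
    <entry name="password">ENCRYPTED_ENTRY_AES,b3RoZXJiYXNlNjQ=</entry>
  </key>
  <key name="db">
    <entry name="password">oracle123</entry>
  </key>
</key>"""

if __name__ == "__main__":
    for path in find_cleartext_credentials(SAMPLE):
        print("cleartext credential:", path)
```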
User Authentication and Authorization
Cisco ANA uses a combination of methods to manage user authentication and authorization:
• User authentication can be managed locally by Cisco ANA or externally by an LDAP application. Either method can be used to validate user accounts and passwords, thus controlling who can log in to Cisco ANA. If you use Cisco ANA, user information and passwords are stored in the Cisco ANA database. If you use an external LDAP application, passwords are stored on the external LDAP server. See Overview of User Authentication and Authorization, page 9-1.
• User authorization is managed through a combination of user access roles and scopes:
  – User access roles control the actions a user can perform in the Cisco ANA GUI clients. When a user's account is created, the user is assigned an access role that determines the user's default permissions. For more information, see User Access Roles and Default Permissions, page 9-2.
  – Scopes are groups of network elements that are created by administrators. Once a scope is created, you can assign it to users. A user's default permissions determine the actions the user can perform on the NEs in the scope. These actions are referred to as the user's security level on that scope. If desired, you can assign the user a more strict user access role for a scope. For more information, see Scopes, page 9-3.
When creating a user account, the password has to meet stringent rules. These rules can be set globally and are documented in Setting Global Password Rules, page 6-16. That topic also describes how administrators can specify how many login attempts are allowed, after which a user account is disabled. Administrators can also configure a period after which inactive accounts are disabled; see Automatically Disabling Accounts for Inactive Users, page 6-17.
Administrators can set up a daily message that is displayed when a user logs in. The message must be acknowledged to get to the login screen. For information, see Customizing a Message of the Day, page 6-3.