Table Of Contents
Security
5.1 User IDs and Security Levels
5.2 User Privileges and Policies
5.2.1 User Privileges by CTC Action
5.2.2 Security Policies
5.3 Audit Trail
5.3.1 Audit Trail Log Entries
5.3.2 Audit Trail Capacities
5.4 RADIUS Security
5.4.1 RADIUS Authentication
5.4.2 Shared Secrets
Security
This chapter provides information about Cisco ONS 15310-CL user security. To provision security, refer to the Cisco ONS 15310-CL Procedure Guide.
Chapter topics include:
•User IDs and Security Levels
•User Privileges and Policies
•Audit Trail
•RADIUS Security
5.1 User IDs and Security Levels
The CISCO15 user ID is provided with the ONS 15310-CL for initial login, but Cisco Transport Controller (CTC) does not display this user ID when you log in. Use this ID to set up other ONS 15310-CL user IDs. (For instructions, see the "Turn Up Node" chapter in the Cisco ONS 15310-CL Procedure Guide.)
An ONS 15310-CL node can support up to 500 user IDs. Each CTC or Transaction Language 1 (TL1) user ID can be assigned one of the following security levels:
•Retrieve—Users can retrieve and view CTC information but cannot set or modify parameters.
•Maintenance—Users can access only the ONS 15310-CL maintenance options.
•Provisioning—Users can access provisioning and maintenance options.
•Superuser—Users can perform all of the functions of the other security levels as well as set names, passwords, and security levels for other users.
By default, multiple concurrent user ID sessions are permitted on the node; that is, multiple users can log into a node using the same user ID. However, you can provision the node to allow only a single login per user ID and prevent concurrent logins for all users.
See Table 5-3 for idle user timeout information for each security level.
5.2 User Privileges and Policies
This section lists user privileges for each CTC action and describes the security policies available to Superusers for provisioning.
5.2.1 User Privileges by CTC Action
Table 5-1 shows the actions that each user privilege level can perform in node view.
Table 5-1 ONS 15310-CL Security Levels—Node View
CTC Tab | Subtab | [Subtab]: Actions | Retrieve | Maintenance | Provisioning | Superuser
Alarms | — | Synchronize/Filter/Delete Cleared Alarms | X | X | X | X
Conditions | — | Retrieve/Filter | X | X | X | X
History | Session | Filter | X | X | X | X
History | Node | Retrieve/Filter | X | X | X | X
Circuits | — | Create/Edit/Delete | — | — | X | X
Circuits | — | Filter/Search | X | X | X | X
Provisioning | General | Edit | — | — | Partial (footnote 1) | X
Provisioning | Network | General: All | — | — | — | X
Provisioning | Network | Static Routing: Create/Edit/Delete | — | — | X | X
Provisioning | Network | OSPF: Create/Edit/Delete | — | — | X | X
Provisioning | Network | RIP: Create/Edit/Delete | — | — | X | X
Provisioning | Network | Proxy: Create/Edit/Delete | — | — | — | X
Provisioning | Network | Firewall: Create/Edit/Delete | — | — | — | X
Provisioning | OSI | Main Setup | — | — | X | X
Provisioning | OSI | TARP: Config | — | — | X | X
Provisioning | OSI | TARP: Static TDC | — | — | X | X
Provisioning | OSI | TARP: MAT | — | — | X | X
Provisioning | OSI | Routers: Setup | — | — | X | X
Provisioning | OSI | Routers: Subnets | — | — | X | X
Provisioning | OSI | Tunnels | — | — | X | X
Provisioning | Protection | Create/Delete/Edit | — | — | X | X
Provisioning | Protection | View | X | X | X | X
Provisioning | Security | Users: Create/Delete/Clear Security Intrusion | — | — | — | X
Provisioning | Security | Users: Change | Same user | Same user | Same user | All users
Provisioning | Security | Active Logins: Logout | — | — | — | X
Provisioning | Security | RADIUS Server | — | — | — | X
Provisioning | Security | Policy/Access/Legal Disclaimer: Edit | — | — | — | X
Provisioning | SNMP | Trap Destinations/Selected Destination: Create/Delete/Edit | — | — | X | X
Provisioning | SNMP | View | X | X | X | X
Provisioning | Comm Channels | SDCC/LDCC/PPC: Create/Edit/Delete | — | — | X | X
Provisioning | Timing | General/BITS Facilities: Edit | — | — | X | X
Provisioning | Alarm Profiles | Alarm Behavior: Edit | — | — | X | X
Provisioning | Alarm Profiles | Alarm Profiles Editor: Store/Delete (footnote 2) | — | — | X | X
Provisioning | Alarm Profiles | Alarm Profiles Editor: New/Load/Compare/Available/Usage | X | X | X | X
Provisioning | Defaults | Edit/Import | — | — | — | X
Provisioning | Defaults | Export | X | X | X | X
Inventory | — | Delete | — | — | X | X
Inventory | — | Hard Reset/Soft Reset | — | X | X | X
Maintenance | Database | Backup | — | X | X | X
Maintenance | Database | Restore | — | — | — | X
Maintenance | OSI | IS-IS RIB | — | — | — | X
Maintenance | OSI | ES-IS RIB | — | — | — | X
Maintenance | OSI | TDC | — | — | — | X
Maintenance | Software | Download/Cancel | — | X | X | X
Maintenance | Software | Activate/Revert | — | — | — | X
Maintenance | Cross-Connect | Resource Usage: Delete | — | — | X | X
Maintenance | Cross-Connect | Resource Usage: Refresh | X | X | X | X
Maintenance | Overhead XConnect | View | X | X | X | X
Maintenance | Diagnostic | Retrieve/Lamp Test | — | X | X | X
Maintenance | Timing | Source: Edit | — | X | X | X
Maintenance | Timing | Report: View/Refresh | X | X | X | X
Maintenance | Audit | Retrieve | — | — | — | X
Maintenance | Audit | Archive | — | — | X | X
Maintenance | RIP Routing Table | Retrieve | X | X | X | X
Maintenance | Routing Table | Retrieve | X | X | X | X
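As an added illustration (example code written for this page, not Cisco software), the following Python encodes a subset of the Table 5-1 rows and uses the matrix the way someone provisioning accounts would: find the lowest security level that covers a job, list what an over-privileged account could additionally do, and check the claim in section 5.1 that each level includes the functions of the levels below it. The action labels and the helper names are this example's own naming.

```python
LEVELS = ("Retrieve", "Maintenance", "Provisioning", "Superuser")

# Rows transcribed from Table 5-1 (node view), cells in the order of LEVELS.
# "X" = permitted, "-" = not permitted; the Users: Change row uses "same"
# (own user ID only) and "all".  Only a subset of the table is encoded here.
MATRIX = {
    "Alarms: Synchronize/Filter/Delete Cleared Alarms":       "X X X X",
    "Circuits: Create/Edit/Delete":                           "- - X X",
    "Provisioning > Network > Firewall: Create/Edit/Delete":  "- - - X",
    "Provisioning > Security > Users: Create/Delete":         "- - - X",
    "Provisioning > Security > Users: Change":                "same same same all",
    "Provisioning > Security > RADIUS Server":                "- - - X",
    "Inventory: Hard Reset/Soft Reset":                       "- X X X",
    "Maintenance > Database: Backup":                         "- X X X",
    "Maintenance > Database: Restore":                        "- - - X",
    "Maintenance > Software: Download/Cancel":                "- X X X",
    "Maintenance > Software: Activate/Revert":                "- - - X",
    "Maintenance > Diagnostic: Retrieve/Lamp Test":           "- X X X",
    "Maintenance > Audit: Retrieve":                          "- - - X",
    "Maintenance > Audit: Archive":                           "- - X X",
}


def allowed(level: str, action: str, own_account: bool = True) -> bool:
    """Can `level` perform `action`?  own_account matters only for Users: Change."""
    cell = MATRIX[action].split()[LEVELS.index(level)]
    if cell == "same":
        return own_account
    return cell in ("X", "all")


def minimum_level(actions, own_account: bool = True):
    """Lowest security level that permits every action in `actions`, or None.
    This is the level to assign when provisioning a user ID for a given job."""
    for level in LEVELS:
        if all(allowed(level, a, own_account) for a in actions):
            return level
    return None


def excess_privileges(level: str, actions):
    """Actions an account at `level` can perform that the job in `actions`
    does not need: the blast radius of an over-privileged user ID."""
    needed = minimum_level(actions, own_account=False)
    if needed is None:
        raise ValueError("no single level covers these actions")
    return sorted(a for a in MATRIX
                  if allowed(level, a, False) and not allowed(needed, a, False))


def nesting_violations():
    """Section 5.1 says each level includes the functions of the levels below it.
    Check that claim against the encoded rows; returns (action, lower, higher)
    for any row where a lower level may do something a higher level may not."""
    bad = []
    for action in MATRIX:
        for lower, higher in zip(LEVELS, LEVELS[1:]):
            for own in (True, False):
                if allowed(lower, action, own) and not allowed(higher, action, own):
                    bad.append((action, lower, higher))
    return bad


if __name__ == "__main__":
    job = ["Maintenance > Database: Backup", "Maintenance > Diagnostic: Retrieve/Lamp Test"]
    print(minimum_level(job))                    # the level to provision for this job
    print(excess_privileges("Superuser", job))   # what giving Superuser instead adds
    print(nesting_violations())                  # empty for the rows above
```

Note that the matrix is not a simple ladder in every respect: Audit Retrieve is Superuser-only while Audit Archive is open to Provisioning, so a user who only needs to off-load the log does not need Superuser.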
Table 5-2 shows the actions that each user privilege level can perform in network view.
Table 5-2 ONS 15310-CL Security Levels—Network View
CTC Tab | Subtab | [Subtab]: Actions | Retrieve | Maintenance | Provisioning | Superuser
Alarms | — | Synchronize/Filter/Delete Cleared Alarms | X | X | X | X
Conditions | — | Retrieve/Filter | X | X | X | X
History | — | Filter | X | X | X | X
Circuits | — | Create/Edit/Delete | — | — | X | X
Circuits | — | Filter/Search | X | X | X | X
Provisioning | Security | Users: Create/Delete/Clear Security Intrusion Alarm | — | — | — | X
Provisioning | Security | Users: Change | Same user | Same user | Same user | All users
Provisioning | Security | Active Logins: Logout | — | — | — | X
Provisioning | Security | Policy: Change | — | — | — | X
Provisioning | Alarm Profiles | Store/Delete (footnote 1) | — | — | X | X
Provisioning | Alarm Profiles | New/Load/Compare/Available/Usage | X | X | X | X
Provisioning | BLSR | Create/Delete/Edit/Upgrade | — | — | X | X
Provisioning | Overhead Circuits | Create/Delete/Edit/Merge | — | — | X | X
Provisioning | Overhead Circuits | Search | X | X | X | X
Provisioning | Provisionable Patchcords (PPC) | Create/Edit/Delete | — | — | X | X
Maintenance | Software | Download/Cancel | — | X | X | X
5.2.2 Security Policies
Users with the Superuser security privilege can provision security policies on the ONS 15310-CL. These security policies include idle user timeouts, password changes, password aging, and user lockout parameters. In addition, a Superuser controls whether the ONS 15310-CL can be accessed through the LAN port on the front of the node.
5.2.2.1 Idle User Timeout
Each ONS 15310-CL CTC or TL1 user can be idle during his or her login session for a specified amount of time before the CTC window is locked. The lock prevents someone at an unattended console from making changes under another user's session. Higher-level users have shorter default idle periods and lower-level users have longer or unlimited default idle periods, as shown in Table 5-3. A Superuser can modify the idle period; refer to the "Change Node Settings" chapter in the Cisco ONS 15310-CL Procedure Guide for instructions.
Table 5-3 ONS 15310-CL Default User Idle Times
Security Level | Idle Time
Superuser | 15 minutes
Provisioning | 30 minutes
Maintenance | 60 minutes
Retrieve | Unlimited
5.2.2.2 User Password, Login, and Access Policies
Superusers can view real-time lists of users who are logged in via CTC or TL1 by node. Superusers can also provision the following password, login, and node access policies:
•Password expirations and reuse—Superusers can specify when users must change their passwords and how frequently passwords can be reused.
•Login attempts and locking out users—Superusers can specify the maximum number of times that a user can unsuccessfully attempt to log in before being locked out of CTC. Superusers can also provision the length of time before the lockout is removed.
•Disabling users—Superusers can provision the length of time before inactive user IDs are disabled.
•Node access and user sessions—Superusers can limit the number of CTC sessions one user can have, and they can prohibit access to the ONS 15310-CL using the LAN connection.
In addition, a Superuser can select secure shell (SSH) instead of Telnet at the CTC Provisioning > Security > Access tabs. Telnet carries the login credentials and the whole session in cleartext; SSH provides server authentication and an encrypted channel, so it protects the session over networks that are not themselves trusted. The node uses the default SSH port, TCP port 22, which cannot be changed.
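The following Python, added here as an example and not part of the Cisco documentation, models the policies above as a small state machine: lockout after a configurable number of failed logins with timed release, password reuse and aging checks, disabling of inactive user IDs, single-session enforcement, and the Table 5-3 idle defaults. The Policy field names, their default values and the password hashing are assumptions of the model, not the node's parameter names or storage format.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Table 5-3 default idle times, in seconds; None means unlimited.
DEFAULT_IDLE = {"Superuser": 15 * 60, "Provisioning": 30 * 60,
                "Maintenance": 60 * 60, "Retrieve": None}


@dataclass
class Policy:
    """Superuser-provisioned knobs.  Field names and defaults are assumptions of
    this example, not the node's own parameter names."""
    max_failed_logins: int = 5          # failures before the user ID is locked out
    lockout_seconds: int = 10 * 60      # how long the lockout lasts
    password_max_age: int = 45 * 86400  # seconds before a password expires
    password_history: int = 5           # previous passwords that cannot be reused
    inactive_disable: int = 90 * 86400  # seconds without a login before the ID is disabled
    single_session: bool = False        # True = one concurrent login per user ID


@dataclass
class Account:
    level: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: float
    last_login: float
    history: list = field(default_factory=list)
    failed: int = 0
    locked_until: float = 0.0
    sessions: int = 0
    disabled: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    # The node stores its own format; any slow, salted KDF will do for the model.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class Node:
    def __init__(self, policy: Policy):
        self.policy, self.accounts = policy, {}

    def add_user(self, name: str, level: str, password: str, now: float):
        salt = secrets.token_bytes(16)
        self.accounts[name] = Account(level, salt, _hash(password, salt), now, now)

    def login(self, name: str, password: str, now: float) -> str:
        """Outcome of one login attempt; each branch is an audit-trail event on a real node."""
        acct, p = self.accounts.get(name), self.policy
        if acct is None:
            return "denied"
        if now - acct.last_login > p.inactive_disable:
            acct.disabled = True
        if acct.disabled:
            return "disabled"
        if now < acct.locked_until:
            return "locked"            # even a correct password is refused while locked
        if not secrets.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed += 1
            if acct.failed >= p.max_failed_logins:
                acct.failed, acct.locked_until = 0, now + p.lockout_seconds
                return "locked"
            return "denied"
        acct.failed = 0
        if p.single_session and acct.sessions >= 1:
            return "session-limit"
        if now - acct.pw_set_at > p.password_max_age:
            return "password-expired"  # a change is forced before access is granted
        acct.sessions += 1
        acct.last_login = now
        return "ok"

    def logout(self, name: str):
        self.accounts[name].sessions = max(0, self.accounts[name].sessions - 1)

    def change_password(self, name: str, new: str, now: float) -> bool:
        """Reject the current password and the last `password_history` ones."""
        acct = self.accounts[name]
        candidate = _hash(new, acct.salt)
        if any(secrets.compare_digest(candidate, h) for h in [acct.pw_hash] + acct.history):
            return False
        acct.history = ([acct.pw_hash] + acct.history)[: self.policy.password_history]
        acct.pw_hash, acct.pw_set_at = candidate, now
        return True

    def idle_expired(self, name: str, last_activity: float, now: float) -> bool:
        """Should the CTC window for this user be locked?  Uses the Table 5-3 defaults."""
        limit = DEFAULT_IDLE[self.accounts[name].level]
        return limit is not None and now - last_activity > limit
```

Two details are deliberate and match the text: a correct password during a lockout is still refused (otherwise an attacker could just keep guessing), and the lockout counter resets on success, so a lockout limit only bounds guesses per lockout window, which is why the window length matters as much as the attempt count.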
5.3 Audit Trail
The ONS 15310-CL maintains a Telcordia GR-839-CORE-compliant audit trail log that resides on the 15310-CL-CTX card. Audit trails are useful for maintaining security, recovering lost transactions, and enforcing accountability. Accountability is the ability to trace user activities by associating each process or action with a specific user. The audit trail log shows who has accessed the node and what operations were performed during a given period of time. The log includes authorized Cisco support logins and logouts using the operating system command line interface (CLI), CTC, and TL1; it also includes FTP actions, circuit creation and deletion, and user- and system-generated actions.
Event monitoring is also recorded in the audit log. An event is defined as the change in status of an element within the network. External events, internal events, attribute changes, and software upload/download activities are recorded in the audit trail.
To view the audit trail log, refer to the Cisco ONS 15310-CL Procedure Guide. Users can access the audit trail logs from any management interface (CTC, CTM, TL1).
The audit trail is stored in persistent memory and is not corrupted by processor switches or upgrades.
Note: The 15310-CL does not have a real-time clock with battery backup. When you reset the 15310-CL-CTX card, the audit log clock restarts at 1970 until you set the date and time again, so entries recorded in that window carry 1970 timestamps and can only be ordered by their position in the log, not correlated by time with other systems.
5.3.1 Audit Trail Log Entries
Audit trail records capture various types of activities. An individual audit entry contains a varying subset of the following fields:
•User—Name of the user performing the action
•Host—Host from where the activity is logged
•Device ID—IP address of the device involved in the activity
•Application—Name of the application involved in the activity
•Task—Name of the task involved in the activity (view a dialog, apply configuration and so on)
•Connection Mode—The service used to connect to the node (for example, telnet, console, or SNMP)
•Category—Type of change: Hardware, Software, Configuration
•Status—Status of the user action: Read, Initial, Successful, Timeout, Failed
•Time—Time of change
•Message Type—Denotes if the event is Success/Failure type
•Message Details—A description of the change
5.3.2 Audit Trail Capacities
The ONS 15310-CL is able to store 640 log entries. When this limit is reached, the oldest entries are overwritten with new events. When the log is 80 percent full (512 entries), an AUD-LOG-LOW condition is raised and logged.
When the log reaches its maximum capacity of 640 entries and begins overwriting records that have not been archived, an AUD-LOG-LOSS condition is raised and logged. This event indicates that audit trail records have been lost. Until you off-load the file, the event is not raised a second time, regardless of how many further entries are overwritten, so a single AUD-LOG-LOSS tells you that at least one unarchived record is gone, not how many. Treat AUD-LOG-LOW as the trigger to archive. To export the audit trail log, refer to the Cisco ONS 15310-CL Procedure Guide.
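To make the capacity behaviour concrete, here is a ring-buffer model written for this page (it is not the node's firmware): 640 slots, AUD-LOG-LOW at 80 percent, AUD-LOG-LOSS raised once when an unarchived record is overwritten and re-armed by archiving. The entry fields follow the list in 5.3.1; the sequence number, the sample status values and the two helper checks (1970 timestamps from the note above, and failed-login bursts over an export) are this example's additions.

```python
from dataclasses import dataclass

CAPACITY = 640                         # entries the 15310-CL-CTX card stores
LOW_WATERMARK = CAPACITY * 80 // 100   # 512 entries: AUD-LOG-LOW


@dataclass
class Entry:
    seq: int           # monotonically increasing record number (assumed for the model)
    time: int          # seconds since the Unix epoch, as the node stamps it
    user: str
    connection: str    # CTC, TL1, telnet, ...
    task: str
    status: str        # Read, Initial, Successful, Timeout, Failed
    archived: bool = False


class AuditTrail:
    def __init__(self, capacity: int = CAPACITY):
        self.capacity = capacity
        self.low_watermark = capacity * 80 // 100
        self.entries = []          # oldest first
        self.seq = 0
        self.conditions = []       # (seq, condition) in the order raised
        self.low_raised = False
        self.loss_raised = False   # re-armed only by archive()

    def record(self, time: int, user: str, connection: str, task: str, status: str):
        self.seq += 1
        if len(self.entries) == self.capacity:
            victim = self.entries.pop(0)
            # Overwriting an archived entry loses nothing; overwriting an unarchived one
            # raises AUD-LOG-LOSS once, however many more are overwritten afterwards.
            if not victim.archived and not self.loss_raised:
                self.conditions.append((self.seq, "AUD-LOG-LOSS"))
                self.loss_raised = True
        self.entries.append(Entry(self.seq, time, user, connection, task, status))
        if len(self.entries) >= self.low_watermark and not self.low_raised:
            self.conditions.append((self.seq, "AUD-LOG-LOW"))
            self.low_raised = True

    def archive(self):
        """Off-load the log: returns a copy and marks everything archived, which
        clears the loss condition so the next real loss is reported again."""
        for e in self.entries:
            e.archived = True
        self.loss_raised = False
        return list(self.entries)

    def unarchived(self) -> int:
        return sum(1 for e in self.entries if not e.archived)


def clock_unset(entry: Entry, threshold: int = 365 * 86400) -> bool:
    """Timestamps in 1970 mean the CTX card was reset and the date not re-provisioned."""
    return entry.time < threshold


def failed_login_bursts(entries, threshold: int = 3) -> dict:
    """Users with at least `threshold` Failed entries: what to pull from an export."""
    counts = {}
    for e in entries:
        if e.status == "Failed":
            counts[e.user] = counts.get(e.user, 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}
```

The sequence to keep in mind: LOW at the 512th entry, LOSS at the 641st, then silence until an archive, after which the next overwrite of a post-archive entry raises LOSS again. A log that shows LOSS with no archive in between has an unknown number of missing records.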
5.4 RADIUS Security
Users with Superuser security privileges can configure nodes to use Remote Authentication Dial In User Service (RADIUS) authentication. Cisco Systems uses a strategy known as authentication, authorization, and accounting (AAA) for verifying the identity of, granting access to, and tracking the actions of remote users.
5.4.1 RADIUS Authentication
RADIUS is a system of distributed security that secures remote access to networks and network services against unauthorized access. RADIUS comprises three components:
•A protocol with a frame format that utilizes User Datagram Protocol (UDP)/IP
•A server
•A client
The server runs on a central computer, typically at a customer site, while the clients are the devices that users connect to (network access servers and, here, the ONS 15310-CL node) and can be distributed throughout the network.
An ONS 15310-CL node operates as a RADIUS client. The client is responsible for passing user information to designated RADIUS servers and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and returning all configuration information necessary for the client to deliver service to the user. RADIUS servers can act as proxy clients to other kinds of authentication servers. Transactions between the RADIUS client and server are authenticated through the use of a shared secret, which is never sent over the network. In addition, user passwords are not sent in the clear: the User-Password attribute is hidden with a keystream derived (by MD5, as specified in RFC 2865) from the shared secret and a per-request random authenticator. A passive observer on the management network therefore cannot read a user's password, provided the shared secret is strong; the hiding is only as good as the secret, which is why the guidance in the "Shared Secrets" section matters. Refer to the Cisco ONS 15310-CL Procedure Guide to implement RADIUS authentication.
5.4.2 Shared Secrets
A shared secret is a text string that serves as a password between:
•A RADIUS client and RADIUS server
•A RADIUS client and a RADIUS proxy
•A RADIUS proxy and a RADIUS server
For a configuration that uses a RADIUS client, a RADIUS proxy, and a RADIUS server, the shared secret that is used between the RADIUS client and the RADIUS proxy can be different from the shared secret used between the RADIUS proxy and the RADIUS server.
Shared secrets are used to verify that RADIUS messages, with the exception of the Access-Request message, are sent by a RADIUS-enabled device that is configured with the same shared secret, and that the message has not been modified in transit (message integrity). An Access-Request carries only a random Request Authenticator, so its origin is not proven by the shared secret unless a Message-Authenticator attribute is included. The shared secret is also used to encrypt some RADIUS attributes, such as User-Password and Tunnel-Password.
When creating and using a shared secret:
•Use the same case-sensitive shared secret on both RADIUS devices.
•Use a different shared secret for each RADIUS server-RADIUS client pair.
•Generate the shared secret as a random sequence rather than choosing a word or phrase.
•You can use any standard alphanumeric and special characters.
•The node accepts a shared secret of up to 16 characters; use the full 16 characters. A long, random secret is the only protection against brute-force attacks on the secret itself.
•Make the shared secret a random sequence of letters, numbers, and punctuation and change it often to protect your server and your RADIUS clients from dictionary attacks. Shared secrets should contain characters from each of the three groups listed in Table 5-4.
Table 5-4 Shared Secret Character Groups
Group | Examples
Letters (uppercase and lowercase) | A, B, C, D and a, b, c, d
Numerals | 0, 1, 2, 3
Symbols (all characters not defined as letters or numerals) | Exclamation point (!), asterisk (*), colon (:)
The stronger your shared secret, the better protected are the attributes (for example, those used for passwords and encryption keys) that are encrypted with it. An example of a strong shared secret is 8d#>9fq4bV)H7%a3; treat it as an illustration of the form, not a value to deploy, since it is published.
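The exchange in 5.4.1 and the shared-secret roles in 5.4.2, as an added Python example (not Cisco code and not the node's RADIUS implementation): a client builds an Access-Request with User-Password hidden under the shared secret (RFC 2865 section 5.2), the server recovers it and answers with a Response Authenticator that the client checks (RFC 2865 section 3), and a secret checker applies the Table 5-4 character-group rule. Both sides run in one process; the user database, the helper names and the test credentials are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import string
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                            # attribute types


def secret_is_strong(s: str, min_len: int = 16) -> bool:
    """Table 5-4 rule: letters, numerals and symbols all present, and long enough."""
    groups = (any(c.isalpha() for c in s), any(c.isdigit() for c in s),
              any(not c.isalnum() and not c.isspace() for c in s))
    return len(s) >= min_len and all(groups)


def generate_secret(length: int = 16) -> str:
    """Random secret drawn from all three character groups (rejection-sampled)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        s = "".join(secrets.choice(alphabet) for _ in range(length))
        if secret_is_strong(s, length):
            return s


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks; XOR each block with MD5(secret + previous
    ciphertext block), the first block keyed with the Request Authenticator."""
    assert len(password) <= 128, "User-Password is limited to 128 octets"
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # remove padding (passwords may not end in NUL)


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(body: bytes):
    attrs, i = [], 0
    while i < len(body):
        t, length = body[i], body[i + 1]
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def client_access_request(user: str, password: str, secret: bytes, ident: int = 1):
    """The node (RADIUS client) side.  Returns (request_auth, packet); the client keeps
    request_auth to check the reply.  The shared secret itself never goes on the wire."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth))]
    return request_auth, build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(packet: bytes, secret: bytes, userdb: dict) -> bytes:
    """RADIUS server side: recover the password and answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:length]))
    user = attrs[USER_NAME].decode(errors="replace")
    password = unhide_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = user in userdb and hmac.compare_digest(userdb[user].encode(), password)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply, ident, request_auth, [], secret)
    return build_packet(reply, ident, auth, [])


def client_verify_reply(reply: bytes, request_auth: bytes, secret: bytes):
    """Return the reply code only if its Response Authenticator was made with our secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = decode_attrs(reply[20:length])
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None
```

The wrong-secret path is the point: a server configured with a different secret cannot recover the password and its reply fails the client's check, so a mismatched or tampered reply is never acted on. Nothing in the Access-Request itself proves who sent it, and the password hiding is an MD5 keystream seeded by the secret, which is why the secret must be long and random rather than a word.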