Hardening Server Security
You can enhance server security by eliminating or controlling individual points of security exposure, as explained in the topics that follow.
Disabling Insecure Services
Disable services you are not using if they are not secure. TFTP and FTP, for example, are typically used to transfer firmware or software images between network devices and Prime Infrastructure, and to copy system backups to external storage, but both carry file contents (and, for FTP, login credentials) in clear text. Use secure protocols such as SFTP or SCP for these transfers instead.
To disable FTP and TFTP services:
Step 1 Log in to Prime Infrastructure with a user ID with administrator privileges.
Step 2 Select Administration > System Settings > Server Settings.
Step 3 Select the Disable buttons for FTP and TFTP.
Disabling Root Access
Administrative users can enable root shell access to the underlying operating system for troubleshooting purposes. This access is intended for Cisco Support teams to debug product-related operational issues. We recommend that you keep this access disabled, and enable it only when required. To disable root access, run the command root_disable from the command line (see Connecting Via CLI).
During installation, Prime Infrastructure also creates a web root user account, prompting the installer for the password to be used for this account. The web root account is needed to enable first-time login to the Prime Infrastructure server and its web user interface. We recommend that you never use this account for normal operations. Instead, use it to create user IDs with appropriate privileges for day-to-day operations and network management, and administrative user IDs for managing Prime Infrastructure itself. Once these user accounts are created, disable the default “web root” account created at install time, and create any further user accounts using your administrative user IDs.
To disable the root accounts:
Step 1 Open a CLI session with the Prime Infrastructure server (see Connecting Via CLI). Do not enter “configure terminal” mode.
Step 2 Disable the web root account by entering the following command:
PIServer/admin# ncs webroot disable
Prime Infrastructure disables the web root account.
Step 3 Disable the root shell account by entering the following command at the prompt:
PIServer/admin# root_disable
Prime Infrastructure prompts you for the root shell account password. Enter it to complete disabling of the root shell account.
Using SNMPv3 Instead of SNMPv2
SNMPv3 adds user-based authentication and optional encryption of management traffic, whereas SNMPv2 (v2c) identifies the manager with a community string sent in clear text. You can enhance the security of communications between your network devices and the Prime Infrastructure server by configuring the managed devices so that management takes place using SNMPv3 instead of SNMPv2.
To specify SNMPv3 when adding a new device:
Step 1 Select Inventory > Device Management > Network Devices, then click Add Device.
Step 2 In the SNMP Parameters area, in Version, select v3.
Step 3 Complete the other fields as appropriate, then click Add.
To specify use of SNMPv3 when importing devices in bulk:
Step 1 Select Inventory > Device Management > Network Devices.
Step 2 Choose Bulk Import and download the sample CSV file from the page displayed.
Step 3 Edit the sample file using any CSV-compatible application. For each row representing a device in the CSV import file:
a. In the snmp version column, enter 3.
b. Enter appropriate values in the snmpv3_user_name, snmpv3_auth_type, snmpv3_auth_password, snmpv3_privacy_type, and snmpv3_privacy_password columns.
c. Complete other columns as appropriate for your devices.
Step 4 Select Inventory > Device Management > Network Devices, then click Bulk Import and import your modified CSV file.
To specify SNMPv3 as part of device discovery:
Step 1 Select Inventory > Device Management > Discovery, then click Discovery Settings.
Step 2 In the SNMP Credentials area, click the + sign and add SNMP v3 credentials.
Step 3 Save the modified discovery settings and use them thereafter.
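As an added example (not part of Prime Infrastructure or of this guide), the following Python script audits a bulk-import CSV before you upload it, flagging rows that still use SNMPv2 or that use SNMPv3 with weak settings: no authentication, no privacy, MD5 or DES, passphrases shorter than the 8-character USM minimum, or the same passphrase for authentication and privacy. The column names mirror the fields named above; the sample rows, the protocol strings (HMAC-MD5, HMAC-SHA, CBC-DES, CFB-AES-128) and the weak/strong classification are this example's assumptions, not values taken from the product's template.

```python
import csv
import io

# Constructed sample of a bulk-import file. Column names follow the fields named
# on this page; the protocol strings are assumed for the example.
SAMPLE_CSV = """\
ip_address,snmp_version,snmpv3_user_name,snmpv3_auth_type,snmpv3_auth_password,snmpv3_privacy_type,snmpv3_privacy_password
10.0.0.1,3,pi-poller,HMAC-SHA,Auth-Passphrase-1,CFB-AES-128,Priv-Passphrase-1
10.0.0.2,2,,,,,
10.0.0.3,3,pi-poller,HMAC-MD5,short,,
10.0.0.4,3,pi-poller,HMAC-SHA,Same-Passphrase-1,CFB-AES-128,Same-Passphrase-1
"""

# Assumed classification: MD5 and DES are the legacy SNMPv3 choices.
WEAK_AUTH = {"HMAC-MD5"}
WEAK_PRIV = {"CBC-DES"}
MIN_PASSPHRASE = 8  # RFC 3414 (USM) requires passphrases of at least 8 characters


def audit_row(row: dict) -> list[str]:
    """Return the security findings for one CSV row (empty list means acceptable)."""
    if row.get("snmp_version", "").strip() != "3":
        return ["not SNMPv3: the community string is sent in clear text and cannot be encrypted"]

    findings = []
    auth_type = row.get("snmpv3_auth_type", "").strip()
    auth_pw = row.get("snmpv3_auth_password", "")
    priv_type = row.get("snmpv3_privacy_type", "").strip()
    priv_pw = row.get("snmpv3_privacy_password", "")

    if not auth_type:
        findings.append("noAuthNoPriv: no authentication, no better than SNMPv2")
    elif auth_type in WEAK_AUTH:
        findings.append(f"weak authentication protocol {auth_type}")

    if not priv_type:
        findings.append("authNoPriv: requests are authenticated but not encrypted")
    elif priv_type in WEAK_PRIV:
        findings.append(f"weak privacy protocol {priv_type}")

    for label, pw in (("auth", auth_pw), ("privacy", priv_pw)):
        if pw and len(pw) < MIN_PASSPHRASE:
            findings.append(f"{label} passphrase shorter than {MIN_PASSPHRASE} characters")

    if auth_pw and priv_pw and auth_pw == priv_pw:
        findings.append("auth and privacy passphrases are identical; use distinct secrets")
    return findings


def audit_csv(text: str) -> dict[str, list[str]]:
    """Audit every row of the import file; returns {ip_address: findings}."""
    return {row["ip_address"]: audit_row(row) for row in csv.DictReader(io.StringIO(text))}


if __name__ == "__main__":
    for ip, findings in audit_csv(SAMPLE_CSV).items():
        print(ip, "OK" if not findings else "; ".join(findings))
```

Run it against your edited CSV before Step 4; a row that is flagged authNoPriv will still import and poll successfully, which is exactly why the check belongs before the import rather than after.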
Authenticating With External AAA
User accounts and passwords are managed more securely when they are managed centrally by a dedicated remote authentication server running a secure authentication protocol such as RADIUS or TACACS+.
You can configure Prime Infrastructure to authenticate users using external AAA servers. You will need to access the Administration > Users, Roles & AAA page to set up external authentication via the Prime Infrastructure graphic user interface (GUI). You can also set up external authentication via the command line interface (CLI).
To set up remote user authentication via the GUI:
Step 1 Log in to Prime Infrastructure with a user ID that has administrator privileges.
Step 2 Select Administration > Users, Roles & AAA > TACACS+ or Administration > Users, Roles & AAA > RADIUS.
Step 3 Enter the TACACS+ or RADIUS server IP address and shared secret in the appropriate fields.
Step 4 Select Administration > Users, Roles & AAA > AAA Mode Settings.
Step 5 Set the AAA mode as appropriate.
To set up remote user authentication via the CLI:
Step 1 Log in to Prime Infrastructure using the command line, as explained in Connecting Via CLI. Be sure to enter “configure terminal” mode.
Step 2 At the prompt, enter the following command to set up an external TACACS+ server:
PIServer/admin/terminal# aaa authentication tacacs+ server tacacs-ip key plain shared-secret
Where:
- tacacs-ip is the IP address of an active TACACS+ server.
- shared-secret is the plain-text shared secret for the active TACACS+ server.
Step 3 At the prompt, enter the following command to create a user with administrative authority, who will be authenticated by the above AAA server:
PIServer/admin/terminal# username username password remote role admin email emailID
Where:
- username is the name of the user ID.
- password is the plain-text password for the user.
- emailID is the email address of the user (optional).
Enabling NTP Update Authentication
Network Time Protocol (NTP) version 4 with authenticated updates lets Prime Infrastructure accept date and time updates only from servers that hold a shared MD5 key, which is an important way to harden server security: certificate validity checks, OCSP responses and log timestamps all depend on the server’s clock. Note that you can configure a maximum of three NTP servers with Prime Infrastructure.
To set up authenticated NTP updates:
Step 1 Log in to Prime Infrastructure using the command line, as explained in Connecting Via CLI. Be sure to enter “configure terminal” mode.
Step 2 At the prompt, enter the following command to set up an external NTPv4 server:
PIServer/admin/terminal# ntp server serverIP userID plain password
Where:
- serverIP is the IP address of the authenticating NTPv4 server you want to use.
- userID is the MD5 key id of the NTPv4 server.
- password is the corresponding plain-text MD5 key (password) for the NTPv4 server.
For example:
ntp server 10.81.254.131 20 plain MyPassword
Step 3 To ensure that NTP authentication is working correctly, test it by executing the following commands:
- To check the configured NTP servers and key ids: sh run
- To check NTP sync details: sh ntp
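To show what the key id and password above actually protect, here is an added example (not from this guide or from Prime Infrastructure) that builds an NTPv4 client packet with the RFC 5905 symmetric-key MAC and verifies it the way an authenticating peer does. The key id 20 and password MyPassword are reused from the ntp server example above; the packet contents are constructed for the example.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTPv4 header; the optional MAC follows it
KEY_ID_LEN = 4
MD5_LEN = 16

# Key id and password reused from the ntp server example above (constructed for this
# example; the same pair would have to exist in the NTP server's key file).
KEY_TABLE = {20: b"MyPassword"}


def build_request(key_id: int, key: bytes, transmit_ts: int = 0) -> bytes:
    """Build an NTPv4 client request (mode 3) and append key id + MD5(key || header).

    This is the symmetric-key scheme of RFC 5905: the digest is computed over the
    48-byte header with the shared key prepended, so a peer that does not hold the
    key cannot produce a valid MAC for a forged time update.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # LI=0, version 4, mode 3 (client)
    header = struct.pack(
        "!BBBbIIIQQQQ",
        li_vn_mode, 0, 0, 0,                      # stratum, poll, precision
        0, 0, 0,                                  # root delay, root dispersion, reference id
        0, 0, 0, transmit_ts,                     # reference, origin, receive, transmit timestamps
    )
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_mac(packet: bytes, keys: dict[int, bytes]) -> bool:
    """Return True only if the packet carries a MAC that matches a key in the table."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_LEN:
        return False                      # unauthenticated packet: reject, do not fall back
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    key = keys.get(key_id)
    if key is None:
        return False                      # unknown key id
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, packet[-MD5_LEN:])


if __name__ == "__main__":
    pkt = build_request(20, KEY_TABLE[20])
    print("valid:", verify_mac(pkt, KEY_TABLE))
    print("wrong key:", verify_mac(pkt, {20: b"WrongPassword"}))
```

Two consequences worth keeping in mind when you configure the key: the MAC is a keyed digest, not a signature, so every host that holds the key can also forge updates, and an unauthenticated packet (no MAC at all) must be rejected rather than accepted as a fallback, which is what the length check above does.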
Enabling Certificate-Based Authentication for Web Clients
You can further enhance the security of Prime Infrastructure’s interaction with its web clients by setting up certificate-based client authentication.
With this form of authentication, Prime Infrastructure validates the client’s certificate (checking that the issuing authority has not revoked it) before permitting the user to reach the login page. Prime Infrastructure implements this check using the Online Certificate Status Protocol (OCSP), which queries the CA’s responder for the certificate’s current status in real time instead of relying on a periodically downloaded revocation list.
Step 1 Log in to Prime Infrastructure using the command line, as explained in Connecting Via CLI. Do not enter “configure terminal” mode.
Step 2 At the prompt, enter the following command to enable client certificate authentication:
PIServer/admin# ncs run client-auth enable
Step 3 At the command line, enter the following command to import the CA certificate used to issue the client certificates:
PIServer/admin# ncs key importcacert aliasname CACertFile repository reponame
Where:
- aliasname is the short name supplied for this CA certificate (for example, aolrootca1).
- CACertFile is the name of the CA certificate file.
- reponame is the location of the Prime Infrastructure repository where the certificate file is hosted.
Step 4 After entering this command, restart the Prime Infrastructure server to apply the changes:
ncs stop
ncs start
Enabling OCSP Settings on the Prime Infrastructure Server
Online Certificate Status Protocol (OCSP) enables certificate-based authentication for web clients using OCSP responders. Typically, the OCSP responder’s URL is read from the certificate’s Authority Information Access (AIA). As a failover mechanism, you can configure the same URL on the Prime Infrastructure server as well.
To set up a custom URL of an OCSP responder, follow the steps below.
Step 1 Log in to the Prime Infrastructure server using the command line, as explained in Connecting Via CLI. Do not enter “configure terminal” mode.
Step 2 At the prompt, enter the following command to enable use of a custom OCSP responder:
PIServer/admin# ocsp responder custom enable
Step 3 At the prompt, enter the following command to set the custom OCSP responder URL:
PIServer/admin# ocsp responder set url Responder#URL
Where:
- Responder# is the number of the OCSP responder you want to define (for example, 1 or 2).
- URL is the URL of the OCSP responder, as taken from the client CA certificate.
Note that there is no space between the Responder# and URL values. For example, to define responder 1 as the first responder shown in the sample show security-status output later on this page:
PIServer/admin# ocsp responder set url 1http://10.77.167.65/ocsp
Step 4 To delete an existing custom OCSP responder defined on the Prime Infrastructure server, use the following command:
PIServer/admin# ocsp responder clear url Responder#
If you do not already know the number of the OCSP responder you want to delete, use the show security-status command to view the OCSP responders currently configured on the server. For details, see Checking On Server Security Status.
Setting Up Local Password Policies
If you are authenticating users locally, using Prime Infrastructure’s own internal authentication, you can enhance your system’s security by enforcing rules for strong password selection.
Note that these policies affect only the passwords for local Prime Infrastructure user IDs. If you are authenticating Prime Infrastructure users via a centralized or remote AAA server, you can enforce similar protections using the functions of the AAA server.
To enforce local password policies:
Step 1 Log in to Prime Infrastructure with a user ID that has administrator privileges.
Step 2 Select Administration > Users, Roles & AAA > Local Password Policy.
Step 3 Select the check boxes next to the password policies you want to enforce, including:
- The minimum number of characters passwords must contain.
- No use of the username or “cisco” as a password (or common permutations of these).
- No use of “public” in root passwords.
- No more than three consecutive repetitions of any password character.
- Passwords must contain at least one character from three of the following character classes: upper case, lower case, digit, and special character.
- Whether the password must contain only ASCII characters.
- Minimum elapsed number of days before a password can be reused.
- Password expiration period.
- Advance warnings for password expirations.
If you enable the corresponding policies, you can also specify:
- The minimum password length, in number of characters.
- The minimum elapsed time between password re-uses.
- The password expiry period.
- The number of days in advance to start warning users about future password expiration.
Step 4 Click Save.
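The composition rules above are easy to misread (does “three consecutive repetitions” allow aaa or not? does “cisco” include c15c0?), so here is an added example (not Prime Infrastructure code) that implements them as a checker you can run against candidate passwords or a password-generation script. The policy names, the default values and the set of “common permutations” (reversal and simple leet substitution) are this example's assumptions; the time-based rules (reuse interval, expiry, warning) are not modelled because they need account history, not the password itself.

```python
import re

# Hypothetical policy settings modelled on the options listed above. The field
# names and defaults are this example's, not Prime Infrastructure's.
DEFAULT_POLICY = {
    "min_length": 8,
    "forbid_username_and_cisco": True,
    "forbid_public_for_root": True,
    "max_consecutive_repeats": 3,
    "min_character_classes": 3,
    "ascii_only": True,
}

_LEET = str.maketrans("aeios", "43105")


def forbidden_forms(word: str) -> set[str]:
    """Lower-case forms of a banned word: as is, reversed, and with common leet substitutions."""
    w = word.lower()
    return {w, w[::-1], w.translate(_LEET)} if w else set()


def character_classes(password: str) -> int:
    """Count how many of upper, lower, digit and special are present."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))


def check_password(password: str, username: str, policy: dict = DEFAULT_POLICY) -> list[str]:
    """Return the policy violations for a candidate password (empty list means it passes)."""
    violations = []
    lowered = password.lower()

    if len(password) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")
    if policy["ascii_only"] and not password.isascii():
        violations.append("contains non-ASCII characters")
    if policy["forbid_username_and_cisco"]:
        banned = forbidden_forms(username) | forbidden_forms("cisco")
        # Stricter than the GUI wording ('as a password'): reject any password containing a banned form.
        if any(form in lowered for form in banned):
            violations.append("contains the username or 'cisco' (or a common permutation)")
    if policy["forbid_public_for_root"] and username == "root" and "public" in lowered:
        violations.append("root password contains 'public'")
    # Four identical characters in a row is "more than three consecutive repetitions".
    if re.search(r"(.)\1{%d}" % policy["max_consecutive_repeats"], password):
        violations.append(f"a character repeats more than {policy['max_consecutive_repeats']} times in a row")
    if character_classes(password) < policy["min_character_classes"]:
        violations.append(f"fewer than {policy['min_character_classes']} character classes")
    return violations


if __name__ == "__main__":
    for user, pw in (("admin", "Cisco123"), ("admin", "Tr0ub4dor&3"), ("root", "public1!")):
        print(user, pw, "->", check_password(pw, user) or "OK")
```

The checker returns every violation rather than the first one, so a user (or a script) can fix all of them in one pass.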
Disabling Individual TCP/UDP Ports
The following table lists the TCP and UDP ports Prime Infrastructure uses, the names of the services communicating over these ports, and the product’s purpose in using them. The “Safe” column indicates whether you can disable a port and service without affecting Prime Infrastructure functionality.
Table B-1 Prime Infrastructure TCP/UDP Ports

Port | Service | Purpose | Safe to disable
21/tcp | FTP | File transfer between devices and server | Y
22/tcp | SSHD | Used by SCP, SFTP, and SSH connections to and from the system | N
69/udp | TFTP | File transfer between devices and the server | Y
162/udp | SNMP-TRAP | To receive SNMP traps | N
443/tcp | HTTPS | Primary web interface to the product | N
514/udp | SYSLOG | To receive syslog messages | N
1522/tcp | Oracle | Oracle/JDBC database connections, both internal server connections and connections with the High Availability peer server | N
8082/tcp | HTTPS | Health monitoring | N
8087/tcp | HTTPS | Software updates on HA secondary systems | N
9991/udp | NETFLOW | To receive NetFlow streams (enabled if Assurance license installed) | N
61617/tcp | JMS (over SSL) | For interaction with remote Plug&Play Gateway server | Y
Checking On Server Security Status
Prime Infrastructure administrators can connect to the server via CLI and use the show security-status command to display the server’s currently open TCP/UDP ports, the status of other services the system is using, and other security-related configuration information. For example:
Step 1 Log in to Prime Infrastructure using the command line, as explained in Connecting Via CLI. Do not enter “configure terminal” mode.
Step 2 Enter the following command at the prompt:
PIServer/admin# show security-status
Depending on your settings, you will see output like the following:
Open TCP Ports : 22 443 1522 8082
Open UDP Ports : 162 514 9991
FIPS Mode : enabled
TFTP Service : disabled
FTP Service : disabled
JMS port (61617) : disabled
Root Access : disabled
Client Auth : enabled
OCSP Responder1 : http://10.77.167.65/ocsp
OCSP Responder2 : http://10.104.178.99/ocsp
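Pulling Table B-1 and the show security-status output together, here is an added Python audit (not part of the product) that parses the sample output reproduced above and reports anything that departs from the hardened state this page describes: open ports that Table B-1 marks safe to disable or does not list at all, FTP, TFTP, JMS or root access still enabled, and client authentication enabled without a custom OCSP responder. The port sets and expected flag values are taken from this page; treating the missing responder as a finding is the example's own choice.

```python
# Constructed sample: the show security-status output reproduced from this page.
SAMPLE_OUTPUT = """\
Open TCP Ports : 22 443 1522 8082
Open UDP Ports : 162 514 9991
FIPS Mode : enabled
TFTP Service : disabled
FTP Service : disabled
JMS port (61617) : disabled
Root Access : disabled
Client Auth : enabled
OCSP Responder1 : http://10.77.167.65/ocsp
OCSP Responder2 : http://10.104.178.99/ocsp
"""

# Port sets from Table B-1: Safe = N (required) and Safe = Y (should be closed once hardened).
REQUIRED_PORTS = {"tcp": {22, 443, 1522, 8082, 8087}, "udp": {162, 514, 9991}}
DISABLEABLE_PORTS = {"tcp": {21, 61617}, "udp": {69}}

# Flag values this page tells you to set.
EXPECTED_FLAGS = {
    "TFTP Service": "disabled",
    "FTP Service": "disabled",
    "JMS port (61617)": "disabled",
    "Root Access": "disabled",
}


def parse_security_status(text: str) -> dict[str, str]:
    """Turn the 'Name : value' lines into a dict; port lists stay as raw strings."""
    status = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        name, value = line.split(" : ", 1)
        status[name.strip()] = value.strip()
    return status


def open_ports(status: dict[str, str], name: str) -> set[int]:
    """Parse one 'Open TCP Ports'/'Open UDP Ports' value into a set of port numbers."""
    return {int(p) for p in status.get(name, "").split()}


def audit(text: str) -> list[str]:
    """Return findings that deviate from the hardened state (empty list means clean)."""
    status = parse_security_status(text)
    findings = []
    for proto, name in (("tcp", "Open TCP Ports"), ("udp", "Open UDP Ports")):
        ports = open_ports(status, name)
        for port in sorted(ports & DISABLEABLE_PORTS[proto]):
            findings.append(f"{port}/{proto} is open but Table B-1 marks it safe to disable")
        for port in sorted(ports - DISABLEABLE_PORTS[proto] - REQUIRED_PORTS[proto]):
            findings.append(f"{port}/{proto} is open and not listed in Table B-1")
    for name, want in EXPECTED_FLAGS.items():
        got = status.get(name)
        if got != want:
            findings.append(f"{name}: expected {want}, found {got}")
    responders = [v for k, v in status.items() if k.startswith("OCSP Responder")]
    if status.get("Client Auth") == "enabled" and not responders:
        findings.append("Client Auth enabled with no custom OCSP responder (only the certificate AIA URL will be used)")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_OUTPUT) or ["no findings"])
```

Feed it the captured command output from each server (primary and HA secondary) after any change to Server Settings; a port that is open but absent from Table B-1 deserves investigation before it is assumed harmless.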
Configuring Prime Infrastructure in FIPS Mode
Federal Information Processing Standards (FIPS) are U.S. government computer-security standards. The FIPS-140 series of standards specifies requirements for cryptographic modules. For a more complete description, see http://www.nist.gov/itl/fips.cfm.
Prime Infrastructure’s FIPS mode is intended for customers who are required to use products compliant with the FIPS-140 standards referenced above. Installing Prime Infrastructure in FIPS mode disables certain capabilities in order to comply with the cryptographic security requirements of FIPS-140. For more information, see Prime Infrastructure FIPS Mode Details.
Please note:
- Only the wireless management functionality in Prime Infrastructure is certified for FIPS compliance. Prime Infrastructure users who manage combinations of both wireless and wired or other non-wireless devices should not install the product in FIPS mode.
- Once installed in FIPS mode, there is no way to switch the product to non-FIPS mode, and vice versa. A fresh installation of the product is required to switch between FIPS mode and non-FIPS mode.
- Verify that the Prime Infrastructure server that will host the Operations Center is not operating in FIPS mode. Operations Center does not support FIPS mode.
For the steps to install Prime Infrastructure in FIPS mode, see the section Installing the Server in the Cisco Prime Infrastructure 2.2 Quick Start Guide.
FIPS 140-2 Cryptographic Security Details
Starting with release 2.2, Prime Infrastructure integrates the following FIPS 140-2 approved cryptographic modules:
1. CiscoSSL FIPS Object Module (FOM) – Cert. #2100
2. Cisco Common Cryptographic Module (C3M) – Cert. #1643
In the Prime Infrastructure implementation:
1. Each of the integrated cryptographic modules listed above is initialized in a manner that complies with its individual security policy.
2. All cryptographic algorithms used for SSL 3.1, TLS 1.0 and IPSec session establishment are offloaded to the CiscoSSL FIPS Object Module (FOM), Cert. #2100.
3. All cryptographic algorithms used for SSHv2 secure connections use the Cisco Common Cryptographic Module (C3M), Cert. #1643.
Prime Infrastructure FIPS Mode Details
When you install Prime Infrastructure 2.2 or later, the installation script will prompt you to decide if you want to install the product in FIPS mode. When in FIPS mode, the following Prime Infrastructure server configuration changes are in effect:
- Access to the “root” shell account is disabled. The commands root, root_enable, and root_disable are not available when you connect to the server using the CLI. If you need to regain access to this account, contact Cisco TAC.
- Insecure protocols such as FTP, JMS and TFTP are disabled by default. If necessary, users with administrative privileges can re-enable these protocols using the Prime Infrastructure Administration > System Settings > Server Settings page.
- Plug and Play (PnP) services (including the PnP Gateway Server) that make use of insecure protocols are disabled. To restore access to PnP services, you must re-install the product.
- Only FIPS-compliant cipher suites are enabled for all incoming or outgoing SSH and SSL connections with Prime Infrastructure servers. The product uses the strongSwan IPSec implementation, and supports the IKEv1 cipher suites listed on the strongSwan web site (with the exception of SHA256, which is not supported because the Prime Infrastructure Linux kernel is earlier than version 2.6.33).
- In High Availability configurations, the primary and secondary servers are configured to communicate over an IPSec tunnel.
Using IPSec Tunneling to Wireless Devices With FIPS Mode
If you have installed the product in FIPS mode, we recommend that you use IPSec tunneling to secure wireless management traffic between your network devices and Prime Infrastructure servers. Using IPSec between the management system and the managed devices provides an additional layer of security.
Prime Infrastructure can communicate with any type of device via IPSec, when properly configured. Prime Infrastructure IPSec communications have been tested with Cisco Wireless LAN Controllers and Cisco Next Generation Wiring Closet (NGWC) devices. The Cisco TAC support note IKEv1/IKEv2 Between Cisco IOS and strongSwan Configuration Example provides examples of how to configure devices properly for IPSec communication.
Note that only certificate-based authentication is supported for IPSec in Prime Infrastructure. To set this up, see Using IPSec Certificate-Based Authentication With FIPS Mode.
Prime Infrastructure supports SNMP traps via IPSec. IPSec is supported only with devices running the Amur image (03.06.00).
Using IPSec Certificate-Based Authentication With FIPS Mode
For enhanced security, Prime Infrastructure supports IPSec certificate-based authentication only. This authentication takes place during the IKE/ISAKMP tunnel-establishment negotiation between Prime Infrastructure and the devices it manages. The certificates installed on each device and on Prime Infrastructure should be signed by a common Certificate Authority (CA).
To set up certificate-based authentication between Prime Infrastructure and the devices it manages, you must perform the following tasks:
1. Generate a Certificate Signing Request (CSR) and send it to a Certificate Authority (CA) for signing.
2. Import the returned CA certificate to the Prime Infrastructure server (both primary and secondary, if using High Availability features).
3. Import the same CA certificate to the devices Prime Infrastructure will manage.
Instructions on how to perform each of these actions are given in the topics that follow.
Generating the Certificate
To generate a CSR, get it signed by a Certificate Authority (CA), and ready it for import:
Step 1 Log in to Prime Infrastructure using the command line, as explained in Connecting Via CLI. Do not enter “configure terminal” mode.
Step 2 At the prompt, enter the following command to generate the CSR:
ncs key genkey -newdn -csr test.csr repository defaultRepo
This generates the CSR file test.csr in the Prime Infrastructure server’s default repository.
Step 3 Copy test.csr to a file storage resource to which you have full access rights. For example:
copy disk:/defaultRepo/test.csr ftp://your.ftp.server
(The CSR and the certificates you get back contain no private key material, so transferring them over FTP exposes nothing secret.)
Step 4 Submit the test.csr file to the third-party Certificate Authority for signing. Depending on the CA, you may need to email the file, or paste its contents into a web form.
Step 5 You will receive the server and CA certificates from the CA. For example:
- CN.cer - The server certificate. CN is replaced with the common name of the CA (e.g., “MyCompany CA”).
- CA.cer - The CA certificate from the signing authority. You may receive more than one of these files, with various names.
Step 6 Copy all the certificate files from your file resource back to the default repository. For example:
copy ftp://your.ftp.server/CN.cer disk:defaultRepo
copy ftp://your.ftp.server/CA.cer disk:defaultRepo
Before importing, confirm that the server certificate chains to the CA certificate(s) you received. You are now ready to import the certificates into the Prime Infrastructure server, as explained in Importing the Certificate to Prime Infrastructure.
Importing the Certificate to Prime Infrastructure
Once you have received and prepared the signed certificates (as explained in Generating the Certificate), you must import them to the Prime Infrastructure server. If you are using Prime Infrastructure’s High Availability (HA) features, you will need to import them into both the primary and secondary servers.
Step 1 If you have not already done so, log in to Prime Infrastructure using the command line, as explained in Connecting Via CLI. Do not enter “configure terminal” mode.
Step 2 At the prompt, enter the following command to import the CA certificate file:
ncs key importcacert CA-Alias CA.cer repository defaultRepo
If you have more than one CA certificate file, repeat this step for each CA certificate file.
Step 3 Finally, import the CN.cer file into the server:
ncs key importsignedcert CN.cer repository defaultRepo
Step 4 Restart the Prime Infrastructure server to apply the changes:
ncs stop
ncs start
Using High Availability With FIPS Mode
For details on running Prime Infrastructure in FIPS mode with high availability functionality, see Setting Up HA in FIPS Mode.
Using Operations Center With FIPS Mode
Use of Operations Center is not supported with any Prime Infrastructure server installed in FIPS mode.
Using Backup and Restore With FIPS Mode
Backup and restore of a Prime Infrastructure server installed in FIPS mode works the same way as with servers not installed in FIPS mode. Note, however, that you cannot restore data backed up from a server not installed in FIPS mode to a server installed in FIPS mode. Similarly, data backed up from a server installed in FIPS mode cannot be restored to a server not installed in FIPS mode.