The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Cisco Connected Grid OS software (hereafter referred to as Cisco CG-OS software) on the Cisco 1000 Series Connected Grid Routers (hereafter referred to as Cisco CG-OS router) supports security features that can protect your network against degradation or failure. These features can also protect against data loss or compromise resulting from intentional attacks and from unintended but damaging mistakes by network users.
Authentication, authorization, and accounting (AAA) is an architectural framework for configuring a set of three independent security functions in a consistent, modular manner.
Note You can configure authentication outside of AAA. However, you must configure AAA if you want to use RADIUS or TACACS+, or if you want to configure a backup authentication method.
AAA uses security protocols to administer its security functions. When a router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS or TACACS+ security server.
The chapters in this guide describe how to configure the following security server protocols:
You can use the Secure Shell version 2 (SSHv2) server to enable an SSHv2 client to make a secure, encrypted connection to the Cisco CG-OS router. SSHv2 uses strong encryption for authentication.
The Telnet protocol enables TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP connection to a login server at another site and then passes the keystrokes from one device to the other. Telnet can accept either an IP address or a domain name as the remote device address.
The Public Key Infrastructure (PKI) allows the Cisco CG-OS router to obtain and use digital certificates for secure communication in the network and provides manageability and scalability for applications, such as SSHv2, that support digital certificates.
You can create and manage user accounts and assign roles that limit access to operations on the
Cisco CG-OS router. This definition and assignment process is knows as role-based access control (RBAC).
Internet Key Exchange version 2 (IKEv2) and Cisco IP Security (IPSec) allow configuration of secure communications between a source (Cisco CG-OS router) and destination router over a virtual tunnel.
IP ACLs are ordered sets of rules that you can use to filter traffic based on IPv4 information in the
Layer 3 header of packets. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When Cisco CG-OS software determines that an IP ACL applies to a packet, it tests the packet against the conditions of all rules. The first match determines whether a packet is permitted or denied, or if there is no match, Cisco CG-OS software applies the applicable default rule. Cisco CG-OS software continues processing packets that are permitted and drops packets that are denied.
To prevent the Cisco CG-OS router from Denial of Service (DoS) attacks, the system employs control-plane policing (CoPP or CPP). CoPP increases security on the router by protecting the system from unnecessary or DoS traffic and gives priority to important control-plane and management traffic.