© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L8 1 Implementing Secure Converged Wide Area Networks (ISCW)

Lesson 8 – Module 5 – ‘Cisco Device Hardening’
Securing Management and Reporting Features

Module Introduction

 The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people.
 Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.
 Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

Objectives

 At the completion of this eighth lesson, you will be able to:
   Describe and demonstrate how to set up syslog reporting for a large network
   Demonstrate the importance of secure channels for syslog information
   Describe the difference between in-band and out-of-band reporting
   Read and analyse syslog reports

Secure Management and Reporting Planning Considerations

 Configuring logging for Cisco routers is a straightforward operation when the network contains only a few Cisco routers. However, logging and reading information from hundreds of devices can be a challenging proposition. Too much information can be as bad as too little information and can raise these important questions:
   Which are the most important logs?
   How are important messages separated from routine notifications?
   How do you prevent tampering with logs?
   How do you make sure time stamps match?
   What log data is needed in criminal investigations?
   How do you deal with the volume of log messages?
   How do you manage all the devices?
   How can you track changes when attacks or network failures occur?

Secure Management and Reporting Architecture

Information Paths

 Information flow between management hosts and the managed devices can take two paths:
   In-band: Information flows across the enterprise production network or the Internet (or both)
   Out of Band (OOB): Information flows within a network on which no production traffic resides

In-Band Management Considerations

 Some questions that must be considered when designing an in-band management solution:
   Which management protocols does each device support?
   Does the management channel need to be active at all times?
   Is SNMP necessary?

Secure Management and Reporting Guidelines

 In-band management guidelines:
   Apply only to devices needing to be managed or monitored.
   Use IPsec when possible.
   Use SSH or SSL instead of Telnet.
   Decide whether the management channel needs to be open at all times.
   Keep clocks on hosts and network devices synchronised.
   Record changes and archive configurations.
 OOB management guidelines:
   Provide the highest level of security and mitigate the risk of passing insecure management protocols over the production network.
   Keep clocks on hosts and network devices synchronised.
   Record changes and archive configurations.

Configuring an SSH Server for Secure Management and Reporting

  Austin2#configure terminal
  Austin2(config)#ip domain-name cisco.com
  Austin2(config)#crypto key generate rsa general-keys modulus 1024
  Sept 22 13:20:45: %SSH-5-ENABLED: SSH 1.5 has been enabled
  Austin2(config)#ip ssh timeout 120
  Austin2(config)#ip ssh authentication-retries 4
  Austin2(config)#line vty 0 4
  Austin2(config-line)#no transport input telnet
  Austin2(config-line)#transport input ssh
  Austin2(config-line)#end

 1. Configure the IP domain name.
 2. Generate the RSA keys.
 3. (Optional) Display generated keys.
 4. Configure the SSH timeout interval.
 5. Configure the SSH retries.
 6. Disable vty inbound Telnet sessions.
 7. Enable vty inbound SSH sessions.
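As an added example (not Cisco's code), the Python below audits a saved running-config against the steps above: it looks for the domain name, the SSH timeout and retry settings, and checks every vty block for inbound Telnet. The SAMPLE_CONFIG text and the finding labels are constructed for this illustration and assume the plain 'show running-config' layout.

```python
import re

# Constructed sample running-config: the Austin2 slide commands as they would
# appear in 'show running-config', plus a second, still-unhardened vty block.
SAMPLE_CONFIG = """\
hostname Austin2
ip domain-name cisco.com
ip ssh timeout 120
ip ssh authentication-retries 4
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def parse_vty_transports(config):
    """Map each 'line vty ...' block to the set of protocols in its 'transport input'."""
    result = {}
    current = None
    for raw in config.splitlines():
        if not raw.startswith(" "):           # top-level command: start or end of a block
            m = re.match(r"line (vty \d+(?: \d+)?)", raw)
            current = m.group(1) if m else None
            if current:
                result[current] = set()
            continue
        if current and raw.strip().startswith("transport input "):
            result[current] = set(raw.split()[2:])
    return result

def audit_ssh_hardening(config):
    """Return a list of findings; an empty list means every checked step is satisfied."""
    findings = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("step 1: no 'ip domain-name' (needed before RSA key generation)")
    if not re.search(r"^ip ssh timeout \d+", config, re.M):
        findings.append("step 4: 'ip ssh timeout' not set")
    if not re.search(r"^ip ssh authentication-retries \d+", config, re.M):
        findings.append("step 5: 'ip ssh authentication-retries' not set")
    for line, transports in parse_vty_transports(config).items():
        if not transports:
            findings.append(f"line {line}: no explicit 'transport input' (default depends on IOS version)")
        elif "telnet" in transports or "all" in transports:
            findings.append(f"step 6: line {line} still accepts Telnet ({' '.join(sorted(transports))})")
        elif "ssh" not in transports:
            findings.append(f"step 7: line {line} does not accept SSH")
    return findings
```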

Implementing Log Messaging for Security

 Routers should be configured to send log messages to one or more of these:
   Console
   Terminal lines
   Memory buffer
   SNMP traps
   Syslog
 Syslog logging is a key security policy component

Syslog Systems

 Syslog server: A host that accepts and processes log messages from one or more syslog clients
 Syslog client: A host that generates log messages and forwards them to a syslog server

Cisco Log Severity Levels

  Level  Name         Definition                                               Example
  0      LOG_EMERG    A panic condition normally broadcast to all users        Cisco IOS software could not load
  1      LOG_ALERT    A condition that should be corrected immediately,        Temperature too high
                      such as a corrupted system database
  2      LOG_CRIT     Critical conditions; for example, hard device errors     Unable to allocate memory
  3      LOG_ERR      Errors                                                   Invalid memory size
  4      LOG_WARNING  Warning messages                                         Crypto operation failed
  5      LOG_NOTICE   Conditions that are not error conditions but should      Interface changed state, up or down
                      possibly be handled specially
  6      LOG_INFO     Informational messages                                   Packet denied by ACL
  7      LOG_DEBUG    Messages that contain information that is normally       Packet type invalid
                      used only when debugging a program

Log Message Format

  Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 ( )

  Time stamp:                           Oct 29 10:00:01 EST
  Log message name and severity level:  %SYS-5-CONFIG_I
  Message text:                         Configured from console by vty0 ( )

 Note: The log message name is not the same as a severity level name.

Configuring Syslog Step 1

  Router(config)# logging [host-name | ip-address]

 1. Sets the destination logging host

  Parameter   Description
  host-name   The name of the host you want to use as a syslog server
  ip-address  The IP address of the host you want to use as a syslog server

Configuring Syslog Step 2

  Router(config)# logging trap level

 2. (Optional) Sets the log severity (trap) level

  Parameter   Description
  level       Limits the logging of messages to the syslog servers to a specified level. You can enter the level number (0 to 7) or level name.

Configuring Syslog Step 3

  Router(config)# logging facility facility-type

 3. (Optional) Sets the syslog facility

  Parameter      Description
  facility-type  The syslog facility type (local0 to local7)

Configuring Syslog Steps 4 and 5

  Router(config)# logging source-interface interface-type interface-number

 4. (Optional) Sets the source interface

  Parameter         Description
  interface-type    The interface type (for example, Ethernet)
  interface-number  The interface number (for example, 0/1)

  Router(config)# logging on

 5. Enables logging

Syslog Implementation Example

  R3(config)#logging
  R3(config)#logging trap informational
  R3(config)#logging source-interface loopback 0
  R3(config)#logging on
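As an added example (not Cisco's code) tying together the severity table, the log message format and the logging trap level used in the R3 configuration, the Python below splits IOS-format log lines into time stamp, message name, severity and text, then keeps only those a router would forward for a given trap level. The sample log lines (RFC 5737 addresses) and the EXAMPLE-7-DEBUGMSG name are constructed; TRAP_KEYWORDS lists the level keywords IOS accepts for logging trap.

```python
import re

# Severity table from the slide (index = level number) and the matching
# IOS keywords accepted by 'logging trap <level>'.
SEVERITY_NAMES = ["LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
                  "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"]
TRAP_KEYWORDS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                 "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Time stamp, then %NAME-SEVERITY-MNEMONIC (the log message name), then the text.
LOG_RE = re.compile(r"^(?P<ts>.+?): %(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-"
                    r"(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")

def parse_ios_log(line):
    """Split one IOS log line into its fields; return None if it is not in IOS format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    return {"timestamp": m.group("ts"), "facility": m.group("facility"),
            "severity": sev, "severity_name": SEVERITY_NAMES[sev],
            "mnemonic": m.group("mnemonic"), "text": m.group("text")}

def trap_level(level):
    """Accept the level as a number (0-7) or an IOS keyword, as 'logging trap' does."""
    return level if isinstance(level, int) else TRAP_KEYWORDS[level]

def messages_sent_to_syslog(lines, level):
    """Return the parsed messages forwarded under 'logging trap <level>': every
    message whose severity number is <= the trap level (0 is the most severe)."""
    limit = trap_level(level)
    sent = []
    for line in lines:
        msg = parse_ios_log(line)
        if msg is not None and msg["severity"] <= limit:   # unparseable lines are skipped
            sent.append(msg)
    return sent

# Constructed sample log lines in the slide's format.
SAMPLE_LOG = [
    "Oct 29 10:00:01 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)",
    "Oct 29 10:00:07 EST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4455) -> 192.0.2.1(23), 1 packet",
    "Oct 29 10:00:12 EST: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed",
    "Oct 29 10:00:15 EST: %EXAMPLE-7-DEBUGMSG: constructed debug-level message",
    "garbage line that is not an IOS log message",
]

if __name__ == "__main__":
    for m in messages_sent_to_syslog(SAMPLE_LOG, "informational"):
        print(f"{m['severity']} {m['severity_name']:<11} {m['facility']}-{m['mnemonic']}: {m['text']}")
```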
