Cisco Content Services Switch Security Configuration Guide
Software Version 7.50
March 2005

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Contents

Preface xi
Audience xii
How to Use This Guide xii
Related Documentation xiii
Symbols and Conventions xvi
Obtaining Documentation xvii
Cisco.

Controlling Administrative Access to the CSS 1-10
Enabling Administrative Access to the CSS 1-10
Disabling Administrative Access to the CSS 1-11
Controlling CSS Network Traffic Through Access Control Lists 1-12
ACL Overview 1-13
ACL Configuration Quick Start 1-15
Creating an ACL 1-17
Deleting an ACL 1-18
Configuring Clauses 1-19
Adding a Clause When ACLs are Globally Enabled 1-25
Deleting a Clause 1-26
Applying an ACL to a Circuit or DNS Queries 1-27
Removing an ACL from Circuits or DNS Queries 1-

Configuring SSHD in the CSS 2-3
Configuring SSHD Keepalive 2-3
Configuring SSHD Port 2-4
Configuring SSHD Server-Keybits 2-4
Configuring SSHD Version 2-5
Configuring Telnet Access When Using SSHD 2-6
Showing SSHD Configurations 2-6
Chapter 3 Configuring the CSS as a Client of a RADIUS Server 3-1
RADIUS Configuration Quick Start 3-3
Configuring a RADIUS Server for Use with the CSS 3-4
Configuring Authentication Settings 3-5
Configuring Authorization Settings 3-5
Specifying a Primary RADIUS Serve

Setting the Global TACACS+ Keepalive Frequency 4-7
Defining a TACACS+ Server 4-8
Setting TACACS+ Authorization 4-11
Sending Full CSS Commands to the TACACS+ Server 4-12
Setting TACACS+ Accounting 4-13
Showing TACACS+ Server Configuration Information 4-14
Chapter 5 Configuring Firewall Load Balancing 5-1
Overview of FWLB 5-2
Firewall Synchronization 5-3
Configuring FWLB 5-3
Configuring a Keepalive Timeout for a Firewall 5-4
Configuring an IP Static Route for a Firewall 5-5
Configuring OSPF to Ad
Figures

Figure 1-1 CSS Directory Access Privileges 1-5
Figure 1-2 ACLs Enabled on the CSS 1-14
Figure 5-1 Example of FWLB 5-9
Figure 5-2 FWLB with VIP/Interface Redundancy Configuration 5-11

Cisco Content Services Switch Security Configuration Guide OL-5650-02 vii
Tables

Table 1-1 ACL Configuration Quick Start
Table 1-2 Clause Command Options
Table 1-3 Field Descriptions for the show acl Command Output 1-31
Table 1-4 Field Descriptions for the show nql Command Output 1-38
Table 2-1 Field Descriptions for the show sshd config Command 2-6
Table 2-2 Field Descriptions for the show sshd sessions Command 2-8
Table 3-1 RADIUS Configuration Quick Start
Table 3-2 Field Descriptions for the show radius config Command
Table 3-3 Field Descriptions for
Preface

This guide provides instructions for configuring the security features of the Cisco 11500 Series Content Services Switches (CSS). Information in this guide applies to all CSS models except where noted. The CSS software is available in a Standard or optional Enhanced feature set. Proximity Database and Secure Management, which includes Secure Shell Host and SSL strong encryption for the Device Management software, are optional features.
Audience

This guide is intended for the following trained and qualified service personnel who are responsible for configuring the CSS:
• Web master
• System administrator
• System operator

How to Use This Guide

This guide is organized as follows:
Chapter 1, Controlling CSS Access: Control access to the CSS including user and network traffic access.
Related Documentation

In addition to this guide, the Content Services Switch documentation includes the following publications.

Release Note for the Cisco 11500 Series Content Services Switch: This release note provides information on operating considerations, caveats, and command line interface (CLI) commands for the Cisco 11500 series CSS.

Cisco Content Services Switch Administration Guide: This guide describes how to perform administrative tasks on the CSS, including upgrading your CSS software and configuring the following:
• Logging, including displaying log messages and interpreting sys.

Cisco Content Services Switch Routing and Bridging Configuration Guide

Cisco Content Services Switch Content Load-Balancing Configuration Guide: This guide describes how to perform CSS content load-balancing configuration tasks, including:
• Flow and port mapping
• Services
• Service, global, and script keepalives
• Source groups
• Loads for services
• Server/Applica

Cisco Content Services Switch Global Server Load-Balancing Configuration Guide

Cisco Content Services Switch Redundancy Configuration Guide

Cisco Content Services Switch SSL Configuration Guide: This guide describes how to perform CSS SSL configuration tasks, including:
• SSL certificate and keys
• SSL termination
• Back-end SSL
• SSL initiation

Cisco Content Services Switch Command Reference: This reference provides an alphabetical list of all CLI commands including syntax, options, and related commands.
Symbols and Conventions

Courier text indicates text that appears on a command line, including the CLI prompt. Courier bold text indicates commands and text you enter in a command line. Italics text indicates the first occurrence of a new term, book title, emphasized text, and variables for which you supply values.
1. A numbered list indicates that the order of the list items is important.
a. An alphabetical list indicates that the order of the secondary list items is important.
Documentation DVD

Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit. Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Documentation Feedback

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.
• Nonemergencies: psirt@cisco.com

Tip: We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x. Never use a revoked or an expired encryption key.
Obtaining Technical Assistance

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do

Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service.
For a complete list of Cisco TAC contacts, go to this URL: http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1): Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Obtaining Additional Publications and Information

• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources.
Chapter 1 Controlling CSS Access

This chapter describes how to configure access to the CSS including network traffic. Information in this chapter applies to all models of the CSS, except where noted.
Changing the Administrative Username and Password

During the initial login to the CSS, you enter the default username admin and the default password system in lowercase text. For security reasons, you should change the administrative username and password. Security on your CSS can be compromised because the administrative username and password are configured to be the same for every CSS shipped from Cisco Systems.
Creating Usernames and Passwords

Logging into the CSS requires a username and password. The CSS supports a maximum of 32 usernames, including the administrator and technician usernames. You can assign each user SuperUser or User status.
• User - Allows access to a limited set of commands that enable you to monitor and display CSS parameters, but not change them. A User prompt ends with the > symbol.
• password - Specifies that the password is not encrypted. Use this option when you use the CLI to dynamically create users.
• password - The password. Enter an unquoted text string with no spaces and a length of 6 to 16 characters. The CSS allows all special characters in a password except for the percent sign (%).
• access - Specifies directory access privileges for the username. By default, users have both read- and write-access privileges (B) to all seven directories.
Controlling Remote User Access to the CSS

To control access to the CSS, you can configure the CSS to authenticate remote (virtual) or console users. The CSS can authenticate users by using the local user database, a RADIUS server, or a TACACS+ server. You can also allow user access without authentication, or disallow all remote user access to the CSS.
Configuring Virtual Authentication

Virtual authentication allows remote users to log in to the CSS when they are using FTP, Telnet, SSHD, or the Device Management user interface with or without requiring a username and password. The CSS can also deny access to all remote users. You can configure the CSS to authenticate users by using the local database, RADIUS server, or TACACS+ server.
To remove users currently logged in to the CSS, use the disconnect command.
• secondary - Defines the second authentication method that the CSS uses if the first method fails. The default secondary console authentication method is to disallow all user access.

Note: If you are configuring a TACACS+ server as the primary authentication method, define a secondary authentication method, such as local.
Controlling Administrative Access to the CSS

CSS access through a console, FTP, SSH, SNMP, and Telnet is enabled by default. The CSS supports a maximum of four FTP sessions and a maximum of four Telnet sessions. Use the restrict and no restrict commands to enable or disable console, FTP, SNMP, SSH, Telnet, user database, secure and unsecure XML, and web management data transfer to the CSS.
• no restrict xml - Enables the transfer of XML configuration files to the CSS through unsecure HTTP connections (disabled by default).
• no restrict web-mgmt - Enables Device Management user interface access to the CSS (disabled by default).

Note: Disable Telnet access when you want to use the Secure Shell Host (SSH) server.
• restrict secure-xml - Disables the transfer of XML configuration files to the CSS through secure HTTPS SSL connections (disabled by default).
• restrict xml - Disables the transfer of XML configuration files to the CSS through unsecure HTTP connections (disabled by default).
• restrict web-mgmt - Disables web management access to the CSS (disabled by default).
• Logging ACL Activity
• ACL Example

ACL Overview

ACLs configured on the CSS provide a basic level of security for accessing your network. Without ACLs on the CSS, all packets passing through VLAN circuits on the CSS could be allowed onto the entire network. With ACLs, you can, for example, permit all e-mail traffic on a CSS circuit but block Telnet traffic.
For example, Figure 1-2 shows three VLAN circuits on the CSS.

Figure 1-2 ACLs Enabled on the CSS (figure: a CSS with ACLs enabled; incoming traffic on VLAN1 is controlled by ACL 1, incoming traffic on VLAN2 by ACL 2, and all traffic on VLAN3 is denied because it has no applied ACL; labels read "All incoming traffic to any destination" and "TCP incoming traffic to VIP 192.32.1.")
Enabling ACLs globally affects all traffic on all CSS circuits whether they have ACLs or not. When you enable ACLs, all traffic on a circuit that is not configured in an ACL permit clause is denied. If you do not apply an ACL on each circuit, the CSS denies traffic on that circuit. When the CSS is using ACLs, its hardware implements a maximum of 10 ACLs with simple Layer 3 or Layer 4 clauses.
Table 1-1 ACL Configuration Quick Start

1. Enter global configuration mode.
    # config
    (config)#
2. Create an ACL and access ACL mode. Enter an ACL index number from 1 to 99.
    (config)# acl 7
    Create ACL <7>, [y,n]:y
    (config-acl[7])#
3. Configure clauses in the ACL. The CSS will use the clauses to control traffic on the circuit on which you will apply the ACL (for example, VLAN1).
Table 1-1 ACL Configuration Quick Start (continued)

5. You must repeat steps 1 through 4 to create an ACL with at least one permit clause for all other circuits and apply the ACL to them. If a circuit does not have an applied ACL when you enable ACLs on the CSS, the CSS denies traffic on the circuit.
6. Enable all ACLs on the CSS.
Note: If a circuit does not have an ACL, the CSS applies an implicit “deny all” clause to this circuit, causing the CSS to deny all traffic on it.

To create an ACL and access ACL mode, use the acl index number command. The index number defines the ACL and can range from 1 to 99. To display a list of existing ACLs, use the acl ? command.
4. Apply another ACL on the circuit. If you do not apply an ACL on the circuit, the CSS denies traffic on the circuit when you enable ACLs on the CSS.
5. Reenable all ACLs on the CSS. Enter:
    (config)# acl enable

Configuring Clauses

The clauses you configure on an ACL determine how the CSS controls traffic on a circuit. When you configure a clause, you must assign a number to it.
• clause number bypass - Creates a clause in the ACL to permit traffic on a circuit and bypasses (does not process) content rules that apply to the traffic.
Table 1-2 provides variables and options for the clause command. Bolded syntax defines keywords that you enter on the command line. Italics define variables where you enter a value such as an IP address or a host name.

Table 1-2 Clause Command Options

number - The number you want to assign to the clause. Enter a number from 1 to 254.
action - The action to apply to the clause.
Table 1-2 Clause Command Options (continued)

source_port - The source port for the traffic. If you do not designate a source port, this clause allows traffic from any port number. Enter one of the following:
• eq port is equal to the port number.
• lt port is less than the port number.
• gt port is greater than the port number.
destination_info
Table 1-2 Clause Command Options (continued)

destination_port - The destination port. Enter one of the following. You may use a port number or port name with the options.
• eq port is equal to the port number.
• lt port is less than the port number.
• gt port is greater than the port number.
• neq port is not equal to the port number.
Table 1-2 Clause Command Options (continued)

sourcegroup name - The source group as the destination for the traffic. Enter the group name. To see a list of source groups, enter: show group ?

Note: The clause number bypass command does not affect NATing on a source group.
Table 1-2 Clause Command Options (continued)

prefer service_name - Prefer the specified service as the traffic destination over other services. To define more than one preferred service, separate each service with a comma (,). You can define a maximum of two services.
For example, you apply ACL 7 to VLAN1 and then globally enable ACLs on the CSS. At a later time, to add a new clause to ACL 7 and to have the clause take effect on the CSS, enter:
    (config-acl[7])# clause 200 permit any any destination any
    (config-acl[7])# apply circuit-(VLAN1)

Deleting a Clause

If you modify an existing clause, you must delete it from the ACL and then re-add it.
Note: When you remove an applied ACL from the circuit, the CSS applies an implicit “deny all” clause to this circuit, causing the CSS to deny all traffic on it. If you want the CSS to permit traffic on the circuit when removing the applied ACL from the circuit, globally disable ACLs on the CSS with the global configuration mode acl disable command.
However, if you configure a CSS with the dns-server command, and the CSS receives a DNS query for a domain name that you configured on the CSS using the host command, the DNS query does not match an ACL that is configured with the apply dns command. After you apply an ACL and ACLs are disabled on the CSS, you must enter the global configuration acl enable command to enable the ACLs on the CSS.
2. In ACL mode, remove the ACL from the circuit.
    (config-acl[7])# remove circuit-(VLAN1)
3. Make any changes to the ACL. If you delete an ACL from the circuit, configure another ACL with a permit clause for the circuit, and then apply it to the circuit. Otherwise, when you reenable the ACLs on the CSS, the CSS denies traffic on the circuit.
4. Reapply the ACL on the circuit.
Use the global configuration acl enable command to enable all ACLs on the CSS. To globally enable all ACLs, enter:
    (config)# acl enable

Disabling ACLs on the CSS

If you need to add, change, or delete an ACL or delete an ACL clause, we recommend that you disable all ACLs on the CSS before removing the ACL from the circuit.
• DNS Hits - Packets that match an ACL clause for DNS flows when an ACL clause is applied to DNS queries. The display includes a DNS hit counter, which counts DNS lookups.

The total number of ACL hits for each packet received by the CSS can vary depending on the type of flow and whether an ACL match occurred. The CSS performs an ACL check for every packet received until the ACL flow is completely set up.
Table 1-3 Field Descriptions for the show acl Command Output (continued)

Router Hits - Increments for a packet directly forwarded to the CSS through a Telnet or FTP session or from a non-TCP or UDP packet
DNS Hits - Increments for a packet that matches an ACL clause for DNS flows

Setting the Show ACL Counters to Zero

Use the zero counts command to reset the content and DNS hit counters in t
To enable logging on an existing ACL clause, use the log enable option for the clause command and enter:
    (config-acl[7])# clause 1 log enable
If ACLs are globally enabled on the CSS, configure logging on an existing ACL clause:
1. In global configuration mode, disable all ACLs on the CSS.
    (config)# acl disable
2. Enter the ACL mode for which you want to enable logging.
    (config)# acl 7
    (config-acl[7])#
3.
5. Reapply the ACL to the circuit.
    (config-acl[7])# apply circuit-(VLAN1)
6. In global configuration mode, reenable all ACLs on the CSS.
    (config)# acl enable
To globally disable logging for all ACL clauses, enter:
    (config)# no logging subsystem acl

ACL Example

The following ACL provides security for a CSS, Server1, and Server2 on one VLAN (VLAN1). The ACL:
• Permits clients from subnet 172.16.107.
    !**************************** ACL ***************************
    acl 1
      clause 20 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.15
      clause 30 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.16
      clause 40 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.
Creating an NQL

Enter the name of the new NQL you want to create or an existing NQL. Enter the name as an unquoted text string with no spaces and a maximum of 31 characters. You can create a maximum of 512 NQLs per CSS. For example, enter:
    (config)# nql bypass_nql
    (config-nql[bypass_nql])#
To display a list of existing NQLs, use the nql ? command. If no NQLs currently exist, the CSS prompts you to enter a new name.
The variables and options are:
• ip_address - The destination network address. Enter the IP address in dotted-decimal notation (for example, 192.168.0.0).
• subnet_prefix|subnet_mask - The IP subnet mask prefix length in CIDR bitcount notation (for example, /16). The valid prefix length range is 8 to 32. Do not enter a space to separate the IP address from the prefix length.
Adding an NQL to an ACL Clause

To add an NQL to an ACL clause:
1. Create the ACL. For example, enter:
    (config)# acl 10
2. Define the clause, including the NQL as either a source or destination. This clause example bypasses content rules for any traffic from any source going to the destination networks defined in NQL bypass_nql on port 80.
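As an added illustration of the ACL clause semantics and the NQL destinations described in this chapter (not code from the guide or from the CSS), the following Python model parses clause commands in the guide's syntax, evaluates packets in clause-number order, applies the implicit "deny all" to circuits without an applied ACL, and keeps the per-clause hit and log counters that show acl reports. The NQL table contents, the Packet type, and the "destination nql <name>" clause form are assumptions.

```python
# Model of CSS ACL clause evaluation with NQL destinations, implicit deny, and per-clause
# hit and log counters. Added example for this page; it is not Cisco code.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed NQL table standing in for "nql bypass_nql" (assumption: a list of CIDR prefixes).
NQLS = {"bypass_nql": [ipaddress.ip_network("192.168.0.0/16")]}
Packet = namedtuple("Packet", "protocol src dst dport")   # src/dst are dotted-quad strings

@dataclass
class Clause:
    number: int
    action: str                # permit | deny | bypass
    protocol: str              # any | tcp | udp
    src: Optional[list]        # IPv4Network list; None means "any"
    dst: Optional[list]
    dst_port: Optional[tuple]  # (op, port), op in eq/lt/gt/neq; None means any port
    log: bool = False          # set by "clause N log enable"
    hits: int = 0              # what "show acl" reports for the clause

def _parse_addr(t, i):
    """'any' | 'nql NAME' | HOST | NETWORK MASK at t[i]; returns (networks or None, next i)."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "nql":                                 # assumed syntax: destination nql <name>
        return NQLS[t[i + 1]], i + 2
    if i + 1 < len(t) and t[i + 1].count(".") == 3:  # address followed by a dotted subnet mask
        return [ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)], i + 2
    return [ipaddress.ip_network(t[i])], i + 1        # bare host address (/32)

def parse_clause(line):
    """Parse 'clause N action protocol SRC destination DST [eq|lt|gt|neq PORT]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "clause":
        raise ValueError(f"not a clause command: {line!r}")
    number, action, protocol = int(t[1]), t[2], t[3]
    if not 1 <= number <= 254 or action not in ("permit", "deny", "bypass"):
        raise ValueError(f"bad clause number or action: {line!r}")
    src, i = _parse_addr(t, 4)
    if i + 1 >= len(t) or t[i] != "destination":
        raise ValueError(f"expected 'destination <addr>' in {line!r}")
    dst, i = _parse_addr(t, i + 1)
    port = (t[i], int(t[i + 1])) if i < len(t) and t[i] in ("eq", "lt", "gt", "neq") else None
    return Clause(number, action, protocol, src, dst, port)

def _addr_ok(nets, addr):
    return nets is None or any(ipaddress.ip_address(addr) in n for n in nets)

def _port_ok(spec, port):
    if spec is None:
        return True
    op, p = spec
    return {"eq": port == p, "lt": port < p, "gt": port > p, "neq": port != p}[op]

def matches(c, pkt):
    return (c.protocol in ("any", pkt.protocol) and _addr_ok(c.src, pkt.src)
            and _addr_ok(c.dst, pkt.dst) and _port_ok(c.dst_port, pkt.dport))

class Acl:
    def __init__(self, index, clause_lines):
        self.index = index
        self.clauses = sorted((parse_clause(l) for l in clause_lines), key=lambda c: c.number)
    def enable_log(self, number):          # "clause N log enable"
        next(c for c in self.clauses if c.number == number).log = True
    def evaluate(self, pkt, log):
        for c in self.clauses:             # first match wins, in clause-number order
            if matches(c, pkt):
                c.hits += 1
                if c.log:
                    log.append(f"acl {self.index} clause {c.number} {c.action} {pkt.protocol} "
                               f"{pkt.src} -> {pkt.dst}:{pkt.dport}")
                return c.action
        return "deny"                      # nothing matched: implicit "deny all"

class Css:
    def __init__(self):
        self.acls_enabled = False          # toggled by "acl enable" / "acl disable"
        self.applied = {}                  # circuit -> Acl, set by "apply circuit-(VLAN1)"
        self.log = []
    def check(self, circuit, pkt):
        if not self.acls_enabled:
            return "permit"                # ACLs globally disabled: nothing is filtered
        acl = self.applied.get(circuit)
        if acl is None:
            return "deny"                  # circuit with no applied ACL: implicit "deny all"
        return acl.evaluate(pkt, self.log)

def build_example():
    """ACL 1 from the page's example (first two clauses) plus an assumed NQL bypass clause."""
    css = Css()
    acl = Acl(1, ["clause 20 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.15",
                  "clause 30 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.16",
                  "clause 10 bypass any any destination nql bypass_nql eq 80"])
    acl.enable_log(30)                     # "clause 30 log enable"
    css.applied["VLAN1"] = acl             # only VLAN1 gets an ACL; VLAN2 gets none
    css.acls_enabled = True                # "acl enable"
    return css
```

Running build_example() and calling css.check() for VLAN2 shows the behaviour the Note above warns about: with ACLs enabled, a circuit with no applied ACL denies everything.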
Chapter 2 Configuring the Secure Shell Daemon Protocol

The Secure Shell Daemon (SSHD) protocol provides secure encrypted communications between two hosts communicating over an insecure network. The CSS supports an implementation of OpenSSH to provide this secure communication. SSHD uses the standard CSS login sequence of entering the username and password at the CSS login prompts. SSHD on the CSS supports both the SSH v1 and v2 protocols.
This chapter contains the following major sections:
• Enabling SSH
• Configuring SSH Access
• Configuring SSHD in the CSS
• Configuring Telnet Access When Using SSHD
• Showing SSHD Configurations

Enabling SSH

To enable SSH functionality in your CSS, you must purchase the Secure Management software option.
Configuring SSH Access

SSH access to the CSS is enabled by default through the no restrict ssh command. You can verify the SSH access selection in the running-config file. To enhance security when using SSHD, disable Telnet access (Telnet access is enabled by default). Use the telnet-access disable command as described in Chapter 1, Controlling CSS Access.
Use the sshd keepalive command to enable SSHD keepalive. SSHD keepalive is enabled by default. To enable sending SSHD keepalives to the client, enter:
    (config)# sshd keepalive
To disable sending SSHD keepalives, enter:
    (config)# no sshd keepalive

Configuring SSHD Port

The default port number for SSH is 22. To specify the port number on which the server listens for connections from clients, use the sshd port command.
Note: The valid range for this command is 512 to 1024. However, to maintain backward compatibility with version 5.00, the CSS allows you to enter a value from 512 to 32768. If you enter a value greater than 1024, the CSS changes the value to the default of 768.
Configuring Telnet Access When Using SSHD

By default, Telnet access to the CSS is enabled. When you use SSHD, you can disable nonsecure Telnet access to the CSS. To enhance security when using SSHD, we recommend that you disable Telnet access. Use the global restrict telnet command to disable Telnet access to the CSS.
Table 2-1 Field Descriptions for the show sshd config Command (continued)

Listen Socket Count - The number of sockets that SSHD is currently listening on (not currently configurable, default is 1).
Listen Port - The port number that SSHD uses to listen for client connections (set by the sshd port command). The default is 22 (the default port for SSH). The port number is 22 or from 512 to 65535.
Table 2-2 describes the fields in the show sshd sessions command output.

Table 2-2 Field Descriptions for the show sshd sessions Command

Session_ID - The session ID.
Conn_TID - The connection task ID of the SSHD server handling the connection (tSshConn).
Login_TID - The login task ID handling the connection (tSshCli).
PTY_FD - The file descriptor used by the login task to communicate with the CSS CLI.
Chapter 3 Configuring the CSS as a Client of a RADIUS Server

The Remote Authentication Dial-In User Service (RADIUS) protocol is a distributed client/server protocol that protects networks against unauthorized access. RADIUS uses the User Datagram Protocol (UDP) to exchange authentication and configuration information between the CSS authentication client and the active authentication server that contains all user authentication and network service access information.
In a configuration where both a primary RADIUS server and a secondary RADIUS server are specified, and one or both of the RADIUS servers become unreachable, the CSS automatically transmits a keepalive authentication request to query the server(s). The CSS transmits the username “query” and the password “areyouup” to the RADIUS server (encrypted with the RADIUS server’s key) to determine the server’s state.
RADIUS Configuration Quick Start

Table 3-1 provides a quick overview of the steps required to configure the RADIUS feature on a CSS. Each step includes the CLI command required to complete the task. For a complete description of each feature and all the options associated with the CLI command, refer to the sections following the table.

Table 3-1 RADIUS Configuration Quick Start

1.
Table 3-1 RADIUS Configuration Quick Start (continued)

5. Use the virtual authentication command to configure the primary, secondary, and tertiary virtual authentication method. See Chapter 1, Controlling CSS Access.
    #(config) virtual authentication primary radius
6.
Configuring Authentication Settings

To configure the authentication settings on Cisco Secure ACS, go to the Network Configuration section of the Cisco Secure ACS HTML interface, the Add AAA Client page, and complete the following fields:
• AAA Client Hostname - Enter a name you want assigned to the CSS.
To add a user to a group, go to the User Setup section of the Cisco Secure ACS HTML interface:
• On the User Setup Select page, specify a username.
• On the User Setup Edit page, specify the following:
  – Password Authentication - Select an applicable authentication type from the list.
  – Password - Specify and confirm a password.
To remove a primary RADIUS server, enter:
    (config)# no radius-server primary

Specifying a Secondary RADIUS Server

The CSS directs authentication requests to the secondary RADIUS server when the specified RADIUS primary server is unavailable.
Configuring the RADIUS Server Timeouts

By default, the CSS waits 10 seconds for the RADIUS server (primary or secondary) to reply to an authentication request before retransmitting requests to the RADIUS server.
To reset the RADIUS server retransmit count to the default of 3 retransmissions, enter:

(config)# no radius-server retransmit

Configuring the RADIUS Server Dead-Time

During the dead-time interval, the CSS sends probe access-request packets to verify that the RADIUS server (primary or secondary) is available and can receive authentication requests.
Showing RADIUS Server Configuration Information

To view the authentication statistics for a RADIUS secondary server, enter:

(config)# show radius statistics secondary

Table 3-2 describes the fields in the show radius config command output.
Table 3-3 describes the fields in the show radius statistics output.
Cisco Content Services Switch Security Configuration Guide 3-12 OL-5650-02
Chapter 4 Configuring the CSS as a Client of a TACACS+ Server

The Terminal Access Controller Access Control System Plus (TACACS+) protocol provides access control for routers, network access servers (NAS), or other devices through one or more daemon servers. TACACS+ uses TCP for reliable delivery and encrypts the body of every packet exchanged between the NAS and the daemon with the shared secret; only the packet header travels in the clear.
TACACS+ Configuration Quick Start

Table 4-1 provides a quick overview of the steps required to configure the TACACS+ feature on a CSS. Each step includes the CLI command required to complete the task. For a complete description of each feature and all the options associated with the CLI command, see the sections following the table.

Table 4-1 TACACS+ Configuration Quick Start

Task and Command Example

1.
Table 4-1 TACACS+ Configuration Quick Start (continued)

Task and Command Example

5. Use the virtual authentication command to configure the primary, secondary, and tertiary virtual authentication method.

(config)# virtual authentication primary tacacs

6. (Recommended) Verify your TACACS+ server configuration. See the “Showing TACACS+ Server Configuration Information” section.
• Key - Enter the shared secret that the CSS and Cisco Secure ACS use to authenticate transactions. For correct operation, you must specify the identical shared secret on both the Cisco Secure ACS and the CSS. The key is case-sensitive.
• Authenticate Using - Select TACACS+ (Cisco IOS).
4. Under Unmatched Commands, choose whether to permit or deny execution of any command that is not explicitly listed:
• For a user that has SuperUser privileges on the CSS, click Permit. A SuperUser can issue any CSS command.
• For a user that has User privileges on the CSS, click Deny. A User can issue only CSS commands that do not change the CSS configuration; for example, show commands.
5.
Note: The timeout, encryption key, or keepalive frequency that you define when you configure a TACACS+ server overrides the global attribute (see the “Defining a TACACS+ Server” section).

Setting the Global CSS TACACS+ Timeout Period

The CSS allows you to define a global TACACS+ timeout period for use with all configured TACACS+ servers.
Defining a Global Encryption Key

The CSS allows you to define a global encryption key for communications with all configured TACACS+ servers. To encrypt TACACS+ packet transactions between the CSS and the TACACS+ server, you must define an encryption key. If you do not define an encryption key, packet bodies are not encrypted: usernames, passwords, and the commands submitted for authorization cross the network in cleartext, so always define a key. The key is a shared secret value that is identical to the one on the TACACS+ server; TACACS+ derives its MD5-based keystream from this value, so choose a long, random key and treat it with the same care as a password.
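To make concrete what the encryption key does on the wire (this also illustrates the protocol description at the start of this chapter), the following is an added example, not code from the Cisco guide, the CSS, or any TACACS+ daemon. It frames a TACACS+ authentication START packet the way RFC 8907 specifies, obfuscates the body with the MD5 keystream derived from the shared secret, and shows that the header stays readable, that the username is visible when no key is configured, and that a peer with the key recovers the body while a peer without it does not. The session id, username, port and address are constructed for the example.

```python
"""TACACS+ packet framing and body obfuscation, following RFC 8907 section 4.5.

Added example, not code from the Cisco guide or the CSS.  The 12-octet header
always goes in the clear; the body is XORed with an MD5 keystream derived from
the shared secret, session id, version and sequence number.  With no key the
body is sent as-is and TAC_PLUS_UNENCRYPTED_FLAG is set.
Session id, usernames and addresses below are constructed for the example.
"""
import hashlib
import struct

VERSION = 0xC0                  # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01          # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_LEN = 12
HEADER_FMT = "!BBBBII"          # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_{n-1});
    concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def authen_start(user, port, rem_addr, data=b"", action=1, priv_lvl=1, authen_type=1, service=1):
    """Authentication START body (action LOGIN=1, authen_type ASCII=1, service LOGIN=1)."""
    return (struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)


def encode_packet(ptype, seq_no, session_id, body, key, version=VERSION):
    """With a key: obfuscated body, flags=0.  Without: cleartext body, unencrypted flag set."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(body))
    return header + (xor_body(body, session_id, key, version, seq_no) if key else body)


def decode_packet(packet, key):
    """Returns (type, seq_no, session_id, body).  Refuses a cleartext packet when a key
    is configured, so a misconfigured peer or an attacker cannot downgrade the session."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:]
    if len(body) != length:
        raise ValueError("length field does not match body")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if key:
            raise ValueError("cleartext body but a key is configured")
        return ptype, seq_no, session_id, body
    if not key:
        raise ValueError("obfuscated body but no key configured")
    return ptype, seq_no, session_id, xor_body(body, session_id, key, version, seq_no)


def accepts(packet, key):
    """True if decode_packet would accept this packet under the given key."""
    try:
        decode_packet(packet, key)
        return True
    except ValueError:
        return False


def demo(key):
    """Frame the CSS's authentication START for a console login and report what an
    observer on the wire and the two peers can make of it."""
    session_id = 0x1A2B3C4D     # constructed; real clients choose a random 32-bit value
    body = authen_start(b"cssadmin", b"console", b"192.168.1.10")
    pkt = encode_packet(TAC_PLUS_AUTHEN, 1, session_id, body, key)
    recovered = decode_packet(pkt, key)[3]
    return {
        "header_session_id_in_clear": struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])[4] == session_id,
        "username_visible_on_wire": b"cssadmin" in pkt,
        "peer_recovers_body": recovered == body,
        "wrong_key_recovers_body": bool(key) and decode_packet(pkt, b"not-the-secret")[3] == body,
    }


if __name__ == "__main__":
    print(demo(b""))                           # no key: username readable on the wire
    print(demo(b"css-tacacs-shared-secret"))   # key set: only the header is readable
```

The keystream is a chain of MD5 digests seeded by values an eavesdropper can read from the header, so the secret is the only thing standing between a capture and the credentials; that is why the guide insists the key be defined, and why the example refuses a cleartext packet once a key is configured rather than quietly accepting the downgrade.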
When it sends a keepalive to the TACACS+ server, the CSS attempts to use a persistent connection with the server. If the server is not configured for persistence, the CSS opens a new connection each time it sends a keepalive. To set the global TACACS+ keepalive frequency, use the tacacs-server frequency command in global configuration mode.
Note: For general guidelines on the recommended setup of a TACACS+ server (the Cisco Secure Access Control Server in this example), see the “TACACS+ Configuration Quick Start” section.

To apply a TACACS+ global attribute, such as the timeout period, keepalive frequency, or shared secret, to a TACACS+ server, you must configure the global attribute before you configure the server.
Defining this option overrides the tacacs-server key command. For more information on defining a global encryption key, see the “Defining a Global Encryption Key” section.

• primary - (Optional) Assigns the TACACS+ server precedence over the other configured servers. You can specify only one primary server.
Setting TACACS+ Authorization

TACACS+ authorization allows the TACACS+ server to control which CSS commands a user can execute. CSS authorization divides the command set into two categories:

• Configuration commands that change the CSS running configuration; for example, all commands in global configuration mode.
In releases prior to 7.30.1.05, if you transitioned from one CLI mode to another (for example, from config mode to service mode) and the service already existed, the CSS did not perform authorization on that command, regardless of whether TACACS+ authorization was enabled for configuration or nonconfiguration commands.
To reenable the CSS to send the full command syntax, use the tacacs-server send-full-command command. For example:

(config)# tacacs-server send-full-command

Setting TACACS+ Accounting

TACACS+ accounting allows the TACACS+ server to receive an accounting report for the commands that the user executes.
Showing TACACS+ Server Configuration Information

Use the show tacacs-server command to display the TACACS+ server configuration information. To view this information, enter:

(config)# show tacacs-server

Table 4-2 describes the fields in the show tacacs-server command output.
Table 4-2 Field Descriptions for the show tacacs-server Command (continued)

Field - Description
• Authorize Config Commands - Indicates whether configuration commands receive authorization
• Authorize Non-Config - Indicates whether nonconfiguration commands receive authorization
• Account Config Commands - Indicates whether the CSS sends accounting reports to TACACS+ servers for all commands that change
Chapter 5 Configuring Firewall Load Balancing

This chapter describes how to configure the CSS Firewall Load Balancing (FWLB) feature. Information in this chapter applies to all CSS models, except where noted.
Overview of FWLB

FWLB enables you to configure a maximum of 15 firewalls per CSS. Configuring multiple firewalls can overcome performance limitations and remove the single point of failure when all traffic is forced through a single firewall. The FWLB feature ensures that the CSS will forward all packets with the same source and destination IP addresses through the same firewall.
Firewall Synchronization

Firewall solutions providing stateful inspection, such as Check Point™ FireWall-1®, create and maintain virtual state for all connections through their devices, even for stateless protocols such as UDP and RPC. This state information, including details on Network Address Translation (NAT), is updated according to the data transferred.
You must define firewall parameters for each path through the firewalls on both local and remote CSSs. Use the ip firewall command to define firewall parameters. The syntax for this global configuration mode command is:

ip firewall index local_firewall_address remote_firewall_address remote_switch_address

The variables are:

Note: Enter all IP addresses in dotted-decimal notation (for example, 192.168.11.1).
Use the ip firewall timeout number command to specify the number of seconds the CSS waits to receive a keepalive message from the remote CSS before declaring the firewall unreachable. The timeout range is 3 to 16 seconds. The default is 3 seconds.

Note: The amount of time required for a firewall path to become available is unaffected by this command; it remains at three seconds.
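The two FWLB properties described so far (the overview's guarantee that packets with the same source and destination addresses always traverse the same firewall, and the keepalive timeout that takes a path out of service) can be modelled to see how they interact when a firewall fails. The following is an added example, not code from the Cisco guide or the CSS's implementation: it keeps a table of ip firewall paths, declares a path unreachable when keepalives from the remote CSS stop for longer than the timeout, brings it back only after the fixed three seconds, and pins each flow to one available path. The CSS's actual selection algorithm is not documented on this page; rendezvous hashing is assumed here because a path failure then moves only the flows that were on that path. The Figure 5-1 addresses are from the chapter; the third path and the client flows are constructed.

```python
"""Model of FWLB flow pinning and firewall path keepalive timeouts.

Added example, not code from the Cisco guide or the CSS.  Behaviours modelled
from the chapter: at most 15 firewalls per CSS, addresses in dotted-decimal,
a path is unreachable after `timeout` (3-16 s, default 3) without a keepalive
from the remote CSS and needs a fixed 3 s to come back, and flows with the
same source/destination pair stay on one firewall.  Rendezvous hashing for
the pick is an assumption, not the CSS's documented algorithm.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_FIREWALLS = 15
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 3, 16, 3
RECOVERY_SECONDS = 3            # fixed by the CSS; not affected by ip firewall timeout


def valid_timeout(seconds):
    return TIMEOUT_MIN <= seconds <= TIMEOUT_MAX


@dataclass
class FirewallPath:
    index: int
    local_fw: ipaddress.IPv4Address
    remote_fw: ipaddress.IPv4Address
    remote_switch: ipaddress.IPv4Address
    last_keepalive: Optional[float] = None
    up_since: Optional[float] = None   # when keepalives (re)started


class FwlbTable:
    def __init__(self, timeout=TIMEOUT_DEFAULT):
        if not valid_timeout(timeout):
            raise ValueError("ip firewall timeout must be 3 to 16 seconds")
        self.timeout = timeout
        self.paths = {}

    def ip_firewall(self, index, local_fw, remote_fw, remote_switch):
        """ip firewall index local_firewall_address remote_firewall_address remote_switch_address"""
        if index in self.paths:
            raise ValueError(f"firewall index {index} already defined")
        if len(self.paths) >= MAX_FIREWALLS:
            raise ValueError("maximum of 15 firewalls per CSS")
        # IPv4Address() rejects anything that is not dotted-decimal
        self.paths[index] = FirewallPath(index, ipaddress.IPv4Address(local_fw),
                                         ipaddress.IPv4Address(remote_fw),
                                         ipaddress.IPv4Address(remote_switch))

    def keepalive(self, index, now):
        """A keepalive from the remote CSS for this path arrived at time `now`."""
        p = self.paths[index]
        if p.last_keepalive is None or now - p.last_keepalive > self.timeout:
            p.up_since = now   # path was down: it becomes available after RECOVERY_SECONDS
        p.last_keepalive = now

    def available(self, now):
        return [p for p in self.paths.values()
                if p.last_keepalive is not None
                and now - p.last_keepalive <= self.timeout
                and now - p.up_since >= RECOVERY_SECONDS]

    def select(self, src, dst, now):
        """Pin (src, dst) to one available path: highest hash score wins (rendezvous)."""
        candidates = self.available(now)
        if not candidates:
            raise RuntimeError("no firewall path available")
        flow = f"{ipaddress.IPv4Address(src)}>{ipaddress.IPv4Address(dst)}".encode()
        return max(candidates, key=lambda p: hashlib.sha256(flow + bytes([p.index])).digest())


def demo():
    t = FwlbTable(timeout=3)
    t.ip_firewall(1, "192.168.28.1", "192.168.27.1", "192.168.27.3")   # Figure 5-1 values
    t.ip_firewall(2, "192.168.28.2", "192.168.27.2", "192.168.27.3")
    t.ip_firewall(3, "192.168.28.4", "192.168.27.4", "192.168.27.3")   # constructed third path
    for now in range(0, 11):                       # all paths healthy for 10 s
        for idx in t.paths:
            t.keepalive(idx, now)
    flows = [(f"10.0.0.{i}", "192.168.2.10") for i in range(1, 41)]   # constructed flows
    before = {f: t.select(*f, now=10).index for f in flows}
    for now in (11, 12, 13, 14):                   # path 2 goes quiet: 4 s gap > 3 s timeout
        for idx in (1, 3):
            t.keepalive(idx, now)
    after = {f: t.select(*f, now=14).index for f in flows}
    moved = [f for f in flows if before[f] != after[f]]
    path2_down = 2 not in {p.index for p in t.available(14)}
    pinned = all(t.select(*f, now=14).index == after[f] for f in flows)
    recovery = {}
    for now in (15, 16, 17, 18):                   # path 2 keepalives resume at t=15
        for idx in (1, 2, 3):
            t.keepalive(idx, now)
        recovery[now] = 2 in {p.index for p in t.available(now)}
    return {
        "path2_down_at_14": path2_down,
        "only_path2_flows_moved": all(before[f] == 2 for f in moved)
                                  and all(after[f] != 2 for f in flows),
        "pinned": pinned,
        "recovery": recovery,       # {15: False, 16: False, 17: False, 18: True}
    }


if __name__ == "__main__":
    print(demo())
```

The flow key is ordered (source then destination), so the reverse direction of a connection is pinned on its own; when that direction is handled by the other CSS, nothing in this model guarantees it lands on the same firewall, which is exactly the case the Firewall Synchronization section's state sharing between firewalls is there to cover. The recovery dictionary shows the asymmetry the note above describes: a path drops after one missed timeout window, but needs a full three seconds of keepalives before it carries traffic again.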
• index - An existing index number for the firewall route. For information on configuring a firewall index, see the ip firewall command.
• distance - The optional administrative distance. Enter an integer from 1 to 254. A smaller number is preferable. The default value is 1.
To stop advertising firewall routes, enter:

(config)# no ospf redistribute firewall

Configuring RIP to Advertise Firewall Routes

To advertise firewall routes from other protocols through RIP, use the rip redistribute firewall command. You may also include an optional metric that the CSS uses when advertising this route. Enter a number from 1 to 15. The default is 1.
To configure CSS-A (the client side of the network configuration) as shown in Figure 5-1:

1. Use the ip firewall command to define firewall 1. For example:
(config)# ip firewall 1 192.168.28.1 192.168.27.1 192.168.27.3
2. Use the ip route command to define the static route for firewall 1. For example:
(config)# ip route 192.168.2.0/24 firewall 1
3. Use the ip firewall command to define firewall 2.
Figure 5-1 illustrates the configuration defined in the firewall commands.

Figure 5-1 Example of FWLB (figure: clients reach the network through a router on the Internet side; CSS-A has VLAN2 192.168.1.153 facing the router and VLAN1 192.168.28.3 facing the firewalls; Firewall 1 is 192.168.28.1 on the CSS-A side and 192.168.27.1 on the CSS-B side, Firewall 2 is 192.168.28.2 and 192.168.27.2, with a firewall synchronization link between them; CSS-B has VLAN1 192.168.27.3 facing the firewalls and VLAN2 on 192.168.2.x in front of Server1, Server2 and Server3)
Configuring FWLB with VIP and Virtual Interface Redundancy

Configure FWLB with VIP and virtual interface redundancy to provide the following benefits:

• Very fast failover (typically 1 to 3 seconds)
• No single point of failure
• All CSSs forward traffic (active-backup configuration)

For details on configuring VIP and virtual interface redundancy, refer to the Cisco Content Services Switc
In Figure 5-2, odd-numbered firewalls are connected to the Layer 2 switches servicing the CSS-OUT-L and CSS-IN-L CSSs. Even-numbered firewalls are connected to the Layer 2 switches servicing the CSS-OUT-R and CSS-IN-R CSSs.

Figure 5-2 FWLB with VIP/Interface Redundancy Configuration (figure: CSS-OUT-L at 10.2.1.254 and CSS-OUT-R at 10.2.1.253 are joined by a redundant interface and each attaches to its own Layer 2 switch; the firewalls' outside addresses begin at 10.2.200.1; the remainder of the figure is not recoverable here)
If the firewall supports it, you can use multinetting by configuring multiple addresses on the firewall. If the firewall does not support multiple addresses per physical interface, use the ap-kal-fwlb-multinet script to simulate multiple addresses for the firewall. The script takes arguments of “realAddress secondaryAddress”. The script creates a static ARP entry for each firewall interface.
Example of Firewall and Route Configurations

The following ip firewall and ip route example configurations are valid for Figure 5-2 with four active firewalls.

CSS-OUT-L Configuration

ip firewall 1 10.2.200.1 10.3.200.1 10.3.1.224
ip firewall 2 10.2.200.2 10.3.200.2 10.3.1.224
ip firewall 3 10.2.200.3 10.3.200.3 10.3.1.224
ip firewall 4 10.2.200.4 10.3.200.4 10.3.
CSS-IN-L Configuration

ip firewall 1 10.3.200.1 10.2.200.1 10.2.1.254
ip firewall 2 10.3.200.2 10.2.200.2 10.2.1.254
ip firewall 3 10.3.200.3 10.2.200.3 10.2.1.254
ip firewall 4 10.3.200.4 10.2.200.4 10.2.1.254
ip firewall 11 10.3.200.11 10.2.200.11 10.2.1.253
ip firewall 12 10.3.200.12 10.2.200.12 10.2.1.253
ip firewall 13 10.3.200.13 10.2.200.13 10.2.1.253
ip firewall 14 10.
Displaying Firewall Flow Summaries

Use the show flows command to display the flow summary for a source IP address, or for a specific source address and its destination IP address, on a Switch Processor (SP) in a CSS. You can display up to 4096 flows per SP.
Table 5-1 describes the fields in the show flows output.
Displaying Firewall IP Information

Use the show ip firewall command to display the configured value of the IP firewall keepalive timeout and the state of each firewall path configured on the CSS. For example:

(config)# show ip firewall

Table 5-3 describes the fields in the show ip routes output.