So let's have a look at how we go about securing campus network devices. These campus devices include the routers, the switches, the wireless access points and the servers, which means the virtual machines and their physical hosts; all of them need their management access secured so that only the campus IT staff can reach the device management interfaces. Device security is implemented in two places: protecting the control plane, and provisioning dedicated management VLANs for securing the routers. We want to restrict access to the console and the auxiliary ports. The campus routers, that is the core and border routers, are usually in locked equipment cabinets in the campus core data center. Data center access is restricted to IT staff, and the physical access security best practices apply here. We also need to restrict login access over the network. Turn off telnet; it is still enabled by default on far too many devices. Telnet is long obsolete and completely insecure: passwords and all traffic are sent in the clear. Set up secure shell, and use version 2 only; version 1 has known protocol weaknesses and must not be used. Protect the device control plane login ports with strict filters. We're going to show you a router access filter example. We're going to protect login access to the router control plane over the network, so we create filters which allow access from the campus NOC address space only, and we create filters to allow access from the other campus device management interfaces as well. This allows device-to-device connections for troubleshooting; if we block this it makes troubleshooting really, really tough, as we can then only reach these devices from the campus NOC address space itself. We're going to set up user authentication, authorization and accounting. Each user must have an account, no role accounts at all. Role accounts are extremely bad practice and sadly far too common on network infrastructure today. We're going to use a centralized AAA system such as TACACS+.
Some operators use RADIUS but my personal preference is for TACACS+. Authorization allows for different classes of users: standard, for monitoring users or monitoring systems, none of which need configuration access, so they don't get that privilege; and then administrator authorization, to be able to modify configurations. The slide shows a Cisco IOS example. The first section defines AAA. This is a working example from a campus network. We have defined what the TACACS+ server is. There's a single one there just for the sake of space, but this actual campus has two operating TACACS+ servers, so should one disappear the other one provides the backup. Then we have defined an access list called v4vty which defines which address space is allowed access to the vty ports on this router. We've allowed the NOC address space in as a /24, and we've allowed the management VLAN address space in as well. Everything else we've denied. Note the log option: that means every other access attempt is logged, and that gives us some idea of who is attempting to access our devices. Then we apply this access list and the AAA setup to the vtys. In this case the router's got five vty ports. We've applied the access list and then we've defined the transports that are allowed: only secure shell in and secure shell out. If you're aware of Cisco devices, Cisco by default supports a considerable range of transports to access and use the virtual terminal interfaces.
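The slide itself is not reproduced in this transcript. What follows is a reconstruction of that Cisco IOS configuration, added here as an example; it is not the campus's actual configuration. The TACACS+ server addresses and names, the shared secrets, the NOC /24 (192.0.2.0/24), the management VLAN range (198.51.100.0/24) and the local fallback username are all assumed placeholders using documentation address space. It goes slightly beyond the talk's description by showing both TACACS+ servers, the auxiliary port shut down, and a local fallback account for the case where no TACACS+ server is reachable.

```cisco
! --- AAA: every login is authenticated, authorized and accounted via TACACS+ ---
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Caveat: the "local" method is consulted only when every TACACS+ server
! fails to respond, not when a server rejects the login, so this does not
! weaken TACACS+ policy. The local account is still a named person's
! account, not a shared role account (username is a placeholder).
username named-admin privilege 15 secret <local-fallback-password>
!
! Two TACACS+ servers so that one can disappear without locking us out.
! (Addresses and secrets are placeholders; older IOS uses
!  "tacacs-server host 192.0.2.10 key <secret>" instead.)
tacacs server noc-tacacs1
 address ipv4 192.0.2.10
 key <shared-secret>
tacacs server noc-tacacs2
 address ipv4 192.0.2.11
 key <shared-secret>
!
! --- Who may reach the vty ports: NOC /24 and the management VLAN only ---
! Everything else is denied and logged so we see who is knocking.
ip access-list standard v4vty
 permit 192.0.2.0 0.0.0.255
 permit 198.51.100.0 0.0.0.255
 deny   any log
!
! --- SSH version 2 only; no SSHv1 negotiation ---
! An RSA host key must exist first (exec command, after hostname and
! ip domain-name are set):  crypto key generate rsa modulus 2048
ip ssh version 2
!
! --- Console stays usable for staff with physical access; aux is disabled ---
line con 0
 login authentication default
 exec-timeout 10 0
line aux 0
 no exec
 transport input none
!
! --- The five vty ports: filter, AAA, and SSH as the only transport ---
line vty 0 4
 access-class v4vty in
 login authentication default
 authorization exec default
 transport input ssh
 transport output ssh
 exec-timeout 10 0
```

A quick check after applying this: from a host outside both permitted ranges, an SSH attempt should be refused and the router should emit a log line for the deny entry, and `show ip ssh` should report SSH version 2.0 only. Because only `ssh` is listed under `transport input`, telnet to the vtys is refused even before the access list is consulted.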
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.