ISCW10S05L05安全管理和报告.ppt (Secure Management and Reporting)
Cisco Device Hardening: Securing Management and Reporting Features

Secure Management and Reporting Planning Considerations
- Which are the most important logs?
- How are important messages separated from routine notifications?
- How do you prevent tampering with logs?
- How do you make sure time stamps match?
- What log data is needed in criminal investigations?
- How do you deal with the volume of log messages?
- How do you manage all the devices?
- How can you track changes when attacks or network failures occur?

Secure Management and Reporting Architecture
(Figure slides: Secure Management and Reporting Architecture; Information Paths)

In-Band Management Considerations
- Which management protocols does each device support?
- Does the management channel need to be active at all times?
- Is SNMP necessary?

Secure Management and Reporting Guidelines
In-band management guidelines:
- Apply only to devices that need to be managed or monitored.
- Use IPsec when possible.
- Use SSH or SSL instead of Telnet.
- Decide whether the management channel needs to be open at all times.
- Keep clocks on hosts and network devices synchronized.
- Record changes and archive configurations.
OOB management guidelines:
- OOB management provides the highest level of security and mitigates the risk of passing insecure management protocols over the production network.
- Keep clocks on hosts and network devices synchronized.
- Record changes and archive configurations.

Configuring an SSH Server for Secure Management and Reporting
(The domain name argument is not shown on the slide; <domain-name> is a placeholder.)
  Austin2#configure terminal
  Austin2(config)#ip domain-name <domain-name>                        ! Configure the IP domain name
  Austin2(config)#crypto key generate rsa general-keys modulus 1024   ! Generate the RSA keys
  Sept 22 13:20:45:%SSH-5-ENABLED:SSH 1.5 has been enabled
  Austin2(config)#ip ssh timeout 120                                  ! Configure the SSH timeout interval
  Austin2(config)#ip ssh authentication-retries 4                     ! Configure the SSH retries
  Austin2(config)#line vty 0 4
  Austin2(config-line)#no transport input telnet                      ! Disable vty inbound Telnet sessions
  Austin2(config-line)#transport input ssh                            ! Enable vty inbound SSH sessions
  Austin2(config-line)#end

Using Syslog Logging for Network Security

Implementing Log Messaging for Security
Routers should be configured to send log messages to one or more of these:
- Console
- Terminal lines
- Memory buffer
- SNMP traps
- Syslog
Syslog logging is a key security policy component.

Syslog Systems
- Syslog server: a host that accepts and processes log messages from one or more syslog clients.
- Syslog client: a host that generates log messages and forwards them to a syslog server.

Cisco Log Severity Levels
(Table slide: Cisco log severity levels)

Log Message Format
  Oct 29 10:00:01 EST:%SYS-5-CONFIG_I:Configured from console by vty0(10.2.2.6)
- Time stamp: Oct 29 10:00:01 EST
- Log message name and severity level: %SYS-5-CONFIG_I
- Message text: Configured from console by vty0(10.2.2.6)

Configuring Syslog
  Router(config)# logging host-name|ip-address
      Sets the destination logging host
  Router(config)# logging trap level
      (Optional) Sets the log severity (trap) level
  Router(config)# logging facility facility-type
      (Optional) Sets the syslog facility
  Router(config)# logging source-interface interface-type interface-number
      (Optional) Sets the source interface
  Router(config)# logging on
      Enables logging

Syslog Implementation Example
  R3(config)#logging 10.2.2.6
  R3(config)#logging trap informational
  R3(config)#logging source-interface loopback 0
  R3(config)#logging on

SNMP Version 3

SNMPv1 and SNMPv2 Architecture
The SNMP NMS asks agents embedded in network devices for information, or tells the agents to do something.

Community Strings
Used to authenticate messages between a management station and an SNMPv1 or SNMPv2 engine:
- Read-only community strings can get information, but cannot set information in an agent.
- Read-write community strings can get and set information in the agent.
- Having read-write access is like having the enable password for the device.

SNMP Security Models and Levels
Definitions:
- Security model: a security strategy used by the SNMP agent.
- Security level: the permitted level of security within a security model.
(Figure slides: SNMPv3 Architecture; SNMPv3 Operational Model; SNMPv3 Features and Benefits)

Configuring an SNMP Managed Node

SNMPv3 Configuration Task List
Cisco IOS SNMPv3 server configuration tasks:
- Configuring the SNMP-server engine ID
- Configuring the SNMP-server group names
- Configuring the SNMP-server users
- Configuring the SNMP-server hosts

Configuring the SNMP-Server Engine ID
  Router(config)# snmp-server engineID local engineid-string | remote ip-address udp-port port-number engineid-string
      Configures names for both the local and remote SNMP engine (or copy of SNMP) on the router
  PR1(config)#snmp-server engineID local 1234

Configuring the SNMP-Server Group Names
  Router(config)# snmp-server group groupname v1|v2c|v3 auth|noauth|priv read readview write writeview notify notifyview access access-list
      Configures a new SNMP group, or a table that maps SNMP users to SNMP views
  PR1(config)#snmp-server group johngroup v3 auth
  PR1(config)#snmp-server group billgroup v3 priv

Configuring the SNMP-Server Users
  Router(config)# snmp-server user username groupname remote ip-address udp-port port v1|v2c|v3 encrypted auth md5|sha auth-password priv des56 priv-password access access-list
      Configures a new user to an SNMP group
  PR1(config)#snmp-server user John johngroup v3 auth md5 john2passwd
  PR1(config)#snmp-server user Bill billgroup v3 auth md5 bill3passwd priv des56 password2
  PR1(config)#snmp-server group johngroup v3 auth
  PR1(config)#snmp-server group billgroup v3 priv

Configuring the SNMP-Server Hosts
  Router(config)# snmp-server host host-address traps|informs version 1|2c|3 auth|noauth|priv community-string udp-port port notification-type
      Configures the recipient of an SNMP trap operation
  PR1(config)#snmp-server engineID remote 10.1.1.1 1234
  PR1(config)#snmp-server user bill billgroup remote 10.1.1.1 v3
  PR1(config)#snmp-server group billgroup v3 noauth
  PR1(config)#snmp-server enable traps
  PR1(config)#snmp-server host 10.1.1.1 informs version 3 noauth bill
  PR1(config)#snmp-server manager

SNMPv3 Configuration Example
  Trap_sender(config)#snmp-server group snmpgroup v3 auth
  Trap_sender(config)#snmp-server group snmpgroup v3 priv
  Trap_sender(config)#snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encryptpassword
  Trap_sender(config)#snmp-server enable traps cpu
  Trap_sender(config)#snmp-server enable traps config
  Trap_sender(config)#snmp-server enable traps snmp
  Trap_sender(config)#snmp-server host 11.11.11.11 traps version 3 priv snmpuser
  Trap_sender(config)#snmp-server source-interface traps loopback 0

  Walked_device(config)#snmp-server group snmpgroup v3 auth
  Walked_device(config)#snmp-server group snmpgroup v3 priv
  Walked_device(config)#snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encryptpassword

Configuring NTP Client

Understanding NTP
- NTP is used to synchronize the clocks in the entire network.
- The system clock is set by the battery-backed system calendar during bootup.
- The system clock can then be modified manually or via NTP.
- NTP runs over UDP port 123; the current version is 4.
- Only NTP up to version 3 has been documented in RFCs.
- Stratum describes how many "NTP hops" away a machine is from an authoritative time source.
- NTP establishes associations to synchronize time.

Configuring NTP Authentication
  Router(config)# ntp authenticate
      Enables the authentication feature
  Router(config)# ntp authentication-key number md5 value
      Defines the authentication keys; used for both peer and server associations
  Router(config)# ntp trusted-key key-number
      Defines the trusted authentication keys; required to synchronize to a system (server association)
  R1(config)#ntp authenticate
  R1(config)#ntp authentication-key 1 md5 NeVeRgUeSs
  R1(config)#ntp trusted-key 1

Configuring NTP Associations
  Router(config)# ntp server ip-address|hostname version number key keyid source interface prefer
      Forms a server association with another system
  Router(config-if)# ntp broadcast client
      Receives NTP broadcast packets
  R1(config)#ntp server 10.1.1.1 key 1
  R1(config)#ntp server 10.2.2.2 key 2 prefer
  R1(config)#interface Fastethernet 0/1
  R1(config-if)#ntp broadcast client

Configuring Additional NTP Options
  Router(config)# ntp access-group query-only|serve-only|serve|peer access-list-number
      Controls NTP message exchange
  Router(config)# ntp source interface
      Modifies the source IP address of NTP packets
  R1(config)#ntp access-group peer 1
  R1(config)#ntp source loopback 0

Configuring NTP Server

Implementing NTP Server
- Cisco IOS routers work as an NTP server by default.
- As soon as a router is synchronized to an authoritative time source, it will allow peers with a lower stratum to synchronize to that router; this requires a peer association.
- You can make a router an authoritative NTP server, even if the system is not synchronized to an outside time source.
- Two options to establish a peer association: unicast and broadcast.
- Same exchange control methods as with the client: packet authentication and access-group filtering.

Configuring NTP Server
  Router(config)# ntp master stratum
      Makes the system an authoritative NTP server
  Router(config-if)# ntp broadcast version number destination address key keyid
      Configures an interface to send NTP broadcast packets
  Router(config)# ntp peer ip-address normal-sync version number key keyid source interface prefer
      Forms a peer association with another system
  R2(config)#ntp peer 10.1.1.1 key 1
  R2(config)#ntp master 3
  R2(config)#interface Fastethernet0/0
  R2(config-if)#ntp broadcast

NTP Configuration Example
(Key references and "ntp authenticate" are included below so that the keys the example defines are actually used: key 1 protects the Source/Intermediate exchange, key 2 the broadcast to the Client.)
  Source(config)#ntp master 5
  Source(config)#ntp authentication-key 1 md5 secretsource
  Source(config)#ntp peer 172.16.0.2 key 1
  Source(config)#ntp source loopback 0

  Intermediate(config)#ntp authenticate
  Intermediate(config)#ntp authentication-key 1 md5 secretsource
  Intermediate(config)#ntp authentication-key 2 md5 secretclient
  Intermediate(config)#ntp trusted-key 1
  Intermediate(config)#ntp server 172.16.0.1 key 1
  Intermediate(config)#ntp source loopback 0
  Intermediate(config)#interface Fastethernet0/0
  Intermediate(config-if)#ntp broadcast key 2

  Client(config)#ntp authenticate
  Client(config)#ntp authentication-key 1 md5 secretclient
  Client(config)#ntp trusted-key 1
  Client(config)#interface Fastethernet0/1
  Client(config-if)#ntp broadcast client

Summary
- Since OOB management provides higher levels of security and performance than in-band management, the decision to use an in-band solution must be considered carefully.
- Management communications should use SSH rather than Telnet.
- Implementing a router logging facility is an important part of any network security policy.
- Syslog is implemented on your Cisco router using syslog router commands.
- Network management will be greatly enhanced by implementing the security features of SNMPv3 rather than earlier versions.
- Cisco IOS SNMPv3 server configuration tasks include configuring the SNMP-server engine ID, group names, users, and hosts.
- Cisco routers can be configured as NTP servers or clients.
- Packet authentication and filtering should be used to protect NTP exchange.
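The log message format and the "logging trap level" behaviour from the syslog slides, worked through in Python as an added example (not code from the course): it splits an IOS message into time stamp, facility, severity, mnemonic and text, then applies a trap level and a small watch list to separate important messages from routine notifications, which is one of the planning considerations above. The sample log lines are constructed except the first, which is the lesson's own format example; the '*' and '.' time-stamp prefixes are IOS's markers for a clock that is not authoritative.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Cisco IOS severity levels (0 = most severe). "logging trap <level>" forwards that level and anything more severe.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Optional time stamp (everything up to the colon before '%'), then %FACILITY-SEVERITY-MNEMONIC: message text
MSG_RE = re.compile(r"^(?:(?P<ts>[^%]*?):\s*)?%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+):\s*(?P<text>.*)$")

# Constructed sample log (not from the course), except the first line, which is the lesson's format example.
SAMPLE_LOG = """\
Oct 29 10:00:01 EST:%SYS-5-CONFIG_I:Configured from console by vty0(10.2.2.6)
Oct 29 10:00:07 EST:%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user: admin] [Source: 10.2.2.9] [localport: 22]
*Mar  1 00:00:09.111:%LINEPROTO-5-UPDOWN:Line protocol on Interface FastEthernet0/1, changed state to up
Oct 29 10:00:12 EST:%SYS-7-USERLOG_DEBUG:Message from tty0(user: admin): debug test
this line is not an IOS syslog message
"""
@dataclass
class IosLog:
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str
    clock_synced: bool  # IOS marks a non-authoritative clock with a leading '*' (never set) or '.' (lost sync)

def parse_ios_log(line: str) -> Optional[IosLog]:
    """Split one IOS log line into time stamp, message name/severity and text; None if it is not one."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    ts = m["ts"]
    return IosLog(ts, m["fac"], int(m["sev"]), m["mn"], m["text"],
                  ts is not None and not ts.startswith(("*", ".")))

def triage(log_text: str, trap_level: str = "informational", watch=("CONFIG_I", "LOGIN_FAILED")):
    """Return (forwarded, attention, unparsed): what 'logging trap <level>' would send to the syslog
    server, the subset worth an analyst's time (warnings or worse, or a watched mnemonic), and the rest."""
    forwarded, attention, unparsed = [], [], []
    for line in log_text.splitlines():
        msg = parse_ios_log(line)
        if msg is None:
            unparsed.append(line)
        elif msg.severity <= SEVERITY[trap_level]:
            forwarded.append(msg)
            if msg.severity <= SEVERITY["warnings"] or msg.mnemonic in watch:
                attention.append(msg)
    return forwarded, attention, unparsed
```

A CONFIG_I message is only severity 5, so a severity threshold alone would file it with routine notifications; the watch list is what keeps configuration changes visible for the "track changes" question.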
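A configuration check for the guidelines this lesson sets out (SSH instead of Telnet on vty lines, SNMPv3 priv rather than community strings or noauth/auth groups, NTP associations that carry a key, with "ntp authenticate" enabled and every trusted key actually defined), as an added Python example that is not part of the course material. The running-config excerpt it audits is constructed, and the finding labels such as vty-telnet are this example's own.

```python
import re

# Constructed running-config excerpt (not from the slides): mixes weak and hardened settings.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server group monitor v3 auth
snmp-server group secure v3 priv
ntp authentication-key 1 md5 NeVeRgUeSs
ntp trusted-key 2
ntp server 10.1.1.1
ntp server 10.2.2.2 key 1 prefer
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

def audit_config(text):
    """Check a running-config against the lesson's guidelines; returns a list of (check, detail) findings."""
    findings, keys, trusted, ntp_auth, section = [], set(), set(), False, None
    for ln in text.splitlines():
        s = ln.strip()
        if not ln.startswith(" "):          # top-level line: start of a new block (IOS indents sub-commands)
            section = s if s.startswith("line ") else None
        words = s.split()
        if section and s.startswith("transport input") and ({"telnet", "all"} & set(words[2:])):
            findings.append(("vty-telnet", f"{section}: {s}"))   # use SSH instead of Telnet
        if s.startswith("snmp-server community") or re.match(r"snmp-server group \S+ v(1|2c)\b", s):
            findings.append(("snmp-v1v2c", s))                   # community strings travel in cleartext
        if re.match(r"snmp-server group \S+ v3 (auth|noauth)\b", s):
            findings.append(("snmp-v3-not-priv", s))             # v3 without encryption of the payload
        if s == "ntp authenticate":
            ntp_auth = True
        if m := re.match(r"ntp authentication-key (\d+) ", s):
            keys.add(m.group(1))
        if m := re.match(r"ntp trusted-key (\d+)", s):
            trusted.add(m.group(1))
        if re.match(r"ntp (server|peer) ", s) and "key" not in words:
            findings.append(("ntp-no-key", s))                   # unauthenticated time association
    if (keys or trusted) and not ntp_auth:
        findings.append(("ntp-authenticate-missing", "keys defined but 'ntp authenticate' absent"))
    for k in sorted(trusted - keys):
        findings.append(("ntp-trusted-key-undefined", f"trusted-key {k} has no authentication-key"))
    return findings
```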