Thursday, December 16, 2010

Domain 5 - Implement secure network management and reporting best ccna bootcamp training center in gurgaon

Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192

Secure Management and Reporting Planning
There are a number of different things which must be considered when planning for both secure
management and reporting on a network. The larger the network, the more complex this structure
becomes, and the more information there is which can potentially be logged or reported. The following
are the Cisco recommendations for designing a secure management and reporting infrastructure:
Collect feedback from both network and security team members to determine the best information to
be collected.
Select an appropriate syslog severity level so that the volume of routine messages does not drown out
the important ones.
Secure the transmission and storage of logging information (syslog is sent in cleartext over UDP by
default, so carry it over a dedicated management network or an encrypted tunnel where possible).
Make use of the Network Time Protocol (NTP) to ensure timestamp synchronization across all devices.
Ensure that all information is logged which may be required by law.
Allocate sufficient logging storage.
Identify and implement an enterprise-wide log management system which collects from all devices.
Develop a complete change management solution to track configuration changes.
Secure Management Architecture
There are two main methods of secure management design:
In-Band Management – Management traffic is carried over the same production network as user traffic;
it is cheaper but exposes the management plane to anyone on that network.
Out-of-Band Management – Management traffic is carried over a separate, dedicated network built only
for management, so that it is isolated from the production data path and from a compromise of it.
Secure Shell
One of the easiest ways to improve security on a Cisco device is through the replacement of telnet
sessions with Secure Shell (SSH). An SSH session is very similar in interaction to a telnet session, with
encryption and authentication of the traffic being the primary difference; telnet sends usernames,
passwords and every command in cleartext. There are two versions of SSH which differ in a number of
ways, including the supported integrity (MAC) algorithms and the key exchange. SSH version 1 has known
protocol weaknesses, so version 2 should be used wherever it is supported. SSH version 2 requires IOS
version 12.3(4)T in order for it to be supported.
Configuring Secure Shell
The following steps need to be followed in order to correctly configure SSH on a Cisco device.
First, create a username and password combination that you will use to log in to the router. On IOS
releases which support it, the secret keyword should be used in place of password so that the
credential is stored as a hash rather than as a reversible type 7 string.
router(config)#username username password password
Second, from vty line configuration mode, enable local login authentication on the vty lines so that
the local username database is checked.
router(config-line)#login local
Third, configure a domain name on the device. A hostname must also be set, because the RSA key pair
is named after the hostname and domain name.
router(config)#ip domain-name name
Fourth, generate the RSA key pair which identifies the router to its clients and is used to set up
the encrypted session.
router(config)#crypto key generate rsa
When issuing this command a prompt will ask for a key size; it is recommended that this key be at
least 1024 bits, and 2048 bits should be chosen on any current IOS release.
Fifth, restrict the terminal lines to SSH so that telnet is no longer accepted on them.
router(config-line)#transport input ssh
There are also a number of parameters which can be set to change the behavior of SSH:
The SSH negotiation timeout (the time the router waits for the client to complete authentication)
can be changed from its default of 120 seconds, which is also the maximum; it is entered in seconds.
Once the EXEC session has started, the idle timeout configured on the vty line (exec-timeout, default
10 minutes) applies instead.
router(config)#ip ssh time-out seconds
The number of authentication retries can be changed from its default of 3 (the maximum is 5).
router(config)#ip ssh authentication-retries number
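The steps above gathered into one complete configuration, as an added example which is not part of the original page; the hostname R1, domain example.net, management subnet 10.1.1.0/24, username admin and access list 10 are illustrative values chosen here, and the ip ssh version 2 command is used to refuse SSH version 1 clients:

```cisco
! Added example (not from the original page): SSH-only management access.
! Hostname and domain name are required before the RSA key pair can be
! generated; R1, example.net, 10.1.1.0/24 and admin are illustrative values.
hostname R1
ip domain-name example.net
!
! Local account for management logins. "secret" stores a hash; "password"
! stores a reversible type 7 string and should be avoided.
username admin privilege 15 secret Str0ngAdminP@ss
!
! 2048-bit RSA host key; the modulus keyword avoids the interactive size prompt.
crypto key generate rsa modulus 2048
!
! Force SSH version 2 (version 1 has known protocol weaknesses) and tighten
! the negotiation timeout and retry count.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Only the management subnet may open an SSH session to the router;
! everything else is dropped and logged.
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 5 0
!
! Verification (privileged EXEC):
!   show ip ssh                  - version, time-out and retry settings
!   show crypto key mypubkey rsa - the generated key pair
!   show ssh                     - active SSH sessions and their versions
```

The access-class on the vty lines is what keeps a cleartext-free protocol from still being reachable from every host on the network; without it, SSH only protects the session content, not who may attempt to open one.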
Configuring SSH with SDM
The process for configuring SSH with SDM is similar to the CLI process; the following figures show
the various steps:
Figure 15 - Create an SSH username/password
Figure 16 - Go to the Router Properties screen
Syslog
One of the available options for logging support is through the use of a syslog server for historical
logging and alerting purposes. The syslog client on the device is configured to send its logging
information to the server formatted as a syslog message. Syslog offers a number of different severity
levels which are used to separate out routine actions from more serious conditions; a lower number
means a more severe condition. The following is a list of the syslog severity levels:
Level Name
0 Emergencies (system unusable)
1 Alerts (immediate action needed)
2 Critical
3 Errors
4 Warnings
5 Notifications (normal but significant condition)
6 Informational
7 Debugging
SDM can also be used to display the syslog messages coming from a device as shown in the
following screen capture:
Figure 21
Configuring Syslog
Syslog is easy to configure; it simply requires the following:
First, configure the device to log to a specific syslog server; the server parameter can be an IP
address or hostname. Syslog is sent in cleartext over UDP port 514 by default, so the server should be
reached over the management network.
router(config)#logging host server
Second, set the maximum severity of the messages sent to the server. Choosing a level sends messages
of that level and of every more severe (lower-numbered) level; for example, warnings sends levels 0 to 4.
router(config)#logging trap severity-level
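The two commands above together with the settings which make the exported log usable for correlation, as an added example which is not part of the original page; the server address 10.1.1.50, the interface Loopback0 and the buffer size are illustrative values:

```cisco
! Added example (not from the original page): syslog export with timestamps.
! Server 10.1.1.50, Loopback0 and the 64 KB buffer are illustrative values.
!
! Timestamp every log line with date, time and milliseconds so that entries
! from different devices line up once NTP has synchronized their clocks.
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
!
! Keep a local copy in RAM in case the server is unreachable.
logging buffered 64000 informational
!
! Send to the collector from a stable source address so that the server can
! attribute messages to this device regardless of which link they leave on.
logging host 10.1.1.50
logging source-interface Loopback0
!
! Send level 6 (informational) and everything more severe; leave debugging (7)
! off the wire, it is noisy and is turned on only while troubleshooting.
logging trap informational
!
! Do not flood the console; the server and the buffer hold the messages.
logging console critical
logging on
!
! Verification (privileged EXEC):
!   show logging   - buffer contents, trap level and configured hosts
```

The timestamp and sequence-number services matter as much as the trap level: a message which arrives without a reliable time cannot be placed next to the matching entries from a firewall or a switch, which is the whole point of central logging.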
Configuring Syslog with SDM
The process for configuring syslog with SDM is similar to CLI; the following figures will show
the various steps:
Simple Network Management Protocol (SNMP)
SNMP is the standard network management protocol. Its main purpose is to monitor and manage network
nodes. There are three versions of SNMP: version 1, version 2c and version 3. Versions 1 and 2c are
very similar in security features: both identify the manager with a community string sent in cleartext,
and neither provides message integrity or encryption. Version 3 adds user-based authentication, message
integrity and the ability to encrypt the management traffic.
SNMP Components
SNMP version 1 and 2c have three main components:
SNMP Manager – This is a role which is taken by the Network Management Server (NMS);
it manages the devices and receives any trap information from the devices.
SNMP Agent – The SNMP agent runs on the device and allows the manager to manage the
device and sends trap messages to the server, if set up.
Management Information Base (MIB) – A series of objects which hold the information
collected for SNMP.
SNMP Message Types
SNMP sends messages between the manager and the agent; the three main message types are:
GET – A message used to retrieve information.
SET – A message used to set a variable on a managed device.
Trap – An unsolicited message which is sent from the Agent to the Manager which tells of a
significant device event. Version 2c also added the Inform, a trap which the manager acknowledges,
so the agent can retransmit it if no acknowledgement arrives.
SNMP Security Levels
SNMP version 3 defines three security levels, which are selected per group and per user:
noAuthNoPriv – No authentication and no privacy (encryption); only the username is checked.
authNoPriv – Messages are authenticated (HMAC with MD5 or SHA) but not encrypted.
authPriv – Messages are both authenticated and encrypted (DES, 3DES or AES).
Configuring SNMP
SNMP version 1 and 2c configuration only requires that the communities be set and, if wanted, that
traps be enabled and sent to a host. Because the community string is the only credential, it should
never be left at the well-known defaults (public and private), a read-write community should be set
only where writes are actually needed, and each community should be restricted to the management
station with a standard access list number added at the end of the command.
First, set the SNMP community information.
This command will set the read-only community:
router(config)#snmp-server community community RO
This command will set the read-write community:
router(config)#snmp-server community community RW
Second, enable traps on the device.
router(config)#snmp-server enable traps
Third, set the host to send traps or informs to.
router(config)#snmp-server host ip-address/hostname community
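The version 1/2c commands above beside the version 3 equivalent which gives the authPriv level described earlier, as an added example which is not part of the original page; the management station 10.1.1.50, access list 10, the view, group and user names and the key strings are illustrative values:

```cisco
! Added example (not from the original page): weak SNMP versus hardened SNMP.
! 10.1.1.50, access list 10, MGMT-VIEW, MGMT-GROUP, nms-user and the key
! strings are illustrative values.
!
! --- Weak: default community names, read-write enabled, any source accepted.
! Anyone who can reach UDP 161 can read the whole MIB and rewrite the config.
snmp-server community public RO
snmp-server community private RW
!
! --- Hardened v2c: remove the defaults, non-guessable read-only community,
! and only the management station may use it.
no snmp-server community public
no snmp-server community private
access-list 10 permit host 10.1.1.50
access-list 10 deny any log
snmp-server community Rd0nly-7hK2 RO 10
!
! --- SNMPv3 authPriv: the manager authenticates with SHA and the payload is
! encrypted with AES-128, so the credential never crosses the wire in clear.
snmp-server view MGMT-VIEW iso included
snmp-server group MGMT-GROUP v3 priv read MGMT-VIEW access 10
snmp-server user nms-user MGMT-GROUP v3 auth sha AuthPassw0rd! priv aes 128 PrivPassw0rd!
!
! Traps: only the events the NMS actually handles, sent as v3 authPriv from a
! stable source address.
snmp-server enable traps snmp linkdown linkup coldstart
snmp-server enable traps config
snmp-server trap-source Loopback0
snmp-server host 10.1.1.50 traps version 3 priv nms-user
!
! Verification (privileged EXEC):
!   show snmp community   - communities and the ACL bound to each
!   show snmp user        - v3 users with their auth and priv protocols
!   show snmp group       - group to view mappings and security level
```

The v3 user line is not displayed in show running-config on IOS, so show snmp user is the way to confirm that the user exists and that priv (not just auth) was accepted.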

Network Time Protocol (NTP)
NTP is used to synchronize the clocks of the devices on a network so that all network devices have the
same time. This is very useful for troubleshooting and incident investigation, as the logging information
from the various devices can then be correlated to a specific event; without it, timestamps from
different devices cannot be lined up reliably.
Configuring NTP
Typical NTP configuration is very easy. The device starts synchronizing as soon as a server is
specified; a second command optionally keeps the hardware calendar in step with NTP on platforms
which have one.
First, set up the NTP servers which will be used to synchronize time. Specify more than one where possible.
router(config)#ntp server ip-address/hostname
Second, on platforms with a hardware calendar (a battery-backed clock), have NTP update it periodically
so that the correct time survives a reload.
router(config)#ntp update-calendar
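An authenticated NTP client configuration built on the two commands above, as an added example which is not part of the original page; the server addresses 10.1.1.5 and 10.1.1.6, key number 1, the key string, access list 20 and Loopback0 are illustrative values:

```cisco
! Added example (not from the original page): authenticated NTP client.
! 10.1.1.5, 10.1.1.6, key 1, the key string, ACL 20 and Loopback0 are
! illustrative values.
!
! Time zone for display only; NTP itself always exchanges UTC.
clock timezone UTC 0
!
! Symmetric key shared with the time servers. A spoofed, unauthenticated
! server can move the clock and silently break log correlation.
ntp authenticate
ntp authentication-key 1 md5 NtpSharedS3cret
ntp trusted-key 1
!
! Two servers; "prefer" breaks ties and "key 1" requires each reply to carry
! a valid MAC computed with key 1.
ntp server 10.1.1.5 key 1 prefer
ntp server 10.1.1.6 key 1
!
! Send NTP from the loopback so the servers see one stable source address.
ntp source Loopback0
!
! Accept time only from the configured servers; packets from any other
! source match no access group and are dropped.
access-list 20 permit host 10.1.1.5
access-list 20 permit host 10.1.1.6
ntp access-group peer 20
!
! Write NTP time to the hardware calendar periodically (platforms with one).
ntp update-calendar
!
! Verification (privileged EXEC):
!   show ntp status        - "Clock is synchronized" once a server is accepted
!   show ntp associations  - "*" marks the system peer, "+" a candidate
```

Synchronization is not instant: after these commands show ntp status reports unsynchronized for several polling intervals while the router measures the offset, so check again a few minutes later before concluding that the key or the access list is wrong.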
