Enhancing Management Security

This chapter discusses methods of enhancing security in CiscoSecure management operations.

Considerations for a Total Security Solution

The security of your network can be compromised in many ways beyond the data exchange between the NAS and the CiscoSecure ACS. This section identifies areas that are potential security hazards and gives you advice on what you can do to protect these key areas, or security holes, against potential intruders.

Enabling SSL on the Web Server

To protect data transfers (which can include passwords) between the CiscoSecure ACS graphical user interface (GUI) and your web browser, enable the Secure Socket Layer (SSL) protocol. SSL is a security protocol created by Netscape Communications Corporation. This protocol ensures that data is encrypted before being transferred over the network.

CiscoSecure ACS software provides security for remote access, and SSL provides security for data transfer between the Netscape FastTrack web server and browser.

The CiscoSecure ACS GUI communicates with the Netscape FastTrack web server, and the web server in turn communicates with the CiscoSecure ACS database. By employing CiscoSecure ACS and enabling SSL, you can provide secure data transfer into and within your network.

SSL works by requiring Netscape Navigator to authenticate only a server that has a key signed by either Netscape or VeriSign. VeriSign will sign your keys for a fee, provided you comply with certain requirements.

Caution

Enabling SSL on the FastTrack web server significantly slows communications with the web browser. Before enabling SSL, consider the relative importance of browser performance versus browser security as applied to your situation.

Step 1

http://name of your FastTrack server:64000

user name: admin

Password: <password>

Step 4

From the command buttons at the top of the window, click Encryption.

Step 9

Request a certificate from a Certification Authority (such as VeriSign at www.verisign.com) and obtain a signed key.

Step 10

When you receive the server certificate, click Install Certificate from the Server Manager window.

Step 11

Complete the online form, then click OK to install the server certificate.

Physical Security of the CiscoSecure ACS

Keep your CiscoSecure server and NASes in a locked room. Restrict access to that room and the servers within it.

Unless physically protected, intruders can attack your network at several points. Perhaps most damaging is the possibility that an intruder can approach a security server and remove its disk drive for later analysis. Additionally, when security servers are physically accessible, intruders can potentially boot the server from a CD or floppy disk, then mount the hard disk from the system, and finally change the root password. With a new root password known only to the intruder, the potential for damage is limitless.

In other cases, the intruder might disrupt service by turning off the server or disconnecting it from the network. A "denial of service" attack might even involve destroying the security server or its disk; this is another scenario where keeping good backups can reduce downtime.

Physical Security of Access Server Clients

If at all possible, keep the local telephone closet locked. When the telephone lines going into a NAS are adequately secured, wire-tapping of telephone lines or monitoring of keystrokes becomes difficult (although not impossible).

Securing Firewall Configurations

Keep remote access to security servers as restricted as possible. Even with security servers physically locked down, attacks can be launched remotely by intruders if they can access the servers through the network. Many software bugs have eventually turned out to be security holes. For this reason, you should avoid using any unnecessary services on the security server that might potentially have as-yet-unknown security holes.

Securing the Local Network Access

Most networks have large numbers of unencrypted passwords and other data flowing over them. As such, local users are able to "snoop," or easily extract, data flowing over broadcast technology networks such as Ethernet. At the very least, consider using secure methods of logging in and manipulating security configurations (for example, use Kerberized and encrypted rlogin access, SSL browsers, or dedicated and physically secured serial lines).

Do not allow local users to access security servers, even if the local users lack any privileges to change the configurations. This helps prevent exploitation of potential security holes that might exist but are generally not known.

Choosing a Password

Construct passwords that are fairly long (at least 8 characters) and consist of letters (uppercase and lowercase) and numbers. Confirm that the password cannot be easily guessed by people with familiarity with the local organization or personnel. Password-guessing attacks are the easiest and most common type of network intrusion. The easier a password is to guess, the faster an attacker can gain access to protected data.

Transmitting Passwords

Even well-chosen passwords are easily captured if sent in cleartext over broadcast media (such as Ethernet). Normally, protocols such as Telnet and rlogin do not encrypt passwords that are sent over the network although the destination system might encrypt those passwords upon arrival.

Use different passwords for the security servers and other systems, especially ones that can be accessed through unencrypted protocols. Some protocols, such as Kerberized Telnet, do not send the password over the network in cleartext, but subsequent data is still unencrypted. Consequently, while these protocols limit exposure, they do not entirely restrict exposure.

Note Xterminals send unencrypted data over the network, so even if you send your password to a local secure system, the password will still be exposed for capture between the Xterminal and the system hosting the displayed sessions.

Installing CiscoSecure ACS

Confirm that your installation of CiscoSecure ACS is conducted in one session. Do not interrupt the installation. Similarly, do not leave your server unattended if you are conducting subsequent configurations, such as adding new users or support for a new one-time password card. An intruder can potentially gain sensitive information during configurations and use the information later.

Do not install CiscoSecure ACS over an unsecure network; instead, install CiscoSecure ACS at the system console.

Passing Configuration Information

When providing configuration information to anyone (even technical support personnel), remove sensitive information such as passwords. Replace sensitive information such as password strings with "XXXXXX."

Protecting Your Web Server

Do not use the Netscape FastTrack Server software (which came bundled with CiscoSecure ACS) to serve any web pages that are not part of CiscoSecure ACS.

Use SSL for encrypted connections to the Netscape FastTrack Server. This provides a high degree of security. Users can use their own web browsers to connect to the CiscoSecure ACS database to change their own passwords. As such, all of the data traffic is vulnerable and should be encrypted.

Security Precautions Using the Microsoft Internet Explorer Browser

As a security precaution, administrators who use the Microsoft Internet Explorer (IE) browser to access CiscoSecure ACS Administrator web pages should avoid saving any HTML bookmarks in their browser that might include clear text password strings to those pages.

This precaution is not necessary for administrators who use the Netscape Navigator or Netscape Communicator browser, for which the secure post method of HTML form processing and page retrieval has been enabled.

If necessary, the post method of HTML form processing and web page retrieval can also be activated for Microsoft IE browsers by running the IESecure UNIX script from the CiscoSecure $BASEDIR/utils/bin directory following successful CiscoSecure ACS installation:

Step 1

./IESecure

Caution

Enabling the post method causes the CiscoSecure ACS Administrator web pages to hang within the Microsoft IE browser after a period of inactivity (around 5 minutes). In this situation, restart the Microsoft IE browser and log in to the web pages again.

Table Of Contents