Table Of Contents
Considerations for a Total Security Solution
Enabling SSL on the Web Server
Physical Security of the CiscoSecure ACS
Physical Security of Access Server Clients
Securing Firewall Configurations
Securing the Local Network Access
Passing Configuration Information
Security Precautions Using the Microsoft Internet Explorer Browser
Enhancing Management Security
This chapter discusses methods of enhancing security in CiscoSecure management operations.
Considerations for a Total Security Solution
The security of your network can be compromised in many ways beyond the data exchange between the NAS and the CiscoSecure ACS. This section identifies areas that are potential security hazards and gives you advice on what you can do to protect these key areas, or security holes, against potential intruders.
• Enabling SSL on the Web Server
• Physical Security of the CiscoSecure ACS
• Physical Security of Access Server Clients
• Securing Firewall Configurations
• Securing the Local Network Access
• Passing Configuration Information
Enabling SSL on the Web Server
To protect data transfers (which can include passwords) between the CiscoSecure ACS graphical user interface (GUI) and your web browser, enable the Secure Sockets Layer (SSL) protocol. SSL is a security protocol created by Netscape Communications Corporation. This protocol ensures that data is encrypted before being transferred over the network.
CiscoSecure ACS software provides security for remote access, and SSL provides security for data transfer between the Netscape FastTrack web server and browser.
The CiscoSecure ACS GUI communicates with the Netscape FastTrack web server, and the web server in turn communicates with the CiscoSecure ACS database. By employing CiscoSecure ACS and enabling SSL, you can provide secure data transfer into and within your network.
SSL works by requiring Netscape Navigator to authenticate only a server that has a key signed by either Netscape or VeriSign. VeriSign will sign your keys for a fee, provided you comply with certain requirements.
Caution Enabling SSL on the FastTrack web server significantly slows communications with the web browser. Before enabling SSL, consider the relative importance of browser performance versus browser security as applied to your situation.
To enable SSL on your web server, follow these steps:
Step 1 Log in to the FastTrack Server as the administrator (root privileges). Enter:
http://name of your FastTrack server:64000
You are prompted for a username and password.
Step 2 Enter the username and password, for example:
User name: admin
Password: <password>
The Netscape Server Selector window opens.
Step 3 Click the name of your Netscape FastTrack Server.
Step 4 From the command buttons at the top of the window, click Encryption.
Step 5 On the left side of the window, click Generate Key.
A help window called Generating a key pair opens.
Step 6 Follow the online instructions to generate a server key pair.
Step 7 Click Request Certificate.
The online form called Request a Server Certificate opens.
Step 8 Complete the online form, then click OK.
Step 9 Request a certificate from a Certification Authority (such as VeriSign at www.verisign.com) and obtain a signed key.
Step 10 When you receive the server certificate, click Install Certificate from the Server Manager window.
The online form called Install a Server Certificate opens.
Step 11 Complete the online form, then click OK to install the server certificate.
Step 12 On the left side of the window, click On/Off to enable encryption.
Physical Security of the CiscoSecure ACS
Keep your CiscoSecure server and NASes in a locked room. Restrict access to that room and the servers within it.
Unless these servers are physically protected, intruders can attack your network at several points. Perhaps most damaging is the possibility that an intruder can approach a security server and remove its disk drive for later analysis. Additionally, when security servers are physically accessible, intruders can potentially boot the server from a CD or floppy disk, then mount the system's hard disk, and finally change the root password. With a new root password known only to the intruder, the potential for damage is limitless.
In other cases, the intruder might disrupt service by turning off the server or disconnecting it from the network. A "denial of service" attack might even involve destroying the security server or its disk; this is another scenario where keeping good backups can reduce downtime.
Physical Security of Access Server Clients
If at all possible, keep the local telephone closet locked. When the telephone lines going into a NAS are adequately secured, wire-tapping of telephone lines or monitoring of keystrokes becomes difficult (although not impossible).
Securing Firewall Configurations
Keep remote access to security servers as restricted as possible. Even with security servers physically locked down, attacks can be launched remotely by intruders if they can access the servers through the network. Many software bugs have eventually turned out to be security holes. For this reason, you should avoid using any unnecessary services on the security server that might potentially have as-yet-unknown security holes.
Securing the Local Network Access
Most networks have large numbers of unencrypted passwords and other data flowing over them. As such, local users are able to "snoop," or easily extract, data flowing over broadcast technology networks such as Ethernet. At the very least, consider using secure methods of logging in and manipulating security configurations (for example, use Kerberized and encrypted rlogin access, SSL browsers, or dedicated and physically secured serial lines).
Do not allow local users to access security servers, even if the local users lack any privileges to change the configurations. This helps prevent exploitation of potential security holes that might exist but are generally not known.
Choosing a Password
Construct passwords that are fairly long (at least 8 characters) and consist of letters (uppercase and lowercase) and numbers. Confirm that the password cannot be easily guessed by people familiar with the local organization or its personnel. Password-guessing attacks are the easiest and most common type of network intrusion. The easier a password is to guess, the faster an attacker can gain access to protected data.
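The policy above, as an added checker (not part of CiscoSecure ACS): minimum length, character classes, and a test against a constructed list of organization and personnel names that an insider would guess first, including reversed spellings and the usual digit-for-letter substitutions.

```python
"""Check a candidate password against the guidance above: at least 8
characters, upper- and lowercase letters plus digits, and nothing an
insider could guess from organization or personnel names. Added example,
not part of CiscoSecure ACS; the local word list is constructed."""
import re

MIN_LENGTH = 8

# Constructed list of terms a local attacker would try first: the
# organization, site, host and user names. Replace with your own.
LOCAL_WORDS = ["cisco", "acsbox", "sanjose", "jsmith", "payroll"]

# Undo the usual digit-for-letter substitutions so that "C1sc0" is still
# recognized as "cisco"; guessing tools apply the same transformations.
_FOLD = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def check_password(password: str, local_words=LOCAL_WORDS) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    folded = password.lower().translate(_FOLD)
    for word in local_words:
        w = word.lower()
        # Reversed spellings are a standard guess as well.
        if len(w) >= 4 and (w in folded or w[::-1] in folded):
            problems.append(f"contains guessable local word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "C1sc0ACS!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "ok")
```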
Transmitting Passwords
Even well-chosen passwords are easily captured if sent in cleartext over broadcast media (such as Ethernet). Normally, protocols such as Telnet and rlogin do not encrypt passwords that are sent over the network, although the destination system might encrypt those passwords upon arrival.
Use different passwords for the security servers and other systems, especially ones that can be accessed through unencrypted protocols. Some protocols, such as Kerberized Telnet, do not send the password over the network in cleartext, but subsequent data is still unencrypted. Consequently, while these protocols limit exposure, they do not eliminate it.
Note Xterminals send unencrypted data over the network, so even if you send your password to a local secure system, the password will still be exposed for capture between the Xterminal and the system hosting the displayed sessions.
Installing CiscoSecure ACS
Confirm that your installation of CiscoSecure ACS is conducted in one session. Do not interrupt the installation. Similarly, do not leave your server unattended if you are conducting subsequent configurations, such as adding new users or support for a new one-time password card. An intruder can potentially gain sensitive information during configurations and use the information later.
Do not install CiscoSecure ACS over an insecure network; instead, install CiscoSecure ACS at the system console.
Passing Configuration Information
When providing configuration information to anyone (even technical support personnel), remove sensitive information such as passwords. Replace sensitive information such as password strings with "XXXXXX."
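An added redaction script for the rule above (not a CiscoSecure ACS utility): it replaces every password-like value with "XXXXXX" before the file leaves your hands. The secret key names and the line forms it understands (key = value, key: value, key value, quoted or bare) are assumptions, because the page does not show the ACS configuration syntax; the sample input is constructed.

```python
"""Redact secrets from configuration text before handing it to anyone,
replacing each password value with "XXXXXX" as the guidance above asks.
Added example, not a CiscoSecure ACS utility: the key names and the
line forms are assumptions, since the page does not show the ACS
configuration syntax."""
import re

REDACTED = "XXXXXX"

# Key names whose values are secrets (assumed; extend for your own files).
# Matched as whole words, so "password_expiry_days = 90" and
# "keyfile = /path" are left alone, but "admin_password = ..." is caught.
SECRET_KEYS = ("password", "passwd", "secret", "key", "community")

_SECRET_LINE = re.compile(
    # optional leading words, then the secret key name, then '=' or ':'
    r"^(?P<prefix>\s*(?:[\w-]+\s+)*?[\w-]*?(?:" + "|".join(SECRET_KEYS) + r")\b\s*[=:]?\s*)"
    # the value: double-quoted, single-quoted, or a bare token
    r"(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'|(?P<bare>\S+))"
    r"(?P<rest>.*)$",
    re.IGNORECASE,
)


def redact_line(line: str) -> str:
    """Return the line with its secret value replaced, or unchanged."""
    m = _SECRET_LINE.match(line)
    if m is None:
        return line
    if m.group("dq") is not None:
        value = f'"{REDACTED}"'
    elif m.group("sq") is not None:
        value = f"'{REDACTED}'"
    else:
        value = REDACTED
    return f"{m.group('prefix')}{value}{m.group('rest')}"


def redact_config(text: str) -> str:
    """Redact every line; errs toward redacting too much rather than too little."""
    return "\n".join(redact_line(line) for line in text.splitlines())


# Constructed sample input; not taken from a real CiscoSecure ACS installation.
SAMPLE_CONFIG = """\
# constructed sample configuration
hostname acs-01
admin_password = Tr0ub4dor&3
tacacs_key "sh4red key"
snmp community: public
password_expiry_days = 90
keyfile = /etc/acs/server.key
"""

if __name__ == "__main__":
    print(redact_config(SAMPLE_CONFIG))
```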
Protecting Your Web Server
Do not use the Netscape FastTrack Server software (which came bundled with CiscoSecure ACS) to serve any web pages that are not part of CiscoSecure ACS.
Use SSL for encrypted connections to the Netscape FastTrack Server. This provides a high degree of security. Users can use their own web browsers to connect to the CiscoSecure ACS database to change their own passwords, so this traffic carries passwords; all of it is vulnerable to capture and should be encrypted.
Security Precautions Using the Microsoft Internet Explorer Browser
As a security precaution, administrators who use the Microsoft Internet Explorer (IE) browser to access CiscoSecure ACS Administrator web pages should avoid saving any HTML bookmarks in their browser that might include clear text password strings to those pages.
This precaution is not necessary for administrators who use the Netscape Navigator or Netscape Communicator browser, for which the secure post method of HTML form processing and page retrieval has been enabled.
If necessary, the post method of HTML form processing and web page retrieval can also be activated for Microsoft IE browsers by running the IESecure UNIX script from the CiscoSecure $BASEDIR/utils/bin directory following successful CiscoSecure ACS installation:
Step 1 Log in as [root] to the machine on which the CiscoSecure ACS is installed.
Step 2 Change to the $BASEDIR/utils/bin directory, and enter:
./IESecure
Caution Enabling the post method causes the CiscoSecure ACS Administrator web pages to hang within the Microsoft IE browser after a period of inactivity (around 5 minutes). In this situation, restart the Microsoft IE browser and log in to the web pages again.
Posted: Wed Feb 16 10:10:10 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.