Chapter 1: Network Management
Management Plane Traffic
The management plane consists of the maintenance traffic sent to a device so that it can be configured and monitored. In other words, this is the traffic that carries not only your configuration sessions, but also the messages to and from Cisco devices that maintain and report status.
An example of this type of maintenance traffic is SNMP, the Simple Network Management Protocol. Routers and switches are generally configured with a management IP address for remote configuration, because most devices are not physically reachable for a console-cable connection. A console cable is the blue rollover cable that Cisco supplies when you purchase any of its devices; it connects a user's serial port to the console port on the device. The console port is generally safe from intruder access, unless your data center and the locations where you keep your remote switches are not physically secured. Configuring an IP address on a device allows management traffic to and from that device. Because devices are reachable over network connections, the risk of intrusion is high. Not only is the configuration traffic at risk, but so is the traffic sent to other devices for logging and management purposes, such as SNMP. This risk cannot be avoided, because IP connectivity to devices is required in order to administer them from a remote location. As a result, a set of best practices has been developed to help mitigate this risk and lower it to a more acceptable level.
One of the first and easiest best practices is to use strong, complex passwords. Dictionary words should not be used in passwords for your management accounts, as they are susceptible to dictionary attacks. A dictionary attack runs down a list of dictionary words, attempting each one against the router in an effort to break the password and gain access. This type of attack can be combined with a brute force attack, in which the attacker continuously tries every possible password until it breaks. Combinations of letters, numbers, and symbols help mitigate this threat. Here is a good tip: when configuring a password on the router or switch under the username command, use the secret keyword instead of the password keyword. This enables better encryption of the password within the running configuration. Even when you enable the service password-encryption command, which scrambles the password, a password stored with the password keyword can still be broken; a simple Internet search turns up tools that break it in only minutes. Using the secret keyword applies stronger encryption, so the password cannot be read from the configuration. Minimum password lengths should be enforced on enable secret and line passwords, which makes them stronger and more difficult to crack. Administrators are encouraged to change these passwords
Another best practice is knowing how to implement user authentication on a router or switch for management traffic. In addition to passwords, usernames should be required for all access to the device. Seeing who is attempting to sign in to a device can be very beneficial, especially if a security breach occurs. Authentication should be enabled on every access path into a device. This includes all terminal lines, which should use SSH instead of Telnet to provide a more secure connection. SSH encrypts the traffic, while Telnet sends everything in clear text.
Console and auxiliary lines should also require authentication, in case the physical security of the device is breached and someone is able to access these ports directly. AAA is the best option available; it provides authentication, authorization, and accounting of user logins.
Best practice also holds that an external authentication server is the most secure option, with the local database as a fallback in case the authentication server cannot be reached. An exec timeout, which sets a limit on how long a connection may remain inactive, should also be used; after the exec timeout expires, the connection is terminated. Cisco ACS provides a platform for a centrally managed database of user accounts and groups. It monitors all authentication requests and successes and the authorization of these user accounts, and it audits all user account actions. All of this is done centrally on one device, with only a few lines of AAA configuration and authentication server information on each router you wish to manage. You will also need to create a few usernames on the routers or switches in order to maintain a local database backup on each device. The local database provides a fallback if, for some reason, network connectivity to your authentication server goes down; in that event, you retain the ability to manage and monitor the device.
RBAC and Management Protocols
Another best practice is instituting role-based access control, which limits access according to particular administrative roles. Not every administrator needs the same access, so you can lower the access level for particular users. For example, you can create a group of junior administrators and put specific users in this group. This group would have lower privilege access to devices than the senior administrator group, which has full control over what happens on the devices. This helps ensure that an inexperienced engineer does not make mistakes on an important network system.
Management protocols should also be restricted on the network. Telnet and HTTP GUI access should be removed wherever possible, because their traffic is not secured. Telnet sends username and password information between the user and the device in clear text, so a man-in-the-middle attacker who sniffs the traffic can capture the credentials easily. SSH should be used exclusively for remote access to devices. HTTPS should be used wherever an HTTP GUI session to a specific device is required, so that the session is secured.
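The practices in this chapter (secret instead of password, service password-encryption, minimum password length, AAA with a local fallback, exec timeouts and authentication on every line, SSH-only remote access, HTTP off and HTTPS on, and separate privilege levels for junior and senior administrators) can be checked mechanically against a device's running configuration. The Python script below is an added example written for this edition, not code from the book or from Cisco: it parses a config into global commands and line sections and reports each weakness it finds. Both sample configurations are constructed for illustration, the secret values are placeholders rather than real credentials, and the parser is deliberately simple (it assumes IOS-style one-space indentation for line bodies and does not cover every syntax variant a real device can emit).

```python
"""Audit a Cisco IOS running-config for the management-plane weaknesses this chapter
describes.  Added example: sample configs are constructed, secret values are placeholders."""
import re

# Constructed sample: a device showing the weak settings the chapter warns about.
WEAK_CONFIG = """\
no service password-encryption
enable password cisco123
username admin password 0 letmein
ip http server
line con 0
 exec-timeout 0 0
line aux 0
 no login
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Constructed sample: the same device after the chapter's best practices are applied.
HARDENED_CONFIG = """\
service password-encryption
security passwords min-length 12
enable secret <ENABLE-SECRET-PLACEHOLDER>
aaa new-model
aaa authentication login default group tacacs+ local
username senior privilege 15 secret <SENIOR-SECRET-PLACEHOLDER>
username junior privilege 5 secret <JUNIOR-SECRET-PLACEHOLDER>
no ip http server
ip http secure-server
line con 0
 exec-timeout 5 0
line aux 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
 transport input ssh
"""


def parse_config(text):
    """Split into global commands and per-'line' sections (bodies indented one space)."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections.setdefault(current, [])
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit(text):
    """Return a list of finding strings; an empty list means the config passes."""
    global_cmds, sections = parse_config(text)
    gset, findings = set(global_cmds), []
    aaa_enabled = "aaa new-model" in gset
    # Password storage: secret keyword, password-encryption service, minimum length.
    if "service password-encryption" not in gset:
        findings.append("global: service password-encryption is not enabled")
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append("global: enable secret not configured (enable password is breakable)")
    for c in global_cmds:
        m = re.match(r"username (\S+) .*\bpassword\b", c)
        if m:
            findings.append(f"global: username {m.group(1)} uses password instead of secret")
    if not any(c.startswith("security passwords min-length") for c in global_cmds):
        findings.append("global: no minimum password length enforced")
    # AAA: enabled, with the local database as fallback on every login method list.
    if not aaa_enabled:
        findings.append("global: AAA not enabled (aaa new-model missing)")
    for c in global_cmds:
        if c.startswith("aaa authentication login") and "local" not in c.split():
            findings.append(f"global: no local fallback in '{c}'")
    if "ip http server" in gset:  # plaintext HTTP GUI should be off; use ip http secure-server
        findings.append("global: plaintext HTTP management enabled")
    # Terminal lines: authentication, idle timeout, SSH-only remote transport.
    for name, body in sections.items():
        # Under aaa new-model a line without a 'login' command still uses the default list.
        if "no login" in body or (not aaa_enabled and not any(b.startswith("login") for b in body)):
            findings.append(f"{name}: no authentication required")
        if "exec-timeout 0 0" in body or not any(b.startswith("exec-timeout") for b in body):
            findings.append(f"{name}: idle sessions never time out")
        if name.startswith("line vty"):
            transports = [b.split()[2:] for b in body if b.startswith("transport input")]
            if not transports or any(t != ["ssh"] for t in transports):
                findings.append(f"{name}: remote access not restricted to SSH")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Running the script reports twelve findings for the weak sample and none for the hardened one. The hardened sample also shows the role separation described above: the senior account is created at privilege 15 and the junior account at privilege 5, so the junior group cannot change configuration that only the senior group should touch. In practice you would feed the output of `show running-config` from each managed device into audit() rather than the embedded samples.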