Document: Hardening Guidelines for Cisco 3000 Series VPN Concentrators (pptx)


DOCUMENT INFORMATION

Basic information

Title: Hardening guidelines for Cisco 3000 series VPN concentrators
Author: David W. Chapman, Jr.
Institution: Global Knowledge
Category: White paper
Year published: 2005
Pages: 10
Size: 894.67 KB


Contents

Hardening Guidelines for Cisco 3000 Series VPN Concentrators

Expert Reference Series of White Papers


Cisco’s 3000 series VPN Concentrators continue to be one of its most popular security product offerings. Due to their reliability, fault tolerance, ease of setup, management, and monitoring, they scale well from small remote sites to large enterprise solutions. The default policies shipped with the units allow an administrator to quickly and easily place a unit into production within an hour of unpacking. But, like any sophisticated security appliance, one must carefully review the default policies and be prepared to make an informed decision about which features should remain active and which to disable.

The purpose of this paper is to highlight some of the most important areas where one can increase the overall security posture of the VPN Concentrator through hardening common features such as Administrative Access, User Access, Network Management Access and Interface Policies. This paper assumes the reader has experience configuring the 3000 series concentrators and is familiar with navigating the menu structure in the web-based GUI and the CLI. For reference, this paper was written assuming a Cisco 3005 VPN Concentrator running version 4.7 of the VPN OS is used.

Securing Administrative Access

The first area of focus is securing console and remote administration access to the concentrator. If an intruder can “sniff” your username and password with a protocol analyzer, your network can be easily compromised by the eavesdropper.

There are two areas in the configuration tree that concern the control of local and remote access to the concentrator: Administration | Access Rights and Configuration | System | Management.

Securing Access Rights

On your concentrator, navigate to Administration | Access Rights as shown in figure 1.

David W Chapman, Jr., Global Knowledge Instructor, CISSP-ISSAP, CCSI, CCNP, CCDP, CCSP


Figure 1 – Configure Administrator Access

Click on the Administrators link and you will be presented with a list of default user accounts. The only account that should be enabled is “admin”. Click on the Modify button to the right of the admin user.

Because attackers have easy access to lists of default usernames and passwords, it is important to change not only the default password, but the username as well. Half of the difficulty of remotely cracking a password is knowing a valid username. Use this screen to change the default username to a non-obvious value. The use of “admin”, “administrator”, “root”, or “cisco” as usernames is strongly discouraged, as attackers will surely use these. The concentrator allows usernames and passwords of up to 31 characters.

Note: Unfortunately, the concentrator does not directly support an account lockout threshold. This can only be set if TACACS+ is used to authenticate administrative users. To determine if an attacker is targeting the administrator account, navigate to Monitoring | Filterable Event Log. Select the “Auth” Event Class and “Newest to Oldest” in the Direction drop-down menu, and then click the Get Log button. A popup window will show any authentication failures.

The following URL will take you to a security site that lists default username/password combinations for popular network equipment, including the 3000 series concentrators:

http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php

Once you have changed the default username and password, click the Apply button to return to Administration | Access Rights. Click the Access Settings link. On this page, you will modify the idle


trator session after 10 minutes of inactivity. If your security policy dictates a smaller value, it can be modified from 1 to 1800 seconds. The default session limit of 10 simultaneous administrators is excessive. Typically, there should be no need for more than 2 or 3 simultaneous sessions to the administration interface.

The Config File Encryption setting determines whether sensitive fields such as passwords and pre-shared key values are stored in clear text or encrypted. The difference between RC4 and DES is that with DES selected, the config file is non-portable between concentrators. RC4 encryption allows a config file to be installed into another 3000 series concentrator of the same model. In the unlikely event of a hardware failure, it is useful to be able to quickly configure the replacement unit.

Securing Management Protocols

The Cisco 3000 Series VPN Concentrators offer a wide array of protocols to manage, monitor, and maintain your VPN perimeter. The defaults are in place to give you the most flexible solution right out of the box. However, many of the default management protocols transfer authentication data in clear text over the wire. This presents a serious risk to the confidentiality of usernames and passwords used to access the concentrator. Table 1 lists the available management protocols and their default settings.

Table 1 – 3000 Series Management Protocols

Management Protocol | Enabled By Default | Encrypted Transport | Transport Protocol | Service Port

Once you have successfully made a connection via HTTPS, it is highly recommended you disable all protocols that do not use encryption. Cisco has grouped all of the non-encrypted protocols in the same section for easy access. You can access this section by navigating to Configuration | System | Management Protocols in the GUI interface as shown in figure 2.

Figure 2 – Management Protocols

For each protocol you decide to disable, click on its link and de-select the Enable checkbox, then click the Apply button. Be sure to save your configuration by clicking the Save Needed floppy disk icon in the upper-right corner of the page.

Securing Network Management Access

Cisco offers two methods to centrally manage the 3000 Series Concentrators: SNMP and XML. Although SNMP is enabled by default, no community strings, such as the ubiquitous “public” and “private”, are configured. Because SNMP is inherently insecure, if you must run SNMP, the best practice is to send messages over the External interface to an out-of-band network. For more information on the design of an out-of-band management network, please refer to the Management Module of Cisco’s White Paper “SAFE: A Security Blueprint for Enterprise Networks” at: http://www.cisco.com/go/safe

Unless you are using an XML-based network management system, XML management should be disabled. There is a risk that an internal attacker could exploit the XML interface to gain information about the concentrator’s configuration.

To monitor the normal operation of your concentrator, it is essential that you configure logging services and define a syslog server. Begin by navigating to Configuration | System | Events | General.

The default logging configuration uses the concentrator-specific logging format, allows logging of event levels 1 – 5 to enter the logging system, and event levels 1 – 5 to the console. For ease of reading and consistency with other Cisco syslog messages, change the Syslog Format to Cisco IOS Compatible. To reduce the logging load on the concentrator CPU, disable console logging and send messages to a syslog server instead, as shown in figure 3.

Figure 3 – Logging Event Configuration

Next, click on the Apply button to return to Configuration | System | Events | General. Select the Syslog Servers link, click on the Add button and enter the IP address of your syslog server. Click on the Add button to complete the transaction and return to the previous menu. Because logging information is sent in clear text, it is best to send events to a syslog server on an out-of-band network via the External interface.
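As an added example that is not part of the paper, the following Python check is something a defender could run on the syslog server to compensate for the missing account lockout threshold noted under Securing Access Rights: it counts Auth-class rejections per source address inside a sliding window. The sample lines and their field layout are a constructed approximation, not the concentrator’s documented format, so the regular expression is the part to adapt to a real feed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the style of the concentrator's "Auth" event
# class. The field layout is an assumption made for this example, not a
# format documented in the paper; adapt _LINE to your real syslog feed.
SAMPLE_LOG = """\
101 07/04/2005 10:15:02.120 SEV=3 AUTH/5 RPT=1 192.0.2.25 Authentication rejected: user = admin
102 07/04/2005 10:15:09.400 SEV=3 AUTH/5 RPT=2 192.0.2.25 Authentication rejected: user = admin
103 07/04/2005 10:15:15.011 SEV=4 IKE/52 RPT=7 198.51.100.9 Received IKE message
104 07/04/2005 10:15:21.870 SEV=3 AUTH/5 RPT=3 192.0.2.25 Authentication rejected: user = root
105 07/04/2005 10:16:40.003 SEV=3 AUTH/5 RPT=4 203.0.113.7 Authentication rejected: user = admin
106 07/04/2005 10:17:02.556 SEV=3 AUTH/5 RPT=5 192.0.2.25 Authentication rejected: user = admin
"""

_LINE = re.compile(
    r"^\d+ (?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\.\d+ SEV=\d+ "
    r"(?P<cls>[A-Z]+)/\d+ RPT=\d+ (?P<ip>[\d.]+) (?P<msg>.*)$")

def parse_rejection(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, source IP) for an AUTH rejection line, else None."""
    m = _LINE.match(line)
    if not m or m.group("cls") != "AUTH" or "rejected" not in m.group("msg"):
        return None
    return datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S"), m.group("ip")

def flag_sources(log_text: str, threshold: int = 3,
                 window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Sliding-window count of rejections per source IP. Returns the IPs
    that reach `threshold` failures within `window`, mapped to their peak
    count, i.e. the condition a lockout policy would have reacted to."""
    events: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_rejection(line)
        if parsed:
            events[parsed[1]].append(parsed[0])
    flagged: Dict[str, int] = {}
    for ip, times in events.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                flagged[ip] = max(count, flagged.get(ip, 0))
    return flagged

if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_LOG).items():
        print(f"ALERT: {n} administrator authentication failures from {ip}")
```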

Securing User Access

We will now turn our attention to the policies that control user access through the concentrator. The first step is to examine the policies in the Base Group. The Base Group exists to set global defaults for all groups created later. Because all new groups automatically inherit the settings of the Base Group, you can save time by availing yourself of this feature. To access the Base Group, navigate to Configuration | User Management | Base Group. Many of the settings in this group will depend on your security policy, so only the most general will be examined here.

Although the 3000 Series VPN Concentrators support PPTP, L2TP, L2TP over IPSec, and WebVPN, most companies use only IPSec. If this is the case in your organization, then uncheck all of the Tunneling Protocols except IPSec. This will effectively disable any tunneling protocols not in use.

IKE (Phase I) Policies

Another area of concern is the large number of default IKE Policies. Navigate to Configuration | Tunneling and Security | IPSec | IKE Proposals as illustrated in figure 4.

Figure 4 – Default IKE Policies

Because IKE policies are evaluated in the order they appear in the list, it is probable an IPSec client might negotiate an IKE policy you did not intend. There are also policies that are not appropriate in most environments, such as IKE-DES-MD5 and IKE-3DES-MD5-DH7. The 56-bit DES is no longer considered strong enough for production use and should be deactivated. The DH7 policy refers to Diffie-Hellman group 7 to support Certicom IPSec clients running on PDAs such as Palm and HP iPaq. It is recommended that all IKE policies that are not required to meet the dictates of your security policy be deactivated or deleted altogether.
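As an added example (not from the paper or from Cisco), the following Python models the first-match evaluation described above and flags the proposals the paper singles out. Proposal names are parsed on the IKE-<cipher>-<hash>[-DHn] pattern the two quoted names follow; the rest of the active list, and the assumption that a missing DH suffix means group 2, are this example’s own.

```python
import re
from typing import List, NamedTuple, Optional, Sequence

class Proposal(NamedTuple):
    name: str
    cipher: str    # e.g. DES, 3DES, AES128
    hash_alg: str  # MD5 or SHA
    dh_group: int  # Diffie-Hellman group

# Naming pattern inferred from the two proposal names the paper quotes.
_NAME = re.compile(r"^IKE-(?P<cipher>[A-Z0-9]+)-(?P<hash>MD5|SHA)(?:-DH(?P<dh>\d+))?$")

def parse_proposal(name: str, default_dh: int = 2) -> Proposal:
    """Split a proposal name into its parts. A name without a -DHn suffix
    is assumed (for this example) to use Diffie-Hellman group 2."""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised proposal name: {name}")
    dh = int(m.group("dh")) if m.group("dh") else default_dh
    return Proposal(name, m.group("cipher"), m.group("hash"), dh)

# The two weaknesses the paper calls out: 56-bit DES and DH group 7.
WEAK_CIPHERS = {"DES"}
WEAK_DH_GROUPS = {7}

def weak_proposals(active: Sequence[str]) -> List[str]:
    """Names in the active list that the paper says should be deactivated."""
    return [n for n in active
            if parse_proposal(n).cipher in WEAK_CIPHERS
            or parse_proposal(n).dh_group in WEAK_DH_GROUPS]

def hardened(active: Sequence[str]) -> List[str]:
    """The active list with the weak proposals removed, order preserved."""
    weak = set(weak_proposals(active))
    return [n for n in active if n not in weak]

def negotiate(active: Sequence[str], client_offer: Sequence[str]) -> Optional[str]:
    """First-match selection: the concentrator walks its active list in
    order and accepts the first proposal the client also offered."""
    offered = set(client_offer)
    return next((n for n in active if n in offered), None)

# Constructed active list: the two names from the paper first, followed by
# two stronger proposals in the same naming style (hypothetical ordering).
ACTIVE = ["IKE-DES-MD5", "IKE-3DES-MD5-DH7", "IKE-3DES-SHA", "IKE-AES128-SHA"]

if __name__ == "__main__":
    client = ["IKE-AES128-SHA", "IKE-DES-MD5"]   # client supports both
    print("default order picks:", negotiate(ACTIVE, client))     # IKE-DES-MD5
    print("hardened list picks:", negotiate(hardened(ACTIVE), client))  # IKE-AES128-SHA
```

A client that supports a strong proposal still ends up on DES when the weak entry sits higher in the list, which is exactly why the paper recommends deactivating rather than merely demoting such policies.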

IPSec (Phase II) SAs

The default IKE phase II policies are located in Configuration | Policy Management | Traffic Management | Security Associations as shown in figure 5.

Figure 5 – Default SAs

Just like the IKE policies, Cisco provides a number of default policies to allow administrators to get their systems up and running quickly. Once you have selected the appropriate policy or policies for your network, delete any unneeded SAs by highlighting the SA and clicking the Delete button.

Securing Interfaces

Many administrators are unaware that the default filters on the Public interface may allow unwanted traffic to enter their network. The filter for the Public interface is accessed through Configuration | Policy Management | Traffic Management | Filters. Highlight the filter Public (default) and click on the Assign Rules to Filter button to display the default protocol filters for the Public interface as shown in figure 6.

Figure 6 – Default Public Filters

Once again, Cisco has created defaults to ease initial configuration. But now that you are ready to place your concentrator into production, it is important to remove all filters not required by your security policy. In many cases, the only filters you will require are IPSec-ESP, IKE, and NAT-T. Be certain you understand the function of any filter before you remove it.

Conclusion

Hopefully, you now have an increased awareness as to your responsibilities for the secure administration of Cisco 3000 Series Concentrators. Every security appliance and software application has defaults, and it is critical to understand how the defaults may impact the performance and security posture of your network. Although this paper is not a complete reference to all potential risks in your configuration, examining the areas presented will help you secure your perimeter networks.

Learn More

Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:

SNPA (Securing Networks with PIX and ASA)

SND (Securing Cisco Network Devices)

SNRS (Securing Networks with Cisco Routers and Switches)

CSVPN (Cisco Secure Virtual Private Networks)

For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative.

Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.

About the Author

David W. Chapman, Jr. has more than 15 years of experience in the IT industry. He has been designing and building enterprise network infrastructures with Cisco equipment since 1994, and began specializing in Cisco security products in 1999.

David teaches CSVPN, CSPFA, CSIDS, SECUR, and CCSP Boot Camp courses for Global Knowledge. He holds numerous professional certifications including CISSP-ISSAP, CCSI, CCNP, CCDP, CSSP, and INFOSEC Professional.

He is also a Senior Member of the IEEE.

David is co-editor/author of the 2002 Cisco Press title, “Cisco Secure PIX Firewalls”, and has authored numerous white papers for Global Knowledge and InformIT.

Email: dchapman@securenetconsulting.com

References

Cisco Systems (2005). VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.7. Retrieved 3 July 2005, from http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_book09186a00803ec0ac.html

Convery, S., Trudel, B., et al. (2004). SAFE: A Security Blueprint for Enterprise Networks. Retrieved 2 July 2005, from http://www.cisco.com/go/safe

Unknown (2005). Default Logins and Passwords for Networked Devices. GovernmentSecurity.org. Retrieved 4 July 2005, from http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php

Posted: 21/12/2013, 04:18
