Cisco Systems OL-5650-02 Bedienungsanleitung

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122

Zur Seite of

Richtige Gebrauchsanleitung

Die Vorschriften verpflichten den Verkäufer zur Übertragung der Gebrauchsanleitung Cisco Systems OL-5650-02 an den Erwerber, zusammen mit der Ware. Eine fehlende Anleitung oder falsche Informationen, die dem Verbraucher übertragen werden, bilden eine Grundlage für eine Reklamation aufgrund Unstimmigkeit des Geräts mit dem Vertrag. Rechtsmäßig lässt man das Anfügen einer Gebrauchsanleitung in anderer Form als Papierform zu, was letztens sehr oft genutzt wird, indem man eine grafische oder elektronische Anleitung von Cisco Systems OL-5650-02, sowie Anleitungsvideos für Nutzer beifügt. Die Bedingung ist, dass ihre Form leserlich und verständlich ist.

Was ist eine Gebrauchsanleitung?

Das Wort kommt vom lateinischen „instructio”, d.h. ordnen. Demnach kann man in der Anleitung Cisco Systems OL-5650-02 die Beschreibung der Etappen der Vorgehensweisen finden. Das Ziel der Anleitung ist die Belehrung, Vereinfachung des Starts, der Nutzung des Geräts oder auch der Ausführung bestimmter Tätigkeiten. Die Anleitung ist eine Sammlung von Informationen über ein Gegenstand/eine Dienstleistung, ein Hinweis.

Leider widmen nicht viele Nutzer ihre Zeit der Gebrauchsanleitung Cisco Systems OL-5650-02. Eine gute Gebrauchsanleitung erlaubt nicht nur eine Reihe zusätzlicher Funktionen des gekauften Geräts kennenzulernen, sondern hilft dabei viele Fehler zu vermeiden.

Was sollte also eine ideale Gebrauchsanleitung beinhalten?

Die Gebrauchsanleitung Cisco Systems OL-5650-02 sollte vor allem folgendes enthalten:
- Informationen über technische Daten des Geräts Cisco Systems OL-5650-02
- Den Namen des Produzenten und das Produktionsjahr des Geräts Cisco Systems OL-5650-02
- Grundsätze der Bedienung, Regulierung und Wartung des Geräts Cisco Systems OL-5650-02
- Sicherheitszeichen und Zertifikate, die die Übereinstimmung mit entsprechenden Normen bestätigen

Warum lesen wir keine Gebrauchsanleitungen?

Der Grund dafür ist die fehlende Zeit und die Sicherheit, was die bestimmten Funktionen der gekauften Geräte angeht. Leider ist das Anschließen und Starten von Cisco Systems OL-5650-02 zu wenig. Eine Anleitung beinhaltet eine Reihe von Hinweisen bezüglich bestimmter Funktionen, Sicherheitsgrundsätze, Wartungsarten (sogar das, welche Mittel man benutzen sollte), eventueller Fehler von Cisco Systems OL-5650-02 und Lösungsarten für Probleme, die während der Nutzung auftreten könnten. Immerhin kann man in der Gebrauchsanleitung die Kontaktnummer zum Service Cisco Systems finden, wenn die vorgeschlagenen Lösungen nicht wirksam sind. Aktuell erfreuen sich Anleitungen in Form von interessanten Animationen oder Videoanleitungen an Popularität, die den Nutzer besser ansprechen als eine Broschüre. Diese Art von Anleitung gibt garantiert, dass der Nutzer sich das ganze Video anschaut, ohne die spezifizierten und komplizierten technischen Beschreibungen von Cisco Systems OL-5650-02 zu überspringen, wie es bei der Papierform passiert.

Warum sollte man Gebrauchsanleitungen lesen?

In der Gebrauchsanleitung finden wir vor allem die Antwort über den Bau sowie die Möglichkeiten des Geräts Cisco Systems OL-5650-02, über die Nutzung bestimmter Accessoires und eine Reihe von Informationen, die erlauben, jegliche Funktionen und Bequemlichkeiten zu nutzen.

Nach dem gelungenen Kauf des Geräts, sollte man einige Zeit für das Kennenlernen jedes Teils der Anleitung von Cisco Systems OL-5650-02 widmen. Aktuell sind sie genau vorbereitet oder übersetzt, damit sie nicht nur verständlich für die Nutzer sind, aber auch ihre grundliegende Hilfs-Informations-Funktion erfüllen.

Inhaltsverzeichnis der Gebrauchsanleitungen

  • Seite 1

    Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Cisco Content S er vices S witc h S ecurity Conf iguration Guide Sof twa re V er sion 7 .50 Marc h 2005 Text Part Number: O L-5650-02[...]

  • Seite 2

    THE SPECIFICA T IONS AND INFORMA TION REGARDING THE PRODUCTS IN THIS MAN U AL ARE SUBJECT TO CHANGE WITHOUT NO TICE. ALL ST A TEMENTS, INFORMA TION, AND RECOMMENDA TION S IN THIS MANUAL ARE BELIEVED T O BE A CCURA TE BUT ARE PRESENTED WITHOUT W ARRANTY OF ANY KIND, EX PRESS OR IMPLIED. USERS MUST T AKE FULL RESPONSIBILITY FO R THEIR APPLICA TION OF[...]

  • Seite 3

    iii Cisco Content Services Switch Security Configuration Guide OL-5650-02 CONTENTS Preface xi Audience xii How to Use This Guide xii Related Documentation xiii Symbols and Conventions xvi Obtaining Documentation xvii Cisco.com xvii Documentation DVD xviii Ordering Documentation xviii Documentation Feedback xviii Cisco Product Security Overview xix [...]

  • Seite 4

    Contents iv Cisco Content Services Switch Security Configuration Guide OL-5650-02 Controlling Admi nistrative Access to the CSS 1-10 Enabling Administrativ e Access to the CSS 1-10 Disabling Administrative Access to the CSS 1-11 Controlling CSS Network Traffic Through Access Control Lists 1-12 ACL Overview 1-13 ACL Configuration Quick Start 1-15 Cr[...]

  • Seite 5

    v Cisco Content Services Switch Security Configuration Guide OL-5650-02 Contents Configuring SSHD in the CSS 2-3 Configuring SSHD Keepalive 2-3 Configuring SSHD Port 2-4 Configuring SSHD Server-Keybits 2-4 Configuring SSHD Version 2-5 Configuring Telnet Access When Using SSHD 2-6 Showing SSHD Configurations 2-6 CHAPTER 3 Configuring the CSS as a Cl[...]

  • Seite 6

    Contents vi Cisco Content Services Switch Security Configuration Guide OL-5650-02 Setting the Global TACACS+ Keepalive Fre quency 4-7 Defining a TACACS+ Server 4-8 Setting TACACS+ Authorization 4-11 Sending Full CSS Commands to the TACACS+ Server 4-12 Setting TACACS+ Acco unting 4-13 Showing TACACS+ Server Configuration Information 4-14 CHAPTER 5 C[...]

  • Seite 7

    vii Cisco Content Services Switch Security Configuration Guide OL-5650-02 FIG UR ES Figure 1-1 CSS Directory Access Privileges 1-5 Figure 1-2 ACLs Enabled o n the CSS 1-14 Figure 5-1 Example of FWLB 5-9 Figure 5-2 FWLB with VIP/Interface Redundancy Configuration 5-11[...]

  • Seite 8

    Figures viii Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]

  • Seite 9

    ix Cisco Content Services Switch Security Configuration Guide OL-5650-02 TABLES T able 1-1 ACL Configuration Quick Start 1-16 T able 1-2 Clause Command Option s 1-21 T able 1-3 Field Descriptions for the show acl Command Output 1-31 T able 1-4 Field Descriptions for the show nql Command Output 1-38 T able 2-1 Field Descriptions for the show sshd co[...]

  • Seite 10

    Tables x Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]

  • Seite 11

    xi Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface This guide provides in structions fo r configuring the securi ty features of th e Cisco 11500 Series Co ntent Services Switches (CSS). Information in this guide applies to all CSS models except where noted . The CSS software is a vailable in a Stan dard or optional Enh[...]

  • Seite 12

    Preface Audience xii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Audience This guide is intended for the follo wing trained and qualif ied service personnel who are responsible for conf iguring the CSS: • We b m a s t e r • System adminis trator • System operator How to Use This Guide This guide is or ganized as foll[...]

  • Seite 13

    xiii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Related Documentation Related Documentation In addition to thi s guide, the Content Se rvices Switch docume ntation includes the follo wing publications. Document T itle Description Release Note for the Cisco 11500 Series Content Services Switc h This release note pr[...]

  • Seite 14

    Preface Related Do cumentation xiv Cisco Content Services Switch Security Configuration Guide OL-5650-02 Cisco Conte nt Services Switch Adm inistrati on Guide This guide de scribes how to perform adm inistrative tasks on the CSS, including upg rading your CSS software and co nfigu ring the follo wing: • Logging, includi ng displaying log messages[...]

  • Seite 15

    xv Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Related Documentation Cisco Conte nt Services Switch Cont ent Load-Balancing Conf iguratio n Guide This guide describes ho w to perform CSS content load-balancing configur ation tasks, in cluding: • Flo w and port mapping • Services • Service, global, and script [...]

  • Seite 16

    Preface Symbols and Conventions xvi Cisco Content Services Switch Security Configuration Guide OL-5650-02 Symbols and Conventions This guide u ses the fol lowing symbols and conv entions to identify d if ferent ty pes of informatio n. Caution A caution means that a specific action you take co uld cause a loss of data or adversely impact use of the [...]

  • Seite 17

    xvii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Obtaining Documentation Courier text indicates text that appears on a command line, including the CLI prompt. Courier bold text indicates commands and te xt you enter in a command line. Italics text indicates the first occurrence of a ne w term, book title, emphasize[...]

  • Seite 18

    Preface Documentation Feedba ck xviii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Documentation DVD Cisco documentation and additi onal litera ture are a vailable in a Documentation D VD package, which m ay hav e shipped w ith your produc t. The Document ation D VD is updated regularly an d may be more current than pri nte[...]

  • Seite 19

    xix Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Cisco Product Security O verview Y ou can submit comments by using th e response card (if present) behind the front cov e r of your document or b y writing to the follo wing address: Cisco Systems Attn: Customer Document Or dering 170 W est T asman Driv e San Jose, CA[...]

  • Seite 20

    Preface Obtaining Technical Assistance xx Cisco Content Services Switch Security Configuration Guide OL-5650-02 • Nonemergencies — psirt@cisco.com Ti p W e encourage you to use Pretty Good Pri vac y (PGP) or a compatible produ ct to encrypt any sensiti ve information that you send to Cisco. PSIR T can work from encrypted information that is com[...]

  • Seite 21

    xxi Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Obtaining Techn ical Assistance Access to all tools on the Cisco T echni cal Support W ebsite requires a Cisco.com user ID and password. If you hav e a valid service contract b ut do not hav e a user ID or password, you can re gister at this URL: http://tools.cisco.co[...]

  • Seite 22

    Preface Obtaining Additional Publ ications and Information xxii Cisco Content Services Switch Security Configuration Guide OL-5650-02 For a complete list of Cisco T A C contacts, go to this URL: http://www .cisco.com/t echsupport/contacts Definitions of Service Request Severity T o ensure that all service req uests are reported in a standard format[...]

  • Seite 23

    xxiii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Obtaining Additional Public ations and Information • Pa c k e t magazine is the C isco System s technical user magazine for maximizing Internet and netw orking in vestments. Each quarter , Packet deli vers co verage of the latest industry trends, tech nology break[...]

  • Seite 24

    Preface Obtaining Additional Publ ications and Information xxiv Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]

  • Seite 25

    CH A P T E R 1-1 Cisco Content Services Switch Security Configuration Guide OL-5650-02 1 Controlling CSS Access This chapter describes how to config ure access to the CSS including network traf fic. Information in this chapter applie s to all models of the CSS, except where noted. This chapter contains t he follo wing major sections: • Changing t[...]

  • Seite 26

    Chapter 1 Controlling CSS Access Changing the Administra tive Username and Pa ssword 1-2 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Changing the Administrative Username and Password During the initial log in to the CSS you enter the def ault user name admin and the default passw ord system in lo wercase text. F or securit[...]

  • Seite 27

    1-3 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Creating Usernames and Passwo rds Creating Usernames and Passwords Logging into the CSS requ ires a username and passw ord. The CSS supports a maximum of 32 usernames, inclu ding the administrator and tech nician usernames. Y ou can assign eac[...]

  • Seite 28

    Chapter 1 Controlling CSS Access Creating Usernames and Passwords 1-4 Cisco Content Services Switch Security Configuration Guide OL-5650-02 • password - Specif ies the password is not en crypted. Use this option when you use the CLI to dynamically create use rs. • password - The p assword. Enter an unquoted te xt string with no spaces and a len[...]

  • Seite 29

    1-5 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Creating Usernames and Passwo rds • access - Specifies directory access privileg es for the username. By default, users hav e both read- and write-acces s pr i vileges (B) to all se ven directories. Enter , in order , one of the followi ng a[...]

  • Seite 30

    Chapter 1 Controlling CSS Access Controlling Remote User Access to the CSS 1-6 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Controlling Remote User Access to the CSS T o control access to th e CSS, you can config ure the CSS to authenti cate remote (virtual) or console users. The CSS can a u thenticate users by using the lo[...]

  • Seite 31

    1-7 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling Remote User Access to the CSS Configuring Virtual Authentication V irtual authentication allo ws remote users to log in to the CSS when they are using FTP , T elnet, SSHD, or the Device Management user interface wi th or without re[...]

  • Seite 32

    Chapter 1 Controlling CSS Access Controlling Remote User Access to the CSS 1-8 Cisco Content Services Switch Security Configuration Guide OL-5650-02 T o remov e users currently logged in to th e CSS, use the disconnect command. T o define th e T A CA CS+ server as the p rimary virtual authentication method, enter: #(config) virtual authentication p[...]

  • Seite 33

    1-9 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling Remote User Access to the CSS • secondary - Defines the seco nd authentication method that the CSS u ses if the fi rst method fails. The d efault secondar y console authenticatio n method is to disallow all user access. Note If y[...]

  • Seite 34

    Chapter 1 Controlling CSS Access Controlling Administra tive Access to the CSS 1-10 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Controlling Administrati ve Access to the CSS CSS access through a console, FTP , SSH, SNMP , and T elnet is enabled by default. The CSS su pports a maximum of four FTP sessions and a max imum of [...]

  • Seite 35

    1-11 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling Administrative Access to the CSS • no restrict xml - Enables t he transfer of XML conf iguration f iles to the CSS through unsecu re HTTP connection s (disabled by default). • no restrict web-mgmt - Enables De vice M anagement[...]

  • Seite 36

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-12 Cisco Content Services Switch Security Configuration Guide OL-5650-02 • re strict se cure -xml - Disables the transfer of XML configuration f iles to the CSS through secure HTTPS SSL conn ections (d isabled by default). • re strict xml - Disabl e[...]

  • Seite 37

    1-13 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists • Logging A CL Acti vity • A CL Example ACL Overview A CLs configured on the CSS provide a ba sic le vel of security for accessing your network. W ithout A CLs on the CSS, al[...]

  • Seite 38

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-14 Cisco Content Services Switch Security Configuration Guide OL-5650-02 For e xample, Figure 1-2 shows three VLAN circui ts on the CSS. Figure 1 -2 ACLs Enabled on the CSS For VLAN1, if you w ant to allow any TC P traf fic to the destination V IP addre[...]

  • Seite 39

    1-15 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists Enabling A CLs globally af fects all traf fic on all CSS circui ts whether they h av e A CLs or not. When you enable A CLs, all tr aff ic on a c ircuit that is not conf igured in[...]

  • Seite 40

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-16 Cisco Content Services Switch Security Configuration Guide OL-5650-02 T able 1 -1 ACL Confi guration Quic k Start T ask and Command Example 1. Enter global conf iguration mode. # config (config)# 2. Create an A CL and access A C L mode. Enter an A CL[...]

  • Seite 41

    1-17 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists The follo w ing running-conf ig example sho ws the result of entering the commands in Ta b l e 1 - 1 . !**************************** ACL **************************** acl 7 clause[...]

  • Seite 42

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-18 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Note If a circuit does not have an A CL, the CSS applies an implicit “deny all” clause to this circuit causing th e CSS to deny all traf fic on it. T o create an A CL and acces[...]

  • Seite 43

    1-19 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists 4. Apply another A CL on the circuit. I f you do not apply an A CL on the circuit, the CSS denies traff ic on the circu it when you enable A CLs on the CSS. 5. Reenable all A CLs[...]

  • Seite 44

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-20 Cisco Content Services Switch Security Configuration Guide OL-5650-02 • clause numbe r bypass - Creates a clause in the A CL to permit traffic on a circuit and bypasses (d oes not process) c ontent rules that apply to the traff ic. The syntax for c[...]

  • Seite 45

    1-21 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists Ta b l e 1 - 2 provides v ariables and options for the clause command. Bolded sy ntax defines keyw ords that you e nter on the comm and line. Italics de fine v ariab les where yo[...]

  • Seite 46

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-22 Cisco Content Services Switch Security Configuration Guide OL-5650-02 sour ce_port The source port for the traf fic. If yo u do not designate a source port, this clause allo ws traff ic from any port number . E nter one of the follo wing: • eq port[...]

  • Seite 47

    1-23 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists destination_port The desti nation port. Enter one of the follo wing. Y ou may use a port number or port name with th e options. • eq port is equal to the port n umber . • lt [...]

  • Seite 48

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-24 Cisco Content Services Switch Security Configuration Guide OL-5650-02 sourcegroup name The source group a s the destina t ion for the traf fic. Enter the group name. T o see a list of source grou ps, enter: show group ? Note The clause number bypass [...]

  • Seite 49

    1-25 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists After you create clauses for an ACL, you ca n apply the A CL to a circuit. For more informatio n, see the “ A pplying an A CL to a Circuit or DNS Queries” section. Adding a C[...]

  • Seite 50

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-26 Cisco Content Services Switch Security Configuration Guide OL-5650-02 For e xample, you apply A CL 7 to VLAN1 and then globally enable A CLs on the CSS. At a later time, to add a new clause to A CL 7 and to hav e the clause take effect on the CSS, en[...]

  • Seite 51

    1-27 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists Note When you remov e an applied A CL from the circuit, the CSS applies an implicit “deny all” clause to this circuit causing the CSS to deny all traf fic on it. If you want [...]

  • Seite 52

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-28 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Ho wev er , if you conf igure a CSS with the d ns-ser ver command, and the CSS recei ves a DNS query fo r a domain name that you conf igured on the CSS using the host command, the [...]

  • Seite 53

    1-29 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists 2. In A CL mode, remove the A CL from the circuit. (config-acl[7])# remove circuit-(VLAN1) 3. Make any changes to the A CL. If you delete an A CL from the circuit, conf igure ano[...]

  • Seite 54

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-30 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Use the global configuration acl enable command to enable all A CLs on the CSS. T o globally enable all A CLs, enter: (config)# acl enable Disabling ACLs on the CSS If you need to [...]

  • Seite 55

    1-31 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists • DNS Hits - Pack ets that match an A CL clause for DNS f lo ws when an A CL clause is applied to DNS queries. Th e display includes a DNS hit counter , which counts DNS look u[...]

  • Seite 56

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-32 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Setting the Show ACL Counters to Zero Use the zero counts com mand to reset the content and DNS hit coun ters in the show acl command screen to zero for a specif ic ACL. Y ou mu st[...]

  • Seite 57

    1-33 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists T o enable logging on an existing A CL clause, us e the log en able option for th e clause command and enter: (config-acl[7])# clause 1 log enable If A CLs are globally enabled o[...]

  • Seite 58

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-34 Cisco Content Services Switch Security Configuration Guide OL-5650-02 5. Reapply the A CL to the circuit. (config-acl[7])# apply circuit-(VLAN1) 6. In global configuration m ode, reenable a ll A CLs on the CSS. (config)# acl enable T o globally disab[...]

  • Seite 59

    1-35 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Configuring Network Qualifier Lists for ACLs !**************************** ACL *************************** acl 1 clause 20 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.15 clause 30 permit any 172.16.107.0 255.255.255.0 destina[...]

  • Seite 60

    Chapter 1 Controlling CSS Access Configuring Network Q ualifier Lists for ACLs 1-36 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Creating an NQL Enter the name of the ne w NQL you want to create or an e xisting NQL. Enter the name as an unquoted te xt string with no spaces and a maximum of 31 characters. Y ou can create a m[...]

  • Seite 61

    1-37 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Configuring Network Qualifier Lists for ACLs The v ariables and options are: • ip_addr ess - The destination network addr ess. Enter the IP address in dotted-decimal notation (for e x ample, 192.168.0.0) . • subnet_pref ix | subnet_mask -[...]

  • Seite 62

    Chapter 1 Controlling CSS Access Configuring Network Q ualifier Lists for ACLs 1-38 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Adding an NQL to an ACL Clause T o add an NQL to an A CL clause: 1. Create the A CL. For example, enter: (config)# acl 10 2. Define the clause, incl uding the NQ L as either a source or destinatio[...]

  • Seite 63

    CH A P T E R 2-1 Cisco Content Services Switch Security Configuration Guide OL-5650-02 2 Configuring the Secure Shell Daemon Protocol The Secure Shell Daemon (SSHD) prot ocol provide s secure encr ypted communications between two hosts communicating o ver an insecure network. The CSS supports an implemen tation of OpenSSH to pr ovide this secure co[...]

  • Seite 64

    Chapter 2 Configuring t he Secure Shell Daemon Protocol Enabling SSH 2-2 Cisco Content Services Switch Security Configuration Guide OL-5650-02 This chapter contains t he follo wing major sections: • Enabling SSH • Config uring SSH Access • Config uring SSHD in the CSS • Config uring T elnet Access When Using SSHD • Showing SSHD Configurat[...]

  • Seite 65

    2-3 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 2 Configuring the Secure Shell Daemon Protocol Configuri ng SSH Access Configuring SSH Access SSH access to the CSS is enabled by default through the no restrict ssh command. Y ou can verify the SSH access se lection in the running-config f ile. T o enhance security w[...]

  • Seite 66

    Chapter 2 Configuring t he Secure Shell Daemon Protocol Configuring SSHD in the CSS 2-4 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Use the sshd keepalive command to enable SSHD keepaliv e. SSHD keepali ve is enabled by default. T o enable sending SSHD keepali ves to the client, enter: (config)# sshd keepalive T o disable [...]

  • Seite 67

    2-5 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 2 Configuring the Secure Shell Daemon Protocol Configuring SSHD in the CSS Note The valid range for this comma nd is 512 to 1024. Howe ver , to m aintain backward compatibility wi th version 5.00, the CSS allo ws you to enter a value from 512 to 32768. If you enter a [...]

  • Seite 68

    Chapter 2 Configuring t he Secure Shell Daemon Protocol Configuring Telnet Acc ess When Using SSHD 2-6 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Configuring Telnet Access When Using SSHD By default, T elnet access to the CSS is enabled. When you use SSH D, you can disable nonsecure T elnet access to the CSS. T o enhance [...]

  • Seite 69

    2-7 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 2 Configuring the Secure Shell Daemon Protocol Showing SSHD Configuratio ns T o display the SSHD sessions, enter: # show sshd sessions Listen Socket Count The number of sock ets that SSHD is cu rrently listen ing on (not currently co nfigurable, def ault is 1). Listen[...]

  • Seite 70

    Chapter 2 Configuring t he Secure Shell Daemon Protocol Showing SSHD Configurations 2-8 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Ta b l e 2 - 2 describes the fields in the show sshd sessions command output. T o display the SSHD v ersion, enter: # show sshd version SSHield version 1.5, SSH version OpenSSH_3.0.2p1 T able [...]

  • Seite 71

    CH A P T E R 3-1 Cisco Content Services Switch Security Configuration Guide OL-5650-02 3 Configuring the CSS as a Client of a RADIUS Server The Remote Authentication Dial-In User Servi ce (RADIUS) protocol is a distribu ted client/server pr otocol that protects networks ag ainst unauthorized access. RADIUS uses the User Data gram Protocol (UDP) to [...]

  • Seite 72

    Chapter 3 Configuring the CSS as a Client of a RADIUS Server 3-2 Cisco Content Services Switch Security Configuration Guide OL-5650-02 In a conf iguration where b oth a primary RA DIUS serv er and a seco ndary RADIUS server are specified, and one or both of the RADIUS servers become unreachable, the CSS automatically tran smits a k eepalive authent[...]

  • Seite 73

    3-3 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 3 Configuring the CSS as a Client of a RADIUS Server RADIUS Configuration Quick Start RADIUS Configuration Quick Start Ta b l e 3 - 1 provides a quic k overvie w of the steps required to c onfigure the RADIUS feature on a CSS. Each ste p includes the CLI command requi[...]

  • Seite 74

    Chapter 3 Configuring the CSS as a Client of a RADIUS Server Configuring a RADIUS Serv er for Use with the CSS 3-4 Cisco Content Services Switch Security Configuration Guide OL-5650-02 The follo wing running-configurat ion example sh ows the resul ts of entering the commands in Ta b l e 3 - 1 . !*************************** GLOBAL ******************[...]

  • Seite 75

    3-5 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 3 Configuring the CSS as a Client of a RADIUS Server Configuring a RADIUS Server for Use with the CSS Configuring Authentication Settings T o configure the authentication settings on Cisco Secure A CS, go to the Network Config uration section of the Cisco Secure A CS [...]

  • Seite 76

    Chapter 3 Configuring the CSS as a Client of a RADIUS Server Specifying a Primary RADIUS Server 3-6 Cisco Content Services Switch Security Configuration Guide OL-5650-02 T o add a user to a group, go to the User Setup sectio n of the Cisco Secure A CS HTML interface: • On the User Set up Select page, specify a username. • On the User Set up Edi[...]

  • Seite 77

    3-7 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 3 Configuring the CSS as a Client of a RADIUS Server Specifying a Secondary RADIUS Server T o remove a primary RADIUS server , enter: (config)# no radius-server primary Specifying a Secondary RADIUS Server The CSS directs authentication requests to the secondary RADIU[...]

  • Seite 78

    Chapter 3 Configuring the CSS as a Client of a RADIUS Server Configuring the RA DIUS Server Timeouts 3-8 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Configuring the RADIUS Server Timeouts By default, th e CSS waits 10 seco nds for the RADIUS serv er (primary or secondary) to repl y to an authentication request before retra[...]

  • Seite 79

    3-9 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 3 Configuring the CSS as a Client of a RADIUS Server Configuring the RADIUS Server Dead-Time T o reset the RADIUS server retransmit request to the default of 3 r et ran sm is sio ns , enter: (config)# no radius-server retransmit Configuring the RADIUS Server Dead-Time[...]

  • Seite 80

    Chapter 3 Configuring the CSS as a Client of a RADIUS Server Showing RADIUS Serve r Co nfiguration Information 3-10 Cisco Content Services Switch Security Configuration Guide OL-5650-02 T o view the authentication statistics for a RADI US secondary ser ver , enter: (config)# show radius statistics secondary Ta b l e 3 - 2 describes the fields in th[...]

  • Seite 81

    3-11 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 3 Configuring the CSS as a Client of a RADIUS Server Showing RADIUS Server Configuration Infor mation Ta b l e 3 - 3 describes the fields in the show radius statistics output. T able 3-3 Field Descriptions f o r the show r adius statistics Command Field Description S[...]

  • Seite 82

    Chapter 3 Configuring the CSS as a Client of a RADIUS Server Showing RADIUS Serve r Co nfiguration Information 3-12 Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]

  • Seite 83

    CH A P T E R 4-1 Cisco Content Services Switch Security Configuration Guide OL-5650-02 4 Configuring the CSS as a Client of a TACACS+ Server The T erminal Access Controller Access Control System (T A CACS+) protocol provides access cont rol for routers, netw ork access servers (N AS), or other devices through one or mo re daemon se rvers. T A CA CS[...]

  • Seite 84

    Chapter 4 Configu ring the CSS as a Client of a TACACS+ Server TACACS+ Configuration Quick Start 4-2 Cisco Content Services Switch Security Configuration Guide OL-5650-02 TACACS+ Configuration Quick Start Ta b l e 4 - 1 provides a quic k overvie w of the steps required to c onfigure the T ACA CS+ feature on a CSS. Each step include s the CLI comman[...]

  • Seite 85

    4-3 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 4 Configuring the CSS as a Client of a TACACS+ Server Configuring TACACS+ Server User A ccounts for Use with the CSS The follo wing running-configurat ion example sh ows the resul ts of entering the commands in Ta b l e 4 - 1 . !************************** GLOBAL *****[...]

  • Seite 86

    Chapter 4 Configu ring the CSS as a Client of a TACACS+ Server Configuring TACACS+ Server User Accounts for Use with the CSS 4-4 Cisco Content Services Switch Security Configuration Guide OL-5650-02 • K ey - Enter the shared secret that the CSS and Cisco Se cure A CS us e to authenticate transactions . For correct operation , you must specify the[...]

  • Seite 87

    4-5 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 4 Configuring the CSS as a Client of a TACACS+ Server Configuring Global TACACS+ Attrib utes 4. Proceed next to Unmatched Commands, either permit or d eny e xecution of the pri vilege command: • For a user that has SuperUser pri vileges on the CSS, click Perm it . A[...]

  • Seite 88

    Chapter 4 Configu ring the CSS as a Client of a TACACS+ Server Configuring Global TACACS+ A ttributes 4-6 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Note The timeout, encryption k ey , or keepali ve frequency that you define wh en you configure a T ACA CS+ server o verrid es the global attribute (see the “Defining a TA [...]

  • Seite 89

    4-7 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 4 Configuring the CSS as a Client of a TACACS+ Server Configuring Global TACACS+ Attrib utes Defining a Global Encryption Key The CSS allo ws you to def ine a global encryption ke y for communications with all configured T A CA CS+ servers. T o encrypt T A CACS+ packe[...]

  • Seite 90

    Chapter 4 Configu ring the CSS as a Client of a TACACS+ Server Defining a TACACS+ Server 4-8 Cisco Content Services Switch Security Configuration Guide OL-5650-02 When it sends a keepaliv e to the T ACA CS+ server , the CSS attempts to use a persistent connection with the serv er . If the server is not conf igured for persistence, the CSS opens a n[...]

  • Seite 91

    4-9 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 4 Configuring the CSS as a Client of a TACACS+ Server Defining a TACACS+ Server Note For general guideli nes on the recommended setup of a T A CA CS+ server (the Cisco Secure Access Control Serv er in this example), see the “ T AC AC S+ Config uration Quick Start”[...]

  • Seite 92

    Chapter 4 Configu ring the CSS as a Client of a TACACS+ Server Defining a TACACS+ Server 4-10 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Defin ing this option o verrides the tacacs-server key command. F or more information on defining a gl obal encryption ke y , see the “Defining a Global Encryption Key” section. • [...]

  • Seite 93

    4-11 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 4 Configuring the CSS as a Client of a TACACS+ Server Setting TACACS+ Authorization Setting TACACS+ Authorization T ACA CS+ authorization allo ws the T A CACS+ serv er to control specif ic CSS commands that the user can execute. C SS authorization di vides the comman[...]

  • Seite 94

    Chapter 4 Configu ring the CSS as a Client of a TACACS+ Server Sending Full CSS Commands to the TACACS+ Server 4-12 Cisco Content Services Switch Security Configuration Guide OL-5650-02 In releases prior to 7.30.1.05 , if you transitioned from one CLI mod e to another (for ex ample, from conf ig mode to service mode), and a ser vice already ex iste[...]

  • Seite 95

    4-13 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 4 Configuring the CSS as a Client of a TACACS+ Server Setting TACACS+ Accounting T o reenable the CSS to send t he full command syntax, use the taca cs-ser ver send-full-command command. F or example: #(config) tacacs-server send-full-command Setting TACACS+ Accounti[...]

  • Seite 96

    Chapter 4 Configu ring the CSS as a Client of a TACACS+ Server Showing TACACS+ Server C onfiguration Information 4-14 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Showing TACACS+ Server Configuration Information Use the show tacacs-server command to display the T A CA CS+ server confi guration information. T o view this inf[...]

  • Seite 97

    4-15 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 4 Configuring the CSS as a Client of a TACACS+ Server Showing TACACS+ Server Configuration Infor mation Authorize Conf ig Commands Indicates whether configuration commands receiv e authorization Authorize Non-Conf ig Indicates whether nonconfiguration commands recei [...]

  • Seite 98

    Chapter 4 Configu ring the CSS as a Client of a TACACS+ Server Showing TACACS+ Server C onfiguration Information 4-16 Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]

  • Seite 99

    CH A P T E R 5-1 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 5 Configuring Firewall Load Balancing This chapter descri bes how to configure the CSS Firew all Load Balanc ing (FWLB) feature. Informati on in this chapte r applie s to all CSS mod els, except where noted. This chapter contains t he follo wing major sections:[...]

  • Seite 100

    Chapter 5 Configurin g Firewall Load Balancing Overview of FWLB 5-2 Cisco Content Services Switch Security Configura tion Guide OL-5650-02 Overview of FWLB FWLB enables you to conf igure a maximum of 15 fire walls per CSS. Config uring multiple f irewalls can o vercome performance limitations and remov e the single point of fai lure when all traff [...]

  • Seite 101

    5-3 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 Chapter 5 Con figurin g Firewall Load Balancing Configuring FWLB Firewall Synchronization Fire wall solutions provi ding Stateful Inspectio n, such as Check Point ™ FireW all-1 ® , create and maintain virt ual state for all connections through their devices, e ven for st[...]

  • Seite 102

    Chapter 5 Configurin g Firewall Load Balancing Configuring FWLB 5-4 Cisco Content Services Switch Security Configura tion Guide OL-5650-02 Y ou must define f irewal l parameters for each path through the f irewalls on bo th local and r emote CSSs. Us e the ip fi rewall command t o defin e fire wall parameters. The syntax for this glob al conf igura[...]

  • Seite 103

    5-5 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 Chapter 5 Con figurin g Firewall Load Balancing Configuring FWLB Use the ip fir ewall timeout number command to specify the number of seconds the CSS will wait to recei ve a keepali v e message from the remote CSS before declaring the firew all unreacha ble.The timeout rang[...]

  • Seite 104

    Chapter 5 Configurin g Firewall Load Balancing Configuring FWLB 5-6 Cisco Content Services Switch Security Configura tion Guide OL-5650-02 • inde x - An ex isting inde x number for the f irew all route. For information on config uring a f ire wall inde x, see the ip f irewall command. • distance - The optional administrati ve distance. Ente r a[...]

  • Seite 105

    5-7 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 Chapter 5 Con figurin g Firewall Load Balancing Configuring FWLB T o stop adv ertising f irew all routes, enter: (config)# no ospf redistribute firewall Configuring RIP to Advertise Firewall Routes T o adver tise fire wall routes from other p rotocols through RIP , use the [...]

  • Seite 106

    Chapter 5 Configurin g Firewall Load Balancing Configuring FWLB 5-8 Cisco Content Services Switch Security Configura tion Guide OL-5650-02 T o conf igure CSS-A (the client side of the network co nfiguratio n) as sho wn in Figure 5-1 : 1. Use the ip fir ewall command to define f irewall 1. For e xample: (config)# ip firewall 1 192.168.28.1 192.168.2[...]

  • Seite 107

    5-9 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 Chapter 5 Con figurin g Firewall Load Balancing Configuring FWLB Figure 5-1 illu strates the configur ation def ined in the f irewall command s. Figur e 5-1 Example of FWLB CSS-B CSS-A Server1 Client Firew all 2 Firew all 1 Client Server2 Ser ver3 Internet Router Client 192[...]

  • Seite 108

    Chapter 5 Configurin g Firewall Load Balancing Configuring FWLB with VIP and Virtual Interface Redu ndancy 5-10 Cisco Content Services Switch Security Configura tion Guide OL-5650-02 Configuring FWLB with VIP and Virtual Interface Redundancy Config ure FWLB with VIP and virtual interf ace redundancy to provide the follo wing benefits: • V ery fas[...]

  • Seite 109

    5-11 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 Chapter 5 Con figurin g Firewall Load Balancing Configuring FWLB with VIP and Virtual Interface Redundan cy In Figure 5-2 , odd-numbered f irew alls are conn ected to the Layer 2 switches servicing the CSS-OUT -L and CSS-IN-L CSSs. Even-numb ered fire walls are connected t[...]

  • Seite 110

    Chapter 5 Configurin g Firewall Load Balancing Configuring FWLB with VIP and Virtual Interface Redu ndancy 5-12 Cisco Content Services Switch Security Configura tion Guide OL-5650-02 If the f ire wall supports i t, you can use multinetting b y configuring mu ltiple addresses on the f i re wall. If the f irewa ll does not support multipl e addresses[...]

  • Seite 111

    5-13 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 Chapter 5 Con figurin g Firewall Load Balancing Configuring FWLB with VIP and Virtual Interface Redundan cy Example of Firewall and Route Configurations The follo wing ip fir ewall and ip route exampl e conf igurations are v alid for Figure 5-2 with four act iv e fire wall[...]

  • Seite 112

    Chapter 5 Configurin g Firewall Load Balancing Configuring FWLB with VIP and Virtual Interface Redu ndancy 5-14 Cisco Content Services Switch Security Configura tion Guide OL-5650-02 CSS-IN-L Configuration ip firewall 1 10.3.200.1 10.2.200.1 10.2.1.254 ip firewall 2 10.3.200.2 10.2.200.2 10.2.1.254 ip firewall 3 10.3.200.3 10.2.200.3 10.2.1.254 ip [...]

  • Seite 113

    5-15 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 Chapter 5 Con figurin g Firewall Load Balancing Displaying Firewall Flow Summaries Displaying Firewall Flow Summaries Use the sh ow flow s command to display the flo w summary for a source IP address, or for a specific source address an d its destinatio n IP address on a S[...]

  • Seite 114

    Chapter 5 Configurin g Firewall Load Balancing Displaying Firewall IP Routes 5-16 Cisco Content Services Switch Security Configura tion Guide OL-5650-02 Ta b l e 5 - 1 describes the fields in the show flo ws output. Displaying Firewall IP Routes Use the show i p ro u t es fi rew a ll command to display all static f irewa ll routes. For exa mpl e: ([...]

  • Seite 115

    5-17 Cisco Content Service s Switch Security Config uration Guide OL-5650-02 Chapter 5 Con figurin g Firewall Load Balancing Displaying Firewall IP Information Displaying Firewall IP Information Use the show ip f irewall command to display the conf igured v alues of the IP fire wall keepali ve timeout and the state of each f irewa ll path conf igur[...]

  • Seite 116

    Chapter 5 Configurin g Firewall Load Balancing Displaying Firewa ll IP Information 5-18 Cisco Content Services Switch Security Configura tion Guide OL-5650-02[...]

  • Seite 117

    IN-1 Cisco Content Services Switch Security Configuration Guide OL-5650-02 INDEX A Access Control Lists. See ACLs ACLs adding an NQL to a clause 1-38 applying to a circuit 1-27 clause number 1-19 configuration example 1-34 configuring 1-15 configuring clauses 1-19 creating 1-17 definition 1-13 deletin g 1-18 disabling globally 1-30 disabling loggin[...]

  • Seite 118

    Index IN-2 Cisco Content Services Switch Security Configuration Guide OL-5650-02 configuration example ACL 1-34 firewall load balancing 5-7 configuratio n quick start ACL 1-15 configuring ACL 1-12 CSS as RADIUS client 3-1 CSS as TACACS+ clien t 4-8 source group in an A CL 1-24 static proximity in ACL clause 1-25 user name and p assword 1-3 console [...]

  • Seite 119

    IN-3 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Index FTP enabling access 1-10 restricting access to the CSS 1-11 I IP route firewall load balancing , displaying 5-16, 5-17 static, for firewall load balancing 5-5 K keepalive ACL example 1-34 L license ke y Enhanced feat ure set 2-2 Proximity Database 2-2 license key, Sec [...]

  • Seite 120

    Index IN-4 Cisco Content Services Switch Security Configuration Guide OL-5650-02 R RADIUS Cisco Secure Access Control Server (ACS) 3-4 console authentication 1-8 CSS as RADIUS client, configuri ng 3-1 displaying c onfiguration i nformation 3-9 overview 3-1 primary RADIUS server 3-6 RADIUS server host parameters 3-1 running-config examp le 3-4 secon[...]

  • Seite 121

    IN-5 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Index T TACACS+ accounting, setting 4-13 authentication, setting 4-11 Cisco Secure Access Control Server (ACS) 4-3 console authentication 1-8 CSS as client, configuring 4-8 displaying c onfiguration i nformation 4-14 global encryptio n key 4-7 global keepalive f requency 4-7[...]

  • Seite 122

    Index IN-6 Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]