Cisco Systems OL-5650-02 user manual - BKManuals


A good user manual

The rules require the seller to provide the buyer, together with the goods, with the Cisco Systems OL-5650-02 user manual. The absence of the user manual or incorrect information supplied to the consumer is grounds for a complaint in case of non-conformity of the device with the contract. Under the law, the user manual may be included in a form other than paper, which has recently become common, including a graphic or electronic Cisco Systems OL-5650-02 form or instructional videos for users. The condition is that it is legible and comprehensible.

What is a user manual?

The word comes from the Latin "instructio", meaning to arrange. Thus the Cisco Systems OL-5650-02 user manual describes the steps of a procedure. The purpose of a user manual is to instruct, and to make starting up, using the equipment or performing certain actions easier. The manual is a collection of information about the object/service, a hint.

Unfortunately, few users take the time to read the user manual, yet a good manual not only lets you learn about a number of additional features of the device you bought but also helps avoid most failures.

So what should the perfect manual contain?

First of all, the Cisco Systems OL-5650-02 user manual should contain:
- information on the technical data of the Cisco Systems OL-5650-02 device
- the manufacturer's name and year of manufacture of the Cisco Systems OL-5650-02
- instructions for use, adjustment and maintenance of the Cisco Systems OL-5650-02 equipment
- safety markings and certificates confirming compliance with the relevant standards

Why don't we read user manuals?

Generally this is due to lack of time and to confidence about the specific functionality of the purchased equipment. Unfortunately, connecting and starting the Cisco Systems OL-5650-02 is not enough. This manual contains a set of guidelines on specific features, safety, maintenance methods (including the means that should be used), possible Cisco Systems OL-5650-02 defects and ways to solve the most common problems during use. Finally, the manual contains the contact details of Cisco Systems service in case the proposed solutions do not work. Currently, user manuals in the form of engaging animations and instructional videos, which are better than a brochure, attract considerable interest. This type of manual lets the user watch the whole instructional video without skipping the specific and complicated technical descriptions of the Cisco Systems OL-5650-02, as happens with the paper version.

Why read the user manual?

First of all, it contains the answers about the structure and capabilities of the Cisco Systems OL-5650-02 device, the use of various accessories and a range of information for making full use of all its features and services.

After successfully purchasing the equipment/device, take a moment to get familiar with every part of the Cisco Systems OL-5650-02 user manual. Nowadays they are carefully prepared and translated so as to be understandable not only to users but also to fulfil their basic function of informing and helping.

Contents of the user manual

  • Pagina 1

    Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Cisco Content S er vices S witc h S ecurity Conf iguration Guide Sof twa re V er sion 7 .50 Marc h 2005 Text Part Number: O L-5650-02[...]

  • Pagina 2

    THE SPECIFICA T IONS AND INFORMA TION REGARDING THE PRODUCTS IN THIS MAN U AL ARE SUBJECT TO CHANGE WITHOUT NO TICE. ALL ST A TEMENTS, INFORMA TION, AND RECOMMENDA TION S IN THIS MANUAL ARE BELIEVED T O BE A CCURA TE BUT ARE PRESENTED WITHOUT W ARRANTY OF ANY KIND, EX PRESS OR IMPLIED. USERS MUST T AKE FULL RESPONSIBILITY FO R THEIR APPLICA TION OF[...]

  • Pagina 3

    iii Cisco Content Services Switch Security Configuration Guide OL-5650-02 CONTENTS Preface xi Audience xii How to Use This Guide xii Related Documentation xiii Symbols and Conventions xvi Obtaining Documentation xvii Cisco.com xvii Documentation DVD xviii Ordering Documentation xviii Documentation Feedback xviii Cisco Product Security Overview xix [...]

  • Pagina 4

    Contents iv Cisco Content Services Switch Security Configuration Guide OL-5650-02 Controlling Admi nistrative Access to the CSS 1-10 Enabling Administrativ e Access to the CSS 1-10 Disabling Administrative Access to the CSS 1-11 Controlling CSS Network Traffic Through Access Control Lists 1-12 ACL Overview 1-13 ACL Configuration Quick Start 1-15 Cr[...]

  • Pagina 5

    v Cisco Content Services Switch Security Configuration Guide OL-5650-02 Contents Configuring SSHD in the CSS 2-3 Configuring SSHD Keepalive 2-3 Configuring SSHD Port 2-4 Configuring SSHD Server-Keybits 2-4 Configuring SSHD Version 2-5 Configuring Telnet Access When Using SSHD 2-6 Showing SSHD Configurations 2-6 CHAPTER 3 Configuring the CSS as a Cl[...]

  • Pagina 6

    Contents vi Cisco Content Services Switch Security Configuration Guide OL-5650-02 Setting the Global TACACS+ Keepalive Fre quency 4-7 Defining a TACACS+ Server 4-8 Setting TACACS+ Authorization 4-11 Sending Full CSS Commands to the TACACS+ Server 4-12 Setting TACACS+ Acco unting 4-13 Showing TACACS+ Server Configuration Information 4-14 CHAPTER 5 C[...]

  • Pagina 7

    vii Cisco Content Services Switch Security Configuration Guide OL-5650-02 FIG UR ES Figure 1-1 CSS Directory Access Privileges 1-5 Figure 1-2 ACLs Enabled o n the CSS 1-14 Figure 5-1 Example of FWLB 5-9 Figure 5-2 FWLB with VIP/Interface Redundancy Configuration 5-11[...]

  • Pagina 8

    Figures viii Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]

  • Pagina 9

    ix Cisco Content Services Switch Security Configuration Guide OL-5650-02 TABLES T able 1-1 ACL Configuration Quick Start 1-16 T able 1-2 Clause Command Option s 1-21 T able 1-3 Field Descriptions for the show acl Command Output 1-31 T able 1-4 Field Descriptions for the show nql Command Output 1-38 T able 2-1 Field Descriptions for the show sshd co[...]

  • Pagina 10

    Tables x Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]

  • Pagina 11

    xi Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface This guide provides in structions fo r configuring the securi ty features of th e Cisco 11500 Series Co ntent Services Switches (CSS). Information in this guide applies to all CSS models except where noted . The CSS software is a vailable in a Stan dard or optional Enh[...]

  • Pagina 12

    Preface Audience xii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Audience This guide is intended for the follo wing trained and qualif ied service personnel who are responsible for conf iguring the CSS: • We b m a s t e r • System adminis trator • System operator How to Use This Guide This guide is or ganized as foll[...]

  • Pagina 13

    xiii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Related Documentation Related Documentation In addition to thi s guide, the Content Se rvices Switch docume ntation includes the follo wing publications. Document T itle Description Release Note for the Cisco 11500 Series Content Services Switc h This release note pr[...]

  • Pagina 14

    Preface Related Do cumentation xiv Cisco Content Services Switch Security Configuration Guide OL-5650-02 Cisco Conte nt Services Switch Adm inistrati on Guide This guide de scribes how to perform adm inistrative tasks on the CSS, including upg rading your CSS software and co nfigu ring the follo wing: • Logging, includi ng displaying log messages[...]

  • Pagina 15

    xv Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Related Documentation Cisco Conte nt Services Switch Cont ent Load-Balancing Conf iguratio n Guide This guide describes ho w to perform CSS content load-balancing configur ation tasks, in cluding: • Flo w and port mapping • Services • Service, global, and script [...]

  • Pagina 16

    Preface Symbols and Conventions xvi Cisco Content Services Switch Security Configuration Guide OL-5650-02 Symbols and Conventions This guide u ses the fol lowing symbols and conv entions to identify d if ferent ty pes of informatio n. Caution A caution means that a specific action you take co uld cause a loss of data or adversely impact use of the [...]

  • Pagina 17

    xvii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Obtaining Documentation Courier text indicates text that appears on a command line, including the CLI prompt. Courier bold text indicates commands and te xt you enter in a command line. Italics text indicates the first occurrence of a ne w term, book title, emphasize[...]

  • Pagina 18

    Preface Documentation Feedba ck xviii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Documentation DVD Cisco documentation and additi onal litera ture are a vailable in a Documentation D VD package, which m ay hav e shipped w ith your produc t. The Document ation D VD is updated regularly an d may be more current than pri nte[...]

  • Pagina 19

    xix Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Cisco Product Security O verview Y ou can submit comments by using th e response card (if present) behind the front cov e r of your document or b y writing to the follo wing address: Cisco Systems Attn: Customer Document Or dering 170 W est T asman Driv e San Jose, CA[...]

  • Pagina 20

    Preface Obtaining Technical Assistance xx Cisco Content Services Switch Security Configuration Guide OL-5650-02 • Nonemergencies — psirt@cisco.com Ti p W e encourage you to use Pretty Good Pri vac y (PGP) or a compatible produ ct to encrypt any sensiti ve information that you send to Cisco. PSIR T can work from encrypted information that is com[...]

  • Pagina 21

    xxi Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Obtaining Techn ical Assistance Access to all tools on the Cisco T echni cal Support W ebsite requires a Cisco.com user ID and password. If you hav e a valid service contract b ut do not hav e a user ID or password, you can re gister at this URL: http://tools.cisco.co[...]

  • Pagina 22

    Preface Obtaining Additional Publ ications and Information xxii Cisco Content Services Switch Security Configuration Guide OL-5650-02 For a complete list of Cisco T A C contacts, go to this URL: http://www .cisco.com/t echsupport/contacts Definitions of Service Request Severity T o ensure that all service req uests are reported in a standard format[...]

  • Pagina 23

    xxiii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Obtaining Additional Public ations and Information • Pa c k e t magazine is the C isco System s technical user magazine for maximizing Internet and netw orking in vestments. Each quarter , Packet deli vers co verage of the latest industry trends, tech nology break[...]

  • Pagina 24

    Preface Obtaining Additional Publ ications and Information xxiv Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]

  • Pagina 25

    CH A P T E R 1-1 Cisco Content Services Switch Security Configuration Guide OL-5650-02 1 Controlling CSS Access This chapter describes how to config ure access to the CSS including network traf fic. Information in this chapter applie s to all models of the CSS, except where noted. This chapter contains t he follo wing major sections: • Changing t[...]

  • Pagina 26

    Chapter 1 Controlling CSS Access Changing the Administra tive Username and Pa ssword 1-2 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Changing the Administrative Username and Password During the initial log in to the CSS you enter the def ault user name admin and the default passw ord system in lo wercase text. F or securit[...]

  • Pagina 27

    1-3 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Creating Usernames and Passwo rds Creating Usernames and Passwords Logging into the CSS requ ires a username and passw ord. The CSS supports a maximum of 32 usernames, inclu ding the administrator and tech nician usernames. Y ou can assign eac[...]

  • Pagina 28

    Chapter 1 Controlling CSS Access Creating Usernames and Passwords 1-4 Cisco Content Services Switch Security Configuration Guide OL-5650-02 • password - Specif ies the password is not en crypted. Use this option when you use the CLI to dynamically create use rs. • password - The p assword. Enter an unquoted te xt string with no spaces and a len[...]

  • Pagina 29

    1-5 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Creating Usernames and Passwo rds • access - Specifies directory access privileg es for the username. By default, users hav e both read- and write-acces s pr i vileges (B) to all se ven directories. Enter , in order , one of the followi ng a[...]

  • Pagina 30

    Chapter 1 Controlling CSS Access Controlling Remote User Access to the CSS 1-6 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Controlling Remote User Access to the CSS T o control access to th e CSS, you can config ure the CSS to authenti cate remote (virtual) or console users. The CSS can a u thenticate users by using the lo[...]

  • Pagina 31

    1-7 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling Remote User Access to the CSS Configuring Virtual Authentication V irtual authentication allo ws remote users to log in to the CSS when they are using FTP , T elnet, SSHD, or the Device Management user interface wi th or without re[...]

  • Pagina 32

    Chapter 1 Controlling CSS Access Controlling Remote User Access to the CSS 1-8 Cisco Content Services Switch Security Configuration Guide OL-5650-02 T o remov e users currently logged in to th e CSS, use the disconnect command. T o define th e T A CA CS+ server as the p rimary virtual authentication method, enter: #(config) virtual authentication p[...]

  • Pagina 33

    1-9 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling Remote User Access to the CSS • secondary - Defines the seco nd authentication method that the CSS u ses if the fi rst method fails. The d efault secondar y console authenticatio n method is to disallow all user access. Note If y[...]

  • Pagina 34

    Chapter 1 Controlling CSS Access Controlling Administra tive Access to the CSS 1-10 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Controlling Administrati ve Access to the CSS CSS access through a console, FTP , SSH, SNMP , and T elnet is enabled by default. The CSS su pports a maximum of four FTP sessions and a max imum of [...]

  • Pagina 35

    1-11 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling Administrative Access to the CSS • no restrict xml - Enables t he transfer of XML conf iguration f iles to the CSS through unsecu re HTTP connection s (disabled by default). • no restrict web-mgmt - Enables De vice M anagement[...]

  • Pagina 36

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-12 Cisco Content Services Switch Security Configuration Guide OL-5650-02 • re strict se cure -xml - Disables the transfer of XML configuration f iles to the CSS through secure HTTPS SSL conn ections (d isabled by default). • re strict xml - Disabl e[...]

  • Pagina 37

    1-13 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists • Logging A CL Acti vity • A CL Example ACL Overview A CLs configured on the CSS provide a ba sic le vel of security for accessing your network. W ithout A CLs on the CSS, al[...]

  • Pagina 38

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-14 Cisco Content Services Switch Security Configuration Guide OL-5650-02 For e xample, Figure 1-2 shows three VLAN circui ts on the CSS. Figure 1 -2 ACLs Enabled on the CSS For VLAN1, if you w ant to allow any TC P traf fic to the destination V IP addre[...]

  • Pagina 39

    1-15 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists Enabling A CLs globally af fects all traf fic on all CSS circui ts whether they h av e A CLs or not. When you enable A CLs, all tr aff ic on a c ircuit that is not conf igured in[...]

  • Pagina 40

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-16 Cisco Content Services Switch Security Configuration Guide OL-5650-02 T able 1 -1 ACL Confi guration Quic k Start T ask and Command Example 1. Enter global conf iguration mode. # config (config)# 2. Create an A CL and access A C L mode. Enter an A CL[...]

  • Pagina 41

    1-17 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists The follo w ing running-conf ig example sho ws the result of entering the commands in Ta b l e 1 - 1 . !**************************** ACL **************************** acl 7 clause[...]

  • Pagina 42

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-18 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Note If a circuit does not have an A CL, the CSS applies an implicit “deny all” clause to this circuit causing th e CSS to deny all traf fic on it. T o create an A CL and acces[...]

  • Pagina 43

    1-19 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists 4. Apply another A CL on the circuit. I f you do not apply an A CL on the circuit, the CSS denies traff ic on the circu it when you enable A CLs on the CSS. 5. Reenable all A CLs[...]

  • Pagina 44

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-20 Cisco Content Services Switch Security Configuration Guide OL-5650-02 • clause numbe r bypass - Creates a clause in the A CL to permit traffic on a circuit and bypasses (d oes not process) c ontent rules that apply to the traff ic. The syntax for c[...]

  • Pagina 45

    1-21 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists Ta b l e 1 - 2 provides v ariables and options for the clause command. Bolded sy ntax defines keyw ords that you e nter on the comm and line. Italics de fine v ariab les where yo[...]

  • Pagina 46

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-22 Cisco Content Services Switch Security Configuration Guide OL-5650-02 sour ce_port The source port for the traf fic. If yo u do not designate a source port, this clause allo ws traff ic from any port number . E nter one of the follo wing: • eq port[...]

  • Pagina 47

    1-23 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists destination_port The desti nation port. Enter one of the follo wing. Y ou may use a port number or port name with th e options. • eq port is equal to the port n umber . • lt [...]

  • Pagina 48

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-24 Cisco Content Services Switch Security Configuration Guide OL-5650-02 sourcegroup name The source group a s the destina t ion for the traf fic. Enter the group name. T o see a list of source grou ps, enter: show group ? Note The clause number bypass [...]

  • Pagina 49

    1-25 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists After you create clauses for an ACL, you ca n apply the A CL to a circuit. For more informatio n, see the “ A pplying an A CL to a Circuit or DNS Queries” section. Adding a C[...]

  • Pagina 50

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-26 Cisco Content Services Switch Security Configuration Guide OL-5650-02 For e xample, you apply A CL 7 to VLAN1 and then globally enable A CLs on the CSS. At a later time, to add a new clause to A CL 7 and to hav e the clause take effect on the CSS, en[...]

  • Pagina 51

    1-27 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists Note When you remov e an applied A CL from the circuit, the CSS applies an implicit “deny all” clause to this circuit causing the CSS to deny all traf fic on it. If you want [...]

  • Pagina 52

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-28 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Ho wev er , if you conf igure a CSS with the d ns-ser ver command, and the CSS recei ves a DNS query fo r a domain name that you conf igured on the CSS using the host command, the [...]

  • Pagina 53

    1-29 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists 2. In A CL mode, remove the A CL from the circuit. (config-acl[7])# remove circuit-(VLAN1) 3. Make any changes to the A CL. If you delete an A CL from the circuit, conf igure ano[...]

  • Pagina 54

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-30 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Use the global configuration acl enable command to enable all A CLs on the CSS. T o globally enable all A CLs, enter: (config)# acl enable Disabling ACLs on the CSS If you need to [...]

  • Pagina 55

    1-31 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists • DNS Hits - Pack ets that match an A CL clause for DNS f lo ws when an A CL clause is applied to DNS queries. Th e display includes a DNS hit counter , which counts DNS look u[...]

  • Pagina 56

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-32 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Setting the Show ACL Counters to Zero Use the zero counts com mand to reset the content and DNS hit coun ters in the show acl command screen to zero for a specif ic ACL. Y ou mu st[...]

  • Pagina 57

    1-33 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controllin g CSS Network Tr affic Through Ac cess Control Lists T o enable logging on an existing A CL clause, us e the log en able option for th e clause command and enter: (config-acl[7])# clause 1 log enable If A CLs are globally enabled o[...]

  • Pagina 58

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Thr ough Access Control Lists 1-34 Cisco Content Services Switch Security Configuration Guide OL-5650-02 5. Reapply the A CL to the circuit. (config-acl[7])# apply circuit-(VLAN1) 6. In global configuration m ode, reenable a ll A CLs on the CSS. (config)# acl enable T o globally disab[...]

  • Pagina 59

    1-35 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Configuring Network Qualifier Lists for ACLs !**************************** ACL *************************** acl 1 clause 20 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.15 clause 30 permit any 172.16.107.0 255.255.255.0 destina[...]

  • Pagina 60

    Chapter 1 Controlling CSS Access Configuring Network Q ualifier Lists for ACLs 1-36 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Creating an NQL Enter the name of the ne w NQL you want to create or an e xisting NQL. Enter the name as an unquoted te xt string with no spaces and a maximum of 31 characters. Y ou can create a m[...]

  • Pagina 61

    1-37 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Configuring Network Qualifier Lists for ACLs The v ariables and options are: • ip_addr ess - The destination network addr ess. Enter the IP address in dotted-decimal notation (for e x ample, 192.168.0.0) . • subnet_pref ix | subnet_mask -[...]

  • Pagina 62

    Chapter 1 Controlling CSS Access Configuring Network Q ualifier Lists for ACLs 1-38 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Adding an NQL to an ACL Clause T o add an NQL to an A CL clause: 1. Create the A CL. For example, enter: (config)# acl 10 2. Define the clause, incl uding the NQ L as either a source or destinatio[...]

  • Pagina 63

    CH A P T E R 2-1 Cisco Content Services Switch Security Configuration Guide OL-5650-02 2 Configuring the Secure Shell Daemon Protocol The Secure Shell Daemon (SSHD) prot ocol provide s secure encr ypted communications between two hosts communicating o ver an insecure network. The CSS supports an implemen tation of OpenSSH to pr ovide this secure co[...]

  • Pagina 64

    Chapter 2 Configuring t he Secure Shell Daemon Protocol Enabling SSH 2-2 Cisco Content Services Switch Security Configuration Guide OL-5650-02 This chapter contains t he follo wing major sections: • Enabling SSH • Config uring SSH Access • Config uring SSHD in the CSS • Config uring T elnet Access When Using SSHD • Showing SSHD Configurat[...]

  • Pagina 65

    2-3 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 2 Configuring the Secure Shell Daemon Protocol Configuri ng SSH Access Configuring SSH Access SSH access to the CSS is enabled by default through the no restrict ssh command. Y ou can verify the SSH access se lection in the running-config f ile. T o enhance security w[...]

  • Pagina 66

    Chapter 2 Configuring t he Secure Shell Daemon Protocol Configuring SSHD in the CSS 2-4 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Use the sshd keepalive command to enable SSHD keepaliv e. SSHD keepali ve is enabled by default. T o enable sending SSHD keepali ves to the client, enter: (config)# sshd keepalive T o disable [...]

  • Pagina 67

    2-5 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 2 Configuring the Secure Shell Daemon Protocol Configuring SSHD in the CSS Note The valid range for this comma nd is 512 to 1024. Howe ver , to m aintain backward compatibility wi th version 5.00, the CSS allo ws you to enter a value from 512 to 32768. If you enter a [...]

  • Pagina 68

    Chapter 2 Configuring t he Secure Shell Daemon Protocol Configuring Telnet Acc ess When Using SSHD 2-6 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Configuring Telnet Access When Using SSHD By default, T elnet access to the CSS is enabled. When you use SSH D, you can disable nonsecure T elnet access to the CSS. T o enhance [...]

  • Pagina 69

    2-7 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 2 Configuring the Secure Shell Daemon Protocol Showing SSHD Configuratio ns T o display the SSHD sessions, enter: # show sshd sessions Listen Socket Count The number of sock ets that SSHD is cu rrently listen ing on (not currently co nfigurable, def ault is 1). Listen[...]

  • Pagina 70

    Chapter 2 Configuring t he Secure Shell Daemon Protocol Showing SSHD Configurations 2-8 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Ta b l e 2 - 2 describes the fields in the show sshd sessions command output. T o display the SSHD v ersion, enter: # show sshd version SSHield version 1.5, SSH version OpenSSH_3.0.2p1 T able [...]

  • Pagina 71

    CH A P T E R 3-1 Cisco Content Services Switch Security Configuration Guide OL-5650-02 3 Configuring the CSS as a Client of a RADIUS Server The Remote Authentication Dial-In User Servi ce (RADIUS) protocol is a distribu ted client/server pr otocol that protects networks ag ainst unauthorized access. RADIUS uses the User Data gram Protocol (UDP) to [...]

  • Pagina 72

    Chapter 3 Configuring the CSS as a Client of a RADIUS Server 3-2 Cisco Content Services Switch Security Configuration Guide OL-5650-02 In a conf iguration where b oth a primary RA DIUS serv er and a seco ndary RADIUS server are specified, and one or both of the RADIUS servers become unreachable, the CSS automatically tran smits a k eepalive authent[...]

  • Pagina 73

    3-3 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 3 Configuring the CSS as a Client of a RADIUS Server RADIUS Configuration Quick Start RADIUS Configuration Quick Start Ta b l e 3 - 1 provides a quic k overvie w of the steps required to c onfigure the RADIUS feature on a CSS. Each ste p includes the CLI command requi[...]

  • Pagina 74

    Chapter 3 Configuring the CSS as a Client of a RADIUS Server Configuring a RADIUS Serv er for Use with the CSS 3-4 Cisco Content Services Switch Security Configuration Guide OL-5650-02 The follo wing running-configurat ion example sh ows the resul ts of entering the commands in Ta b l e 3 - 1 . !*************************** GLOBAL ******************[...]

  • Pagina 75

    3-5 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 3 Configuring the CSS as a Client of a RADIUS Server Configuring a RADIUS Server for Use with the CSS Configuring Authentication Settings T o configure the authentication settings on Cisco Secure A CS, go to the Network Config uration section of the Cisco Secure A CS [...]

  • Pagina 76

    Chapter 3 Configuring the CSS as a Client of a RADIUS Server Specifying a Primary RADIUS Server 3-6 Cisco Content Services Switch Security Configuration Guide OL-5650-02 T o add a user to a group, go to the User Setup sectio n of the Cisco Secure A CS HTML interface: • On the User Set up Select page, specify a username. • On the User Set up Edi[...]

  • Pagina 77

    3-7 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 3 Configuring the CSS as a Client of a RADIUS Server Specifying a Secondary RADIUS Server T o remove a primary RADIUS server , enter: (config)# no radius-server primary Specifying a Secondary RADIUS Server The CSS directs authentication requests to the secondary RADIU[...]

  • Pagina 78

    Chapter 3 Configuring the CSS as a Client of a RADIUS Server Configuring the RA DIUS Server Timeouts 3-8 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Configuring the RADIUS Server Timeouts By default, th e CSS waits 10 seco nds for the RADIUS serv er (primary or secondary) to repl y to an authentication request before retra[...]

  • Page 79

    Configuring the RADIUS Server Dead-Time (3-9)
    To reset the RADIUS server retransmit request to the default of 3 retransmissions, enter:
    (config)# no radius-server retransmit
    Configuring the RADIUS Server Dead-Time[...]

  • Page 80

    Showing RADIUS Server Configuration Information (3-10)
    To view the authentication statistics for a RADIUS secondary server, enter:
    (config)# show radius statistics secondary
    Table 3-2 describes the fields in th[...]

  • Page 81

    Showing RADIUS Server Configuration Information (3-11)
    Table 3-3 describes the fields in the show radius statistics output.
    Table 3-3 Field Descriptions for the show radius statistics Command
    Field    Description
    S[...]

  • Page 82

    Showing RADIUS Server Configuration Information (3-12)[...]

  • Page 83

    CHAPTER 4 Configuring the CSS as a Client of a TACACS+ Server (4-1)
    The Terminal Access Controller Access Control System (TACACS+) protocol provides access control for routers, network access servers (NAS), or other devices through one or more daemon servers. TACACS[...]

  • Page 84

    TACACS+ Configuration Quick Start (4-2)
    Table 4-1 provides a quick overview of the steps required to configure the TACACS+ feature on a CSS. Each step includes the CLI comman[...]

  • Page 85

    Configuring TACACS+ Server User Accounts for Use with the CSS (4-3)
    The following running-configuration example shows the results of entering the commands in Table 4-1.
    !************************** GLOBAL *****[...]

  • Page 86

    Configuring TACACS+ Server User Accounts for Use with the CSS (4-4)
    • Key - Enter the shared secret that the CSS and Cisco Secure ACS use to authenticate transactions. For correct operation, you must specify the[...]

  • Page 87

    Configuring Global TACACS+ Attributes (4-5)
    4. Proceed next to Unmatched Commands, either permit or deny execution of the privilege command:
    • For a user that has SuperUser privileges on the CSS, click Permit. A[...]

  • Page 88

    Configuring Global TACACS+ Attributes (4-6)
    Note: The timeout, encryption key, or keepalive frequency that you define when you configure a TACACS+ server overrides the global attribute (see the "Defining a TA[...]

  • Page 89

    Configuring Global TACACS+ Attributes (4-7)
    Defining a Global Encryption Key
    The CSS allows you to define a global encryption key for communications with all configured TACACS+ servers. To encrypt TACACS+ packe[...]

  • Page 90

    Defining a TACACS+ Server (4-8)
    When it sends a keepalive to the TACACS+ server, the CSS attempts to use a persistent connection with the server. If the server is not configured for persistence, the CSS opens a n[...]

  • Page 91

    Defining a TACACS+ Server (4-9)
    Note: For general guidelines on the recommended setup of a TACACS+ server (the Cisco Secure Access Control Server in this example), see the "TACACS+ Configuration Quick Start"[...]

  • Page 92

    Defining a TACACS+ Server (4-10)
    Defining this option overrides the tacacs-server key command. For more information on defining a global encryption key, see the "Defining a Global Encryption Key" section.
    • [...]

  • Page 93

    Setting TACACS+ Authorization (4-11)
    TACACS+ authorization allows the TACACS+ server to control specific CSS commands that the user can execute. CSS authorization divides the comman[...]

  • Page 94

    Sending Full CSS Commands to the TACACS+ Server (4-12)
    In releases prior to 7.30.1.05, if you transitioned from one CLI mode to another (for example, from config mode to service mode), and a service already existe[...]

  • Page 95

    Setting TACACS+ Accounting (4-13)
    To reenable the CSS to send the full command syntax, use the tacacs-server send-full-command command. For example:
    (config)# tacacs-server send-full-command
    Setting TACACS+ Accounti[...]

  • Page 96

    Showing TACACS+ Server Configuration Information (4-14)
    Use the show tacacs-server command to display the TACACS+ server configuration information. To view this inf[...]

  • Page 97

    Showing TACACS+ Server Configuration Information (4-15)
    Field                        Description
    Authorize Config Commands    Indicates whether configuration commands receive authorization
    Authorize Non-Config         Indicates whether nonconfiguration commands recei[...]

  • Page 98

    Showing TACACS+ Server Configuration Information (4-16)[...]

  • Page 99

    CHAPTER 5 Configuring Firewall Load Balancing (5-1)
    This chapter describes how to configure the CSS Firewall Load Balancing (FWLB) feature. Information in this chapter applies to all CSS models, except where noted. This chapter contains the following major sections:[...]

  • Page 100

    Overview of FWLB (5-2)
    FWLB enables you to configure a maximum of 15 firewalls per CSS. Configuring multiple firewalls can overcome performance limitations and remove the single point of failure when all traff[...]

  • Page 101

    Configuring FWLB (5-3)
    Firewall Synchronization
    Firewall solutions providing Stateful Inspection, such as Check Point™ FireWall-1®, create and maintain virtual state for all connections through their devices, even for st[...]

  • Page 102

    Configuring FWLB (5-4)
    You must define firewall parameters for each path through the firewalls on both local and remote CSSs. Use the ip firewall command to define firewall parameters. The syntax for this global configura[...]

  • Page 103

    Configuring FWLB (5-5)
    Use the ip firewall timeout number command to specify the number of seconds the CSS will wait to receive a keepalive message from the remote CSS before declaring the firewall unreachable. The timeout rang[...]

  • Page 104

    Configuring FWLB (5-6)
    • index - An existing index number for the firewall route. For information on configuring a firewall index, see the ip firewall command.
    • distance - The optional administrative distance. Enter a[...]

  • Page 105

    Configuring FWLB (5-7)
    To stop advertising firewall routes, enter:
    (config)# no ospf redistribute firewall
    Configuring RIP to Advertise Firewall Routes
    To advertise firewall routes from other protocols through RIP, use the [...]

  • Page 106

    Configuring FWLB (5-8)
    To configure CSS-A (the client side of the network configuration) as shown in Figure 5-1:
    1. Use the ip firewall command to define firewall 1. For example:
    (config)# ip firewall 1 192.168.28.1 192.168.2[...]

  • Page 107

    Configuring FWLB (5-9)
    Figure 5-1 illustrates the configuration defined in the firewall commands.
    Figure 5-1 Example of FWLB
    [Diagram: Client, Internet, Router, CSS-A, Firewall 1, Firewall 2, CSS-B, Server1, Server2, Server3; addresses 192[...]]

  • Page 108

    Configuring FWLB with VIP and Virtual Interface Redundancy (5-10)
    Configure FWLB with VIP and virtual interface redundancy to provide the following benefits:
    • Very fas[...]

  • Page 109

    Configuring FWLB with VIP and Virtual Interface Redundancy (5-11)
    In Figure 5-2, odd-numbered firewalls are connected to the Layer 2 switches servicing the CSS-OUT-L and CSS-IN-L CSSs. Even-numbered firewalls are connected t[...]

  • Page 110

    Configuring FWLB with VIP and Virtual Interface Redundancy (5-12)
    If the firewall supports it, you can use multinetting by configuring multiple addresses on the firewall. If the firewall does not support multiple addresses[...]

  • Page 111

    Configuring FWLB with VIP and Virtual Interface Redundancy (5-13)
    Example of Firewall and Route Configurations
    The following ip firewall and ip route example configurations are valid for Figure 5-2 with four active firewall[...]

  • Page 112

    Configuring FWLB with VIP and Virtual Interface Redundancy (5-14)
    CSS-IN-L Configuration
    ip firewall 1 10.3.200.1 10.2.200.1 10.2.1.254
    ip firewall 2 10.3.200.2 10.2.200.2 10.2.1.254
    ip firewall 3 10.3.200.3 10.2.200.3 10.2.1.254
    ip [...]

  • Page 113

    Displaying Firewall Flow Summaries (5-15)
    Use the show flows command to display the flow summary for a source IP address, or for a specific source address and its destination IP address on a S[...]

  • Page 114

    Displaying Firewall IP Routes (5-16)
    Table 5-1 describes the fields in the show flows output.
    Displaying Firewall IP Routes
    Use the show ip routes firewall command to display all static firewall routes. For example:
    ([...]

  • Page 115

    Displaying Firewall IP Information (5-17)
    Use the show ip firewall command to display the configured values of the IP firewall keepalive timeout and the state of each firewall path configur[...]

  • Page 116

    Displaying Firewall IP Information (5-18)[...]

  • Page 117

    INDEX (IN-1)
    A
    Access Control Lists. See ACLs
    ACLs
      adding an NQL to a clause 1-38
      applying to a circuit 1-27
      clause number 1-19
      configuration example 1-34
      configuring 1-15
      configuring clauses 1-19
      creating 1-17
      definition 1-13
      deleting 1-18
      disabling globally 1-30
      disabling loggin[...]

  • Page 118

    Index (IN-2)
    configuration example
      ACL 1-34
      firewall load balancing 5-7
    configuration quick start
      ACL 1-15
    configuring
      ACL 1-12
      CSS as RADIUS client 3-1
      CSS as TACACS+ client 4-8
      source group in an ACL 1-24
      static proximity in ACL clause 1-25
      user name and password 1-3
    console [...]

  • Page 119

    Index (IN-3)
    FTP
      enabling access 1-10
      restricting access to the CSS 1-11
    I
    IP route
      firewall load balancing, displaying 5-16, 5-17
      static, for firewall load balancing 5-5
    K
    keepalive
      ACL example 1-34
    L
    license key
      Enhanced feature set 2-2
      Proximity Database 2-2
    license key, Sec[...]

  • Page 120

    Index (IN-4)
    R
    RADIUS
      Cisco Secure Access Control Server (ACS) 3-4
      console authentication 1-8
      CSS as RADIUS client, configuring 3-1
      displaying configuration information 3-9
      overview 3-1
      primary RADIUS server 3-6
      RADIUS server host parameters 3-1
      running-config example 3-4
      secon[...]

  • Page 121

    Index (IN-5)
    T
    TACACS+
      accounting, setting 4-13
      authentication, setting 4-11
      Cisco Secure Access Control Server (ACS) 4-3
      console authentication 1-8
      CSS as client, configuring 4-8
      displaying configuration information 4-14
      global encryption key 4-7
      global keepalive frequency 4-7[...]

  • Page 122

    Index (IN-6)[...]