Page 3 - iii; CONTENTS; Preface; Controlling CSS Access
iii Cisco Content Services Switch Security Configuration Guide OL-5650-02. CONTENTS: Preface xi; Audience xii; How to Use This Guide xii; Related Documentation xiii; Symbols and Conventions xvi; Obtaining Documentation xvii; Cisco.com xvii; Documentation DVD xviii; Ordering Documentation xviii; Document...
Page 4 - iv; Configuring the Secure Shell Daemon Protocol
Contents (page iv): Controlling Administrative Access to the CSS 1-10; Enabling Administrative Access to the CSS 1-10; Disabling Administrative Access to the CSS 1-11; Controlling CSS Network Traffic Through Access Control Lists 1-12; ACL Ove...
Page 5 - Configuring the CSS as a Client of a RADIUS Server; Configuring the CSS as a Client of a TACACS+ Server
Contents (page v): Configuring SSHD in the CSS 2-3; Configuring SSHD Keepalive 2-3; Configuring SSHD Port 2-4; Configuring SSHD Server-Keybits 2-4; Configuring SSHD Version 2-5; Configuring Telnet Access When Using SSHD 2-6; Showing SSHD Config...
Page 6 - Configuring Firewall Load Balancing
Contents (page vi): Setting the Global TACACS+ Keepalive Frequency 4-7; Defining a TACACS+ Server 4-8; Setting TACACS+ Authorization 4-11; Sending Full CSS Commands to the TACACS+ Server 4-12; Setting TACACS+ Accounting 4-13; Showing TACACS+ S...
Page 7 - vii; FIGURES
Figures (page vii): Figure 1-1 CSS Directory Access Privileges 1-5; Figure 1-2 ACLs Enabled on the CSS 1-14; Figure 5-1 Example of FWLB 5-9; Figure 5-2 FWLB with VIP/Interface Redundancy Configuration 5-11
Page 9 - ix; TABLES
Tables (page ix): Table 1-1 ACL Configuration Quick Start 1-16; Table 1-2 Clause Command Options 1-21; Table 1-3 Field Descriptions for the show acl Command Output 1-31; Table 1-4 Field Descriptions for the show nql Command Output 1-38 ...
Page 11 - xi
Preface (page xi): This guide provides instructions for configuring the security features of the Cisco 11500 Series Content Services Switches (CSS). Information in this guide applies to all CSS models except where noted. The CSS software...
Page 12 - xii; Audience; How to Use This Guide; Chapter
Audience (page xii): This guide is intended for the following trained and qualified service personnel who are responsible for configuring the CSS: • Web master • System administrator • System operator. How to Use This Guid...
Page 13 - xiii; Related Documentation; Document Title
Related Documentation (page xiii): In addition to this guide, the Content Services Switch documentation includes the following publications. Document Title / Description: Release Note for the Cisco 11500 Series ...
Page 14 - xiv
Related Documentation (page xiv): Cisco Content Services Switch Administration Guide - This guide describes how to perform administrative tasks on the CSS, including upgrading your CSS software and configuring the following: • Loggi...
Page 15 - xv
Related Documentation (page xv): Cisco Content Services Switch Content Load-Balancing Configuration Guide - This guide describes how to perform CSS content load-balancing configuration tasks, including: • Flow and port mapping • Ser...
Page 16 - xvi; Symbols and Conventions; Bold text
Symbols and Conventions (page xvi): This guide uses the following symbols and conventions to identify different types of information. Caution: A caution means that a specific action you take could cause a lo...
Page 17 - xvii; Obtaining Documentation
Symbols and Conventions, continued (page xvii): Courier text indicates text that appears on a command line, including the CLI prompt. Courier bold text indicates commands and text you enter in a command line. Italic text indicates the first...
Page 18 - xviii; Documentation DVD; Documentation Feedback
Documentation DVD (page xviii): Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularl...
Page 19 - xix; Cisco Product Security Overview; Reporting Security Problems in Cisco Products
Documentation Feedback, continued (page xix): You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address: Cisco Systems, Attn: Customer Document Order...
Page 20 - xx; Obtaining Technical Assistance; Cisco Technical Support Website
Reporting Security Problems in Cisco Products, continued (page xx): • Nonemergencies — [email protected] Tip: We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work...
Page 21 - xxi; Resources; Cisco Product; Cisco Product Identification Tool; Submitting a Service Request
Obtaining Technical Assistance (page xxi): Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can r...
Page 22 - xxii; Definitions of Service Request Severity; Obtaining Additional Publications and Information
Obtaining Technical Assistance, continued (page xxii): For a complete list of Cisco TAC contacts, go to this URL: http://www.cisco.com/techsupport/contacts Definitions of Service Request Severity: To ensure that all service...
Page 23 - xxiii
Obtaining Additional Publications and Information (page xxiii): • Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the lates...
Page 26 - admin; password
Chapter 1 Controlling CSS Access. Changing the Administrative Username and Password (page 1-2): During the initial login to the CSS you enter the default user name admin and the default pa...
Page 27 - Creating Usernames and Passwords
Creating Usernames and Passwords (page 1-3): Logging into the CSS requires a username and password. The CSS supports a maximum of 32 usernames, including the administrator ...
Page 28 - superuser
Creating Usernames and Passwords, continued (page 1-4): • password - Specifies that the password is not encrypted. Use this option when you use the CLI to dynamically create users. • password - The password. Enter an unqu...
Page 29 - username; no username
Creating Usernames and Passwords, continued (page 1-5): • access - Specifies directory access privileges for the username. By default, users have both read- and write-access privileges (B) to all seven directories. E...
Page 30 - Controlling Remote User Access to the CSS; local
Controlling Remote User Access to the CSS (page 1-6): To control access to the CSS, you can configure the CSS to authenticate remote (virtual) or console users. Th...
Page 31 - Configuring Virtual Authentication
Configuring Virtual Authentication (page 1-7): Virtual authentication allows remote users to log in to the CSS when they are using FTP, Telnet, SSHD, or the Device...
Page 32 - Configuring Console Authentication
Controlling Remote User Access to the CSS, continued (page 1-8): To remove users currently logged in to the CSS, use the disconnect command. To define the TACACS+ server as the primary virtual authentication method, ...
Page 34 - Controlling Administrative Access to the CSS; Enabling Administrative Access to the CSS
Controlling Administrative Access to the CSS (page 1-10): CSS access through a console, FTP, SSH, SNMP, and Telnet is enabled by default. The CSS supports a max...
Page 35 - Disabling Administrative Access to the CSS
Controlling Administrative Access to the CSS, continued (page 1-11): • no restrict xml - Enables the transfer of XML configuration files to the CSS through unsecured HTTP connections (disabled by default). • no restri...
Page 36 - restrict xml
Controlling CSS Network Traffic Through Access Control Lists (page 1-12): • restrict secure-xml - Disables the transfer of XML configuration files to the CSS through secure HTTPS SSL connections (disabled ...
Page 37 - ACL Overview
ACL Overview (page 1-13): • Logging ACL Activity • ACL Example. ACL Overview: ACLs configured on the CSS provide a basic level of security for accessing your n...
Page 39 - ACL Configuration Quick Start
ACL Configuration Quick Start (page 1-15): Enabling ACLs globally affects all traffic on all CSS circuits whether they have ACLs or not. When you enable ACLs, all traffic on ...
Page 40 - Task and Command Example
Table 1-1 ACL Configuration Quick Start (page 1-16). Task and Command Example: 1. Enter global configuration mode. # config (config)# 2. Create a...
Page 41 - Creating an ACL
Creating an ACL (page 1-17): The following running-config example shows the result of entering the commands in Table 1-1. !**************************** ACL ***...
Page 42 - acl; Deleting an ACL; no acl
Deleting an ACL (page 1-18): Note: If a circuit does not have an ACL, the CSS applies an implicit “deny all” clause to this circuit, causing the CSS to deny all t...
Page 43 - Configuring Clauses; clause
Configuring Clauses (page 1-19): 4. Apply another ACL on the circuit. If you do not apply an ACL on the circuit, the CSS denies traffic on the circuit when you enab...
Page 45 - Parameters
Clause command parameters (page 1-21): Table 1-2 provides variables and options for the clause command. Bolded syntax defines keywords that you enter on the command line....
Page 48 - sourcegroup; bypass
Clause command options, continued (page 1-24): sourcegroup name - The source group as the destination for the traffic. Enter the group name. To see a list of source groups, enter: ...
Page 49 - Adding a Clause When ACLs are Globally Enabled; apply circuit; prefer
Adding a Clause When ACLs are Globally Enabled (page 1-25): After you create clauses for an ACL, you can apply the ACL to a circuit. For more information, see the “Applying an ACL to a Circui...
Page 50 - Deleting a Clause; no clause
Deleting a Clause (page 1-26): For example, you apply ACL 7 to VLAN1 and then globally enable ACLs on the CSS. At a later time, to add a new clause to ACL 7 and t...
Page 51 - Applying an ACL to a Circuit or DNS Queries
Applying an ACL to a Circuit or DNS Queries (page 1-27): Note: When you remove an applied ACL from the circuit, the CSS applies an implicit “deny all” clause to this circuit, causing the CSS...
Page 52 - Removing an ACL from Circuits or DNS Queries
Removing an ACL from Circuits or DNS Queries (page 1-28): However, if you configure a CSS with the dns-server command, and the CSS receives a DNS query for a domain name that you configured...
Page 53 - Enabling ACLs on the CSS
Enabling ACLs on the CSS (page 1-29): 2. In ACL mode, remove the ACL from the circuit. (config-acl[7])# remove circuit-(VLAN1) 3. Make any changes to the ACL. If you del...
Page 54 - Disabling ACLs on the CSS; Showing ACLs
Disabling ACLs on the CSS; Showing ACLs (page 1-30): Use the global configuration acl enable command to enable all ACLs on the CSS. To globally enable all ACLs, enter: (config)# acl en...
Page 55 - DNS Hits; show acl config; show acl; Field
Showing ACLs, continued (page 1-31): • DNS Hits - Packets that match an ACL clause for DNS flows when an ACL clause is applied to DNS queries. The display includes a DN...
Page 56 - Setting the Show ACL Counters to Zero
Setting the Show ACL Counters to Zero (page 1-32): Use the zero counts command to reset the content and DNS hit counters in the show acl command...
Page 57 - log enable
Logging ACL Activity (page 1-33): To enable logging on an existing ACL clause, use the log enable option for the clause command and enter: (config-acl[7])# clause 1 ...
Page 58 - ACL Example
ACL Example (page 1-34): 5. Reapply the ACL to the circuit. (config-acl[7])# apply circuit-(VLAN1) 6. In global configuration mode, reenable all ACLs on the...
Page 59 - Configuring Network Qualifier Lists for ACLs; nql
Configuring Network Qualifier Lists for ACLs (page 1-35): !**************************** ACL *************************** acl 1 clause 20 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.15 claus...
Page 60 - no nql; Describing an NQL; Adding Networks to an NQL; ip address; log
Creating an NQL (page 1-36): Enter the name of the new NQL you want to create or an existing NQL. Enter the name as an unquoted text string with no spaces and a...
Page 61 - no ip address
Adding Networks to an NQL, continued (page 1-37): The variables and options are: • ip_address - The destination network address. Enter the IP address in dotted-decimal notation (for example, 192.16...
Page 62 - Adding an NQL to an ACL Clause; Showing NQL Configurations; show nql
Adding an NQL to an ACL Clause (page 1-38): To add an NQL to an ACL clause: 1. Create the ACL. For example, enter: (config)# acl 10 2. Define the clause, includ...
Page 64 - Enabling SSH
Chapter 2 Configuring the Secure Shell Daemon Protocol. Enabling SSH (page 2-2): This chapter contains the following major sections: • Enabling SSH • Configuring SSH Access • Configuring SSHD in the CSS • Configuring Telnet Access When Usi...
Page 65 - Configuring SSH Access; Configuring SSHD in the CSS; Configuring SSHD Keepalive
Configuring SSH Access (page 2-3): SSH access to the CSS is enabled by default through the no restrict ssh command. You can verify the SSH access selection in t...
Page 66 - Configuring SSHD Port; sshd port; Configuring SSHD Server-Keybits; sshd
Configuring SSHD in the CSS (page 2-4): Use the sshd keepalive command to enable SSHD keepalive. SSHD keepalive is enabled by default. To enable sending SSHD keepalives to the client,...
Page 67 - Configuring SSHD Version; sshd version
Configuring SSHD Server-Keybits, continued (page 2-5): Note: The valid range for this command is 512 to 1024. However, to maintain backward compatibility with version 5.00, the CSS allows you to ente...
Page 68 - Configuring Telnet Access When Using SSHD; Showing SSHD Configurations; show sshd; show sshd config
Configuring Telnet Access When Using SSHD (page 2-6): By default, Telnet access to the CSS is enabled. When you use SSHD, you can disable non...
Page 72 - virtual authentication; console authentication
Chapter 3 Configuring the CSS as a Client of a RADIUS Server (page 3-2): In a configuration where both a primary RADIUS server and a secondary RADIUS server are specified, and one or both of the RADIUS servers become unreachable, the CSS ...
Page 73 - radius-server secondary
RADIUS Configuration Quick Start (page 3-3): Table 3-1 provides a quick overview of the steps required to configure the RADIUS feature on a CSS....
Page 74 - Configuring a RADIUS Server for Use with the CSS; show radius
Configuring a RADIUS Server for Use with the CSS (page 3-4): The following running-configuration example shows the results of entering the commands in Table 3-1. !*************...
Page 75 - Configuring Authentication Settings; Administrative
Configuring Authentication Settings (page 3-5): To configure the authentication settings on Cisco Secure ACS, go to the Network ...
Page 76 - Specifying a Primary RADIUS Server
Specifying a Primary RADIUS Server (page 3-6): To add a user to a group, go to the User Setup section of the Cisco Secure ACS HTML interface: • On the User Setup Select page, sp...
Page 77 - Specifying a Secondary RADIUS Server; secondary
Specifying a Secondary RADIUS Server (page 3-7): To remove a primary RADIUS server, enter: (config)# no radius-server primary. Specifying a Secondary RADIUS Server: The CSS direct...
Page 78 - Configuring the RADIUS Server Timeouts; radius-server timeout; Configuring the RADIUS Server Retransmits; radius-server retransmit
Configuring the RADIUS Server Timeouts (page 3-8): By default, the CSS waits 10 seconds for the RADIUS server (primary or secondary) to re...
Page 79 - Configuring the RADIUS Server Dead-Time
Configuring the RADIUS Server Dead-Time (page 3-9): To reset the RADIUS server retransmit request to the default of 3 retransmissions, enter: (config)# no radius-server retransm...
Page 80 - show radius config
Showing RADIUS Server Configuration Information (page 3-10): To view the authentication statistics for a RADIUS secondary server, enter: (config)# show radius statistics seconda...
Page 81 - show radius statistics
Showing RADIUS Server Configuration Information, continued (page 3-11): Table 3-3 describes the fields in the show radius statistics output. Table 3-3 Field Descriptions for the show radiu...
Page 86 - Configuring Authorization Settings
Chapter 4 Configuring the CSS as a Client of a TACACS+ Server. Configuring TACACS+ Server User Accounts for Use with the CSS (page 4-4): • Key - Enter the shared secret that the CSS and Cisco Secure ACS use to authenticate transactions. Fo...
Page 87 - Configuring Global TACACS+ Attributes
Configuring Global TACACS+ Attributes (page 4-5): 4. Proceed next to Unmatched Commands, either permit or deny execution of the privilege command: • For a user that has SuperUs...
Page 88 - virtual; console; tacacs-server timeout
Configuring Global TACACS+ Attributes, continued (page 4-6): Note: The timeout, encryption key, or keepalive frequency that you define when you configure a TACACS+ server overrides the glo...
Page 89 - Defining a Global Encryption Key; Setting the Global TACACS+ Keepalive Frequency
Defining a Global Encryption Key (page 4-7): The CSS allows you to define a global encryption key for communications with all configured T...
Page 90 - frequency; tacacs-server frequency; Defining a TACACS+ Server
Defining a TACACS+ Server (page 4-8): When it sends a keepalive to the TACACS+ server, the CSS attempts to use a persistent connection with the server. If the server is not con...
Page 91 - primary
Defining a TACACS+ Server, continued (page 4-9): Note: For general guidelines on the recommended setup of a TACACS+ server (the Cisco Secure Access Control Server in this example), see the...
Page 93 - Setting TACACS+ Authorization
Setting TACACS+ Authorization (page 4-11): TACACS+ authorization allows the TACACS+ server to control specific CSS commands that the user can exec...
Page 94 - Sending Full CSS Commands to the TACACS+ Server
Sending Full CSS Commands to the TACACS+ Server (page 4-12): In releases prior to 7.30.1.05, if you transitioned from one CLI mode to another (for example, from config mode to ...
Page 95 - Setting TACACS+ Accounting
Setting TACACS+ Accounting (page 4-13): To reenable the CSS to send the full command syntax, use the tacacs-server send-full-command command. For example: #(config) tacacs-serv...
Page 96 - Showing TACACS+ Server Configuration Information
Showing TACACS+ Server Configuration Information (page 4-14): Use the show tacacs-server command to display the TACACS+ server ...
Page 100 - Overview of FWLB
Chapter 5 Configuring Firewall Load Balancing. Overview of FWLB (page 5-2): FWLB enables you to configure a maximum of 15 firewalls per CSS. Configuring multiple firewalls can overcome performance limitations and remove th...
Page 101 - Firewall Synchronization; Configuring FWLB
Firewall Synchronization (page 5-3): Firewall solutions providing Stateful Inspection, such as Check Point™ FireWall-1®, create and maintain virtual state for all connectio...
Page 102 - ip firewall; Configuring a Keepalive Timeout for a Firewall
Configuring FWLB (page 5-4): You must define firewall parameters for each path through the firewalls on both local and remote CSSs. Use the ip firewall command to define firewall parameters. T...
Page 103 - Configuring an IP Static Route for a Firewall
Configuring a Keepalive Timeout for a Firewall, continued (page 5-5): Use the ip firewall timeout number command to specify the number of seconds the CSS will wait to receive a keepalive message from the remote CSS before declaring t...
Page 104 - Configuring OSPF to Advertise Firewall Routes; ospf; Enter a; tag
Configuring an IP Static Route for a Firewall, continued (page 5-6): • index - An existing index number for the firewall route. For information on configuring a firewall index, see the ip firewall command. • distance - The optional ...
Page 105 - Configuring RIP to Advertise Firewall Routes; rip; Example of FWLB Static Route Configuration
Configuring OSPF to Advertise Firewall Routes, continued (page 5-7): To stop advertising firewall routes, enter: (config)# no ospf redistribute firewall. Configuring RIP to Advertise Firewall Routes: To advertise firewall routes from ...
Page 111 - Example of Firewall and Route Configurations; ip
Example of Firewall and Route Configurations (page 5-13): The following ip firewall and ip route example configurations are valid for...
Page 113 - Displaying Firewall Flow Summaries; show flows
Displaying Firewall Flow Summaries (page 5-15): Use the show flows command to display the flow summary for a source IP address, or for a specific source addr...
Page 114 - Displaying Firewall IP Routes; show; show ip routes firewall
Displaying Firewall IP Routes (page 5-16): Table 5-1 describes the fields in the show flows output. Displaying Firewall IP Routes: Use the show ip routes firewall command to display all static ...
Page 115 - Displaying Firewall IP Information; show ip routes
Displaying Firewall IP Information (page 5-17): Use the show ip firewall command to display the configured values of the IP firewall keepalive timeout and th...
Page 117 - INDEX
INDEX (page IN-1). A: Access Control Lists. See ACLs. ACLs: adding an NQL to a clause 1-38; applying to a circuit 1-27; clause number 1-19; configuration example 1-34; configuring 1-15; configuring clauses 1-19; creating 1-17; definition 1-13; d...