CCNA-SEC Lec#2 | Securing Management Plane

In this lecture we will discuss NFP in more detail and how to secure its three planes: the management plane, the control plane and the data plane.
As discussed in the previous lecture, Cisco NFP (Network Foundation Protection) is a framework that provides the technologies and tools to protect different types of network traffic; Cisco classifies the different types of network traffic as different planes of communication. NFP defines three planes: the management plane, the control plane and the data plane.

Securing Management Plane

The management plane performs management functions for a network and coordinates functions among all the planes (management, control, data). The management plane also is used to manage a device through its connection to the network.
Examples of protocols processed in the management plane are Simple Network Management Protocol (SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols are used for monitoring and for CLI access. Restricting access to devices to internal sources (trusted networks) is critical.
There are many ways to manage a device (the VTY, AUX and console lines and ports), and you should do your best to keep access through them as secure as you can, using procedures such as the following:
Strong passwords
Make passwords very difficult to break. An attacker can break a password in several ways, including a dictionary attack and/or a brute-force attack. In addition, you should use the hashed password (enable secret) instead of the plain-text password (enable password); enable secrets are hashed using the MD5 algorithm. Also, work on enforcing a password policy, including features such as a maximum number of login attempts and a minimum password length.
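The following Cisco IOS configuration fragment is an added example to illustrate the points above; it is not taken from the lecture or from Cisco documentation. The secret strings in it are constructed placeholders, and the exact policy numbers (minimum length, attempt count, block time) are assumptions you should set to your own policy.

```cisco
! --- Added example (not from the original lecture); secrets are constructed placeholders ---
!
! Weak: "enable password" stores the string in clear text, and even with
! service password-encryption it only becomes a reversible type 7 string.
! Do NOT configure this:
!   enable password Cisco123
!
! Corrected: "enable secret" stores a salted hash instead (type 5, MD5, as described above).
! If both are configured the enable secret takes precedence; remove the weak one anyway.
no enable password
enable secret EnableSecret-CHANGE-ME
!
! Local administrator account: "secret" hashes it, "password" would not.
username admin privilege 15 secret AdminSecret-CHANGE-ME
!
! Obfuscate any remaining clear-text line passwords (type 7). This is
! reversible obfuscation against shoulder-surfing, not real protection.
service password-encryption
!
! Password policy: refuse new passwords shorter than 10 characters.
security passwords min-length 10
!
! Login attempt policy: after 3 failed logins within 60 seconds,
! block further login attempts for 120 seconds (quiet period),
! and log both failed and successful logins so they reach syslog.
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
```

During the quiet period only hosts permitted by an ACL applied with login quiet-mode access-class can still log in, so define that ACL before enabling the policy. Check the active policy with show login, and verify in show running-config that the enable secret appears as a type 5 hash rather than a type 7 string.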
Encrypted management protocols
Undoubtedly, accessing devices through Telnet or HTTP is no longer secure, as the password is sent in plain text, so encrypted protocols should be used instead, such as Secure Shell (SSH) or Hypertext Transfer Protocol Secure (HTTPS).
User authentication and AAA
AAA stands for Authentication, Authorization and Accounting.
In large networks it isn't logical to depend on the local user database for authenticating users.
The goal of AAA is to identify who users are before giving them any kind of access to the network, and once they are identified, only give them access to the part they are authorized to use, see, or manage.
Cisco provides many ways to implement AAA services for Cisco devices, such as an ACS server, a TACACS server or a RADIUS server; we will cover this point in more detail in our next sessions.

Role-based access control (RBAC)

With RBAC, we can create a role (like a group) and assign that role to the users who will be acting in that role. With the role comes the permissions and access. Ways to implement RBAC include using Access Control Server (ACS) and CLI parser views.
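As an added example of the CLI parser view approach (it is not part of the lecture), the fragment below defines a view for a help-desk role that may only run a few show commands and ping. The view name, account name and secrets are constructed placeholders.

```cisco
! --- Added example (not from the original lecture); names and secrets are constructed ---
!
! Parser views require AAA to be enabled and an enable secret for the root view.
aaa new-model
aaa authentication login default local
enable secret EnableSecret-CHANGE-ME
!
! Views can only be created from the root view. From privileged EXEC, enter it with:
!   Router# enable view
! (it prompts for the enable secret), then continue in configuration mode.
!
! HELPDESK role: read-only troubleshooting; nothing else is visible or executable.
parser view HELPDESK
 secret HelpDeskView-CHANGE-ME
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show interfaces
 commands exec include show logging
 commands exec include ping
!
! Bind a local account to the view; the user lands in the view at login and
! never reaches privilege level 15.
username helpdesk view HELPDESK secret HelpDesk-CHANGE-ME
!
line vty 0 4
 login authentication default
 transport input ssh
```

Log in as the constructed helpdesk user and run show parser view to confirm which view is active; any command not included in the view is rejected by the parser, which is the check to repeat for every role you define.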
Logging
Logging is a way to create an audit trail. Logging may be done in many different ways; it includes not only what administrators have changed or done, but also system events generated by the router or switch because of some problem that has occurred or some threshold that has been reached. This logging information may be sent to a syslog server. SNMP, one of the most important protocols, can also be used here.
Network Time Protocol (NTP)
NTP is a protocol that is widely used in the networking industry to synchronize the clocks of network infrastructure devices (servers, routers, switches, computers) over a network. This becomes very important for correlating logs between devices in case there is ever a breach and you need to reconstruct (or prove in a court of law) what occurred.
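The fragment below is an added example (not from the lecture) that combines the logging and NTP points: timestamps with millisecond precision and time zone, a syslog destination, a record of configuration changes, and NTP with authentication so a rogue time source cannot skew the clock the audit trail depends on. The server addresses, source interface and key are constructed placeholders.

```cisco
! --- Added example (not from the original lecture); addresses and keys are constructed ---
!
! Keep all devices in one time base so log lines from different devices line up.
clock timezone UTC 0
!
! Stamp log and debug messages with date, time, milliseconds and time zone.
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
!
! Sequence numbers make gaps in the syslog stream (dropped or deleted messages) visible.
service sequence-numbers
!
! Local buffer for recent events, plus export to a central syslog collector.
logging buffered 16384 informational
logging host 10.0.0.20
logging trap informational
logging source-interface Loopback0
!
! Log configuration changes themselves (who changed what, from where),
! with passwords and keys masked in the log entries.
archive
 log config
  logging enable
  notify syslog
  hidekeys
!
! Authenticated NTP: only accept time from a server that proves knowledge of key 1.
ntp authenticate
ntp authentication-key 1 md5 NtpKey-CHANGE-ME
ntp trusted-key 1
ntp server 10.0.0.5 key 1
ntp source Loopback0
```

Verify with show ntp status (expect "synchronized") and show logging. If two devices disagree on the time, the correlation described above becomes impossible, so NTP health belongs in routine monitoring rather than being checked only after an incident.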
Now we are about to discuss some practical issues:
1- How to enable SSH to access a router or switch
To enable SSH on a router or switch, the following items need to be in place:
A hostname other than the default name of the router.
A domain name.
A generated public/private key pair, used behind the scenes by SSH.
User login required on the vty lines, instead of just a password. Local authentication or authentication using an ACS server are both options.
Having at least one user account to log in with, either locally on the router, or on an ACS
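The five items above, carried through in one Cisco IOS configuration, as an added example that is not part of the lecture; it also applies the earlier point about replacing Telnet and HTTP with SSH and HTTPS. The hostname, domain name, account and secret are constructed placeholders, and local authentication is assumed (the ACS option is covered in the AAA section).

```cisco
! --- Added example (not from the original lecture); names and secrets are constructed ---
!
! 1. A hostname other than the default.
hostname R1
!
! 2. A domain name; together with the hostname it labels the RSA key pair.
ip domain-name lab.example.com
!
! 3. Generate the RSA key pair that SSH uses; a 2048-bit modulus is a
!    sensible current choice.
crypto key generate rsa modulus 2048
!
! Accept only SSH version 2 and limit the authentication window.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! 5. At least one user account (here local; an ACS server is the alternative).
username admin privilege 15 secret AdminSecret-CHANGE-ME
!
! 4. Require a username login on the vty lines, not just a line password,
!    and allow only SSH (no Telnet) as the inbound transport.
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
!
! Same principle for the web interface: clear-text HTTP off, HTTPS on,
! authenticated against the local database. Disable both if unused.
no ip http server
ip http secure-server
ip http authentication local
```

Check the result with show ip ssh (version 2 enabled) and show crypto key mypubkey rsa. Once aaa new-model is enabled later, the line-level login local is superseded by login authentication and the AAA method lists.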


2- User Authentication with AAA
There are two models to implement AAA server:-
Self-Contained AAA

In this model the AAA services are self-contained in the router. It is also known as local authentication.
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using the local database and the user is authorized to access the network based on information in the local
Sample of the configuration
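The sample configuration referenced above was an image that does not survive here. The fragment below is an added example of the self-contained (local) model written for this post, not the lecture's own sample; account names and secrets are constructed placeholders.

```cisco
! --- Added example (not from the original lecture); names and secrets are constructed ---
!
! Switch the router to the AAA model; from now on the lines use method lists.
aaa new-model
!
! The local database that steps 2 and 3 check against.
username admin privilege 15 secret AdminSecret-CHANGE-ME
username netops privilege 5 secret NetopsSecret-CHANGE-ME
!
! Authentication: the "default" list applies to every line that has no
! explicit list; the only method here is the local database.
aaa authentication login default local
!
! Authorization: put the user straight into the privilege level stored with
! the username, instead of user EXEC plus a shared enable secret.
aaa authorization exec default local
!
! Lock a local account after 3 consecutive failures (cleared by an administrator).
aaa local authentication attempts max-fail 3
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

Locked accounts are listed with show aaa local user lockout and released with clear aaa local user lockout username <name>; keep one console session open while applying the change so a mistake in the method list cannot lock you out of the device.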
Server-Based AAA
Uses an external database server to authenticate the username/Password.
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a remote AAA server.
4. The user is authorized to access the network based on information on the remote AAA server.
There are many names and access methods associated with the central server, including calling it an authentication server, AAA server, ACS server, TACACS server or RADIUS server.
The following list describes a few of these centralized server types:
Cisco Secure ACS Solution Engine: a server appliance with the Access Control Server (ACS) software preinstalled. Cisco ACS uses two distinct protocols for AAA services, RADIUS and TACACS+.
Cisco Secure ACS for Windows Server: this software package may be used for user and administrator authentication; the AAA services on the router contact an external Cisco Secure ACS (running on a Microsoft Windows system).
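The server-based model in one Cisco IOS configuration, as an added example written for this post (not the lecture's own configuration and not a Cisco document). It uses TACACS+ towards a Cisco ACS, with the local database as a fallback so the device stays manageable if the ACS is unreachable. The server address, key, source interface and accounts are constructed placeholders, and the newer "tacacs server" syntax is assumed (older releases use tacacs-server host).

```cisco
! --- Added example (not from the original lecture); addresses, keys and names are constructed ---
!
aaa new-model
!
! Fallback account, only reachable when no AAA server answers.
username emergency privilege 15 secret Emergency-CHANGE-ME
!
! Define the ACS as a TACACS+ server and group it so method lists can reference it.
tacacs server ACS1
 address ipv4 10.0.0.10
 key TacacsKey-CHANGE-ME
 timeout 5
aaa group server tacacs+ ACS-GROUP
 server name ACS1
ip tacacs source-interface Loopback0
!
! Step 3: authenticate against the remote server; fall back to local only if
! the group does not respond (a password rejected by the server does NOT fall through).
aaa authentication login default group ACS-GROUP local
aaa authentication login CONSOLE local
!
! Step 4: authorization decided by the server (shell privilege, permitted commands).
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
!
! Accounting: send session start/stop and every level-15 command to the server,
! which is what makes the audit trail from the logging section complete.
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
 transport input ssh
```

Test the server path with test aaa group ACS-GROUP <user> <password> legacy before the vty lines depend on it, and apply the change from an open console session: an ACS outage then drops the lines to the local fallback instead of locking you out, while a wrong key shows up immediately as an authentication failure in the test.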
By: Hatem Farag | CCIE#54446
