A significant percentage of the students I teach manage multiple Cisco security devices: IOS routers/switches, ASA or PIX firewalls, IPS sensors and, yes, even the occasional VPN concentrator. While most of the official training courses offered provide at least one chapter which discusses “best practices” in managing each of these devices, they omit the comparison of the default IP-based access policies. That comparison is the subject of this article.
The table below shows a brief summary of two sharply-contrasting default access policies: a) An open one where an access-list is used to restrict access and b) A closed one where the access-list is used to permit access. The VPN Concentrator was added to this list due to its continued presence at many end-user locations despite the product being more than 2 years End-Of-Sale.
Default IP-Based Access Policy
Open (ACL restricts access) Closed (ACL permits access)
IOS router / switch ASA appliance / PIX firewall
VPN Concentrator IPS Sensor
IOS router/switch – Most network administrators know that although the default access policy for these devices is wide open, a CLI management session with telnet or ssh cannot be done to the device until a line password is configured. Following this implementation, it is highly recommended that an access-class into the vty lines referencing a standard access-list be added to restrict access. Additionally, a transport input ssh vty line configuration command can be added to restrict access exclusively by this protocol.
VPN Concentrator – The screenshots below show how to add access control to an otherwise unrestricted default IP-based access policy. While this device allows for management to be done using either HTTP or HTTPS; the use of the clear-text HTTP should be discouraged.
When the Add button is clicked, the following screen results; note that individual workstations and/or networks can be added for each administrative group.
ASA appliance / PIX Firewall – Both the CCO documents and the Cisco training courses recommend initial provisioning of either the ASA or PIX using a directly con-nected terminal, often using the setup dialog. This is necessary because initially no IP-based access of any kind is permitted. With these appliances, each management protocol – telnet, ssh, and http (a misnomer as it is actually https) must each have its own corresponding “permit list”. A strong recommendation here: configure, at the very least ssh local authentication using the aaa authentication ssh console LOCAL global configuration command. An insecure default setting for ssh is that the default username of pix and default password of cisco can allow any permitted IP address entry! Having said that, changing that default telnet password from something other than cisco would be a good idea as well!
IPS sensor – Although the IPS sensor defaults to a “closed” access policy as well, the access-list utilization to permit access is implemented differently than with the security appliances. On the sensor, the access-list (as it is known in the CLI) or “allowed hosts” (as it is known in the IDM GUI) permits the two forms of default management access, SSH and SSL. Again, the setup dialog is often used for initial provisioning via the CLI.
For all of the devices listed above, a “best practice” is to ensure that communication via either the CLI or GUI be done over a secure Out-Of-Band (OOB) channel. This is best implemented by dedicating a management subnet on a VLAN on which general user traffic will not be seen. The consumption of bandwidth by generic applications could pose real problems in the real-time monitoring of IPS alarms and syslog messages.
Author: Doug McKillip
- Cisco IOS Security Configuration Guide – SSH Terminal-Line Access
- VPN 3000 Concentrator Reference Volume II – Administration and Monitoring
- Configuring Management Access – ASA CLI 8.2
- Installing Cisco Intrusion Prevention System Appliances and Modules