This guide provides detailed design and implementation information relating to the different layered security features in the Cisco® Virtual Office.
Please refer to the Cisco Virtual Office overview (http://www.cisco.com/go/cvo) for more information about the solution, its architecture, and all of its components.
Purpose and Scope
This guide explains how the layered security approach is implemented in the Cisco Virtual Office solution. This deployment can be used as a baseline for similar remote-access, site-to-site VPN, and managed service provider VPN deployments. This document does not explain all the alternative designs or different configurations, nor does it explain the zone-based security features. Please refer to the Advanced Layered Security Features guide for the zone-based security features (Reference 21).
Introduction
Following are the major features included in this guide:
User and Device Security and Authentication
• Authentication Proxy (AuthProxy)
• IEEE 802.1x-based user authentication
• Secure Address Resolution Protocol (ARP)
Router Security and Authentication
• RSA keys and certificates
• Public key infrastructure (PKI) with authentication, authorization, and accounting (AAA)
• RSA key erase on password recovery
• RSA key locking
• Disabling password recovery
• Restricting console access
• Disabling console access
Network Security
• Stateful Firewall-Legacy
• Intrusion prevention system (IPS)
Domain Separation
• Split Domain Name System (DNS)
Hardware and Software
This guide is based on a Cisco 881 Integrated Services Router with wireless running Cisco IOS® Software Release 12.4(20)T. The FastEthernet4 interface connects to the Internet service provider (ISP). Two internal networks are configured using VLANs, namely VLAN10 and VLAN20. They are called "trusted" network and "guest" network in this guide. The devices such as IP phone, computer, etc. that need corporate access are connected to the trusted network. Other devices that do not need corporate access are connected to the guest network. The guest network is optional. For other Cisco router platforms, the sample configurations may need minor modifications.
User and Device Security and Authentication
The security and authentication features mainly ensure that only authorized users and devices can access the corporate network.
Authentication Proxy
A remote-office network may not be physically as secure as the corporate environment, meaning that nonemployees also may have access to the devices connected to the spoke router. Authentication Proxy provides a way to identify legitimate users and limit access to the corporate network to only those users. Auth-proxy can be used to provide role based access permissions to the users.
All access to the corporate network is denied by an inbound access control list (ACL) applied on the inside interface of the router. To initiate the authentication process user will have to first access a corporate website using a Web browser. This access will be intercepted by the router and will be replaced with a web based user authentication prompt. The user will be allowed to have access to the corporate site only if correct credentials are provided. The credentials are verified by a RADIUS server. Upon verification of the credentials, appropriate permit access control entries (ACEs) are downloaded and applied on the spoke router, based on the credentials. It is possible to download a "permit ip any any" for all users or to download specific ACEs based on the group to which the user belongs. This way the network administrator can implement role-based access control.
The authentication process begins when a user initiates web access using HTTP. FTP and Telnet can also be configured to initiate the authentication. The traffic that initiates authentication process is defined by an intercept ACL.
The authenticated sessions can be configured to time out after an absolute timeout or inactivity timeout, whose values are configurable. An inactivity timer triggers if there is no traffic from the client computer for the configured period of time. If any of the timers is triggered, the authentication cache is cleared, and you have to reauthenticate.
If a computer is disconnected from the network, the authentication cache remains until the inactivity timeout occurs. Before the cache is expired, a different computer can use the same IP address and continue to use the authenticated session that already exists for that address. A smaller inactivity time reduces the chance of this event happening.
Authentication Proxy Sample Configuration
aaa new-model
aaa group server radius authproxy
server-private <ip address> auth-port 1812 acct-port 1813 key 0 <key>
ip radius source-interface Vlan10
!
aaa authorization auth-proxy default group authproxy
!
ip inspect fw test tcp
ip inspect fw test udp
ip inspect fw test rtsp
ip inspect fw test tftp
ip inspect fw test skinny
ip inspect name test sip
ip inspect name test sip-tls
!
ip admission auth-proxy-banner file http://10.34.250.98/disclaimer.htm
ip admission auth-proxy-banner http ^
This is the authentication proxy challenge
^
ip admission max-login-attempts 6
! Configure 30 minutes of inactivity timeout.
! proxy_acl is the intercept ACL
ip admission name pxy proxy http inactivity-time 30 list proxy_acl
!
ip admission name test_proxy proxy http list proxy_acl
interface Vlan10
description inside interface
ip inspect fw in
ip access-group proxy_inbound_acl in
ip admission test_proxy
!...
ip access-list extended proxy_acl
remark --- Auth-Proxy ACL -----------
! Deny lines are used to bypass auth-proxy
deny tcp any host 10.10.200.1 eq www
! auth-proxy will intercept http access matching the below permit lines
permit tcp any 10.10.30.0 0.0.255 eq www
...
!
ip access-list extended proxy_inbound_acl
remark --- Auth-Proxy Inbound ACL which blocks the traffic ---
! Allow access to certain protcols
permit udp any any eq domain
permit udp any any eq netbios-ns
permit udp any any eq netbios-dgm
permit udp any any eq 5445
permit tcp any any eq 5060
permit tcp any any eq 5061
permit tcp any any eq 2000
permit tcp any any eq 2443
permit udp any any eq tftp
! Block corporate subnets. If split tunneling is not enabled denying
! all traffic using
! "deny any any" is sufficient
deny ip any 10.0.0.0 0.255.255.255
...
...
Permit ip any any ! if split tunneling is enabled
!
IP Phone Consideration
IP phones cannot display the Authentication Proxy prompt, so they cannot be authenticated using AuthProxy. One solution to this problem is to use Context-Based Access Control (CBAC). IP phones usually download their initial configuration using Trivial File Transfer Protocol (TFTP). In that case TFTP needs to be opened in the inbound ACL. If the IP phone is using Skinny Client Control Protocol (SCCP), then User Datagram Protocol (UDP) port 2000 needs to be opened. IP inspection dynamically opens holes for Real-Time Transport Protocol (RTP) streams when a phone call is made. By opening only UDP 2000, access control is not diluted much and the IP phone works without doing AuthProxy. The same thing works for Session Initiation Protocol (SIP) phones, but for SIP phones you need to open UDP ports 5060 and 5061.
UDP port 5445 needs to be opened if Cisco Unified Video Advantage (CUVA) is enabled on the IP phone.
Table 1 lists some important Authentication Proxy diagnostics commands.
Table 1. Authentication Proxy Diagnostics Commands
IEEE 802.1x-Based Device Authentication
Using IEEE 802.1x-based device authentication, all IP devices connecting to the router are subject to 802.1x-based credential validation. This authentication works only on the switch ports of the integrated services router platforms. The device does not get an IP address until the credentials are validated. When validated, the port becomes active and the device gets network access. If the validation fails the port is shut down.
This authentication requires an 802.1x client (called supplicant) running on the device. Many devices such as IP phones do not have an 802.1x supplicant. In order to accommodate client less device, guest VLAN feature can be enabled. Guest VLANs typically have less access privilege than the primary VLAN. In the case of Cisco Virtual Office, the guest VLAN is part of VLAN20.
Cisco IP phones can request a voice VLAN. If a voice VLAN is enabled on the router, the Cisco IP phone is automatically placed in that VLAN and bypasses 802.1x authentication.
If just user authentication is the goal, then AuthProxy is sufficient. Table 2 compares Authentication Proxy and 802.1x authentication.
Table 2. Authentication Proxy vs. 802.1x
For more information about this feature and its configuration on Cisco Virtual Office, refer to the deployment guide "Deploying 802.1x-Based Port Authentication on the Cisco Virtual Office Solution" (Reference 6). All the Cisco Virtual Office deployment guides are available at http://www.cisco.com/go/cvo.
Secure ARP
Secure Address Resolution Protocol (ARP) locks the Dynamic Host Configuration Protocol (DHCP)-assigned IP address to a MAC address. The DHCP server does not reassign this IP address to another device unless it has received a DHCP release. During an active lease a different IP address cannot overwrite the ARP entry, reducing the possibility of IP address spoofing. With this setup a second computer cannot take control of the IP address by manually configuring it on the interface.
Secure ARP Configuration
ip dhcp pool client
update arp
Router Security and Authentication
It is assumed that the router at a remote office or home office has a certain level of physical security. But it is not as safe as sitting inside an office building where the access is limited to only employees. The following features add some extra security to the routers to compensate.
RSA Keys and Certificates
The routers are configured with RSA key pairs for the purpose of VPN. Digital certificates are issued to each router. Digital certificates are very difficult to spoof. Because the certificates are used for PKI authentication, no unauthorized spokes are connected to the VPN. Unless marked as exportable, the RSA keys cannot be exported, meaning that RSA keys cannot be transferred to another router. Cisco IOS Software supports certificate servers from many vendors, including one based on Cisco IOS Software.
Following is the basic configuration of the PKI feature. For more details about the configuration and deployment options, refer to the deployment guide "Public Key Infrastructure Integration with Cisco Virtual Office Solution" (Reference 8) and "Public Key Infrastructure Resource Page" (Reference 9).
Certificate Authority Trustpoint Configuration
The following sample configuration uses a Cisco IOS Software certificate server.
ip host test-ca <ip address>
crypto pki trustpoint testtp
enrollment url http://test-ca:80
! Include serial number in the certificate request
serial-number
! Do not check CRL for peer certificates
revocation-check none
! Source the traffic from Vlan10 for any communication with
! Cert server
source interface Vlan10
! Re-enroll automatically when the current cert is 75% of its age
auto-enroll 75
Generating RSA Keys
The following command is executed in configuration mode:
crypto key gen rsa general-keys modulus 1024
! Refer the documentation guide for other options.
Authenticating the Certificate Authority Server
The following command is executed in configuration mode. The Certificate Authority server root certificate is downloaded as a result of this command:
crypto pki authenticate test-ca
Enrolling with the New Certificate Authority Server
This feature is also executed in configuration mode. After execution the router gets its public key signed by the Certificate Authority server, generating its certificate.
cry pki enroll test-ca
Conditional CRL Checking
In some cases there might be a need to skip Certificate Revocation List (CRL) checking for some peer routers; Cisco Virtual Office is an example. In the Cisco Virtual Office solution, if the CRL is hosted on the management network, the spoke router cannot download the CRL without first establishing the management VPN tunnel. So the CRL checking needs to be skipped when establishing the management VPN tunnel. All future VPN establishment with other hubs and spokes will continue to check CRL after it is downloaded though the management tunnel.
The following configuration example skips CRL validation for a peer certificate if the subject-name of the certificate contains "mgmthub1.mydomain.com" or "mgmthub2.mydomain.com":
crypto pki trustpoint testtp
...
revocation-check crl
match certificate mgmt-hub skip revocation-check
!
crypto pki certificate map mgmt-hub 1
subject-name co mgmt-hub1.mydomain.com
crypto pki certificate map mgmt-hub 2
subject-name co mgmt-hub2.mydomain.com
Note: Instead of subject-name, other fields in the certificate can also be matched in the rule. The match certificate ... command has other options also, but they are not discussed in this document.
Table 3 lists some important diagnostic and show commands for PKI.
Table 3. Diagnostic and Show Commands for PKI
PKI-AAA Authentication and Authorization
The hub router can be configured to do certificate revocation list (CRL) validation for each peer certificate. PKI-AAA authorization is an alternative way to validate the peer certificates. This authorization can also work as an additional check along with CRL validation. The router extracts a specified field from the peer certificate subject and sends it to a RADIUS server. It is sent as the username, and the password is fixed as "cisco". The field that should be sent as the username is specified in the trustpoint configuration.
If the RADIUS server has an entry for this username with password set as "cisco", the query returns success along with the following Cisco attribute-value (AV) pairs configured for that username:
• Certificate usage (cert-application)
• Certificate trustpoint (cert-trustpoint)
• Serial number (cert-serial)
• Certificate lifetime (cert-lifetime-end)
Following is a sample Cisco AV pair configuration which can be configured on a Cisco Secure Access Control Server (ACS):
cisco-avpair = "pki:cert-application=all"
cisco-avpair = "pki:cert-trustpoint=msca"
cisco-avpair = "pki:cert-serial=16318DB7000100001671"
cisco-avpair = "pki:cert-lifetime-end=1:00 jan 1, 2003"
The RADIUS server returns failure if the record is not found or password is not "cisco". The peer certificate is not accepted if the RADIUS request failed.
Among these AV pairs only cert-application is mandatory. If this AV pair is not returned or the value of the AV pair is "none", then the certificate is rejected. For the certificate to be accepted, the value of the cert-application should be "all" (more specific keyswords may be supported in the future; "all" means the certificate can be used for any purpose, including PKI).
If any or both of "cert-trustpoint" and "cert-serial" are specified, the router compares these values with the trustpoint name and serial number extracted from the peer certificate. The certificate is accepted only if these fields match.
The "cert-lifetime-end" value can be used to bypass the actual expiry date of the certificate. This is useful if an expired peer certificate needs to be accepted. A different date can be specified in the AV pair and the router will use this date for the expiry date calculation.
With the PKI-AAA feature the hub accepts a certificate only if it has an entry on the RADIUS server. The certificate can be temporarily disabled by setting the "cert-application" value to "none."
PKI-AAA Configuration
aaa new-model
aaa group server radius pki-aaa-server
server <ip addr> auth-port 1812 acct-port 1813
!
aaa authorization network pkiaaa group pki-aaa-server
!
crypto pki trustpoint testtp
enrollment mode ra
enrollment url http://test-ca:80/certsrv/mscep/mscep.dll
authorization list pkiaaa
authorization username subjectname commonname
Diagnostics
Use debug crypto pki transactions regular AAA and RADIUS debugs to diagnose problems. The logs on the RADIUS server also help.
For more details about this feature, refer to the deployment guide "Public Key Infrastructure Integration with Cisco Virtual Office Solution" (Reference 8).
RSA Key Erase on Password Recovery
The spoke routers are centrally managed. Therefore there is no need for the end user to know the router administrator password. If any user tries to do a password recovery, then the RSA key becomes un-usable. The password recovery process involves booting the router without loading the router configuration and then copying the startup configuration to the running configuration. During this process, the RSA private key is not copied to the running configuration. Without the private key the router cannot establish the VPN session. If the user issues a write mem command at this point, the RSA private key will be permanently lost . User will have to contact the administrator to restore VPN connectivity.
This feature does not have any specific configurations. It is enabled by default and cannot be disabled.
RSA Key Locking
This feature locks the RSA key using the specified password. When locked, it needs to be unlocked before it can be used for negotiating VPN sessions. The key is automatically locked after a reboot. This feature is useful if the router is to be installed in insecure places or needs to be shipped fully configured. If the router is stolen, it cannot be used to establish VPN connectivity to the corporate network without giving the correct unlock password. If the router falls into the wrong hands, this feature acts as a deterrent from getting illegal access to the corporate VPN.
Generating an RSA Key Pair
test-router(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys is test-router.cisco.com.
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
test-router(config)#
Encrypting the RSA Key
test-router(config)#crypto key encrypt rsa passphrase <pass-phase>
Encrypting keypair labeled test-router.cisco.com
WARNING: Configuration with encrypted key not saved.
Please save it manually as soon as possible to
save encrypted key
test-router(config)#
Now the key is encrypted. The output of sh cry key my rsa will have the string "*** The key is protected and UNLOCKED. ***".
Locking the RSA Key
test-router>crypto key lock rsa passphrase <pass-phase>
Now the key is locked. The output of sh cry key my rsa will have the string "*** The key is protected and LOCKED. ***".
Unlocking the RSA Key
test-router>crypto key unlock rsa passphrase <pass-phase>
If there are more than one set of keys on the router, the administrator can selectively lock or unlock by specifying the name of the set in the command line.
crypto key encrypt rsa name <key name> passphrase <pass-phrase>
The user can also use the web interface to unlock the RSA key by accessing the URL http://<router's ip address>/exec/crypto/key. Only privilege 1 users can lock or unlock the RSA key. Administrators can create a privilege 1 user account on the router to give other users lock and unlock privileges; the process is accomplished by accessing the URL http://<router's ip address>/level/01/exec/crypto/key/.
user <username> priv 1 pass <password>
ip http server
ip http authentication local
Diagnostics
show crypto key mypubkey rsa-Displays the RSA key status.
Disabling Password Recovery
The Cisco IOS Software router provides the facility to recover from a forgotten password. An IOS savvy end user may be able to look at the router configuration using this method. This can be prevented by disabling password recovery. To prevent unwanted password activity, no service password-recovery can be configured on the router:
config terminal
test-router(config)#no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for password recovery.
Are you sure you want to continue? [yes/no]:yes
test-router(config)#
Restricting Console Access
The security policy of some customers may require controlling access to the console port. There are two ways to control the console access, password protection and locking down.
If console access authentication is enabled, the console access is password-protected. User will be prompted for username and password. Access is granted only if the correct credentials are entered. The router can be configured to verify with the local credentials configured on the router or with a RADIUS or TACACS server. Doing local authentication will ensure that console access is possible even if the network connectivity is down.
Configuration for Local Authentication
aaa authentication login default local
username <username> password <password>
!
Configuration for RADIUS-Based Authentication
aaa group server radius myradius
server-private 10.32.227.161 auth-port 1812 acct-port 1813 key <server password>
!
aaa authentication login default group myradius
! "aaa authentication login default local group myradius" will check
! with both local and RADIUS user database.
Disabling Console Access
Disabling console access completely locks down the console. When this feature is enabled, the only way to access the router is by using network-based mechanisms such as Secure Shell (SSH) Protocol or Telnet. When the network access is gone, the router is inaccessible. Therefore, extreme caution should be exercised when deploying this feature on the router. For example, if the user changes his ISP to a different IP address assignment , the router may not be accessible via the network anymore. The user needs to press the reset button on the Cisco 881 router platform for 6 to 10 seconds while the router is rebooting to reset the router to the factory default configuration.
Configuration for Locking the Console Port
menu disable clear-screen
menu disable title %Console Disabled%
line con 0
autocommand menu disable
! "clear line 0" will clear the console connection if a connection
! is active. But this needs to be done from a ssh or telnet window.
Network Security
Stateful Firewall-Legacy Configuration
The spoke router and the network behind the spoke should be considered as part of the corporate network. So an attempt should be made to provide the same level of security as for the corporate firewall.
An access list is configured on the outside interface (which is connected to the ISP) such that no traffic initiated from outside (Internet) is permitted into the network. Only VPN traffic and some basic traffic such as Internet Control Message Protocol (ICMP), DHCP, Network Time Protocol (NTP), and so on are permitted into the router.
Port Address Translation (PAT) is configured on the outside interface such that all traffic originated from inside the network to the Internet is translated into a single public IP address. PAT is configured so that multiple devices behind the router can share the same IP address assigned by the ISP.
IP inspection (CBAC) is configured on the inside interface. When traffic is originated from inside toward the public network, CBAC selectively opens holes in the firewall ACL for the return traffic.
CBAC and PAT are needed on the spoke router only if Split Tunneling is allowed. Otherwise all traffic is directed through the corporate network. No firewall or address translation is configured between the corporate network and the trusted network (which is the tunnel interface).
Stateful Firewall Configuration
ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw realaudio
ip inspect name fw rtsp
ip inspect name fw tftp
ip inspect name fw ftp
ip inspect name fw h323
ip inspect name fw smtp
ip inspect name fw skinny
ip inspect name fw sip
!
interface Vlan10
description inside interface - Secure network with corporate access
ip address 10.10.100.1 255.255.255.240
ip nat inside
ip inspect fw in
!
interface Vlan20
description inside interface - Gust network without corporate access
ip address 10.10.200.1 255.255.255.240
ip nat inside
ip inspect fw in
!
interface FastEthernet4
description outside interface
ip address dhcp
ip access-group fw_acl in
ip nat outside
!
ip nat inside source list nat_acl interface Fastethernet4 overload