Cisco Systems OL-5650-02 manual


A good instruction manual

The law obliges the seller to provide the buyer, together with the product, the Cisco Systems OL-5650-02 instruction manual. The absence of the manual, or providing incorrect information to the consumer, constitutes grounds for a claim that the product does not conform to the contract. By law, a manual may be supplied in a form other than paper, which has recently become quite common: manufacturers provide a graphical manual, its electronic version for the Cisco Systems OL-5650-02, or instructional videos for users. The condition is that it be in a legible and understandable form.

What is an instruction manual?

The name comes from the Latin word "instructio", meaning to arrange. A Cisco Systems OL-5650-02 manual therefore contains a description of the steps to take. The purpose of a manual is to teach, to make it easier to switch on or use a device, or to carry out specific actions. An instruction manual is also a source of information about an object or a service; it is a guide.

Unfortunately, few users take the time to read Cisco Systems OL-5650-02 manuals; however, a good manual lets us not only discover a number of additional features of the purchased device, but also avoid most faults.

So what should the perfect instruction manual contain?

Above all, a Cisco Systems OL-5650-02 instruction manual should contain:
- information about the technical specifications of the Cisco Systems OL-5650-02 device
- the manufacturer's name and the year of manufacture of the Cisco Systems OL-5650-02 device
- conditions of use, configuration and maintenance of the Cisco Systems OL-5650-02 device
- safety marks and certificates confirming compliance with specific standards

Why don't we read instruction manuals?

Usually it is due to a lack of time and of confidence about the specific features of the purchased devices. Unfortunately, simply connecting and switching on the Cisco Systems OL-5650-02 is not enough. The instruction manual always contains a series of notes about specific features, safety rules, maintenance advice (including which products to use), possible faults of the Cisco Systems OL-5650-02 and ways to solve problems that may occur during its use. Finally, a manual contains the Cisco Systems technical support details in case the proposed solutions have not worked. Nowadays, instruction manuals in the form of interesting animations or video manuals are popular, reaching the user much better than a leaflet. This type of manual helps the user watch the whole video without skipping the complicated specifications and technical descriptions of the Cisco Systems OL-5650-02, as is usually done with a paper version.

Why is it worth reading instruction manuals?

Above all, it is in them that we find the answers about the construction and capabilities of the Cisco Systems OL-5650-02 device, the use of specific accessories, and a range of information that lets us take full advantage of its functions and conveniences.

After a successful purchase of equipment or a device, it is worth taking a moment to familiarize yourself with every part of the Cisco Systems OL-5650-02 manual. Nowadays they are prepared and translated with care, so that they are not only understandable for users but also fulfil their basic function of information and help.

Index of instruction manual pages

  • Page 1

    Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Cisco Content Services Switch Security Configuration Guide Software Version 7.50 March 2005 Text Part Number: OL-5650-02[...]

  • Page 2

    THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF[...]

  • Page 3

    iii Cisco Content Services Switch Security Configuration Guide OL-5650-02 CONTENTS Preface xi Audience xii How to Use This Guide xii Related Documentation xiii Symbols and Conventions xvi Obtaining Documentation xvii Cisco.com xvii Documentation DVD xviii Ordering Documentation xviii Documentation Feedback xviii Cisco Product Security Overview xix [...]

  • Page 4

    Contents iv Cisco Content Services Switch Security Configuration Guide OL-5650-02 Controlling Administrative Access to the CSS 1-10 Enabling Administrative Access to the CSS 1-10 Disabling Administrative Access to the CSS 1-11 Controlling CSS Network Traffic Through Access Control Lists 1-12 ACL Overview 1-13 ACL Configuration Quick Start 1-15 Cr[...]

  • Page 5

    v Cisco Content Services Switch Security Configuration Guide OL-5650-02 Contents Configuring SSHD in the CSS 2-3 Configuring SSHD Keepalive 2-3 Configuring SSHD Port 2-4 Configuring SSHD Server-Keybits 2-4 Configuring SSHD Version 2-5 Configuring Telnet Access When Using SSHD 2-6 Showing SSHD Configurations 2-6 CHAPTER 3 Configuring the CSS as a Cl[...]

  • Page 6

    Contents vi Cisco Content Services Switch Security Configuration Guide OL-5650-02 Setting the Global TACACS+ Keepalive Frequency 4-7 Defining a TACACS+ Server 4-8 Setting TACACS+ Authorization 4-11 Sending Full CSS Commands to the TACACS+ Server 4-12 Setting TACACS+ Accounting 4-13 Showing TACACS+ Server Configuration Information 4-14 CHAPTER 5 C[...]

  • Page 7

    vii Cisco Content Services Switch Security Configuration Guide OL-5650-02 FIGURES Figure 1-1 CSS Directory Access Privileges 1-5 Figure 1-2 ACLs Enabled on the CSS 1-14 Figure 5-1 Example of FWLB 5-9 Figure 5-2 FWLB with VIP/Interface Redundancy Configuration 5-11[...]

  • Page 8

    Figures viii Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]

  • Page 9

    ix Cisco Content Services Switch Security Configuration Guide OL-5650-02 TABLES Table 1-1 ACL Configuration Quick Start 1-16 Table 1-2 Clause Command Options 1-21 Table 1-3 Field Descriptions for the show acl Command Output 1-31 Table 1-4 Field Descriptions for the show nql Command Output 1-38 Table 2-1 Field Descriptions for the show sshd co[...]

  • Page 10

    Tables x Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]

  • Page 11

    xi Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface This guide provides instructions for configuring the security features of the Cisco 11500 Series Content Services Switches (CSS). Information in this guide applies to all CSS models except where noted. The CSS software is available in a Standard or optional Enh[...]

  • Page 12

    Preface Audience xii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Audience This guide is intended for the following trained and qualified service personnel who are responsible for configuring the CSS: • Webmaster • System administrator • System operator How to Use This Guide This guide is organized as foll[...]

  • Page 13

    xiii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Related Documentation Related Documentation In addition to this guide, the Content Services Switch documentation includes the following publications. Document Title Description Release Note for the Cisco 11500 Series Content Services Switch This release note pr[...]

  • Page 14

    Preface Related Documentation xiv Cisco Content Services Switch Security Configuration Guide OL-5650-02 Cisco Content Services Switch Administration Guide This guide describes how to perform administrative tasks on the CSS, including upgrading your CSS software and configuring the following: • Logging, including displaying log messages[...]

  • Page 15

    xv Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Related Documentation Cisco Content Services Switch Content Load-Balancing Configuration Guide This guide describes how to perform CSS content load-balancing configuration tasks, including: • Flow and port mapping • Services • Service, global, and script [...]

  • Page 16

    Preface Symbols and Conventions xvi Cisco Content Services Switch Security Configuration Guide OL-5650-02 Symbols and Conventions This guide uses the following symbols and conventions to identify different types of information. Caution A caution means that a specific action you take could cause a loss of data or adversely impact use of the [...]

  • Page 17

    xvii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Obtaining Documentation Courier text indicates text that appears on a command line, including the CLI prompt. Courier bold text indicates commands and text you enter in a command line. Italics text indicates the first occurrence of a new term, book title, emphasize[...]

  • Page 18

    Preface Documentation Feedback xviii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Documentation DVD Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printe[...]

  • Page 19

    xix Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Cisco Product Security Overview You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address: Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA[...]

  • Page 20

    Preface Obtaining Technical Assistance xx Cisco Content Services Switch Security Configuration Guide OL-5650-02 • Nonemergencies — psirt@cisco.com Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is com[...]

  • Page 21

    xxi Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Obtaining Technical Assistance Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.co[...]

  • Page 22

    Preface Obtaining Additional Publications and Information xxii Cisco Content Services Switch Security Configuration Guide OL-5650-02 For a complete list of Cisco TAC contacts, go to this URL: http://www.cisco.com/techsupport/contacts Definitions of Service Request Severity To ensure that all service requests are reported in a standard format[...]

  • Page 23

    xxiii Cisco Content Services Switch Security Configuration Guide OL-5650-02 Preface Obtaining Additional Publications and Information • Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology break[...]

  • Page 24

    Preface Obtaining Additional Publications and Information xxiv Cisco Content Services Switch Security Configuration Guide OL-5650-02[...]

  • Page 25

    CHAPTER 1-1 Cisco Content Services Switch Security Configuration Guide OL-5650-02 1 Controlling CSS Access This chapter describes how to configure access to the CSS including network traffic. Information in this chapter applies to all models of the CSS, except where noted. This chapter contains the following major sections: • Changing t[...]

  • Page 26

    Chapter 1 Controlling CSS Access Changing the Administrative Username and Password 1-2 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Changing the Administrative Username and Password During the initial login to the CSS you enter the default username admin and the default password system in lowercase text. For securit[...]

  • Page 27

    1-3 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Creating Usernames and Passwords Creating Usernames and Passwords Logging into the CSS requires a username and password. The CSS supports a maximum of 32 usernames, including the administrator and technician usernames. You can assign eac[...]

  • Page 28

    Chapter 1 Controlling CSS Access Creating Usernames and Passwords 1-4 Cisco Content Services Switch Security Configuration Guide OL-5650-02 • password - Specifies the password is not encrypted. Use this option when you use the CLI to dynamically create users. • password - The password. Enter an unquoted text string with no spaces and a len[...]

  • Page 29

    1-5 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Creating Usernames and Passwords • access - Specifies directory access privileges for the username. By default, users have both read- and write-access privileges (B) to all seven directories. Enter, in order, one of the following a[...]

  • Page 30

    Chapter 1 Controlling CSS Access Controlling Remote User Access to the CSS 1-6 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Controlling Remote User Access to the CSS To control access to the CSS, you can configure the CSS to authenticate remote (virtual) or console users. The CSS can authenticate users by using the lo[...]

  • Page 31

    1-7 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling Remote User Access to the CSS Configuring Virtual Authentication Virtual authentication allows remote users to log in to the CSS when they are using FTP, Telnet, SSHD, or the Device Management user interface with or without re[...]

  • Page 32

    Chapter 1 Controlling CSS Access Controlling Remote User Access to the CSS 1-8 Cisco Content Services Switch Security Configuration Guide OL-5650-02 To remove users currently logged in to the CSS, use the disconnect command. To define the TACACS+ server as the primary virtual authentication method, enter: #(config) virtual authentication p[...]

  • Page 33

    1-9 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling Remote User Access to the CSS • secondary - Defines the second authentication method that the CSS uses if the first method fails. The default secondary console authentication method is to disallow all user access. Note If y[...]

  • Page 34

    Chapter 1 Controlling CSS Access Controlling Administrative Access to the CSS 1-10 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Controlling Administrative Access to the CSS CSS access through a console, FTP, SSH, SNMP, and Telnet is enabled by default. The CSS supports a maximum of four FTP sessions and a maximum of [...]

  • Page 35

    1-11 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling Administrative Access to the CSS • no restrict xml - Enables the transfer of XML configuration files to the CSS through unsecure HTTP connections (disabled by default). • no restrict web-mgmt - Enables Device Management[...]

  • Page 36

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists 1-12 Cisco Content Services Switch Security Configuration Guide OL-5650-02 • restrict secure-xml - Disables the transfer of XML configuration files to the CSS through secure HTTPS SSL connections (disabled by default). • restrict xml - Disable[...]

  • Page 37

    1-13 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists • Logging ACL Activity • ACL Example ACL Overview ACLs configured on the CSS provide a basic level of security for accessing your network. Without ACLs on the CSS, al[...]

  • Page 38

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists 1-14 Cisco Content Services Switch Security Configuration Guide OL-5650-02 For example, Figure 1-2 shows three VLAN circuits on the CSS. Figure 1-2 ACLs Enabled on the CSS For VLAN1, if you want to allow any TCP traffic to the destination VIP addre[...]

  • Page 39

    1-15 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists Enabling ACLs globally affects all traffic on all CSS circuits whether they have ACLs or not. When you enable ACLs, all traffic on a circuit that is not configured in[...]

  • Page 40

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists 1-16 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Table 1-1 ACL Configuration Quick Start Task and Command Example 1. Enter global configuration mode. # config (config)# 2. Create an ACL and access ACL mode. Enter an ACL[...]

  • Page 41

    1-17 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists The following running-config example shows the result of entering the commands in Table 1-1. !**************************** ACL **************************** acl 7 clause[...]

  • Page 42

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists 1-18 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Note If a circuit does not have an ACL, the CSS applies an implicit “deny all” clause to this circuit causing the CSS to deny all traffic on it. To create an ACL and acces[...]

  • Page 43

    1-19 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists 4. Apply another ACL on the circuit. If you do not apply an ACL on the circuit, the CSS denies traffic on the circuit when you enable ACLs on the CSS. 5. Reenable all ACLs[...]

  • Page 44

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists 1-20 Cisco Content Services Switch Security Configuration Guide OL-5650-02 • clause number bypass - Creates a clause in the ACL to permit traffic on a circuit and bypasses (does not process) content rules that apply to the traffic. The syntax for c[...]

  • Page 45

    1-21 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists Table 1-2 provides variables and options for the clause command. Bolded syntax defines keywords that you enter on the command line. Italics define variables where yo[...]

  • Page 46

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists 1-22 Cisco Content Services Switch Security Configuration Guide OL-5650-02 source_port The source port for the traffic. If you do not designate a source port, this clause allows traffic from any port number. Enter one of the following: • eq port[...]

  • Page 47

    1-23 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists destination_port The destination port. Enter one of the following. You may use a port number or port name with the options. • eq port is equal to the port number. • lt [...]

  • Page 48

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists 1-24 Cisco Content Services Switch Security Configuration Guide OL-5650-02 sourcegroup name The source group as the destination for the traffic. Enter the group name. To see a list of source groups, enter: show group ? Note The clause number bypass [...]

  • Page 49

    1-25 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists After you create clauses for an ACL, you can apply the ACL to a circuit. For more information, see the “Applying an ACL to a Circuit or DNS Queries” section. Adding a C[...]

  • Page 50

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists 1-26 Cisco Content Services Switch Security Configuration Guide OL-5650-02 For example, you apply ACL 7 to VLAN1 and then globally enable ACLs on the CSS. At a later time, to add a new clause to ACL 7 and to have the clause take effect on the CSS, en[...]

  • Page 51

    1-27 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists Note When you remove an applied ACL from the circuit, the CSS applies an implicit “deny all” clause to this circuit causing the CSS to deny all traffic on it. If you want [...]

  • Page 52

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists 1-28 Cisco Content Services Switch Security Configuration Guide OL-5650-02 However, if you configure a CSS with the dns-server command, and the CSS receives a DNS query for a domain name that you configured on the CSS using the host command, the [...]

  • Page 53

    1-29 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists 2. In ACL mode, remove the ACL from the circuit. (config-acl[7])# remove circuit-(VLAN1) 3. Make any changes to the ACL. If you delete an ACL from the circuit, configure ano[...]

  • Page 54

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists 1-30 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Use the global configuration acl enable command to enable all ACLs on the CSS. To globally enable all ACLs, enter: (config)# acl enable Disabling ACLs on the CSS If you need to [...]

  • Page 55

    1-31 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists • DNS Hits - Packets that match an ACL clause for DNS flows when an ACL clause is applied to DNS queries. The display includes a DNS hit counter, which counts DNS look u[...]

  • Page 56

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists 1-32 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Setting the Show ACL Counters to Zero Use the zero counts command to reset the content and DNS hit counters in the show acl command screen to zero for a specific ACL. You must[...]

  • Page 57

    1-33 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists To enable logging on an existing ACL clause, use the log enable option for the clause command and enter: (config-acl[7])# clause 1 log enable If ACLs are globally enabled o[...]

  • Page 58

    Chapter 1 Controlling CSS Access Controlling CSS Network Traffic Through Access Control Lists 1-34 Cisco Content Services Switch Security Configuration Guide OL-5650-02 5. Reapply the ACL to the circuit. (config-acl[7])# apply circuit-(VLAN1) 6. In global configuration mode, reenable all ACLs on the CSS. (config)# acl enable To globally disab[...]

  • Page 59

    1-35 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Configuring Network Qualifier Lists for ACLs !**************************** ACL *************************** acl 1 clause 20 permit any 172.16.107.0 255.255.255.0 destination 172.16.107.15 clause 30 permit any 172.16.107.0 255.255.255.0 destina[...]

  • Page 60

    Chapter 1 Controlling CSS Access Configuring Network Qualifier Lists for ACLs 1-36 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Creating an NQL Enter the name of the new NQL you want to create or an existing NQL. Enter the name as an unquoted text string with no spaces and a maximum of 31 characters. You can create a m[...]

  • Page 61

    1-37 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 1 Controlling CSS Access Configuring Network Qualifier Lists for ACLs The variables and options are: • ip_address - The destination network address. Enter the IP address in dotted-decimal notation (for example, 192.168.0.0). • subnet_prefix | subnet_mask -[...]

  • Page 62

    Chapter 1 Controlling CSS Access Configuring Network Qualifier Lists for ACLs 1-38 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Adding an NQL to an ACL Clause To add an NQL to an ACL clause: 1. Create the ACL. For example, enter: (config)# acl 10 2. Define the clause, including the NQL as either a source or destinatio[...]

  • Page 63

    CHAPTER 2-1 Cisco Content Services Switch Security Configuration Guide OL-5650-02 2 Configuring the Secure Shell Daemon Protocol The Secure Shell Daemon (SSHD) protocol provides secure encrypted communications between two hosts communicating over an insecure network. The CSS supports an implementation of OpenSSH to provide this secure co[...]

  • Page 64

    Chapter 2 Configuring the Secure Shell Daemon Protocol Enabling SSH 2-2 Cisco Content Services Switch Security Configuration Guide OL-5650-02 This chapter contains the following major sections: • Enabling SSH • Configuring SSH Access • Configuring SSHD in the CSS • Configuring Telnet Access When Using SSHD • Showing SSHD Configurat[...]

  • Page 65

    2-3 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 2 Configuring the Secure Shell Daemon Protocol Configuring SSH Access Configuring SSH Access SSH access to the CSS is enabled by default through the no restrict ssh command. You can verify the SSH access selection in the running-config file. To enhance security w[...]

  • Page 66

    Chapter 2 Configuring the Secure Shell Daemon Protocol Configuring SSHD in the CSS 2-4 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Use the sshd keepalive command to enable SSHD keepalive. SSHD keepalive is enabled by default. To enable sending SSHD keepalives to the client, enter: (config)# sshd keepalive To disable [...]

  • Page 67

    2-5 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 2 Configuring the Secure Shell Daemon Protocol Configuring SSHD in the CSS Note The valid range for this command is 512 to 1024. However, to maintain backward compatibility with version 5.00, the CSS allows you to enter a value from 512 to 32768. If you enter a [...]

  • Page 68

    Chapter 2 Configuring the Secure Shell Daemon Protocol Configuring Telnet Access When Using SSHD 2-6 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Configuring Telnet Access When Using SSHD By default, Telnet access to the CSS is enabled. When you use SSHD, you can disable nonsecure Telnet access to the CSS. To enhance [...]

  • Page 69

    2-7 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 2 Configuring the Secure Shell Daemon Protocol Showing SSHD Configurations To display the SSHD sessions, enter: # show sshd sessions Listen Socket Count The number of sockets that SSHD is currently listening on (not currently configurable, default is 1). Listen[...]

  • Page 70

    Chapter 2 Configuring the Secure Shell Daemon Protocol Showing SSHD Configurations 2-8 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Table 2-2 describes the fields in the show sshd sessions command output. To display the SSHD version, enter: # show sshd version SSHield version 1.5, SSH version OpenSSH_3.0.2p1 Table [...]

  • Página 71

    CH A P T E R 3-1 Cisco Content Services Switch Security Configuration Guide OL-5650-02 3 Configuring the CSS as a Client of a RADIUS Server The Remote Authentication Dial-In User Servi ce (RADIUS) protocol is a distribu ted client/server pr otocol that protects networks ag ainst unauthorized access. RADIUS uses the User Data gram Protocol (UDP) to [...]

  • Página 72

    Chapter 3 Configuring the CSS as a Client of a RADIUS Server 3-2 Cisco Content Services Switch Security Configuration Guide OL-5650-02 In a conf iguration where b oth a primary RA DIUS serv er and a seco ndary RADIUS server are specified, and one or both of the RADIUS servers become unreachable, the CSS automatically tran smits a k eepalive authent[...]

  • Página 73

    3-3 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 3 Configuring the CSS as a Client of a RADIUS Server RADIUS Configuration Quick Start RADIUS Configuration Quick Start Ta b l e 3 - 1 provides a quic k overvie w of the steps required to c onfigure the RADIUS feature on a CSS. Each ste p includes the CLI command requi[...]

  • Página 74

    Chapter 3 Configuring the CSS as a Client of a RADIUS Server Configuring a RADIUS Serv er for Use with the CSS 3-4 Cisco Content Services Switch Security Configuration Guide OL-5650-02 The follo wing running-configurat ion example sh ows the resul ts of entering the commands in Ta b l e 3 - 1 . !*************************** GLOBAL ******************[...]

  • Página 75

    3-5 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 3 Configuring the CSS as a Client of a RADIUS Server Configuring a RADIUS Server for Use with the CSS Configuring Authentication Settings T o configure the authentication settings on Cisco Secure A CS, go to the Network Config uration section of the Cisco Secure A CS [...]

  • Página 76

    Chapter 3 Configuring the CSS as a Client of a RADIUS Server Specifying a Primary RADIUS Server 3-6 Cisco Content Services Switch Security Configuration Guide OL-5650-02 T o add a user to a group, go to the User Setup sectio n of the Cisco Secure A CS HTML interface: • On the User Set up Select page, specify a username. • On the User Set up Edi[...]

  • Página 77

    3-7 Cisco Content Services Switch Security Configuration Guide OL-5650-02 Chapter 3 Configuring the CSS as a Client of a RADIUS Server Specifying a Secondary RADIUS Server T o remove a primary RADIUS server , enter: (config)# no radius-server primary Specifying a Secondary RADIUS Server The CSS directs authentication requests to the secondary RADIU[...]

• Page 78

3-8 Configuring the RADIUS Server Timeouts. By default, the CSS waits 10 seconds for the RADIUS server (primary or secondary) to reply to an authentication request before retra[...]

• Page 79

3-9 To reset the RADIUS server retransmit request to the default of 3 retransmissions, enter:
(config)# no radius-server retransmit
Configuring the RADIUS Server Dead-Time[...]
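The timeout, retransmit and dead-time settings described on these pages combine into the time an operator's login can hang when a RADIUS server is silent, which the truncated text does not spell out. The following Python model is an added example and not code from the manual or from Cisco. It takes the page's defaults (10 second timeout, 3 retransmissions) and assumes that the CSS tries the primary server before the secondary, sends the initial request plus `retransmit` retries to each, and skips a server that never answered for `dead-time` minutes; the 5 minute dead-time default, the immediate answer from a live server, and the `RadiusServer` / `CssRadiusClient` names are assumptions for the demonstration, not facts from the page.

```python
"""Added example, not Cisco code: how the CSS radius-server timeout,
retransmit and dead-time settings combine into login latency.

Assumptions (the page states the 10 s timeout and 3 retransmit defaults;
the rest is assumed and should be checked against `show radius` output):
  * the CSS tries the primary server first, then the secondary;
  * each server gets the initial send plus `retransmit` retries, each
    waited for `timeout` seconds;
  * a server that never answered is marked dead for `dead_time` minutes
    and is skipped by later requests until that period expires;
  * a reachable server answers immediately (its real RTT is ignored).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    reachable: bool
    dead_until: float = 0.0   # simulated clock (seconds) until which it is skipped


@dataclass
class CssRadiusClient:
    timeout: int = 10          # radius-server timeout, seconds (page default)
    retransmit: int = 3        # radius-server retransmit (page default)
    dead_time: int = 5         # radius-server dead-time, minutes (assumed default)
    servers: List[RadiusServer] = field(default_factory=list)
    clock: float = 0.0         # simulated wall clock, seconds

    def authenticate(self) -> Tuple[str, float, Optional[str]]:
        """One login attempt: (outcome, seconds the user waited, server that answered)."""
        start = self.clock
        for srv in self.servers:
            if srv.dead_until > self.clock:
                continue                      # inside dead-time: skipped without waiting
            if srv.reachable:
                return "accept", self.clock - start, srv.name
            # initial send plus retransmits, each one timing out
            self.clock += (1 + self.retransmit) * self.timeout
            srv.dead_until = self.clock + self.dead_time * 60
        return "no-response", self.clock - start, None

    def advance(self, seconds: float) -> None:
        """Move the simulated clock forward (lets dead-time expire)."""
        self.clock += seconds


def worst_case_seconds(timeout: int, retransmit: int, n_servers: int = 2) -> int:
    """Longest a login can hang when every configured server is silent."""
    return n_servers * (1 + retransmit) * timeout


if __name__ == "__main__":
    css = CssRadiusClient(servers=[RadiusServer("primary", False),
                                   RadiusServer("secondary", True)])
    print(css.authenticate())   # primary times out, secondary answers after 40 s
    print(css.authenticate())   # primary in dead-time: secondary answers at once
    print(worst_case_seconds(10, 3), worst_case_seconds(3, 1))   # 80 vs 12
```

With the defaults a login waits 40 seconds when only the primary is down and 80 seconds when both are, and a second login inside the dead-time window is served (or fails) immediately. Lowering timeout and retransmit bounds that delay at the cost of declaring a slow server dead sooner; compare the model against the counters in show radius statistics primary and show radius statistics secondary on the real device.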

• Page 80

3-10 Showing RADIUS Server Configuration Information. To view the authentication statistics for a RADIUS secondary server, enter:
(config)# show radius statistics secondary
Table 3-2 describes the fields in th[...]

• Page 81

3-11 Table 3-3 describes the fields in the show radius statistics output.
Table 3-3 Field Descriptions for the show radius statistics Command
Field | Description
S[...]


• Page 83

CHAPTER 4, 4-1: Configuring the CSS as a Client of a TACACS+ Server. The Terminal Access Controller Access Control System (TACACS+) protocol provides access control for routers, network access servers (NAS), or other devices through one or more daemon servers. TACACS[...]

• Page 84

4-2 TACACS+ Configuration Quick Start. Table 4-1 provides a quick overview of the steps required to configure the TACACS+ feature on a CSS. Each step includes the CLI comman[...]

• Page 85

4-3 Configuring TACACS+ Server User Accounts for Use with the CSS. The following running-configuration example shows the results of entering the commands in Table 4-1.
!************************** GLOBAL *****[...]

• Page 86

4-4 • Key - Enter the shared secret that the CSS and Cisco Secure ACS use to authenticate transactions. For correct operation, you must specify the[...]

• Page 87

4-5 4. Proceed next to Unmatched Commands, and either permit or deny execution of the privilege command:
• For a user that has SuperUser privileges on the CSS, click Permit. A[...]

• Page 88

4-6 Configuring Global TACACS+ Attributes. Note: The timeout, encryption key, or keepalive frequency that you define when you configure a TACACS+ server overrides the global attribute (see the “Defining a TA[...]

• Page 89

4-7 Defining a Global Encryption Key. The CSS allows you to define a global encryption key for communications with all configured TACACS+ servers. To encrypt TACACS+ packe[...]

• Page 90

4-8 Defining a TACACS+ Server. When it sends a keepalive to the TACACS+ server, the CSS attempts to use a persistent connection with the server. If the server is not configured for persistence, the CSS opens a n[...]

• Page 91

4-9 Note: For general guidelines on the recommended setup of a TACACS+ server (the Cisco Secure Access Control Server in this example), see the “TACACS+ Configuration Quick Start”[...]

• Page 92

4-10 Defining this option overrides the tacacs-server key command. For more information on defining a global encryption key, see the “Defining a Global Encryption Key” section.
• [...]
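The global key from the “Defining a Global Encryption Key” section, or the per-server key that overrides it as stated above, is the value the CSS feeds into the TACACS+ body protection, and it helps to see what that protection actually is. The following Python is an added example, not Cisco code and not quoted from the manual: effective_key applies the precedence the page states (a key on the server definition wins over tacacs-server key), and obfuscate implements the body pseudo-pad defined in RFC 8907 section 4.5 (an MD5 keystream XORed with the packet body), which is what “encrypt” means for TACACS+. The session id, keys and the authentication START body are constructed for the demonstration.

```python
"""Added example, not Cisco code: what the TACACS+ shared key does on the
wire, and which key applies to a given server.

effective_key follows the precedence stated in the manual: a key set on the
tacacs-server definition overrides the global tacacs-server key.  obfuscate
implements the body pseudo-pad of RFC 8907 section 4.5 (MD5 keystream XORed
with the packet body).  All session ids, keys and bodies below are
constructed test values.
"""
import hashlib
import struct
from typing import Optional

TAC_PLUS_MAJOR_VER = 0xC           # header version byte = major << 4 | minor
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag a client sets when it has no key


def effective_key(global_key: Optional[str], server_key: Optional[str]) -> Optional[str]:
    """Per-server key wins; None means bodies would have to go in the clear."""
    return server_key if server_key is not None else global_key


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
              version: int = TAC_PLUS_MAJOR_VER << 4) -> bytes:
    """XOR the body with the pseudo-pad; the same call with the same inputs decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes = b"console", rem_addr: bytes = b"",
                       data: bytes = b"") -> bytes:
    """Authentication START body (RFC 8907 5.1): action=LOGIN(1), priv_lvl=1,
    authen_type=ASCII(1), service=LOGIN(1), then four length-prefixed strings."""
    header = struct.pack("!BBBBBBBB", 0x01, 1, 0x01, 0x01,
                         len(user), len(port), len(rem_addr), len(data))
    return header + user + port + rem_addr + data


def demo():
    """Encode a constructed START body with the effective key, then show that a
    capture decoded with the wrong key yields nothing useful."""
    key = effective_key("global-secret", None)
    body = build_authen_start(b"admin", rem_addr=b"192.0.2.10")
    wire = obfuscate(body, session_id=0x1234ABCD, key=key.encode())
    wrong = obfuscate(wire, session_id=0x1234ABCD, key=b"not-the-key")
    return body, wire, wrong
```

RFC 8907 itself calls this obfuscation rather than encryption: it keeps usernames and passwords out of a casual capture, but it carries no integrity check and anyone holding the shared key decodes every session. Treat the key like a password, never run with the unencrypted flag, and keep the CSS-to-ACS path on a management network or behind an ACL.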

• Page 93

4-11 Setting TACACS+ Authorization. TACACS+ authorization allows the TACACS+ server to control specific CSS commands that the user can execute. CSS authorization divides the comman[...]

• Page 94

4-12 Sending Full CSS Commands to the TACACS+ Server. In releases prior to 7.30.1.05, if you transitioned from one CLI mode to another (for example, from config mode to service mode), and a service already existe[...]

• Page 95

4-13 To reenable the CSS to send the full command syntax, use the tacacs-server send-full-command command. For example:
(config)# tacacs-server send-full-command
Setting TACACS+ Accounti[...]

• Page 96

4-14 Showing TACACS+ Server Configuration Information. Use the show tacacs-server command to display the TACACS+ server configuration information. To view this inf[...]

• Page 97

4-15 Authorize Config Commands: Indicates whether configuration commands receive authorization. Authorize Non-Config: Indicates whether nonconfiguration commands recei[...]


• Page 99

CHAPTER 5, 5-1: Configuring Firewall Load Balancing. This chapter describes how to configure the CSS Firewall Load Balancing (FWLB) feature. Information in this chapter applies to all CSS models, except where noted. This chapter contains the following major sections:[...]

• Page 100

5-2 Overview of FWLB. FWLB enables you to configure a maximum of 15 firewalls per CSS. Configuring multiple firewalls can overcome performance limitations and remove the single point of failure when all traff[...]

• Page 101

5-3 Configuring FWLB: Firewall Synchronization. Firewall solutions providing Stateful Inspection, such as Check Point™ FireWall-1®, create and maintain virtual state for all connections through their devices, even for st[...]

• Page 102

5-4 You must define firewall parameters for each path through the firewalls on both local and remote CSSs. Use the ip firewall command to define firewall parameters. The syntax for this global configura[...]

• Page 103

5-5 Use the ip firewall timeout number command to specify the number of seconds the CSS will wait to receive a keepalive message from the remote CSS before declaring the firewall unreachable. The timeout rang[...]

• Page 104

5-6 • index - An existing index number for the firewall route. For information on configuring a firewall index, see the ip firewall command.
• distance - The optional administrative distance. Enter a[...]

• Page 105

5-7 To stop advertising firewall routes, enter:
(config)# no ospf redistribute firewall
Configuring RIP to Advertise Firewall Routes. To advertise firewall routes from other protocols through RIP, use the [...]

• Page 106

5-8 To configure CSS-A (the client side of the network configuration) as shown in Figure 5-1:
1. Use the ip firewall command to define firewall 1. For example:
(config)# ip firewall 1 192.168.28.1 192.168.2[...]

• Page 107

5-9 Figure 5-1 illustrates the configuration defined in the firewall commands.
Figure 5-1 Example of FWLB (diagram labels: CSS-B, CSS-A, Server1, Client, Firewall 2, Firewall 1, Client, Server2, Server3, Internet, Router, Client 192[...])

• Page 108

5-10 Configuring FWLB with VIP and Virtual Interface Redundancy. Configure FWLB with VIP and virtual interface redundancy to provide the following benefits:
• Very fas[...]

• Page 109

5-11 In Figure 5-2, odd-numbered firewalls are connected to the Layer 2 switches servicing the CSS-OUT-L and CSS-IN-L CSSs. Even-numbered firewalls are connected t[...]

• Page 110

5-12 If the firewall supports it, you can use multinetting by configuring multiple addresses on the firewall. If the firewall does not support multiple addresses[...]

• Page 111

5-13 Example of Firewall and Route Configurations. The following ip firewall and ip route example configurations are valid for Figure 5-2 with four active firewall[...]

• Page 112

5-14 CSS-IN-L Configuration
ip firewall 1 10.3.200.1 10.2.200.1 10.2.1.254
ip firewall 2 10.3.200.2 10.2.200.2 10.2.1.254
ip firewall 3 10.3.200.3 10.2.200.3 10.2.1.254
ip [...]
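Because each path must be defined on both the local and the remote CSS, and each CSS may carry at most 15 firewalls, a mismatch between the two sides is the usual way an FWLB deployment ends up with a path that is configured on one CSS and silently absent on the other. The Python below is an added example, not code from the manual: it parses ip firewall and ip route ... firewall lines from both CSSs and cross-checks them. It assumes the argument order seen in the CSS-IN-L lines above (index, local firewall address, remote firewall address, remote CSS address) and that the peer CSS defines the same index with the two firewall addresses swapped; the CSS-OUT-L configuration, the fourth CSS-IN-L firewall line and all route lines are constructed to mirror the page, not quoted from it.

```python
"""Added example, not Cisco code: cross-check the ip firewall / ip route
definitions of a pair of FWLB CSSs.

Assumed argument order (matches the CSS-IN-L lines quoted on the page):
  ip firewall <index> <local_fw_addr> <remote_fw_addr> <remote_css_addr>
  ip route <prefix> <mask> firewall <index> [<distance>]
The peer is expected to define the same index with local/remote swapped.
The CSS-OUT-L text, the fourth CSS-IN-L firewall line and the routes are
constructed sample data, not from the manual.
"""
import re
from typing import Dict, List, Tuple

MAX_FIREWALLS = 15   # page: a maximum of 15 firewalls per CSS

FW_RE = re.compile(r"^\s*ip firewall (\d+) (\S+) (\S+) (\S+)\s*$")
ROUTE_RE = re.compile(r"^\s*ip route (\S+) (\S+) firewall (\d+)(?: (\d+))?\s*$")

Firewalls = Dict[int, Tuple[str, str, str]]      # index -> (local, remote, remote_css)
Routes = List[Tuple[str, str, int]]              # (prefix, mask, firewall index)


def parse(config: str) -> Tuple[Firewalls, Routes]:
    """Pick the FWLB-relevant lines out of a running-config fragment."""
    firewalls: Firewalls = {}
    routes: Routes = []
    for line in config.splitlines():
        m = FW_RE.match(line)
        if m:
            firewalls[int(m.group(1))] = (m.group(2), m.group(3), m.group(4))
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m.group(1), m.group(2), int(m.group(3))))
    return firewalls, routes


def check_pair(local_cfg: str, peer_cfg: str) -> List[str]:
    """Return a list of problems; an empty list means both sides agree."""
    problems: List[str] = []
    lfw, lroutes = parse(local_cfg)
    pfw, _ = parse(peer_cfg)
    if len(lfw) > MAX_FIREWALLS:
        problems.append(f"{len(lfw)} firewalls defined, limit is {MAX_FIREWALLS}")
    for idx, (loc, rem, _css) in lfw.items():
        peer = pfw.get(idx)
        if peer is None:
            problems.append(f"firewall {idx} missing on peer CSS")
        elif (peer[0], peer[1]) != (rem, loc):      # peer's local must be our remote
            problems.append(
                f"firewall {idx}: peer has {peer[0]}/{peer[1]}, expected {rem}/{loc}")
    for idx in sorted(pfw.keys() - lfw.keys()):
        problems.append(f"firewall {idx} defined only on peer CSS")
    for prefix, mask, idx in lroutes:
        if idx not in lfw:                            # page: index must already exist
            problems.append(f"route {prefix}/{mask} uses undefined firewall index {idx}")
    return problems


# Constructed sample: first three CSS-IN-L lines follow the page, the rest is made up.
CSS_IN_L = """
ip firewall 1 10.3.200.1 10.2.200.1 10.2.1.254
ip firewall 2 10.3.200.2 10.2.200.2 10.2.1.254
ip firewall 3 10.3.200.3 10.2.200.3 10.2.1.254
ip firewall 4 10.3.200.4 10.2.200.4 10.2.1.254
ip route 0.0.0.0 0.0.0.0 firewall 1
ip route 0.0.0.0 0.0.0.0 firewall 2
ip route 0.0.0.0 0.0.0.0 firewall 3
ip route 0.0.0.0 0.0.0.0 firewall 4
"""

CSS_OUT_L = """
ip firewall 1 10.2.200.1 10.3.200.1 10.3.1.254
ip firewall 2 10.2.200.2 10.3.200.2 10.3.1.254
ip firewall 3 10.2.200.3 10.3.200.3 10.3.1.254
ip firewall 4 10.2.200.4 10.3.200.4 10.3.1.254
ip route 10.3.0.0 255.255.0.0 firewall 1
ip route 10.3.0.0 255.255.0.0 firewall 2
ip route 10.3.0.0 255.255.0.0 firewall 3
ip route 10.3.0.0 255.255.0.0 firewall 4
"""

# Two deliberately broken variants: a typo in one address, and a route to a
# firewall index that was never defined.
CSS_OUT_L_TYPO = CSS_OUT_L.replace("ip firewall 3 10.2.200.3 10.3.200.3",
                                   "ip firewall 3 10.2.200.3 10.3.200.33")
CSS_IN_L_BAD_ROUTE = CSS_IN_L + "ip route 0.0.0.0 0.0.0.0 firewall 5\n"

if __name__ == "__main__":
    print(check_pair(CSS_IN_L, CSS_OUT_L))           # []
    print(check_pair(CSS_IN_L, CSS_OUT_L_TYPO))      # firewall 3 mismatch
    print(check_pair(CSS_IN_L_BAD_ROUTE, CSS_OUT_L)) # undefined index 5
```

Run it in both directions (local against peer and peer against local) so that an index present on only one side is reported either way; the output of show ip firewall on each CSS is the place to confirm that every path the check accepts is actually in the active state.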

• Page 113

5-15 Displaying Firewall Flow Summaries. Use the show flows command to display the flow summary for a source IP address, or for a specific source address and its destination IP address on a S[...]

• Page 114

5-16 Table 5-1 describes the fields in the show flows output.
Displaying Firewall IP Routes. Use the show ip routes firewall command to display all static firewall routes. For example:
([...]

• Page 115

5-17 Displaying Firewall IP Information. Use the show ip firewall command to display the configured values of the IP firewall keepalive timeout and the state of each firewall path configur[...]


• Page 117

IN-1 INDEX
A
Access Control Lists. See ACLs
ACLs: adding an NQL to a clause 1-38; applying to a circuit 1-27; clause number 1-19; configuration example 1-34; configuring 1-15; configuring clauses 1-19; creating 1-17; definition 1-13; deleting 1-18; disabling globally 1-30; disabling loggin[...]

• Page 118

IN-2 configuration example: ACL 1-34; firewall load balancing 5-7.
configuration quick start: ACL 1-15.
configuring: ACL 1-12; CSS as RADIUS client 3-1; CSS as TACACS+ client 4-8; source group in an ACL 1-24; static proximity in ACL clause 1-25; user name and password 1-3.
console [...]

• Page 119

IN-3 FTP: enabling access 1-10; restricting access to the CSS 1-11.
I
IP route: firewall load balancing, displaying 5-16, 5-17; static, for firewall load balancing 5-5.
K
keepalive: ACL example 1-34.
L
license key: Enhanced feature set 2-2; Proximity Database 2-2.
license key, Sec[...]

• Page 120

IN-4 R
RADIUS: Cisco Secure Access Control Server (ACS) 3-4; console authentication 1-8; CSS as RADIUS client, configuring 3-1; displaying configuration information 3-9; overview 3-1; primary RADIUS server 3-6; RADIUS server host parameters 3-1; running-config example 3-4; secon[...]

• Page 121

IN-5 T
TACACS+: accounting, setting 4-13; authentication, setting 4-11; Cisco Secure Access Control Server (ACS) 4-3; console authentication 1-8; CSS as client, configuring 4-8; displaying configuration information 4-14; global encryption key 4-7; global keepalive frequency 4-7[...]
