Network Security 2
Module 8 – PIX Security Appliance Contexts, Failover, and Management
Lesson 8.4 PIX Security Appliance Management
Managing System Access
Configuring Telnet Access to the Security Appliance Console

ciscoasa(config)# telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}
• Enables you to specify which hosts can access the security appliance console with Telnet and set the maximum time a console Telnet session can be idle before being logged off by the security appliance
ciscoasa(config)# passwd password [encrypted]
• Sets the password for Telnet access to the security appliance

asa1(config)# telnet 10.0.0.11 255.255.255.255 inside
asa1(config)# telnet timeout 15
asa1(config)# passwd telnetpass
Viewing and Disabling Telnet

ciscoasa# show running-config telnet [timeout]
• Displays IP addresses permitted to access the security appliance via Telnet
ciscoasa(config)# clear configure telnet
• Removes the Telnet connection and the idle timeout from the configuration
ciscoasa# who [local_ip]
• Enables you to view which IP addresses are currently accessing the security appliance console via Telnet
ciscoasa# kill telnet_id
• Terminates a Telnet session
SSH Connections to the Security Appliance

SSH connections to the security appliance:
• Provide secure remote access
• Provide strong authentication and encryption
• Require RSA key pairs for the security appliance
• Require 3DES/AES or DES activation keys
• Allow up to five SSH clients to simultaneously access the security appliance console
• Use the Telnet password for local authentication
Configuring SSH Access to the Security Appliance Console

ciscoasa(config)# crypto key zeroize {rsa | dsa} [label key-pair-label] [default] [noconfirm]
• Removes any previously generated RSA keys
ciscoasa(config)# write memory
• Saves the CA state
ciscoasa(config)# domain-name name
• Configures the domain name
ciscoasa(config)# crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]
• Generates an RSA key pair
ciscoasa(config)# ssh {ip_address mask | ipv6_address/prefix} interface
• Specifies the host or network authorized to initiate an SSH connection
ciscoasa(config)# ssh timeout number
• Specifies how long a session can be idle before being disconnected
Connecting to the Security Appliance with an SSH Client

SSH client at 172.26.26.50 logs in with username pix and the Telnet password (telnetpassword).

asa1(config)# crypto key zeroize rsa
asa1(config)# write memory
asa1(config)# domain-name cisco.com
asa1(config)# crypto key generate rsa modulus 1024
asa1(config)# write memory
asa1(config)# ssh 172.26.26.50 255.255.255.255 outside
asa1(config)# ssh timeout 30
Viewing, Disabling, and Debugging SSH

ciscoasa# show ssh sessions [ip_address]
• Enables you to view the status of your SSH sessions
ciscoasa# ssh disconnect session_id
• Disconnects an SSH session
ciscoasa(config)# clear configure ssh
• Removes all SSH command statements from the configuration
ciscoasa(config)# debug ssh
• Enables SSH debugging
Command Authorization Overview

• The purpose of command authorization is to securely and efficiently administer the security appliance. You can configure the following types of command authorization:
  • Command authorization with password-protected privilege levels
  • Command authorization with username and password authentication
Command Authorization with Password-Protected Privilege Levels

• The following tasks are required to configure command authorization with password-protected privilege levels:
  • Use the enable command to create privilege levels and assign passwords to them.
  • Use the privilege command to assign specific commands to privilege levels.
  • Use the aaa authorization command to enable the command authorization feature.
• Users must complete the following steps to use command authorization with password-protected privilege levels:
  • Use the enable command with the level option to access the desired privilege level.
  • Provide the password for the privilege level when prompted.
  • The user can then execute any command assigned to that privilege level or to a lower privilege level.
Configuring Command Authorization with Password-Protected Privilege Levels

ciscoasa(config)# enable password password [level level] [encrypted]
• Creates and password-protects privilege levels by configuring enable passwords for the various privilege levels
ciscoasa> enable [level]
• Provides access to a particular privilege level from the > prompt

asa1(config)# enable password Passw0rD level 10

asa1> enable 10
Password: Passw0rD
asa1#
Configuring Command Authorization with Password-Protected Privilege Levels (Cont.)

ciscoasa(config)# privilege [show | clear | configure] level level [mode command_mode] command command
• Configures user-defined privilege levels for security appliance commands
ciscoasa(config)# aaa authorization command {LOCAL | server-tag [LOCAL]}
• Enables command authorization

asa1(config)# enable password Passw0rD level 10
asa1(config)# privilege show level 8 command access-list
asa1(config)# privilege configure level 10 command access-list
asa1(config)# aaa authorization command LOCAL

User session after this configuration:
ciscoasa> enable 10
Password: Passw0rD
ciscoasa# config t
ciscoasa(config)# access-list . . .
Command Authorization with Username and Password Authentication

• The following tasks are required to configure command authorization with username and password authentication:
  • Use the privilege command to assign specific commands to privilege levels.
  • Use the username command to create user accounts in the local user database and assign privilege levels to the accounts.
  • Use the aaa authorization command to enable command authorization.
  • Use the aaa authentication command to enable authentication using the local database.
Command Authorization with Username and Password Authentication (Cont.)

• Users must complete one of the following tasks to use command authorization with username and password authentication:
  • Enter the login command at the > prompt and log in with a username and password.
  • Enter the enable command at the > prompt and log in with a username and password.
• The user can then execute any command assigned to the same privilege level as the user account or to a lower privilege level.
Configuring Command Authorization with Username and Password Authentication

Local database:
  admin  passw0rd   15
  kenny  chickadee  10

ciscoasa(config)# username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]
• Creates a user account in the local database
• Can be used to configure a privilege level for the user account

asa1(config)# username admin password passw0rd privilege 15
asa1(config)# username kenny password chickadee privilege 10
Configuring Command Authorization with Username and Password Authentication (Cont.)

ciscoasa(config)# aaa authentication {serial | enable | telnet | ssh | http} console {server-tag [LOCAL] | LOCAL}
• Enables you to configure authentication with the local database

asa1(config)# privilege configure level 10 command access-list
asa1(config)# username kenny password chickadee privilege 10
asa1(config)# aaa authorization command LOCAL
asa1(config)# aaa authentication enable console LOCAL
• Configures command authorization with username and password authentication using the local database

User session after this configuration:
ciscoasa> login
Username: kenny
Password: chickadee
ciscoasa# config t
ciscoasa(config)# access-list . . .
Viewing Your Command Authorization Configuration

ciscoasa# show running-config [all] privilege [all | command command | level level]
• Displays the privilege levels assigned to a command or set of commands
ciscoasa# show curpriv
• Displays the user account that is currently logged in
Lockout

You can lock yourself out of the security appliance by:
• Configuring authentication using the local database without configuring any user accounts in the local database
• Configuring command authorization using a TACACS+ server if the TACACS+ server is unavailable, down, or misconfigured
Do not save your command authorization configuration until you are sure it works as intended.
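A defender-side check, added here as an example and not part of the course material: a small Python audit that reads a saved running-config and flags the management-access conditions this lesson warns about (Telnet open to any host, SSH without an idle timeout, command authorization against a server with no LOCAL fallback, LOCAL authentication with an empty local database, and password recovery disabled). Both configuration texts are constructed; the patterns follow the command syntax shown on these slides.

```python
import re

# Constructed sample configs (not from a real device): the first shows the
# weak settings this lesson warns about, the second the corrected form.
WEAK_CONFIG = """\
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 172.26.26.50 255.255.255.255 outside
aaa authorization command LOCAL
aaa authentication enable console LOCAL
no service password-recovery
"""

HARDENED_CONFIG = """\
telnet 10.0.0.11 255.255.255.255 inside
telnet timeout 15
ssh 172.26.26.50 255.255.255.255 outside
ssh timeout 30
username admin password passw0rd privilege 15
aaa authorization command TACACS+ LOCAL
aaa authentication enable console LOCAL
"""

def audit_config(config: str) -> list[str]:
    """Return one finding per risky management setting; [] when none is found."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for ln in lines:
        # telnet <address> <mask> <interface>: 0.0.0.0 0.0.0.0 admits any host
        m = re.match(r"telnet (\S+) (\S+) (\S+)$", ln)
        if m and m.group(1) == m.group(2) == "0.0.0.0":
            findings.append(f"telnet permitted from any host on {m.group(3)}")
        # aaa authorization command <server-tag> without the LOCAL fallback
        m = re.match(r"aaa authorization command (\S+)( LOCAL)?$", ln)
        if m and m.group(1) != "LOCAL" and not m.group(2):
            findings.append(f"command authorization via {m.group(1)} has no LOCAL fallback")
    # ssh <address> <mask> <interface> present but no ssh timeout configured
    if any(re.match(r"ssh \S+ \S+ \S+$", ln) for ln in lines) and \
            not any(ln.startswith("ssh timeout ") for ln in lines):
        findings.append("ssh access configured without an idle timeout")
    # Lockout condition: authentication against LOCAL with an empty local database
    local_auth = any(re.match(r"aaa authentication \S+ console .*LOCAL$", ln) for ln in lines)
    if local_auth and not any(ln.startswith("username ") for ln in lines):
        findings.append("LOCAL authentication configured with no username accounts")
    if "no service password-recovery" in lines:
        findings.append("password recovery disabled; lost passwords require erasing flash")
    return findings
```

Run the audit against a configuration exported with show running-config before saving it with write memory, so that the lockout conditions are caught while the console session is still open.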
Password Recovery for the Cisco ASA Security Appliance

ciscoasa(config)# service password-recovery
• Enables password recovery
• On by default

asa1(config)# no service password-recovery
WARNING: Executing "no service password-recovery" has disabled the password recovery mechanism and disabled access to ROMMON. The only means of recovering from lost or forgotten passwords will be for ROMMON to erase all file systems including configuration files and images. You should make a backup of your configuration and have a mechanism to restore images from the ROMMON command line.
Password Recovery for the Cisco PIX Security Appliance

• Download the following file from Cisco.com: npXX.bin, where XX is the Cisco PIX security appliance image version number.
• Reboot the system and break the boot process when prompted to go into monitor mode.
• Set the interface, IP address, gateway, server, and file to access the previously downloaded image via TFTP.
• Follow the directions displayed.
Viewing Directory Contents

ciscoasa# dir [/all] [/recursive] [all-filesystems | [disk0: | disk1: | flash: | system:] path]
• Displays the directory contents

asa1# dir
Directory of disk0:/
4346  -rw-  8202240  15:01:10 Oct 19 2006  asa721-k8.bin
6349  -rw-  5539756  15:30:39 Oct 19 2006  asdm521.bin
7705  -rw-  3334     07:03:57 Oct 22 2006  old_running.cfg
62947328 bytes total (29495296 bytes free)

• You can use the pwd command to display the current working directory.
Viewing File Contents

ciscoasa# more [/ascii | /binary | /ebcdic | disk0: | disk1: | flash: | ftp: | http: | https: | system: | tftp:] filename
• Displays the contents of a file

asa1# more ctx1.cfg
: Saved
: Written by enable_15 at 14:12:08.092 UTC Sat Oct 7 2006
!
ASA Version 7.2(1) <context>
!
hostname CTX1
enable password 8Ry2YjIyt7RRXU24 encrypted
. . .
Directory Management

ciscoasa# mkdir [/noconfirm] [disk0: | disk1: | flash:]path
• Creates a new directory
ciscoasa# rmdir [/noconfirm] [disk0: | disk1: | flash:]path
• Removes a directory
ciscoasa# cd [disk0: | disk1: | flash:][path]
• Changes the current working directory to the one specified
Copying Files

ciscoasa# copy [/noconfirm | /pcap] {url | running-config | startup-config} {running-config | startup-config | url}
• Copies a file from one location to another

asa1# copy disk0:MYCONTEXT.cfg startup-config
• Copies the file MYCONTEXT.cfg from disk0 to the startup configuration
Installing Application or ASDM Software Example

ciscoasa# copy tftp://server[/path]/filename flash:/filename
• Enables you to copy the application software or ASDM software to the flash file system from a TFTP server

asa1# copy tftp://10.0.0.3/cisco/123file.bin flash:/123file.bin
• Copies the file 123file.bin from 10.0.0.3 to the security appliance
asa1# copy tftp://www.example.com/cisco/123file.bin flash:/123file.bin
• Copies the file 123file.bin from www.example.com to the security appliance
Downloading and Backing Up Configuration Files Example

ciscoasa# copy ftp://[user[:password]@]server[/path]/filename[;type=xx] startup-config
• Copies the configuration file from an FTP server
ciscoasa# copy {startup-config | running-config | disk0:[path/]filename} ftp://[user[:password]@]server[/path]/filename[;type=xx]
• Copies the configuration file to an FTP server

asa1# copy ftp://admin:letmein@10.0.0.3/configs/startup.cfg;type=an startup-config
Viewing Version Information

ciscoasa# show version
• Displays the software version, hardware configuration, license key, and related uptime data

asa1# show version
Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)
Compiled on Wed 31-May-06 14:45 by root
System image file is "disk0:/asa721-k8.bin"
Config file at boot was "startup-config"
asa1 up 17 hours 40 mins
. . .
Image Upgrade

ciscoasa# copy tftp://server[/path]/filename flash:/filename
• Enables you to change software images without accessing the TFTP monitor mode.

asa1# copy tftp://10.0.0.3/asa721-k8.bin flash
• The TFTP server at IP address 10.0.0.3 receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the security appliance.
Entering a New Activation Key

ciscoasa(config)# activation-key [noconfirm] {activation-key-four-tuple | activation-key-five-tuple}
• Updates the activation key on the security appliance
• Used to enable licensed features on the security appliance

asa1(config)# activation-key 0x12345678 0xabcdef01 0x2345678ab 0xcdef01234
Upgrading the Image and the Activation Key

Complete the following steps to upgrade the image and the activation key at the same time:
• Step 1: Install the new image.
• Step 2: Reboot the system.
• Step 3: Update the activation key.
• Step 4: Reboot the system.
Summary

• SSH provides secure remote management of the security appliance.
• TFTP is used to upgrade the software image on security appliances.
• You can configure the following types of command authorization:
  • Command authorization with password-protected privilege levels
  • Command authorization with username and password authentication
• The security appliance can be configured to permit multiple users to access its console simultaneously via Telnet.
• You can enable Telnet to the security appliance on all interfaces.
• Password recovery for the security appliance requires a TFTP server.