Cisco Sg3008 Manual
Security: Secure Sensitive Data Management
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)

SSD Rules

It is recommended that the user authentication process on a device is secured. To secure the user authentication process, you can use the local authentication database, as well as secure the communication with external authentication servers, such as a RADIUS server. The configuration of the secure communication with the external authentication servers is sensitive data and is protected under SSD.

NOTE: The user credentials in the local authentication database are already protected by a mechanism that is not related to SSD.

If a user from a channel issues an action that uses an alternate channel, the device applies the read permission and default read mode from the SSD rule that matches the user credential and the alternate channel. For example, if a user logs in via a secure channel and starts a TFTP upload session, the SSD read permission of the user on the insecure channel (TFTP) is applied.

Default SSD Rules

The device has the factory default rules listed in Table 3. The default rules can be modified, but they cannot be deleted. If the SSD default rules have been changed, they can be restored.

Table 3: Default SSD Rules (Rule Key: User, Channel; Rule Action: Read Permission, Default Read Mode)

| User     | Channel           | Read Permission | Default Read Mode |
| Level 15 | Secure XML SNMP   | Plaintext Only  | Plaintext         |
| Level 15 | Secure            | Both            | Encrypted         |
| Level 15 | Insecure          | Both            | Encrypted         |
| All      | Insecure XML SNMP | Exclude         | Exclude           |
| All      | Secure            | Encrypted Only  | Encrypted         |
| All      | Insecure          | Encrypted Only  | Encrypted         |
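The following Python model shows how the rule table above is applied to a session: which rule matches a user credential and channel type, how the alternate-channel rule (the TFTP upload example) changes the effective read permission, and how a session's read mode is constrained by its read permission. It is an added example, not code from the Cisco guide or the switch firmware; the short channel names, the precedence of a Level 15 rule over an All rule, and the class and function names are assumptions of this example.

```python
from dataclasses import dataclass

# Channel classification taken from the SSD Management Channels table of this
# chapter; the short channel names used as keys are assumptions of this example.
CHANNEL_TYPE = {
    "console": "secure", "ssh": "secure", "https": "secure", "scp": "secure",
    "telnet": "insecure", "http": "insecure", "tftp": "insecure",
    "xml-https": "secure-xml-snmp", "snmpv3-priv": "secure-xml-snmp",
    "xml-http": "insecure-xml-snmp", "snmpv1v2": "insecure-xml-snmp",
}

# Read modes a session may use under each read permission.
ALLOWED_MODES = {
    "both": {"plaintext", "encrypted"},
    "plaintext-only": {"plaintext"},
    "encrypted-only": {"encrypted"},
    "exclude": {"exclude"},
}


@dataclass(frozen=True)
class SsdRule:
    user: str               # rule key: "level15" or "all"
    channel: str            # rule key: channel type
    read_permission: str    # rule action
    default_read_mode: str  # rule action


# Factory default rules, row for row from Table 3.
DEFAULT_RULES = [
    SsdRule("level15", "secure-xml-snmp", "plaintext-only", "plaintext"),
    SsdRule("level15", "secure", "both", "encrypted"),
    SsdRule("level15", "insecure", "both", "encrypted"),
    SsdRule("all", "insecure-xml-snmp", "exclude", "exclude"),
    SsdRule("all", "secure", "encrypted-only", "encrypted"),
    SsdRule("all", "insecure", "encrypted-only", "encrypted"),
]


def match_rule(user_level, channel, rules=DEFAULT_RULES):
    """Pick the rule for a user credential on a channel. A rule keyed to the
    specific user level wins over an 'all' rule (assumed precedence). Table 3
    has no 'all' rule for secure-xml-snmp, so a non-level-15 user on that
    channel type has no matching default rule and a LookupError is raised."""
    ctype = CHANNEL_TYPE[channel]
    user_key = "level15" if user_level == 15 else "other"
    candidates = [r for r in rules if r.channel == ctype and r.user in (user_key, "all")]
    if not candidates:
        raise LookupError(f"no SSD rule for {user_key} user on {ctype} channel")
    candidates.sort(key=lambda r: 0 if r.user == user_key else 1)
    return candidates[0]


class SsdSession:
    """Read permission and current read mode of one management session."""

    def __init__(self, user_level, login_channel, rules=DEFAULT_RULES):
        self.user_level = user_level
        self.login_channel = login_channel
        self.rules = rules
        self.rule = match_rule(user_level, login_channel, rules)
        self.read_mode = self.rule.default_read_mode  # a session starts in the default read mode

    def override_read_mode(self, mode):
        """Temporary override; refused when it conflicts with the session's read permission."""
        if mode not in ALLOWED_MODES[self.rule.read_permission]:
            return False
        self.read_mode = mode
        return True

    def permission_for_action(self, action_channel=None):
        """Alternate-channel rule: an action carried over another channel (for
        example a TFTP upload started from an SSH session) is governed by the
        rule for that channel, not by the rule for the login channel."""
        channel = action_channel or self.login_channel
        return match_rule(self.user_level, channel, self.rules).read_permission

    def apply_rule_change(self, new_rules):
        """Re-evaluate after an administrator edits the rules: if the session's
        current read mode is no longer compatible, fall back to the new default."""
        self.rules = new_rules
        self.rule = match_rule(self.user_level, self.login_channel, new_rules)
        if self.read_mode not in ALLOWED_MODES[self.rule.read_permission]:
            self.read_mode = self.rule.default_read_mode
        return self.read_mode
```

A Level 15 user logged in over SSH starts with Both permission in Encrypted mode and may switch the session to Plaintext; a lower-level user on the same channel gets Encrypted Only and the same override is refused. Tightening the Level 15 secure-channel rule to Encrypted Only pushes an open Plaintext session back to the rule's default read mode, which is the third termination condition described in the session override section.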
SSD Default Read Mode Session Override

The system presents sensitive data in a session as either encrypted or plaintext, based on the read permission and the default read mode of the user. The default read mode can be temporarily overridden as long as it does not conflict with the SSD read permission of the session. This change is effective immediately in the current session, until one of the following occurs:
•The user changes it again.
•The session is terminated.
•The read permission of the SSD rule that is applied to the session user is changed and is no longer compatible with the current read mode of the session. In this case, the session read mode returns to the default read mode of the SSD rule.

SSD Properties

SSD properties are a set of parameters that, in conjunction with the SSD rules, define and control the SSD environment of a device. The SSD environment consists of these properties:
•Controlling how the sensitive data is encrypted.
•Controlling the strength of security on configuration files.
•Controlling how the sensitive data is viewed within the current session.

Passphrase

A passphrase is the basis of the security mechanism in the SSD feature, and is used to generate the key for the encryption and decryption of sensitive data. Sx200, Sx300, Sx500, and SG500X/SG500XG/ESW2-550X series switches that have the same passphrase are able to decrypt each other's sensitive data encrypted with the key generated from the passphrase. A passphrase must comply with the following rules:
•Length—Between 8 and 16 characters.
•Character Classes—The passphrase must have at least one upper case character, one lower case character, one numeric character, and one special character (e.g., # or $).

Default and User-defined Passphrases

All devices come with a default, out-of-the-box passphrase that is transparent to users. The default passphrase is never displayed in the configuration file or in the CLI/GUI. If better security and protection are desired, an administrator should configure SSD on a device to use a user-defined passphrase instead of the default passphrase. A user-defined passphrase should be treated as a well-guarded secret, so that the security of the sensitive data on the device is not compromised. A user-defined passphrase can be configured manually in plain text. It can also be derived from a configuration file (see Sensitive Data Zero-Touch Auto Configuration). A device always displays user-defined passphrases in encrypted form.

Local Passphrase

A device maintains a local passphrase, which is the passphrase of its Running Configuration. SSD normally performs encryption and decryption of sensitive data with the key generated from the local passphrase. The local passphrase can be configured to be either the default passphrase or a user-defined passphrase. By default, the local passphrase and the default passphrase are identical. It can be changed by administrative actions from either the Command Line Interface (if available) or the web-based interface. It is automatically changed to the passphrase in the startup configuration file when the startup configuration becomes the running configuration of the device. When a device is reset to factory default, the local passphrase is reset to the default passphrase.
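As an added example (not code from the Cisco guide), the following Python checks a candidate passphrase against the two rules above and walks the local passphrase through the lifecycle just described: factory default, a validated user-defined value, the startup passphrase taking over at reboot, and a factory reset. Treating any ASCII punctuation character as "special" is an assumption, since the guide only gives # and $ as examples; `PassphraseState` and its methods are names invented here.

```python
import string

PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 16
# The guide gives "#" and "$" as examples of special characters; counting any
# ASCII punctuation as special is an assumption of this example.
SPECIAL_CHARS = set(string.punctuation)


def passphrase_violations(passphrase):
    """List every passphrase rule the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if not PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX:
        problems.append(f"length must be between {PASSPHRASE_MIN} and {PASSPHRASE_MAX} characters")
    if not any(c.isupper() for c in passphrase):
        problems.append("needs at least one upper case character")
    if not any(c.islower() for c in passphrase):
        problems.append("needs at least one lower case character")
    if not any(c.isdigit() for c in passphrase):
        problems.append("needs at least one numeric character")
    if not any(c in SPECIAL_CHARS for c in passphrase):
        problems.append("needs at least one special character (e.g. # or $)")
    return problems


class PassphraseState:
    """Lifecycle of the local passphrase: it starts as the hidden factory
    default, can be set to a validated user-defined value, follows the Startup
    Configuration across a reboot, and returns to the default on factory reset."""
    DEFAULT = None  # stand-in for the out-of-the-box passphrase, which is never displayed

    def __init__(self):
        self.local = self.DEFAULT    # passphrase of the Running Configuration
        self.startup = self.DEFAULT  # passphrase recorded in the Startup Configuration

    def set_user_passphrase(self, passphrase):
        """Configure a user-defined local passphrase entered in plain text;
        rejected with the list of broken rules if it does not comply."""
        problems = passphrase_violations(passphrase)
        if problems:
            raise ValueError("; ".join(problems))
        self.local = passphrase

    def save_running_to_startup(self):
        """Copy Running Configuration to Startup Configuration, passphrase included."""
        self.startup = self.local

    def reboot(self):
        # The startup configuration becomes the running configuration, so the
        # local passphrase becomes whatever the Startup Configuration holds.
        self.local = self.startup

    def factory_reset(self):
        self.local = self.startup = self.DEFAULT
```

Note that a user-defined passphrase set only in the Running Configuration is lost at reboot unless it was saved to the Startup Configuration first, because the local passphrase always follows the startup file.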
Configuration File Passphrase Control

File passphrase control provides additional protection for a user-defined passphrase, and for the sensitive data that is encrypted with the key generated from the user-defined passphrase, in text-based configuration files. The following are the existing passphrase control modes:
•Unrestricted (default)—The device includes its passphrase when creating a configuration file. This enables any device accepting the configuration file to learn the passphrase from the file.
•Restricted—The device restricts its passphrase from being exported into a configuration file. Restricted mode protects the encrypted sensitive data in a configuration file from devices that do not have the passphrase. This mode should be used when a user does not want to expose the passphrase in a configuration file.

After a device is reset to the factory default, its local passphrase is reset to the default passphrase. As a result, the device will not be able to decrypt any sensitive data encrypted based on a user-defined passphrase entered from a management session (GUI/CLI), or in any configuration file created in restricted mode, including the files created by the device itself before it was reset to factory default. This remains the case until the device is manually reconfigured with the user-defined passphrase, or learns the user-defined passphrase from a configuration file.

Configuration File Integrity Control

A user can protect a configuration file from being tampered with or modified by creating the configuration file with Configuration File Integrity Control. It is recommended that Configuration File Integrity Control be enabled when a device uses a user-defined passphrase with Unrestricted Configuration File Passphrase Control.

CAUTION: Any modification made to a configuration file that is integrity protected is considered tampering.

A device determines whether the integrity of a configuration file is protected by examining the File Integrity Control command in the file's SSD Control block. If a file is integrity protected but a device finds that the integrity of the file is not intact, the device rejects the file. Otherwise, the file is accepted for further processing. A device checks the integrity of a text-based configuration file when the file is downloaded or copied to the Startup Configuration file.
Read Mode

Each session has a Read mode. This determines how sensitive data appears. The Read mode can be either Plaintext, in which case sensitive data appears as regular text, or Encrypted, in which case sensitive data appears in its encrypted form.

Configuration Files

A configuration file contains the configuration of a device. A device has a Running Configuration file, a Startup Configuration file, a Mirror Configuration file (optionally), and a Backup Configuration file. A user can manually upload and download a configuration file to and from a remote file server. A device can automatically download its Startup Configuration from a remote file server during the auto configuration stage using DHCP. Configuration files stored on remote file servers are referred to as remote configuration files.

A Running Configuration file contains the configuration currently being used by a device. The configuration in a Startup Configuration file becomes the Running Configuration after reboot. Running and Startup Configuration files are formatted in internal format. Mirror, Backup, and remote configuration files are text-based files usually kept for archive, records, or recovery. When copying, uploading, or downloading a source configuration file, a device automatically transforms the source content to the format of the destination file if the two files are of different formats.

File SSD Indicator

When copying the Running or Startup Configuration file into a text-based configuration file, the device generates and places the file SSD indicator in the text-based configuration file to indicate whether the file contains encrypted sensitive data, contains plaintext sensitive data, or excludes sensitive data.
•The SSD indicator, if it exists, must be in the header of the configuration file.
•A text-based configuration file that does not include an SSD indicator is considered not to contain sensitive data.
•The SSD indicator is used to enforce SSD read permissions on text-based configuration files, but is ignored when copying the configuration files to the Running or Startup Configuration file.
The SSD indicator in a file is set according to the user's instruction, during copy, to include encrypted or plaintext sensitive data, or to exclude sensitive data from the file.

SSD Control Block

When a device creates a text-based configuration file from its Startup or Running Configuration file, it inserts an SSD control block into the file if the user requests that the file include sensitive data. The SSD control block, which is protected from tampering, contains the SSD rules and SSD properties of the device creating the file. An SSD control block starts and ends with ssd-control-start and ssd-control-end respectively.

Startup Configuration File

The device currently supports copying from the Running, Backup, Mirror, and Remote Configuration files to the Startup Configuration file. The configurations in the Startup Configuration are effective and become the Running Configuration after reboot. A user can retrieve the sensitive data, encrypted or in plaintext, from a startup configuration file, subject to the SSD read permission and the current SSD read mode of the management session. Read access to sensitive data in the startup configuration, in any form, is excluded if the passphrase in the Startup Configuration file and the local passphrase are different.

SSD applies the following rules when copying the Backup, Mirror, and Remote Configuration files to the Startup Configuration file:
•After a device is reset to factory default, all of its configurations, including the SSD rules and properties, are reset to default.
•If a source configuration file contains encrypted sensitive data but is missing an SSD control block, the device rejects the source file and the copy fails.
•If there is no SSD control block in the source configuration file, the SSD configuration in the Startup Configuration file is reset to default.
•If there is a passphrase in the SSD control block of the source configuration file, and the file contains encrypted sensitive data that was not encrypted by the key generated from that passphrase, the device rejects the source file and the copy fails.
•If there is an SSD control block in the source configuration file and the file fails the SSD integrity check and/or the file integrity check, the device rejects the source file and the copy fails.
•If there is no passphrase in the SSD control block of the source configuration file, all the encrypted sensitive data in the file must be encrypted by either the key generated from the local passphrase or the key generated from the default passphrase, but not both. Otherwise, the source file is rejected and the copy fails.
•The device configures the passphrase, passphrase control, and file integrity, if any, from the SSD Control Block in the source configuration file into the Startup Configuration file. It configures the Startup Configuration file with the passphrase that is used to generate the key to decrypt the sensitive data in the source configuration file. Any SSD configurations that are not found are reset to the default.
•If there is an SSD control block in the source configuration file and the file contains plaintext sensitive data (other than the SSD configurations in the SSD control block), the file is accepted.

Running Configuration File

A Running Configuration file contains the configuration currently being used by the device. A user can retrieve the sensitive data, encrypted or in plaintext, from a running configuration file, subject to the SSD read permission and the current SSD read mode of the management session. The user can change the Running Configuration by copying the Backup or Mirror Configuration files, or through other management actions via CLI, XML, SNMP, and so on.
A device applies the following rules when a user directly changes the SSD configuration in the Running Configuration:
•If the user that opened the management session does not have SSD permissions (that is, a read permission of either Both or Plaintext Only), the device rejects all SSD commands.
•When copied from a source file, the File SSD indicator, SSD Control Block Integrity, and SSD File Integrity are neither verified nor enforced.
•When copied from a source file, the copy fails if the passphrase in the source file is in plaintext. If the passphrase is encrypted, it is ignored.
•When directly configuring the passphrase (not via a file copy) in the Running Configuration, the passphrase in the command must be entered in plaintext. Otherwise, the command is rejected.
•Configuration commands with encrypted sensitive data that is encrypted with the key generated from the local passphrase are configured into the Running Configuration. Otherwise, the configuration command is in error, and is not incorporated into the Running Configuration file.

Backup and Mirror Configuration File

A device periodically generates its Mirror Configuration file from the Startup Configuration file if the auto mirror configuration service is enabled. A device always generates a Mirror Configuration file with encrypted sensitive data. Therefore, the File SSD Indicator in a Mirror Configuration file always indicates that the file contains encrypted sensitive data. By default, the auto mirror configuration service is enabled. To enable or disable auto mirror configuration, click Administration > File Management > Configuration File Properties.

A user can display, copy, and upload the complete mirror and backup configuration files, subject to the SSD read permission, the current read mode in the session, and the file SSD indicator in the source file, as follows:
•If there is no file SSD indicator in a mirror or backup configuration file, all users are allowed to access the file.
•A user with Both read permission can access all mirror and backup configuration files. However, if the current read mode of the session is different from the file SSD indicator, the user is presented with a prompt indicating that this action is not allowed.
•A user with Plaintext Only permission can access mirror and backup configuration files if their file SSD indicator shows Exclude or Plaintext Only sensitive data.
•A user with Encrypted Only permission can access mirror and backup configuration files whose file SSD indicator shows Exclude or Encrypted sensitive data.
•A user with Exclude permission cannot access mirror and backup configuration files whose file SSD indicator shows either encrypted or plaintext sensitive data.

The user should not manually change the file SSD indicator so that it conflicts with the sensitive data, if any, in the file. Otherwise, plaintext sensitive data may be unexpectedly exposed.
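The access rules in the list above, written out as a decision function in Python. This is an added example, not code from the Cisco guide: it reads the file SSD indicator from the header of a constructed sample mirror file and then decides whether a session with a given read permission and read mode may display, copy or upload it. The `! ssd-indicator <value>` header line syntax and the assumption that a file whose indicator is Exclude is accessible under every permission (the guide states this for Plaintext Only and Encrypted Only, and says nothing to the contrary for Both) are assumptions of this example.

```python
READ_PERMISSIONS = ("both", "plaintext-only", "encrypted-only", "exclude")
INDICATORS = ("encrypted", "plaintext", "exclude")


def parse_file_ssd_indicator(config_text):
    """Return the file SSD indicator ('encrypted', 'plaintext' or 'exclude'),
    or None when the header carries none. Only the leading comment lines are
    inspected, because the indicator must sit in the file header; the
    '! ssd-indicator <value>' line syntax is an assumption of this example."""
    for line in config_text.splitlines():
        if not line.startswith("!"):
            break  # end of the header: first real configuration command
        fields = line[1:].split()
        if len(fields) == 2 and fields[0] == "ssd-indicator" and fields[1] in INDICATORS:
            return fields[1]
    return None


def can_access_file(read_permission, session_read_mode, indicator):
    """Decide whether a session may display, copy or upload a mirror/backup
    configuration file. Returns (allowed, reason)."""
    if read_permission not in READ_PERMISSIONS:
        raise ValueError(f"unknown read permission {read_permission!r}")
    if indicator is None:
        return True, "no file SSD indicator: the file is treated as carrying no sensitive data"
    if indicator == "exclude":
        return True, "file excludes sensitive data"  # assumed accessible under every permission
    if read_permission == "both":
        if session_read_mode != indicator:
            return False, (f"session read mode is {session_read_mode} but the file indicator "
                           f"is {indicator}; action not allowed")
        return True, "Both permission and the session read mode matches the file"
    if read_permission == "plaintext-only":
        return indicator == "plaintext", f"Plaintext Only permission, file indicator {indicator}"
    if read_permission == "encrypted-only":
        return indicator == "encrypted", f"Encrypted Only permission, file indicator {indicator}"
    return False, f"Exclude permission cannot access a file containing {indicator} sensitive data"


# Constructed sample of a mirror configuration file header; not a real switch file.
SAMPLE_MIRROR = "\n".join([
    "! Mirror Configuration generated from Startup Configuration",
    "! ssd-indicator encrypted",
    "hostname sw-access-01",
    "radius-server host 192.0.2.10 key <encrypted-blob>",
])


def check_access(read_permission, session_read_mode, config_text=SAMPLE_MIRROR):
    """Parse the indicator out of the file, then apply the access rules."""
    indicator = parse_file_ssd_indicator(config_text)
    return can_access_file(read_permission, session_read_mode, indicator)
```

Because a mirror file always carries encrypted sensitive data, a session with Both permission can only handle it while its read mode is Encrypted, and a Plaintext Only or Exclude session is refused outright; an indicator placed after the first configuration command is not part of the header and is ignored, which is why the parser stops at the first non-comment line.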
Security: Secure Sensitive Data Management Configuration Files Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 451 21 Sensitive Data Zero-Touch Auto Configuration SSD Zero-touch Auto Configuration is the auto configuration of target devices with encrypted sensitive data, without the need to manually pre-configure the target devices with the passphrase whose key is used to encrypted the sensitive data. The device currently supports Auto Configuration, which is enabled by default. When Auto Configuration is enabled on a device and the device receives DHCP options that specify a file server and a boot file, the device downloads the boot file (remote configuration file) into the Startup Configuration file from a file server, and then reboots. NOTEThe file server may be specified by the bootp siaddr and sname fields, as well as DHCP option 150 and statically configured on the device. The user can safely auto configure target devices with encrypted sensitive data, by first creating the configuration file that is to be used in the auto configuration from a device that contains the configurations. The device must be configured and instructed to: •Encrypt the sensitive data in the file •Enforce the integrity of the file content •Include the secure, authentication configuration commands and SSD rules that properly control and secure the access to devices and the sensitive data If the configuration file was generated with a user passphrase and SSD file passphrase control is Restricted, the resulting configuration file can be auto- configured to the desired target devices. However, for auto configuration to succeed with a user-defined passphrase, the target devices must be manually pre-configured with the same passphrase as the device that generates the files, which is not zero touch. If the device creating the configuration file is in Unrestricted passphrase control mode, the device includes the passphrase in the file. 
As a result, the user can auto configure the target devices, including devices that are out-of-the-box or in factory default, with the configuration file without manually pre-configuring the target devices with the passphrase. This is zero touch because the target devices learn the passphrase directly from the configuration file. NOTEDevices that are out-of-the-box or in factory default states use the default anonymous user to access the SCP server.
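The following Python model ties together the Configuration File Passphrase Control and Integrity Control sections, the copy-to-Startup rules of the Startup Configuration File section, and the zero-touch consequence just described: a source switch exports a text configuration with an SSD control block, and a target switch applies the acceptance rules when copying it to its Startup Configuration. It is an added example, not code from the Cisco guide or the switch firmware. The cipher, the tag used to recognise which key a blob was made with, the plain digest standing in for File Integrity Control, and the line syntax inside the control block are all stand-ins chosen here, since the guide does not describe the real formats; `Switch` and its methods are names invented for the example. The only facts taken from the page are the control-block delimiters, the rules themselves, and the behaviour of the two passphrase control modes.

```python
import hashlib
import hmac

DEFAULT_PASSPHRASE = "<factory-default>"  # stand-in for the hidden out-of-the-box passphrase


def _key(passphrase):
    return hashlib.sha256(b"ssd-example-key:" + passphrase.encode()).digest()


def encrypt(value, passphrase):
    """Toy keyed encryption (XOR with a hash-derived keystream plus a short tag)
    so that a device can tell whether a blob was produced under a given key.
    Stand-in only; the switch's real SSD cipher is not described in the guide."""
    key = _key(passphrase)
    stream = hashlib.sha256(key + b"stream").digest()
    data = value.encode()
    ciphertext = bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))
    tag = hmac.new(key, data, "sha256").hexdigest()[:8]
    return f"{ciphertext.hex()}:{tag}"


def decrypt(blob, passphrase):
    """Return the plaintext, or None when blob was not encrypted under passphrase."""
    key = _key(passphrase)
    stream = hashlib.sha256(key + b"stream").digest()
    ciphertext_hex, tag = blob.split(":")
    data = bytes(b ^ stream[i % len(stream)] for i, b in enumerate(bytes.fromhex(ciphertext_hex)))
    if not hmac.compare_digest(hmac.new(key, data, "sha256").hexdigest()[:8], tag):
        return None
    return data.decode()


class Switch:
    def __init__(self):
        self.local_passphrase = DEFAULT_PASSPHRASE    # passphrase of the Running Configuration
        self.startup_passphrase = DEFAULT_PASSPHRASE  # passphrase held in the Startup Configuration
        self.passphrase_control = "unrestricted"      # or "restricted"
        self.integrity_control = False
        self.sensitive = {}                           # sensitive settings, plaintext inside the device

    def export_config(self):
        """Text-based configuration with encrypted sensitive data and an SSD control block."""
        lines = ["! ssd-indicator encrypted", "ssd-control-start",
                 f"passphrase-control {self.passphrase_control}"]
        if self.passphrase_control == "unrestricted" and self.local_passphrase != DEFAULT_PASSPHRASE:
            # Unrestricted: the user-defined passphrase travels in the file, encrypted under
            # the default key that every device of the family can derive (assumed mechanism).
            lines.append("passphrase " + encrypt(self.local_passphrase, DEFAULT_PASSPHRASE))
        if self.integrity_control:
            lines.append("file-integrity")
        lines.append("ssd-control-end")
        lines += [f"{name} {encrypt(value, self.local_passphrase)}" for name, value in self.sensitive.items()]
        text = "\n".join(lines)
        if self.integrity_control:  # digest over everything above it; placeholder for the real check
            text += "\nfile-integrity-digest " + hashlib.sha256(text.encode()).hexdigest()
        return text

    def copy_to_startup(self, text):
        """Apply the copy-to-Startup rules; returns (accepted, reason)."""
        lines = text.splitlines()
        if lines and lines[-1].startswith("file-integrity-digest "):
            body, digest = "\n".join(lines[:-1]), lines[-1].split()[1]
            if hashlib.sha256(body.encode()).hexdigest() != digest:
                return False, "rejected: file integrity check failed"
            lines = lines[:-1]
        control, file_passphrase = None, None
        if "ssd-control-start" in lines:
            start, end = lines.index("ssd-control-start"), lines.index("ssd-control-end")
            control, lines = lines[start + 1:end], lines[:start] + lines[end + 1:]
            for entry in control:
                if entry.startswith("passphrase "):
                    file_passphrase = decrypt(entry.split(" ", 1)[1], DEFAULT_PASSPHRASE)
        commands = [l.rsplit(" ", 1) for l in lines if " " in l and not l.startswith("!")]
        encrypted = {name: val for name, val in commands if ":" in val}  # toy: tagged blobs only
        if encrypted and control is None:
            return False, "rejected: encrypted sensitive data but no SSD control block"
        # With a passphrase in the control block every blob must decrypt under it; without
        # one, all blobs must decrypt under the local key or all under the default key.
        candidates = [file_passphrase] if file_passphrase else [self.local_passphrase, DEFAULT_PASSPHRASE]
        for passphrase in candidates:
            values = {name: decrypt(blob, passphrase) for name, blob in encrypted.items()}
            if all(v is not None for v in values.values()):
                values.update({name: val for name, val in commands if ":" not in val})  # plaintext accepted
                self.sensitive, self.startup_passphrase = values, passphrase
                return True, "accepted: Startup passphrase " + ("learned from file" if file_passphrase else "kept")
        return False, "rejected: sensitive data not decryptable with the available passphrase"

    def reboot(self):
        self.local_passphrase = self.startup_passphrase  # Startup becomes Running

    def factory_reset(self):
        self.__init__()
```

An Unrestricted export lets a factory-default switch import the file and learn the passphrase at reboot (zero touch); the same file in Restricted mode is rejected by a factory-default switch until its local passphrase is set by hand, and a file whose integrity digest no longer matches is rejected before anything else is examined. The digest used here only catches modification by someone who does not regenerate it, which is why the guide pairs Integrity Control with a passphrase the file's readers cannot trivially learn.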
SSD Management Channels

Devices can be managed over management channels such as telnet, SSH, and web. SSD categorizes the channels into the following types based on their security and/or protocols: secure, insecure, secure-XML-SNMP, and insecure-XML-SNMP. The following table describes whether SSD considers each management channel to be secure or insecure. If it is insecure, the table indicates the parallel secure channel.

| Management Channel           | SSD Management Channel Type      | Parallel Secured Management Channel |
| Console                      | Secure                           |                                     |
| Telnet                       | Insecure                         | SSH                                 |
| SSH                          | Secure                           |                                     |
| GUI/HTTP                     | Insecure                         | GUI/HTTPS                           |
| GUI/HTTPS                    | Secure                           |                                     |
| XML/HTTP                     | Insecure-XML-SNMP                | XML/HTTPS                           |
| XML/HTTPS                    | Secure-XML-SNMP                  |                                     |
| SNMPv1/v2/v3 without privacy | Insecure-XML-SNMP                | SNMPv3 with privacy                 |
| SNMPv3 with privacy          | Secure-XML-SNMP (level-15 users) |                                     |
| TFTP                         | Insecure                         | SCP                                 |
| SCP (Secure Copy)            | Secure                           |                                     |
| HTTP based file transfer     | Insecure                         | HTTPS-based file transfer           |
| HTTPS based file transfer    | Secure                           |                                     |

Menu CLI and Password Recovery

The Menu CLI interface is only allowed to users if their read permissions are Both or Plaintext Only. Other users are rejected. Sensitive data in the Menu CLI is always displayed as plaintext.