The safe configuration recommendations are general and suitable for most installations. These recommendations greatly improve the safe operation of the unit, but are not exhaustive. Depending on the application of the device, other safety parameters must also be configured. In some specific cases, the implementation of these recommendations may result in a non-functional network. When configuring the device, firstly it is necessary to follow the technical requirements and regulations of the networks in which the device will be used.
General recommendations
- It is recommended to always disable unused physical interfaces with the shutdown.
- It is recommended to always set the system clock to synchronize with trusted network time sources (NTP). The NTP setup algorithm is described in the NTP configuration section of this manual.
- It is recommended to disable the NTP broadcast client, which is enabled by default in the factory configuration.
- It is not recommended to use the ip firewall disable command that disables firewalling. Always assign appropriate security zones to interfaces and configure the correct firewall rules. The firewall configuration algorithm is described in the Firewall configuration section of this manual.
Event logging system configuration
Event logging system configuration algorithms are described in the 'Syslog configuration' subsection of the Monitoring section of this manual.
Recommendations
- It is recommended to configure the event message storage in a syslog file on the device and transfer these events to an external syslog server.
- It is recommended to limit the size of the syslog file on the device.
- It is recommended to configure syslog file rotation on the device.
- It is recommended to enable syslog message enumeration.
- It is recommended that timestamp msec tags be added to syslog messages on ESR-1500 and ESR-1511.
Warnings
- The data stored in the tmpsys:syslog file system is not saved when the device is rebooted. This type of file system is recommended for storing operational logs.
- It is not recommended to use the flash:syslog file system to store logs, as it may cause premature ESR device failure.
Configuration example
Objective:
Configure the storage of event messages of info level and higher in a syslog file on the device and configure transmission of these events to an external syslog server. Limit the file size to 512 KB. Enable rotation of 3 files. Enable syslog message enumeration.
Solution:
Configure the storage of syslog messages in the file:
esr(config)# syslog file tmpsys:syslog/default info
Configure size limitation and file rotation:
esr(config)# syslog max-files 3 esr(config)# syslog file-size 512
Configure the transmission of messages to an external server:
esr(config)# syslog host mylog 192.168.1.2 info udp 514
Enable syslog message enumeration:
esr(config)# syslog sequence-numbers
Password usage policy configuration
The configuration algorithms for the password usage policy are described in the AAA configuration section of this manual.
Recommendations
- It is recommended to always enable the default password change request for the admin user.
- It is recommended to limit the lifetime of passwords and prohibit reusing at least the previous password.
- It is recommended to set the minimum password length requirement greater than 8 characters.
- It is recommended to set requirements for the use of lowercase and uppercase letters, numbers and special characters.
Configuration example
Objective:
- Configure a password policy with a requirement to change the default password, a password validity period of 1 month, and a ban on using the last 12 passwords.
- Set the minimum password length to 16 characters, the maximum to 64 characters.
- The password must contain at least 3 uppercase letters, at least 5 lowercase letters, at least 4 digits and at least 2 special characters. The password must contain all 4 types of characters.
Solution:
Enables the default password reset request for admin user:
esr(config)# security passwords default-expered
Set the password lifetime to 30 days and prohibit the use of the previous 12 passwords:
esr(config)# security passwords lifetime 30 esr(config)# security passwords history 12
Set a limit to the password length:
esr(config)# security passwords min-length 16 esr(config)# security passwords max-length 64
Set a limit on the minimum number of characters of the respective types:
esr(config)# security passwords upper-case 3 esr(config)# security passwords lower-case 5 esr(config)# security passwords special-case 2 esr(config)# security passwords numeric-count 4 esr(config)# security passwords symbol-types 4
AAA policy configuration
The algorithms for AAA policy are described in the AAA configuration section of this manual.
Recommendations
- It is recommended to use a role-based access model on the device.
- It is recommended to use personal accounts to authenticate on the device.
- It is recommended to enable logging of commands entered by the user.
- It is recommended to use several authentication methods for logging in to devices via console, remote login to devices and privilege escalation. A combination of RADIUS/TACACS/LDAP authentication and local authentication is considered optimal.
- It is recommended to lower the built-in admin account privileges to 1.
- It is recommended to configure logging of changes of local accounts.
- It is recommended to configure AAA policy change logging.
Warnings
- The built-in admin account cannot be deleted.
- The no username admin command does not remove the admin user, it resets his configuration to defaults. After applying this command, the admin user will not appear in the configuration.
- The no password command for the admin user also does not remove the admin user's password, but resets it to its default value. After applying this command, the admin user password is no longer displayed in the configuration and becomes 'password'.
- User with privilege level 15 or an ENABLE password must be configured before setting the admin user to downgrade privileges.
Configuration example
Objective:
Configure AAA policy:
- Use RADIUS authentication for remote login via SSH.
- Use RADIUS authentication for local console login, use local authentication if there is no connection to RADIUS servers.
- Use ENABLE password set via RADIUS, if there is no connection to RADIUS servers, use local ENABLE password.
- Set the admin user to a reduced privilege level.
- Configure logging of changes of local accounts.
- Configure AAA policy changes logging.
- Configure the logging of entered commands.
Solution:
Create a local-operator user with privilege level 8:
esr(config)# username local-operator esr(config-user)# password Pa$$w0rd1 esr(config-user)# privilege 8 esr(config-user)# exit
Set local ENABLE password:
esr(config)# enable password $6e5c4r3e2t!
Lower the privileges of the admin user:
esr(config)# username admin esr(config-user)# privilege 1 esr(config-user)# exit
Configure the connection to the two RADIUS servers, the primary 192.168.1.11 and the backup 192.168.2.12:
esr(config)# radius-server host 192.168.1.11 esr(config-radius-server)# key ascii-text encrypted 8CB5107EA7005AFF esr(config-radius-server)# priority 100 esr(config-radius-server)# exit esr(config)# radius-server host 192.168.2.12 esr(config-radius-server)# key ascii-text encrypted 8CB5107EA7005AFF esr(config-radius-server)# priority 150 esr(config-radius-server)# exit
Configure AAA policy:
esr(config)# aaa authentication login CONSOLE radius local esr(config)# aaa authentication login SSH radius esr(config)# aaa authentication enable default radius enable esr(config)# aaa authentication mode break esr(config)# line console esr(config-line-console)# login authentication CONSOLE esr(config-line-console)# exit esr(config)# line ssh esr(config-line-ssh)# login authentication SSH esr(config-line-ssh)# exit
Configure logging:
esr(config)# logging userinfo esr(config)# logging aaa esr(config)# syslog cli-commands
Remote management configuration
Recommendations
- It is recommended to disable remote control via telnet.
- It is recommended to use crypto-resistant sha2-512 authentication algorithms and disable all others.
- It is recommended to use crypto-resistant aes256ctr encryption algorithms and disable all others.
- It is recommended to use dh-group-exchange-sha256 crypto-proof encryption key exchange algorithm and disable all others.
- It is recommended to use crypto-resistant Host-Key verification algorithm for SSH rsa and disable all others.
- It is recommended to allow access to remote control of the device only from certain IP addresses;
- It is recommended to regenerate the encryption keys before starting operation.
Configuration example
Objective:
Disable telnet. Generate new encryption keys. Use crypto-resistant algorithms.
Solution:
Disable remote telnet control:
esr(config)# no ip telnet server
Disable outdated and not crypto-resistant algorithms:
esr(config)# ip ssh server esr(config)# ip ssh authentication algorithm md5 disable esr(config)# ip ssh authentication algorithm md5-96 disable esr(config)# ip ssh authentication algorithm ripemd160 disable esr(config)# ip ssh authentication algorithm sha1 disable esr(config)# ip ssh authentication algorithm sha1-96 disable esr(config)# ip ssh authentication algorithm sha2-256 disable esr(config)# ip ssh encryption algorithm 3des disable esr(config)# ip ssh encryption algorithm aes128 disable esr(config)# ip ssh encryption algorithm aes128ctr disable esr(config)# ip ssh encryption algorithm aes192 disable esr(config)# ip ssh encryption algorithm aes192ctr disable esr(config)# ip ssh encryption algorithm aes256 disable esr(config)# ip ssh encryption algorithm arcfour disable esr(config)# ip ssh encryption algorithm arcfour128 disable esr(config)# ip ssh encryption algorithm arcfour256 disable esr(config)# ip ssh encryption algorithm blowfish disable esr(config)# ip ssh encryption algorithm cast128 disable esr(config)# ip ssh key-exchange algorithm dh-group-exchange-sha1 disable esr(config)# ip ssh key-exchange algorithm dh-group1-sha1 disable esr(config)# ip ssh key-exchange algorithm dh-group14-sha1 disable esr(config)# ip ssh key-exchange algorithm ecdh-sha2-nistp256 disable esr(config)# ip ssh key-exchange algorithm ecdh-sha2-nistp384 disable esr(config)# ip ssh key-exchange algorithm ecdh-sha2-nistp521 disable esr(config)# ip ssh host-key algorithm dsa disable esr(config)# ip ssh host-key algorithm ecdsa256 disable esr(config)# ip ssh host-key algorithm ecdsa384 disable esr(config)# ip ssh host-key algorithm ecdsa521 disable esr(config)# ip ssh host-key algorithm ed25519 disable
Generate new encryption keys:
esr# update ssh-host-key rsa esr# update ssh-host-key rsa 2048
Configuration of protection against network attacks mechanisms
The algorithms for configuring the network attack protection mechanisms are described in the Logging and network protection configuration section of this manual.
Recommendations
- It is recommended to always enable protection against ip spoofing.
- It is recommended to always enable protection against TCP packets with incorrectly set flags.
- It is recommended to always enable protection against fragmented TCP packets with the SYN flag set.
- It is recommended to always enable protection against fragmented ICMP packets.
- It is recommended to always enable protection against large ICMP packets.
- It is recommended to always enable protection against unregistered IP protocols.
- It is recommended to enable logging of the protection mechanism against network attacks.
Configuration example
Objective:
Configure the protection mechanism against network attacks in accordance with the recommendations.
Solution:
Enable protection against ip spoofing and logging of the protection mechanism:
esr(config)# ip firewall screen spy-blocking spoofing esr(config)# logging firewall screen spy-blocking spoofing
Enable protection against TCP packets with incorrectly set flags and logging of the protection mechanism:
esr(config)# ip firewall screen spy-blocking syn-fin esr(config)# logging firewall screen spy-blocking syn-fin esr(config)# ip firewall screen spy-blocking fin-no-ack esr(config)# logging firewall screen spy-blocking fin-no-ack esr(config)# ip firewall screen spy-blocking tcp-no-flag esr(config)# logging firewall screen spy-blocking tcp-no-flag esr(config)# ip firewall screen spy-blocking tcp-all-flags esr(config)# logging firewall screen spy-blocking tcp-all-flags
Enable protection against fragmented ICMP packets and protection mechanism logging:
esr(config)# ip firewall screen suspicious-packets icmp-fragment esr(config)# logging firewall screen suspicious-packets icmp-fragment
Enable protection against large ICMP packets and logging of the protection mechanism:
esr(config)# ip firewall screen suspicious-packets large-icmp esr(config)# logging firewall screen suspicious-packets large-icmp
Enable protection against unregistered ip-protocols and logging protection mechanism:
esr(config)# ip firewall screen suspicious-packets unknown-protocols esr(config)# logging firewall screen suspicious-packets unknown-protocols