Safe configuration recommendations. Firmware version 1.13.0

The safe configuration recommendations are general and suitable for most installations. These recommendations greatly improve the safe operation of the unit, but are not exhaustive. Depending on the application of the device, other safety parameters must also be configured. In some specific cases, the implementation of these recommendations may result in a non-functional network. When configuring the device, firstly it is necessary to follow the technical requirements and regulations of the networks in which the device will be used.

General recommendations

• It is recommended to always disable unused physical interfaces with the shutdown The command is described in detail in the Interface monitoring and configuration section of the CLI Command Reference.
• It is recommended to always set the system clock to synchronize with trusted network time sources (NTP). The NTP setup algorithm is described in the NTP configuration section of this manual. For detailed information on the NTP configuration commands, see System timer management in the CLI Command Reference.
• It is recommended to disable the NTP broadcast client, which is enabled by default in the factory configuration.
• It is not recommended to use the ip firewall disable command that disables firewalling. Always assign appropriate security zones to interfaces and configure the correct firewall rules. The firewall configuration algorithm is described in the Firewall configuration section of this manual. For detailed information on the Firewall configuration commands, see Firewall management in the CLI Command Reference.

Event logging system configuration

Event logging system configuration algorithms are described in the «Syslog configuration» subsection of the Monitoring. Firmware version 1.13.0 section of this manual.

For detailed information on the Event logging system configuration commands, see SYSLOG management section in the CLI Command Reference.

Recommendations

• It is recommended to configure the event message storage in a syslog file on the device and transfer these events to an external syslog server.
• It is recommended to limit the size of the syslog file on the device.
• It is recommended to configure syslog file rotation on the device.
• It is recommended to enable syslog message enumeration.
• It is recommended that timestamp msec tags be added to syslog messages on ESR-1500 and ESR-1511.

Warnings

• The data stored in the tmpsys:syslog file system is not saved when the device is rebooted. This type of file system is recommended for storing operational logs.
• It is not recommended to use the flash:syslog file system to store logs, as it may cause premature ESR device failure.

Configuration example

Objective:

Configure the storage of event messages of info level and higher in a syslog file on the device and configure transmission of these events to an external syslog server. Limit the file size to 512kb. Enable rotation of 3 files. Enable syslog message enumeration.

Solution:

Configure the storage of syslog messages in the file:

esr(config)# syslog file tmpsys:syslog/default info

Configure size limitation and file rotation:

esr(config)# syslog max-files 3
esr(config)# syslog file-size 512

Configure the transmission of messages to an external server:

esr(config)# syslog host mylog 192.168.1.2 info udp 514

Enable syslog message enumeration:

esr(config)# syslog sequence-numbers

Password usage policy configuration

The configuration algorithms for the password usage policy are described in the AAA configuration section of this manual.

For detailed information on the configuration commands for the password usage policy, see AAA configuration in the CLI Commands Reference.

Recommendations

• It is recommended to always enable the default password change request for the admin user.
• It is recommended to limit the lifetime of passwords and prohibit reusing at least the previous password.
• It is recommended to set the minimum password length requirement greater than 8 characters.
• It is recommended to set requirements for the use of lowercase and uppercase letters, numbers and special characters.

Configuration example

Objective:

• Configure a password policy with a requirement to change the default password, a password validity period of 1 month, and a ban on using the last 12 passwords.
• Set the minimum password length to 16 characters, the maximum to 64 characters.
• The password must contain at least 3 uppercase letters, at least 5 lowercase letters, at least 4 digits and at least 2 special characters. The password must contain all 4 types of characters.

Solution:

Enables the default password reset request for admin user:

esr(config)# security passwords default-expered

Set the password lifetime to 30 days and prohibit the use of the previous 12 passwords:

esr(config)# security passwords lifetime 30
esr(config)# security passwords history 12

Set a limit to the password length:

esr(config)# security passwords min-length 16
esr(config)# security passwords max-length 64

Set a limit on the minimum number of characters of the respective types:

esr(config)# security passwords upper-case 3
esr(config)# security passwords lower-case 5
esr(config)# security passwords special-case 2
esr(config)# security passwords numeric-count 4
esr(config)# security passwords symbol-types 4

AAA policy configuration

The algorithms for AAA policy are described in the AAA configuration section of this manual.

For detailed information on the commands for AAA policy, see AAA configuration in the CLI Commands Reference.

Recommendations

• It is recommended to use a role-based access model on the device.
• It is recommended to use personal accounts to authenticate on the device.
• It is recommended to enable logging of commands entered by the user.
• It is recommended to use several authentication methods for logging in to devices via console, remote login to devices and privilege escalation. A combination of RADIUS/TACACS/LDAP authentication and local authentication is considered optimal.
• It is recommended to lower the built-in admin account privileges to 1.
• It is recommended to configure logging of changes of local accounts.
• It is recommended to configure AAA policy change logging.

Warnings

• The built-in admin account cannot be deleted.
• The no username admin command does not remove the admin user, it resets his configuration to defaults. After applying this command, the admin user will not appear in the configuration.
• The no password command for the admin user also does not remove the admin user's password, but resets it to its default value. After applying this command, the admin user password is no longer displayed in the configuration and becomes 'password'.
• Attention! You must have a user with privilege level 15 or an ENABLE password configured before you can set the admin user to downgrade privileges.

Configuration example

Objective:

Configure AAA policy:

• Use RADIUS authentication for remote login via SSH.
• Use RADIUS authentication for local console login, use local authentication if there is no connection to RADIUS servers.
• Use ENABLE password set via RADIUS, if there is no connection to RADIUS servers, use local ENABLE password.
• Set the admin user to a reduced privilege level.
• Configure logging of changes of local accounts.
• Configure AAA policy changes logging.
• Configure the logging of entered commands.

Solution:

Create a local-operator user with privilege level 8:

esr(config)# username local-operator
esr(config-user)# password Pa$$w0rd1
esr(config-user)# privilege 8 
esr(config-user)# exit

Set local ENABLE password:

esr(config)# enable password $6e5c4r3e2t!

Lower the privileges of the admin user:

esr(config)# username admin
esr(config-user)# privilege 1 
esr(config-user)# exit

Configure the connection to the two RADIUS servers, the primary 192.168.1.11 and the backup 192.168.2.12:

esr(config)# radius-server host 192.168.1.11
esr(config-radius-server)# key ascii-text encrypted 8CB5107EA7005AFF
esr(config-radius-server)# priority 100 esr(config-radius-server)# exit
esr(config)# radius-server host 192.168.2.12
esr(config-radius-server)# key ascii-text encrypted 8CB5107EA7005AFF
esr(config-radius-server)# priority 150
esr(config-radius-server)# exit

Configure AAA policy:

esr(config)# aaa authentication login CONSOLE radius local 
esr(config)# aaa authentication login SSH radius 
esr(config)# aaa authentication enable default radius enable
esr(config)# aaa authentication mode break
esr(config)# line console
esr(config-line-console)# login authentication CONSOLE 
esr(config-line-console)# exit esr(config)# line ssh 
esr(config-line-ssh)# login authentication SSH 
esr(config-line-ssh)# exit

Configure logging:

esr(config)# logging userinfo 
esr(config)# logging aaa
esr(config)# syslog cli-commands

Remote management configuration 

For more information on remote access configuration commands, see SSH, Telnet access configuration in the CLI command reference.

Recommendations

• It is recommended to disable remote control via telnet.
• It is recommended to generate new cryptographic keys.
• It is recommended to use crypto-resistant sha2-256, sha2-512 authentication algorithms and disable all others.
• It is recommended to use crypto-resistant aes256, aes256ctr encryption algorithms and disable all others.
• It is recommended to use dh-group-exchange-sha256 crypto-proof encryption key exchange algorithm and disable all others.
• It is recommended to allow access to remote control of the device only from certain IP addresses.   

Configuration example

Objective:

Disable telnet. Generate new encryption keys. Use crypto-resistant algorithms.

Solution:

Disable remote telnet control:

esr(config)# no ip telnet server

Generate new encryption keys:

esr-20(config)# crypto key generate dsa 
esr-20(config)# crypto key generate ecdsa 
esr-20(config)# crypto key generate ed25519 
esr-20(config)# crypto key generate rsa
esr-20(config)# crypto key generate rsa1

Disable outdated and not crypto-resistant algorithms:

esr(config)# ip ssh server
esr(config)# ip ssh authentication algorithm md5 disable
esr(config)# ip ssh authentication algorithm md5-96 disable
esr(config)# ip ssh authentication algorithm ripemd160 disable
esr(config)# ip ssh authentication algorithm sha1 disable
esr(config)# ip ssh authentication algorithm sha1-96 disable
esr(config)# ip ssh encryption algorithm aes128 disable
esr(config)# ip ssh encryption algorithm aes128ctr disable
esr(config)# ip ssh encryption algorithm aes192 disable
esr(config)# ip ssh encryption algorithm aes192ctr disable
esr(config)# ip ssh encryption algorithm arcfour disable
esr(config)# ip ssh encryption algorithm arcfour128 disable
esr(config)# ip ssh encryption algorithm arcfour256 disable
esr(config)# ip ssh encryption algorithm blowfish disable
esr(config)# ip ssh encryption algorithm cast128 disable
esr(config)# ip ssh key-exchange algorithm dh-group-exchange-sha1 disable
esr(config)# ip ssh key-exchange algorithm dh-group1-sha1 disable
esr(config)# ip ssh key-exchange algorithm dh-group14-sha1 disable
esr(config)# ip ssh key-exchange algorithm ecdh-sha2-nistp256 disable
esr(config)# ip ssh key-exchange algorithm ecdh-sha2-nistp384 disable
esr(config)# ip ssh key-exchange algorithm ecdh-sha2-nistp521 disable

Configuration of protection against network attacks mechanisms

The algorithms for configuring the network attack protection mechanisms are described in the Logging and network protection configuration section of this manual.

For detailed information about the commands to configure the password policy, see Management of logging and protection against network attacks in the CLI Command Reference.

Recommendations

• It is recommended to always enable protection against ip spoofing.
• It is recommended to always enable protection against TCP packets with incorrectly set flags.
• It is recommended to always enable protection against fragmented TCP packets with the SYN flag set.
• It is recommended to always enable protection against fragmented ICMP packets.
• It is recommended to always enable protection against large ICMP packets.
• It is recommended to always enable protection against unregistered ip-protocols.
• It is recommended to enable logging of the protection mechanism against network attacks.

Configuration example

Objective:

Configure the protection mechanism against network attacks in accordance with the recommendations.

Solution:

Enable protection against ip spoofing and logging of the protection mechanism:

esr(config)# ip firewall screen spy-blocking spoofing
esr(config)# logging firewall screen spy-blocking spoofing

Enable protection against TCP packets with incorrectly set flags and logging of the protection mechanism:

esr(config)# ip firewall screen spy-blocking syn-fin
esr(config)# logging firewall screen spy-blocking syn-fin
esr(config)# ip firewall screen spy-blocking fin-no-ack
esr(config)# logging firewall screen spy-blocking fin-no-ack
esr(config)# ip firewall screen spy-blocking tcp-no-flag
esr(config)# logging firewall screen spy-blocking tcp-no-flag
esr(config)# ip firewall screen spy-blocking tcp-all-flags
esr(config)# logging firewall screen spy-blocking tcp-all-flags

Enable protection against fragmented ICMP packets and protection mechanism logging:

esr(config)# ip firewall screen suspicious-packets icmp-fragment
esr(config)# logging firewall screen suspicious-packets icmp-fragment

Enable protection against large ICMP packets and logging of the protection mechanism:

esr(config)# ip firewall screen suspicious-packets large-icmp
esr(config)# logging firewall screen suspicious-packets large-icmp

Enable protection against unregistered ip-protocols and logging protection mechanism:

esr(config)# ip firewall screen suspicious-packets unknown-protocols
esr(config)# logging firewall screen suspicious-packets unknown-protocols