Cisco Storage Security
Like the IP infrastructure, the storage infrastructure must be protected from security threats such as denial of service (DoS) and other malware attacks. In addition, elevation of privilege can occur if a guest account is not managed properly. These security risks can result in data being stolen or corrupted and in applications not functioning properly. Because of its broad capabilities, unique security considerations must be addressed when deploying the storage infrastructure in your network. The Cisco MDS 9000 NX-OS software supports advanced security features that provide security within a storage-area network (SAN). These features protect your network against deliberate or unintentional disruptions from internal or external threats. This chapter discusses the following key topics: Authentication, Authorization, and Accounting (AAA): This section discusses the concepts of authentication, authorization, and accounting. Later in this section, we discuss server groups, server monitoring, remote and local AAA services, server distribution using CFS, and the implications of merging…
Multiple Authentication Services Configuration – Cisco Compute Security
You can configure Cisco UCS to use multiple authentication services by configuring the following features: provider groups and authentication domains. A provider group is a set of providers that Cisco UCS accesses during the authentication process. All of the providers within a provider group are accessed in the order in which Cisco UCS uses them to authenticate users. If all of the configured servers are unavailable or unreachable, the Cisco UCS Manager automatically falls back to the local authentication method using the local username and password. The Cisco UCS Manager allows you to create a maximum of 16 provider groups, with a maximum of 8 providers allowed per group. Exam Preparation Tasks: As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 20, “Final Preparation,” and the exam simulation questions in the Pearson Test…
RADIUS and TACACS+ Authentication Configurations – Cisco Compute Security
To add a RADIUS or TACACS+ provider, you first configure the RADIUS/TACACS+ properties and then add the RADIUS/TACACS+ server information. You can configure default settings; default properties apply to all provider connections of this type defined in the Cisco UCS Manager. If an individual provider includes a setting for any of these properties, Cisco UCS uses the provider setting and ignores the default setting. The following scenario shows step by step how to create a UCS provider. Note: RADIUS authentication uses the Password Authentication Protocol (PAP). Note: The Cisco UCS Manager supports a maximum of 16 RADIUS providers. This example shows step by step how to create RADIUS/TACACS+ remote authentication. Before adding a RADIUS provider, you need to perform the following RADIUS server configurations: Configure users with the attribute that holds the user role and locale information for the Cisco UCS Manager. You can choose whether to extend…
LDAP group mapping eliminates the requirement to define role or locale information in the LDAP user object. For organizations that use LDAP groups to restrict access to LDAP databases, the UCS Manager can use group membership information to assign a role or locale to an LDAP user during login. When a user logs in to the Cisco UCS Manager, the LDAP group map pulls information about the user’s role and locale. If the role and locale criteria match the information in the policy, access is granted. The Cisco UCS Manager supports a maximum of 28, 128, or 160 LDAP group maps, depending on the release version. Note: Cisco UCS Manager Release 3.1(1) supports a maximum of 128 LDAP group maps, and Release 3.1(2) and later support a maximum of 160 LDAP group maps. The role and locale definitions that you configure locally in the Cisco UCS Manager do not update automatically…
Two-Factor Authentication – Cisco Compute Security
The Cisco UCS Manager supports two-factor authentication for remote user logins, which adds a level of security to account logins. A two-factor authentication login requires a username plus a token and password combination entered in the password field. You can provide a PIN, certificate, or token. Two-factor authentication uses authentication applications that maintain token servers to generate one-time tokens for users during the login process and to store passwords in the AAA server. Requests are sent to the token server to retrieve a vendor-specific attribute. The Cisco UCS Manager expects the token server to integrate with the AAA server; therefore, it forwards the request to the AAA server. The password and token are validated at the same time by the AAA server. Users must enter the token and password sequence in the same order as it is configured in the AAA server. Two-factor authentication is supported by associating a RADIUS or TACACS+ provider…
Securing UCS Management Using Authentication, Authorization, and Accounting – Cisco Compute Security
The authentication, authorization, and accounting (AAA) framework is vital to securing network devices. The AAA framework provides authentication of management sessions, limits users to specific administrator-defined commands, and logs all commands entered by all users. RADIUS and TACACS+ are both supported on the UCS compute system. TACACS+ encrypts the entire TCP payload, which includes both the username and password; RADIUS encrypts only the password. Therefore, TACACS+ is more secure. Additionally, you can use LDAP for user authentication. To encrypt the LDAP authentication exchange, enable the SSL option. 1. Authentication: Authentication is the process of establishing whether a client is who or what it claims to be in a particular context. A client can be an end user, a machine, or an application. Authentication mechanisms differ depending on the components that are communicating. Cisco UCS provides two methods of user authentication: local accounts on the Cisco UCS Manager, and remote authentication using…
Cisco Compute Security
Most computing platforms are designed to meet performance and function requirements with little or no attention to security. Compute hardening is an important security requirement for any data center platform. As a result, Cisco released a UCS hardening guide to help users secure Cisco Unified Computing System (Cisco UCS) platform devices and improve network security. This chapter covers the following key topics: Securing UCS Management Using Authentication, Authorization, and Accounting (AAA): This section discusses the concepts of Cisco UCS authentication, authorization, and accounting. Later in this section, we discuss user attributes; two-factor authentication; LDAP, RADIUS, and TACACS+ providers; and group configurations. “Do I Know This Already?” Quiz: The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of…
Keychain Authentication – Cisco Network Security
Public key infrastructure (PKI) services provide a scalable and trusted method of authentication. UCS Manager supports PKI only for web sessions (HTTPS), to establish secure communication between the client’s browser and UCS Manager for management purposes. To know more about UCS Manager Communication Services, refer to the “Cisco UCS Manager Administration Management Guide”. The 350-601 DCCOR blueprint includes Keychain Authentication under Compute Security, whereas it should be part of Network Security. We are placing this section here to reflect the blueprint flow of topics. This section discusses keychain management on NX-OS, not UCS. NX-OS keychain management allows you to create and maintain keychains, which are sequences of keys (sometimes called shared secrets). You can use keychains with features that secure communications with other devices by using key-based authentication. The device allows you to configure multiple keychains. Some routing protocols that support key-based authentication can use a keychain to implement a…
ACI Microsegmentation with VMs in Different Application EPGs – Cisco Network Security
For this next example, let’s assume that you need to deploy a three-tier web application. The application is built on VMs that run different operating systems and different versions of the same operating system. For example, the VMs might run Linux, Windows 2012 R2, and Windows 2016. The application is distributed, so the company has divided the VMs into three different EPGs: EPG_Web, EPG_App, and EPG_DB. Because of a recent vulnerability in the Windows 2012 R2 operating system, your company’s security team decided to quarantine VMs running Windows 2012 R2 in case those VMs are compromised. The security team also decided to upgrade all Windows 2012 R2 VMs to Windows 2016. It also wants to microsegment all production VMs across all EPGs and restrict external connectivity to those VMs. To meet this requirement, you can configure a uSeg EPG in the Cisco APIC. The attribute would be Operating System, and…
ACI Microsegmentation with VMs from a Single Application EPG – Cisco Network Security
You can use microsegmentation with Cisco ACI to create new uSeg EPGs that contain VMs from a single application EPG. By default, VMs within an application EPG can communicate with each other; however, you might want to prevent communication between groups of VMs, and that communication is blocked if the VRF is in enforced mode and there is no contract between the uSeg EPGs. For this example, let’s assume that you need to deploy a virtual desktop infrastructure (VDI) for the Human Resources, Finance, and Operations departments. The VDI virtual desktop VMs are part of a single application EPG called EPG_VDI, with identical access requirements to the rest of the application EPGs. Service contracts are built in such a way that EPG_VDI has access to Internet resources and internal resources. But at the same time, the company must ensure that each of the VM groups—Human Resources, Finance, and Operations—cannot access the others even though they belong…