Simple Netconf Security Configurations for Cisco Devices

Introduction

In this post, we are going to go over some simple configurations you can implement on any Cisco networking device that has Netconf enabled.

Section I – Why Bother?

As part of Defence in Depth, we should be thinking about how we can add layers to the security of all of the devices and services that we are running on our systems and networks.

When we approach our security in this layered way, it means that if one of the layers happens to disappear we are not completely exposed.

When you enable Netconf on a Cisco device you are opening the door to both reading from and writing to an Application Programming Interface (API) on that device. This means that if it isn’t secured, someone could make unexpected configuration changes to your devices and cause havoc.

Section II – Solutions

The two simple ways of protecting Netconf on your Cisco devices that I am presenting here are not revolutionary. However, they are things I implement whenever I am using NETCONF-YANG within my environments.

Section II – A – Access Control List

The first method is to set up an Access Control List (ACL).

This way we can define which hosts are able to communicate with our device using Netconf.

For example, if I have a specific server that I am expecting to communicate with my device, I can put in an ACL entry specifically for it.

All ACLs within Cisco products have an implicit deny-all rule at the end; however, it is good practice to put in your own explicit deny-all at the end of the ACL so that you can log the denies.

ip access-list extended NETCONF_RESTRICT
    10 permit tcp host <server IP> host <device IP>
    20 deny ip any any log

With the ACL created, it just needs to be applied to the Netconf service.

netconf-yang ssh ipv4 access-list name NETCONF_RESTRICT

Section II – B – AAA Login

Another method is to use Authentication, Authorisation and Accounting (AAA) so that you can use credentials from a central source, for example an Active Directory Domain Controller, in order to authenticate to the device via Netconf.

This will give you better control of accounts that have access to the device.

An example of AAA configuration is in the code block below.

aaa new-model
!
aaa group server radius AAA
 server-private <IP> key <Shared Secret>
 ip radius source-interface <Interface>
!
aaa authentication login default group AAA local

The advantage of using a central authentication server is that both the network device itself and the central authentication server can log when accounts are having repeated authentication failures. This can help you detect things like brute force attacks.
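Both sections above point at logs as the payoff: the explicit deny-all on NETCONF_RESTRICT logs rejected connections, and AAA logs repeated login failures. The script below is an added example (not code from the post) that aggregates both message types per source address and flags sources with repeated failures. The syslog lines are constructed samples shaped like IOS messages, not captured from a real device; the message formats, the threshold and the default NETCONF-over-SSH port 830 are assumptions you should check against your own devices.

```python
"""Aggregate NETCONF_RESTRICT ACL denies and repeated login failures from IOS-style syslog."""
import re
from collections import Counter

# Extended-ACL log message produced by a 'deny ... log' entry (assumed IOS format).
ACL_DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied tcp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)
# Login-failure message emitted when AAA rejects a session (assumed IOS format).
LOGIN_FAIL_RE = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>\d+\.\d+\.\d+\.\d+)\]"
)

# Constructed sample log lines (documentation/test address ranges, not real hosts).
# 192.0.2.10 plays the permitted automation server; 830 is the default NETCONF port.
SAMPLE_LOGS = """\
Jan 10 10:01:02.101: %SEC-6-IPACCESSLOGP: list NETCONF_RESTRICT denied tcp 192.0.2.77(51234) -> 198.51.100.1(830), 1 packet
Jan 10 10:01:07.402: %SEC-6-IPACCESSLOGP: list NETCONF_RESTRICT denied tcp 192.0.2.77(51235) -> 198.51.100.1(830), 1 packet
Jan 10 10:01:09.117: %SEC-6-IPACCESSLOGP: list MGMT_ACL denied tcp 192.0.2.77(51236) -> 198.51.100.1(22), 1 packet
Jan 10 10:02:30.009: %SEC-6-IPACCESSLOGP: list NETCONF_RESTRICT denied tcp 203.0.113.9(40001) -> 198.51.100.1(830), 1 packet
Jan 10 10:03:01.555: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 830] [Reason: Login Authentication Failed]
Jan 10 10:03:02.601: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 830] [Reason: Login Authentication Failed]
Jan 10 10:03:03.700: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netconf] [Source: 203.0.113.9] [localport: 830] [Reason: Login Authentication Failed]
Jan 10 10:04:15.020: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: automation] [Source: 192.0.2.10] [localport: 830] [Reason: Login Authentication Failed]
Jan 10 10:05:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
"""


def analyse(lines, acl="NETCONF_RESTRICT", fail_threshold=3):
    """Count denies for the given ACL and login failures per source; flag repeat offenders."""
    denies, failures = Counter(), Counter()
    for line in lines:
        m = ACL_DENY_RE.search(line)
        if m and m.group("acl") == acl:  # ignore denies logged by other ACLs
            denies[m.group("src")] += 1
            continue
        m = LOGIN_FAIL_RE.search(line)
        if m:
            failures[m.group("src")] += 1
    suspects = sorted(src for src, n in failures.items() if n >= fail_threshold)
    return {"acl_denies": dict(denies), "login_failures": dict(failures), "suspects": suspects}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOGS.splitlines()))
```

A single failure from the permitted server (192.0.2.10 above) is kept in the per-source counts but stays below the threshold, so only the host hammering the device is flagged.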
