DOCSLIB.ORG

System Security Configuration Guide for Cisco ASR 9000 Series Routers, IOS XR Release 7.1.X

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
System Security Configuration Guide for Cisco ASR 9000 Series Routers, IOS XR Release 7.1.X System Security Configuration Guide for Cisco ASR 9000 Series Routers, IOS XR Release 7.1.x First Published: 2020-01-20 Last Modified: 2020-11-30 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version. Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R) © 2020 Cisco Systems, Inc. All rights reserved. CONTENTS PREFACE Preface xiii Changes to This Document xiii Communications, Services, and Additional Information xiii CHAPTER 1 New and Changed Feature Information 1 System Security Features Added or Modified in IOS XR Release 7.1.x 1 CHAPTER 2 Configuring AAA Services 3 Information About Configuring AAA Services 4 User, User Groups, and Task Groups 4 User Categories 4 User Groups 5 Task Groups 6 Cisco IOS XR Software Administrative Model 7 Administrative Access 7 AAA Database 8 Remote AAA Configuration 8 AAA Configuration 9 Authentication 10 Password Types 12 Type 8 and Type 9 Passwords 13 Type 10 Password 13 AAA Password Security for FIPS Compliance 13 AAA Password Security Policies 14 Minimum Password Length for First User Creation 16 Task-Based Authorization 17 System Security Configuration Guide for Cisco ASR 9000 Series Routers, IOS XR Release 7.1.x iii Contents Task IDs 17 General Usage Guidelines for Task IDs 17 Task IDs for TACACS+ and RADIUS Authenticated Users 18 Task Maps 18 Privilege Level Mapping 20 XML Schema for AAA Services 21 About RADIUS 21 Network Security Situations in Which RADIUS is Unsuitable 22 RADIUS Operation 23 Differentiated Services Code Point (DSCP) Marking support for TACACS packets 23 How to Configure AAA Services 24 Prerequisites for Configuring AAA Services 24 Restrictions for Configuring AAA Services 24 Configuring Task Groups 24 Task Group Configuration 24 Configuring User Groups 26 Configure First User on Cisco Routers 27 Configuring Users 29 Configure Type 8 and Type 9 Passwords 31 Configure Type 10 Password 31 Backward Compatibility for Password Types 33 Configure AAA Password Policy 33 Configuring Router to RADIUS Server Communication 35 Configuring RADIUS Dead-Server Detection 38 Configuring Per VRF AAA 40 New Vendor-Specific Attributes (VSAs) 40 Configuring a TACACS+ Server 42 Configuring RADIUS Server Groups 44 Configuring TACACS+ Server Groups 46 Configure Per VRF TACACS+ Server Groups 48 Configuring AAA Method Lists 50 Configuring Authentication Method Lists 50 Configuring Authorization Method Lists 52 Configuring Accounting Method Lists 56 System Security Configuration Guide for Cisco ASR 9000 Series Routers, IOS XR Release 7.1.x iv Contents Generating Interim Accounting Records 58 Applying Method Lists for Applications 60 Enabling AAA Authorization 60 Enabling Accounting Services 61 Configuring Login Parameters 62 Configuration Examples for Configuring AAA Services 63 Configuring AAA Services: Example 63 Command Accounting 65 Model-based AAA 66 Prerequisites for Model Based AAA 66 Initial Operation 66 NACM Configuration Management and Persistence 67 Overview of Configuring NACM 67 NACM Rules 68 Enabling NACM 71 Verify the NACM Configurations 71 Disabling NACM 72 Additional References 73 CHAPTER 3 Implementing Certification Authority Interoperability 75 Prerequisites for Implementing Certification Authority 76 Restrictions for Implementing Certification Authority 76 Information About Implementing Certification Authority 76 Supported Standards for Certification Authority Interoperability 76 Certification Authorities 77 Purpose of CAs 77 IPSec Without CAs 78 IPSec with CAs 78 IPSec with Multiple Trustpoint CAs 78 How IPSec Devices Use CA Certificates 78 CA Registration Authorities 79 How to Implement CA Interoperability 79 Configuring a Router Hostname and IP Domain Name 79 Generating an RSA Key Pair 80 System Security Configuration Guide for Cisco ASR 9000 Series Routers, IOS XR Release 7.1.x v Contents Importing a Public Key to the Router 81 Declaring a Certification Authority and Configuring a Trusted Point 82 Authenticating the CA 83 Requesting Your Own Certificates 84 Configuring Certificate Enrollment Using Cut-and-Paste 85 Configuration Examples for Implementing Certification Authority Interoperability 86 Configuring Certification Authority Interoperability: Example 86 Expiry Notification for PKI Certificate 88 Learn About the PKI Alert Notification 88 Enable PKI Traps 90 Regenerate the Certificate 90 Integrating Cisco IOS XR and Crosswork Trust Insights 91 How to Integrate Cisco IOS XR and Crosswork Trust Insights 92 Generate Key Pair 94 Generate System Trust Point for the Leaf and Root Certificate 95 Generate Root and Leaf Certificates 96 System Certificates Expiry 98 Collect Data Dossier 99 Procedure to Test Key Generation and Data-signing with Different Key Algorithm 102 Where to Go Next 102 Additional References 102 CHAPTER 4 Implementing Keychain Management 105 Prerequisites for Configuring Keychain Management 105 Restrictions for Implementing Keychain Management 105 Information About Implementing Keychain Management 105 Lifetime of Key 106 How to Implement Keychain Management 106 Configuring a Keychain 107 Configuring a Tolerance Specification to Accept Keys 108 Configuring a Key Identifier for the Keychain 109 Configuring the Text for the Key String 110 Determining the Valid Keys 111 Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic 112 System Security Configuration Guide for Cisco ASR 9000 Series Routers, IOS XR Release 7.1.x vi Contents Configuring the Cryptographic Algorithm 113 Configuration Examples for Implementing Keychain Management 115 Configuring Keychain Management: Example 115 Additional References 116 CHAPTER 5 Configure MACSec 119 Understanding MACsec Encryption 120 Advantages of Using MACsec Encryption 121 Types of MACsec Implementation 121 MKA Authentication Process 122 MACSec Support on Line Cards and Routers 123 MACSec Limitations for Cisco ASR 9901 Routers 124 MACsec PSK 124 Fallback PSK 124 Configuring and Verifying MACSec Encryption 125 Creating a MACsec Key Chain 128 Prerequisites for Configuring MACSec on Bundle Member Interfaces 131 Creating a User-Defined MACsec Policy 132 MACsec SAK Rekey Interval 135 Applying MACsec Configuration on an Interface 135 MACsec Policy Exceptions 136 How to Create MACsec Policy Exception 136 Verifying MACsec Encryption on IOS XR 136 Verifying MACsec Encryption on ASR 9000 149 Configuring and Verifying MACsec Encryption as a Service 153 Configuring MACsec as a Service 155 Configuring MACsec Service for L2VPN Network 156 Configuring MACsec Service for L3VPN Network 157 Applying MACsec Service Configuration on an Interface 159 Verifying MACsec Encryption on IOS XR 160 Verifying MACsec Encryption on ASR 9000 173 Global MACsec Shutdown 177 Configure MACsec Shutdown 177 Verify MACsec Shutdown 178 System Security
Load more

Recommended publications
  • Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide, Release 5.3.X
    Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide, Release 5.3.x First Published: 2015-01-12 Last Modified: 2015-08-27 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    [Show full text]
  • Human Resources Directorate Service Management (HRD
    U.S. Department of the Interior PRIVACY IMPACT ASSESSMENT Introduction The Department of the Interior requires PIAs to be conducted and maintained on all IT systems whether already in existence, in development or undergoing modification in order to adequately evaluate privacy risks, ensure the protection of privacy information, and consider privacy implications throughout the information system development life cycle. This PIA form may not be modified and must be completed electronically; hand-written submissions will not be accepted. See the DOI PIA Guide for additional guidance on conducting a PIA or meeting the requirements of the E-Government Act of 2002. See Section 6.0 of the DOI PIA Guide for specific guidance on answering the questions in this form. NOTE: See Section 7.0 of the DOI PIA Guide for guidance on using the DOI Adapted PIA template to assess third-party websites or applications. Name of Project: Human Resources Directorate Service Management (HRD SM) Bureau/Office: Interior Business Center Date: May 14, 2018 Point of Contact: Name: Teri Barnett Title: Departmental Privacy Officer Email: [email protected] Phone: (202) 208-1605 Address: 1849 C Street NW, Room 7112, Washington, DC 20240 Section 1. General System Information A. Is a full PIA required? ☒ Yes, information is collected from or maintained on ☐ Members of the general public ☒ Federal personnel and/or Federal contractors ☐ Volunteers ☐ All ☐ No: Information is NOT collected, maintained, or used that is identifiable to the individual in this system. Only sections 1 and 5 of this form are required to be completed. B. What is the purpose of the system? Human Resources Directorate Service Management (HRD SM) system is an IT Service Management (ITSM) commercial product with multiple modules and is a Cloud Software-as-a- Service solution hosted by the vendor ServiceNow, Inc.
    [Show full text]
  • Tinkertool System 7 Reference Manual Ii
    Documentation 0642-1075/2 TinkerTool System 7 Reference Manual ii Version 7.5, August 24, 2021. US-English edition. MBS Documentation 0642-1075/2 © Copyright 2003 – 2021 by Marcel Bresink Software-Systeme Marcel Bresink Software-Systeme Ringstr. 21 56630 Kretz Germany All rights reserved. No part of this publication may be redistributed, translated in other languages, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without the prior written permission of the publisher. This publication may contain examples of data used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. This publication could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. The publisher may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Make sure that you are using the correct edition of the publication for the level of the product. The version number can be found at the top of this page. Apple, macOS, iCloud, and FireWire are registered trademarks of Apple Inc. Intel is a registered trademark of Intel Corporation. UNIX is a registered trademark of The Open Group. Broadcom is a registered trademark of Broadcom, Inc. Amazon Web Services is a registered trademark of Amazon.com, Inc.
    [Show full text]
  • ® Apple® A/UXTM Release Notes Version 1.0 Ii APPLE COMPUTER, INC
    .® Apple® A/UXTM Release Notes Version 1.0 Ii APPLE COMPUTER, INC. UNIBUS, VAX, VMS, and VT100 are trademarks of Digital © Apple Computer, Inc., 1986 Equipment Corporation. 20525 Mariani Ave. Cupertino, California 95014 Simultaneously published in the (408) 996-1010 United States and Canada. Apple, the Apple logo, APPLE'S SYSTEM V AppleTalk, ImageWriter, IMPLEMENTATION A/UX LaserWriter, Macintosh, RELEASE 1.0 RUNNING ON A MacTerminal, and ProDOS are MACINTOSH II COMPUTER registered trademarks of Apple HAS BEEN TESTED BY THE Computer, Inc. AT&T-IS' SYSTEM V VERIFICATION SUITE AND Apple Desktop Bus, A!UX, CONFORMS TO ISSUE 2 OF EtherTalk, and Finder are AT&T-IS' SYSTEM V trademarks of Apple Computer, INTERFACE DEFINITION Inc. BASE PLUS KERNEL Ethernet is a registered EXTENSIONS. trademark of Xerox Corporation. IBM is a registered trademark, and PC-DOS is a trademark, of International Business Machines, Inc. - ITC Avant Garde Gothic, ITC Garamond, and ITC Zapf Dingbats are registered trademarks of International Typeface Corporation. Microsoft and MS-DOS are registered trademarks of Microsoft Corporation. NFS is a registered trademark, and Sun Microsystems is a trademark, of Sun Microsystems, Inc. NuBus is a trademark of Texas Instruments. POSTSCRIPT is a registered trademark, and TRANSCRIPT is a trademark, of Adobe Systems Incorporated. UNIX is a registered trademark of AT&T Information Systems. Introduction to A/UX Release Notes, Version 1.0 These release notes contain late-breaking information about release 1.0 of the A!UXI'M software for the Apple® Macintosh® II computer. This package contains two kinds of materials: o Specific information that was not available in time to be incorporated into the printed manuals.
    [Show full text]
  • Chapter 1. Origins of Mac OS X
    1 Chapter 1. Origins of Mac OS X "Most ideas come from previous ideas." Alan Curtis Kay The Mac OS X operating system represents a rather successful coming together of paradigms, ideologies, and technologies that have often resisted each other in the past. A good example is the cordial relationship that exists between the command-line and graphical interfaces in Mac OS X. The system is a result of the trials and tribulations of Apple and NeXT, as well as their user and developer communities. Mac OS X exemplifies how a capable system can result from the direct or indirect efforts of corporations, academic and research communities, the Open Source and Free Software movements, and, of course, individuals. Apple has been around since 1976, and many accounts of its history have been told. If the story of Apple as a company is fascinating, so is the technical history of Apple's operating systems. In this chapter,[1] we will trace the history of Mac OS X, discussing several technologies whose confluence eventually led to the modern-day Apple operating system. [1] This book's accompanying web site (www.osxbook.com) provides a more detailed technical history of all of Apple's operating systems. 1 2 2 1 1.1. Apple's Quest for the[2] Operating System [2] Whereas the word "the" is used here to designate prominence and desirability, it is an interesting coincidence that "THE" was the name of a multiprogramming system described by Edsger W. Dijkstra in a 1968 paper. It was March 1988. The Macintosh had been around for four years.
    [Show full text]
  • Cisco ASR 9000 Series Aggregation Services Router MPLS Configuration Guide Cisco IOS XR Release 3.7.2 March 2009
    Cisco ASR 9000 Series Aggregation Services Router MPLS Configuration Guide Cisco IOS XR Release 3.7.2 March 2009 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Customer Order Number: OL-17241-01 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    [Show full text]
  • Media Composer V8.5 Readme
    Avid® Editing Application ReadMe for Media Composer® v8.5 Revision History Date Description 3/14/2016 Added note concerning Windows 10 and QuickTime. See “Compatibility Chart” on page 25. 2/9/2016 Updated “Compatibility Chart” on page 25 to reflect that QuickTime v7.7.9 is supported for Windows. 2/2/2016 Updated “Qualified Hardware and Operating Systems” on page 13 and “Shared Storage Support” on page 33 and “Compatibility Chart” on page 25. 1/29/2016 Updated “Qualified Workstations and Laptops” on page 14 to include support for Late 2015 iMac Retina 5K system. IMPORTANT: Avid periodically makes software updates available for download on Avid.com at the following location:www.avid.com/us/support/downloads. Please check the above site regularly for information on available downloads for your product. Important Information Avid® recommends that you read all the information in this ReadMe file thoroughly before installing or using any new software release. Important: Search the Avid Knowledge Base for the most up-to-date ReadMe file, which contains the latest information that might have become available after the documentation was published. This document describes compatibility issues with previous releases, software installation instructions, hardware and software requirements, and summary information on system and memory requirements. This document also lists hardware and software limitations. Symbols and Conventions Contents If You Need Help. 3 Notes on Windows. 9 Notes on Software Licensing. 12 Qualified Hardware and Operating Systems . .13 Compatibility Chart . 25 Setting up the NVIDIA Card . 31 Shared Storage Support . 33 Feature Performance . 23 Limitations. 33 Symbols and Conventions Avid documentation uses the following symbols and conventions: Symbol or Convention Meaning or Action n A note provides important related information, reminders, recommendations, and strong suggestions.
    [Show full text]
  • Cisco Services Cisco Service Provider Architecture Applications
    Security at the Speed of the Network: Automating and Accelerating Security Through SDN and NfV BRKSEC-2760 Hantzley Tauckoor – CISSP #472723, CCDE #2015::43 Consulting Systems Engineer – MANO & Programmability Global Virtual Engineering, Cisco Systems ./about_me Hantzley Tauckoor Consulting Systems Engineer – MANO & Programmability Global Virtual Engineering, Cisco Systems linkedin.com/in/hantzley Twitter: @hantzley [email protected] Agenda • Security from the Service Provider perspective • Putting SDN/NFV to work – DDoS • Automating Security in the SP Data Centre • Generating new revenue streams with hosted security services • SDN & NFV Infrastructure Security • Summary Agenda • Security from the Service Provider perspective • Putting SDN/NFV to work - DDoS • Automating Security in the SP Data Centre • Generating new revenue streams with hosted security services • SDN & NFV Infrastructure Security • Summary Security from the Service Provider Perspective Trends: New Opportunities … The world has gone mobile Traffic growth, driven by video 120,000 Other (43%, 25%) 10XDynamic Mobile Traffic Growth Threat100,000 LandscapeInternet Video (57%, 75%) From 2013-2019 80,000 Changing 23% Global Customer 60,000 CAGR 40,000 2013- 2018 Expectations Ubiquitous Access to Apps & Services 20,000 Petabytes Petabytes per Month 0 2013 2014 2015 2016 2017 2018 Rise of cloud computingIncreasing ThreatMachine Sophistication-to-Machine Risks to Service ProvidersEmergence of the Internet of Everything Soon to and Their Customers Change SP Architectures/ Changing
    [Show full text]
  • Cisco IOS XR Software Release
    CISCO CRAFT WORKS INTERFACE QUICK START GUIDE Cisco IOS XR Software Release 3.5 1 Introduction 2 About CWI 3 Prerequisites 4 Configuring the Router and CWI Client 5 Installing, Launching, and Uninstalling CWI 6 Getting Started with CWI 7 Reference Information 8 Obtaining Documentation, Obtaining Support, and Security Guidelines 1 Introduction This document introduces Craft Works Interface (CWI) that supports Cisco IOS XR Software Release 3.5. Note This document refers to CWI managing devices. For Cisco IOS XR software, the devices can be any or all of the secure domain routers (SDRs) of which your Cisco IOS XR system is composed. Related Documentation See the following list for related documents that may be useful: • Cisco Craft Works Interface User Guide • Cisco Craft Works Interface Online Help Intended Audience This document is intended for experienced service provider administrators, Cisco telecommunication management engineers, and third-party field service technicians who have completed the required Cisco router training sessions. 2 About CWI CWI is a powerful, session-based tool that allows you to manage, monitor, and configure a single device or a network of devices. CWI is designed to operate in as many situations as possible. Using CWI you can: • Connect to the devices in several ways through a serial port, a terminal server, or an IP-based method, such as Telnet, SSH, or CORBA. • Run Windows, Macintosh, and Linux clients. • Connect to devices with or without XML or command-line interface (CLI) capabilities. • Display both the administrative (admin) plane and device plane for Cisco IOS XR devices. CWI offers a selection of CLI- and graphic-based tools from which you can perform management tasks.
    [Show full text]
  • Solaris Powerpc Edition: Installing Solaris Software—May 1996 What Is a Profile
    SolarisPowerPC Edition: Installing Solaris Software 2550 Garcia Avenue Mountain View, CA 94043 U.S.A. A Sun Microsystems, Inc. Business Copyright 1996 Sun Microsystems, Inc., 2550 Garcia Avenue, Mountain View, California 94043-1100 U.S.A. All rights reserved. This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Portions of this product may be derived from the UNIX® system, licensed from Novell, Inc., and from the Berkeley 4.3 BSD system, licensed from the University of California. UNIX is a registered trademark in the United States and other countries and is exclusively licensed by X/Open Company Ltd. Third-party software, including font technology in this product, is protected by copyright and licensed from Sun’s suppliers. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. Sun, Sun Microsystems, the Sun logo, Solaris, Solstice, SunOS, OpenWindows, ONC, NFS, DeskSet are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.
    [Show full text]
  • Cisco CRS-1 SIP and SPA Configuration Guide Cisco IOS XR Software Release 3.3
    R3.3 Beta Draft—Cisco Confidential Information Cisco CRS-1 SIP and SPA Configuration Guide Cisco IOS XR Software Release 3.3 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Text Part Number: OL-7110-03 R3.3 Beta Draft—Cisco Confidential Information THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
    [Show full text]
  • Cisco IOS XR Memory Forensics Analysis
    Cisco IOS XR memory forensics analysis Solal Jacob Agence Nationale de la Sécurité des Systèmes d’Information 2019 TOC I I- IOS XR internals & forensics analysis I II - Attack simulation I III - Detection ANSSI Cisco IOS XR memory forensics analysis 2/33 I- IOS XR internals & forensics analysis I We would like to be able to analyze a router to know if it was compromised I For that we want to develop memory forensics tools to detect advanced attack I IOS XR is an exotic system used on core routers ANSSI Cisco IOS XR memory forensics analysis 3/33 IOS XR I Used in Cisco routers (12000, ASR9000, ...) I 32 bits version only I Based on QNX 6.4 ANSSI Cisco IOS XR memory forensics analysis 4/33 QNX I Microkernel released in 1982, now part of Blackberry I Used in embedded system : Routers, Infotainment, Telematics (Westing House, AECL, Air traffic Control, General Electric) I Source was released then closed again ANSSI Cisco IOS XR memory forensics analysis 5/33 QNX architecture I Fault tolerant I Reduced kernel attack surface I Conforms to posix standard I Customizable by OEM ANSSI Cisco IOS XR memory forensics analysis 6/33 QNX Security & Forensics I Some CVEs I No hardening before 6.6 I Troopers 2016, QNX : ”99 Problems but a Microkernel ain’t one !” (Vuln in message passing & IPC) I Recon 2018, ”Dissecting QNX” (Mitigation & PRNG) I No forensics papers or presentations ANSSI Cisco IOS XR memory forensics analysis 7/33 QNX startup I The IPL, Inital Program Loader, initializes the hardware, configures the memory controller, loads the system image
    [Show full text]