Cisco IPS 4520 Sensor White Paper
Firewall
August 2012 Series
Reader Tip
The AAA server used in this architecture is the Cisco Secure Authentication Control Server (ACS). Configuration of Cisco Secure ACS is discussed in the Cisco SBA—Borderless Networks LAN and Wireless LAN 802.1x Authentication Deployment Guide.
TACACS+ is the primary protocol used to authenticate management logins on the infrastructure devices to the AAA server. A local AAA user database was defined already to provide a fallback authentication source in case the centralized TACACS+ server is unavailable.
Step 1: Configure the TACACS+ server.
aaa-server AAA-SERVER protocol tacacs+
aaa-server AAA-SERVER (inside) host 10.4.48.15 SecretKey
Step 2: Configure the appliance’s management authentication to use the TACACS+ server first and then the local user database if the TACACS+ server is unavailable.
aaa authentication enable console AAA-SERVER LOCAL
aaa authentication ssh console AAA-SERVER LOCAL
aaa authentication http console AAA-SERVER LOCAL
aaa authentication serial console AAA-SERVER LOCAL
Step 3: Configure the appliance to use AAA to authorize management users.
aaa authorization exec authentication-server
Tech Tip
User authorization on the Cisco ASA firewall does not automatically present the user with the enable prompt if they have a privilege level of 15, unlike Cisco IOS devices.
Procedure 5
Configure NTP and logging
Logging and monitoring are critical aspects of network security devices in order to support troubleshooting and policy-compliance auditing.
The Network Time Protocol (NTP) is designed to synchronize time across a network of devices. An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the organization’s network.
Network devices should be programmed to synchronize to a local NTP server in the network. The local NTP server typically references a more accurate clock feed from an outside source.
There is a range of detail that can be logged on the appliance. Informational-level logging provides the ideal balance between detail and log-message volume. Lower log levels produce fewer messages, but they do not produce enough detail to effectively audit network activity. Higher log levels produce a larger volume of messages but do not add sufficient value to justify the number of messages logged.
Step 1: Configure the NTP server.
ntp server 10.4.48.17
Step 2: Configure the time zone.
clock timezone PST -8
clock summer-time PDT recurring
Step 3: Configure which logs to store on the appliance.
logging enable
logging buffered informational
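The two procedures above (TACACS+ authentication with LOCAL fallback, then NTP and informational-level buffered logging) are easy to get subtly wrong when a config is edited later, for example by dropping the LOCAL fallback on one access method or lowering the logging level. The following audit script is an added example, not part of the Cisco guide; it parses an ASA-style configuration fragment built from the commands shown above (the sample text is constructed here) and reports deviations from the guide's settings. The severity-name table follows the standard ASA syslog levels (0 = emergencies through 7 = debugging).

```python
"""Audit an ASA-style configuration fragment for the management-plane
settings in the guide: TACACS+ AAA with LOCAL fallback, NTP, and
informational-level buffered logging.  Added example, not Cisco code."""

# ASA syslog severity names in numeric order (0 = emergencies ... 7 = debugging).
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample configuration, assembled from the commands in the guide.
SAMPLE_CONFIG = """\
aaa-server AAA-SERVER protocol tacacs+
aaa-server AAA-SERVER (inside) host 10.4.48.15 SecretKey
aaa authentication enable console AAA-SERVER LOCAL
aaa authentication ssh console AAA-SERVER LOCAL
aaa authentication http console AAA-SERVER LOCAL
aaa authentication serial console AAA-SERVER LOCAL
aaa authorization exec authentication-server
ntp server 10.4.48.17
clock timezone PST -8
clock summer-time PDT recurring
logging enable
logging buffered informational
"""


def parse_config(text):
    """Return the non-empty, non-comment config lines as token lists."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        lines.append(line.split())
    return lines


def audit_aaa(lines):
    """Every management access method must authenticate against a TACACS+
    group first with LOCAL as fallback, the group must have a host, and
    exec authorization must use the authentication server."""
    findings = []
    groups = {t[1] for t in lines
              if t[:1] == ["aaa-server"] and t[2:4] == ["protocol", "tacacs+"]}
    hosts = {t[1] for t in lines if t[:1] == ["aaa-server"] and "host" in t}
    for group in sorted(groups - hosts):
        findings.append(f"TACACS+ group {group} has no host defined")
    seen = {}
    for t in lines:
        if t[:2] == ["aaa", "authentication"] and len(t) >= 4 and t[3] == "console":
            seen[t[2]] = t[4:]          # method name -> list of auth sources
    for method in ("enable", "ssh", "http", "serial"):
        sources = seen.get(method)
        if sources is None:
            findings.append(f"{method}: no aaa authentication configured")
        elif sources[0] not in groups:
            findings.append(f"{method}: first source {sources[0]!r} is not a TACACS+ group")
        elif "LOCAL" not in sources[1:]:
            findings.append(f"{method}: no LOCAL fallback if TACACS+ is unreachable")
    if ["aaa", "authorization", "exec", "authentication-server"] not in lines:
        findings.append("exec authorization does not use the authentication server")
    return findings


def audit_ntp_logging(lines):
    """NTP must be configured, logging enabled, and the buffered level must
    be exactly informational (lower = too little detail, higher = noise)."""
    findings = []
    if not any(t[:2] == ["ntp", "server"] for t in lines):
        findings.append("no ntp server configured; log timestamps cannot be correlated")
    if ["logging", "enable"] not in lines:
        findings.append("logging is not enabled")
    level = next((t[2] for t in lines if t[:2] == ["logging", "buffered"] and len(t) > 2), None)
    if level is None:
        findings.append("no buffered logging level configured")
        return findings
    sev = SEVERITY.get(level, int(level) if level.isdigit() else None)
    if sev is None:
        findings.append(f"unknown logging level {level!r}")
    elif sev < SEVERITY["informational"]:
        findings.append(f"buffered logging level {level} is below informational; too little detail to audit")
    elif sev > SEVERITY["informational"]:
        findings.append(f"buffered logging level {level} is above informational; volume without added value")
    return findings


def audit(text):
    """Run both audits over a configuration text and return all findings."""
    lines = parse_config(text)
    return audit_aaa(lines) + audit_ntp_logging(lines)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports no findings; feed it a `show running-config` capture and any access method missing its LOCAL fallback, or a buffered level moved away from informational, is listed by name. Numeric levels (`logging buffered 6`) are accepted as equivalent to their names.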
Procedure 6
Configure device-management protocols
Cisco ASDM requires that the appliance’s HTTPS server be available. Be sure that the configuration includes networks where administrative staff has access to the device through Cisco ASDM; the appliance can offer controlled Cisco ASDM access for a single address or management subnet (in this case, 10.4.48.0/24).