White Paper for Cisco IPS 4520 Sensor
17
Firewall
August 2012 Series
transport preferred none
snmp-server community cisco RO
snmp-server community cisco123 RW
Step 10: (Optional)
In networks where network operational support is centralized, you can increase network security by using an access list to limit the networks that can access your device. In this example, only devices on the 10.4.48.0/24 network will be able to access the device via SSH or SNMP.
access-list 55 permit 10.4.48.0 0.0.0.255
line vty 0 15
 access-class 55 in
!
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
Step 11:
Configure DNS for host lookup.
ip name-server 10.4.48.10
Step 12:
Configure local login and password.
username admin password c1sco123
enable secret c1sco123
service password-encryption
aaa new-model
Step 13: (Optional)
Configure centralized user authentication.
As networks scale in the number of devices to maintain, it poses an operational burden to maintain local user accounts on every device. A centralized authentication, authorization, and accounting (AAA) service reduces operational tasks per device and provides an audit log of user access, for security compliance and root cause analysis. When AAA is enabled for access control, all management access to the network infrastructure devices (SSH and HTTPS) is controlled by AAA.
Reader Tip
The AAA server used in this architecture is the Cisco Authentication Control Server. For details about ACS configuration, see the Cisco SBA—Borderless Networks LAN and Wireless LAN 802.1x Authentication Deployment Guide.
TACACS+ is the primary protocol used to authenticate management logins on the infrastructure devices to the AAA server. In Step 12, a local AAA user database is also defined on each network infrastructure device in order to provide a fallback authentication source in case the centralized TACACS+ server is unavailable.
tacacs server TACACS-SERVER-1
 address ipv4 10.4.48.15
 key SecretKey
!
aaa group server tacacs+ TACACS-SERVERS
 server name TACACS-SERVER-1
!
aaa authentication login default group TACACS-SERVERS local
aaa authorization exec default group TACACS-SERVERS local
aaa authorization console
ip http authentication aaa
Step 14:
Configure a synchronized clock.
ntp server 10.4.48.17
!
clock timezone PST -8
clock summer-time PDT recurring
!
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
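The following audit script is an added example, not part of the Cisco SBA guide: it reads a running-config as text and checks the management-plane settings Steps 10 through 14 establish (SNMP communities tied to an ACL, an access-class on the vty lines, password encryption, a local fallback on the AAA login method list, and an NTP server). The sample configuration embedded in it is constructed from the guide's own values; the function and check names are the example's own.

```python
import re

# Constructed sample of the management-plane lines from Steps 10-14
# (the values are the guide's; the audit itself is an added example).
SAMPLE_CONFIG = """\
access-list 55 permit 10.4.48.0 0.0.0.255
line vty 0 15
 access-class 55 in
snmp-server community cisco RO 55
snmp-server community cisco123 RW 55
service password-encryption
aaa new-model
aaa authentication login default group TACACS-SERVERS local
ntp server 10.4.48.17
"""

def audit_management_plane(config):
    """Return {check: [findings]}; an empty list means the check passed.
    Checks: SNMP communities reference an ACL and vty lines apply an
    access-class (Step 10), passwords are encrypted (Step 12), AAA login
    falls back to 'local' (Step 13), and an NTP server is set (Step 14)."""
    lines = config.splitlines()
    f = {"snmp_acl": [], "vty_acl": [], "pw_encryption": [],
         "aaa_fallback": [], "ntp": []}
    in_vty, has_class, vty_hdr = False, False, None
    for ln in lines + ["end"]:
        if in_vty and not ln.startswith(" "):      # vty block just ended
            if not has_class:
                f["vty_acl"].append(vty_hdr)
            in_vty = False
        if ln.startswith("line vty"):
            in_vty, has_class, vty_hdr = True, False, ln
        elif in_vty and re.match(r" access-class \S+ in$", ln):
            has_class = True
        elif re.match(r"snmp-server community \S+(?: (?:RO|RW))?$", ln):
            f["snmp_acl"].append(ln)               # community without ACL
        elif ln.startswith("aaa authentication login default") \
                and not ln.endswith(" local"):
            f["aaa_fallback"].append(ln)           # no local fallback
    if "service password-encryption" not in lines:
        f["pw_encryption"].append("service password-encryption not set")
    if not any(ln.startswith("ntp server ") for ln in lines):
        f["ntp"].append("no ntp server configured")
    return f

def is_hardened(config):
    """True when every check in audit_management_plane() passes."""
    return all(not v for v in audit_management_plane(config).values())
```

Run it against the output of `show running-config` saved to a file; any non-empty list names the line (or the missing command) that departs from the guide's configuration.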