Résumé du contenu de la page N° 1
Cisco Content Services Switch
Security Configuration Guide
Software Version 7.50
March 2005
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-5650-02
Résumé du contenu de la page N° 2
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE
Résumé du contenu de la page N° 3
CONTENTS Preface xi Audience xii How to Use This Guide xii Related Documentation xiii Symbols and Conventions xvi Obtaining Documentation xvii Cisco.com xvii Documentation DVD xviii Ordering Documentation xviii Documentation Feedback xviii Cisco Product Security Overview xix Reporting Security Problems in Cisco Products xix Obtaining Technical Assistance xx Cisco Technical Support Website xx Submitting a Service Request xxi Definitions of Service Request Severity xxii Obtaining Additional Publ
Résumé du contenu de la page N° 4
Contents Controlling Administrative Access to the CSS 1-10 Enabling Administrative Access to the CSS 1-10 Disabling Administrative Access to the CSS 1-11 Controlling CSS Network Traffic Through Access Control Lists 1-12 ACL Overview 1-13 ACL Configuration Quick Start 1-15 Creating an ACL 1-17 Deleting an ACL 1-18 Configuring Clauses 1-19 Adding a Clause When ACLs are Globally Enabled 1-25 Deleting a Clause 1-26 Applying an ACL to a Circuit or DNS Queries 1-27 Removing an ACL from Circuits or D
Résumé du contenu de la page N° 5
Contents Configuring SSHD in the CSS 2-3 Configuring SSHD Keepalive 2-3 Configuring SSHD Port 2-4 Configuring SSHD Server-Keybits 2-4 Configuring SSHD Version 2-5 Configuring Telnet Access When Using SSHD 2-6 Showing SSHD Configurations 2-6 CHAPTER 3 Configuring the CSS as a Client of a RADIUS Server 3-1 RADIUS Configuration Quick Start 3-3 Configuring a RADIUS Server for Use with the CSS 3-4 Configuring Authentication Settings 3-5 Configuring Authorization Settings 3-5 Specifying a Primary RA
Résumé du contenu de la page N° 6
Contents Setting the Global TACACS+ Keepalive Frequency 4-7 Defining a TACACS+ Server 4-8 Setting TACACS+ Authorization 4-11 Sending Full CSS Commands to the TACACS+ Server 4-12 Setting TACACS+ Accounting 4-13 Showing TACACS+ Server Configuration Information 4-14 CHAPTER 5 Configuring Firewall Load Balancing 5-1 Overview of FWLB 5-2 Firewall Synchronization 5-3 Configuring FWLB 5-3 Configuring a Keepalive Timeout for a Firewall 5-4 Configuring an IP Static Route for a Firewall 5-5 Configuring
Résumé du contenu de la page N° 7
FI G U R E S Figure 1-1 CSS Directory Access Privileges 1-5 Figure 1-2 ACLs Enabled on the CSS 1-14 Figure 5-1 Example of FWLB 5-9 Figure 5-2 FWLB with VIP/Interface Redundancy Configuration 5-11 Cisco Content Services Switch Security Configuration Guide OL-5650-02 vii
Résumé du contenu de la page N° 8
Figures Cisco Content Services Switch Security Configuration Guide OL-5650-02 viii
Résumé du contenu de la page N° 9
TABLES Table 1-1 ACL Configuration Quick Start 1-16 Table 1-2 Clause Command Options 1-21 Table 1-3 Field Descriptions for the show acl Command Output 1-31 Table 1-4 Field Descriptions for the show nql Command Output 1-38 Table 2-1 Field Descriptions for the show sshd config Command 2-6 Table 2-2 Field Descriptions for the show sshd sessions Command 2-8 Table 3-1 RADIUS Configuration Quick Start 3-3 Table 3-2 Field Descriptions for the show radius config Command 3-10 Table 3-3 Field Descriptio
Résumé du contenu de la page N° 10
Tables Cisco Content Services Switch Security Configuration Guide OL-5650-02 x
Résumé du contenu de la page N° 11
Preface This guide provides instructions for configuring the security features of the Cisco 11500 Series Content Services Switches (CSS). Information in this guide applies to all CSS models except where noted. The CSS software is available in a Standard or optional Enhanced feature set. Proximity Database and Secure Management, which includes Secure Shell Host and SSL strong encryption for the Device Management software, are optional features. This preface contains the following major sec
Résumé du contenu de la page N° 12
Preface Audience Audience This guide is intended for the following trained and qualified service personnel who are responsible for configuring the CSS: Web master System administrator System operator How to Use This Guide This guide is organized as follows: Chapter Description Chapter 1, Control access to the CSS including user Controlling CSS Access and network traffic access. Chapter 2, Configure Secure Shell Daemon (SSHD) Configuring the Secure Shell protocol to provide secure encr
Résumé du contenu de la page N° 13
Preface Related Documentation Related Documentation In addition to this guide, the Content Services Switch documentation includes the following publications. Document Title Description Release Note for the This release note provides information on Cisco 11500 Series operating considerations, caveats, and command Content Services Switch line interface (CLI) commands for the Cisco 11500 series CSS. Cisco 11500 Series This guide provides information for installing, Content Services Switch ca
Résumé du contenu de la page N° 14
Preface Related Documentation Document Title Description Cisco Content Services This guide describes how to perform administrative Switch Administration tasks on the CSS, including upgrading your CSS Guide software and configuring the following: Logging, including displaying log messages and interpreting sys.log messages User profile and CSS parameters SNMP RMON XML documents to configure the CSS CSS scripting language Offline Diagnostic Monitor (Offline DM) menu Cisco Con
Résumé du contenu de la page N° 15
Preface Related Documentation Document Title Description Cisco Content Services This guide describes how to perform CSS content Switch Content load-balancing configuration tasks, including: Load-Balancing Flow and port mapping Configuration Guide Services Service, global, and script keepalives Source groups Loads for services Server/Application State Protocol (SASP) Dynamic Feedback Protocol (DFP) Owners Content rules Sticky parameters HTTP header load balancing Co
Résumé du contenu de la page N° 16
Preface Symbols and Conventions Document Title Description Cisco Content Services This guide describes how to perform CSS SSL Switch SSL Configuration configuration tasks, including: Guide SSL certificate and keys SSL termination Back-end SSL SSL initiation Cisco Content Services This reference provides an alphabetical list of all Switch Command CLI commands including syntax, options, and Reference related commands. Cisco Content Services This guide describes how to use the Device
Résumé du contenu de la page N° 17
Preface Obtaining Documentation Courier text indicates text that appears on a command line, including the CLI prompt. Courier bold text indicates commands and text you enter in a command line. Italics text indicates the first occurrence of a new term, book title, emphasized text, and variables for which you supply values. 1. A numbered list indicates that the order of the list items is important. a. An alphabetical list indicates that the order of the secondary list items is important. A
Résumé du contenu de la page N° 18
Preface Documentation Feedback Documentation DVD Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit. Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Mark
Résumé du contenu de la page N° 19
Preface Cisco Product Security Overview You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address: Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883 We appreciate your comments. Cisco Product Security Overview Cisco provides a free online Security Vulnerability Policy portal at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.ht ml
Résumé du contenu de la page N° 20
Preface Obtaining Technical Assistance Nonemergencies—psirt@cisco.com Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x. Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key ser