Cisco ACS 4.2 and Cisco ACS 5.2 Best practices document

 

Table of Contents


 


1.1.       Introduction
1.2.       Cisco ACS software installation considerations and Server hardening
1.3.       Regularly Backup Cisco ACS Databases and Cisco ACS settings.
1.4.       Physical Security
1.5.       Secure the Access to the Cisco ACS server by using HTTPS connection
1.6.       Trusted hosts configuration
1.7.       Limit the Cisco ACS System Administrators
1.8.       Administrator Password complexity policy
1.9.       Cisco Failover and Replication caveats.
1.10.     Database Replication and Replication partners
1.11.     ACS certificate installation for security purposes
1.12.     Configuring Timeouts on the Administrative sessions
1.13.     User and Access Best practices guidelines.
1.14.     Configure multiple Syslog destinations
1.15.     Configure Critical Loggers for the local logs
1.16.     Configure Remote Logging Agents
1.17.     Regularly review failed logins and see if there is an attack pattern emerging
1.18.     TACACS+ administration log review
1.19.     Logical user access considerations and recommendations
1.20.     Cisco ACS Database Replication management

 

 

Introduction

Cisco ACS appliances and software have been around for many years, and the installed base is still very large. There has been keen interest in a best-practice document covering configuration, migration, replication and security. Most of the recommendations below apply to any version of Cisco ACS, because they focus on the principle of securing a specific component rather than on the particulars of how the task is achieved; the controls themselves live in different places in the different ACS versions. If you keep the spirit of the document in mind, you will end up with a better-secured ACS server or appliance.

 

Cisco ACS software installation considerations and Server hardening

A stringent security policy and a server hardening guide reduce the risk when installing Cisco ACS software in a Windows environment. This applies to ACS 4.x, which runs as an application on Windows Server; ACS 5.x ships as an appliance or virtual machine on its own operating system, so for 5.x the hardening is done on the appliance itself (restrict CLI and web access, apply Cisco's patches) rather than on a Windows host. Keep the host dedicated to ACS: every extra service on the AAA server is extra attack surface on the system that holds your network credentials. Please read this document, which applies to Windows 2003 server hardening, before installing Cisco ACS on a Windows 2003 member server. It is not the latest version, but it has useful guidelines to help you lock down the server. If you already run Windows 2008 on your site, the links below will help you secure that platform.

https://wikis.utexas.edu/display/ISO/Windows+2008R2+Server+Hardening+Checklist

http://www.petri.co.il/forums/showthread.php?t=31269

 

Regularly Backup Cisco ACS Databases and Cisco ACS settings.

Before any upgrade, maintenance or other drastic change, back up the database through the web GUI. Also create scheduled backup tasks and copy the backup directory off site. Treat the backup files as sensitive: they hold the user database and the AAA client shared secrets, so restrict who can read them and encrypt them in transit and at rest. Periodically restore a backup onto a test system to confirm that it is actually usable.

 

Physical Security

The Cisco ACS server should sit in a locked rack in a data centre with controlled and logged access; anyone with physical access to the box can reset it or read its database. This link provides some guidelines on how to go about that.

 

Secure the Access to the Cisco ACS server by using HTTPS connection

This is easy to configure and adds a layer of protection that makes all the difference if somebody runs a sniffer on the local network: over plain HTTP the administrator credentials, and every configuration page after the login, cross the wire in clear text and can be read offline. In ACS 4.x HTTPS for the administrative interface has to be switched on explicitly under Administration Control > Access Policy; ACS 5.x serves its web interface over HTTPS only. Pair HTTPS with a certificate the administrators' browsers trust, so that nobody gets used to clicking through certificate warnings.

 

Trusted hosts configuration

Allow only specific hosts, such as the administrators' workstations or a jump host, to connect to the Cisco ACS administrative interface by configuring the trusted hosts that may administer the device. This makes accidental discovery of the ACS login page, and brute-force attacks against it, harder. Enforce the same restriction on the network as well (an access list or firewall rule in front of the server), so that the ACS-side filter is not the only control.

Limit the Cisco ACS System Administrators

Keep the number of system administrators small, and audit even those regularly to see what they did. Make use of the different privilege levels for mundane tasks: delegate routine account administration to junior administrators whose accounts do not carry full system-administrator privileges.

 

Administrator Password complexity policy

Tune the access policy, session policy and password policy to reflect your organization's security policy requirements: minimum length and character classes, password lifetime, no reuse of recent passwords, and lockout after repeated failed attempts.

 

Cisco Failover and Replication caveats.

Cisco ACS 3.x and 4.x redundancy is somewhat imperfect: it works as an active and cold-standby failover pair, because in those versions quite a few parameters cannot be shared and replicated properly between the replication partners. Cisco did away with that in ACS 5 and above with a truly redundant design. If you are on 4.x or 3.x that is of little help. The best advice for those versions is to remove or avoid the non-replicable items and then attempt the redundancy again. Another approach is a hardware load balancer in front of the ACS servers; that usually takes more research, money and time, but it is an alternative to the non-replicable-items problem.

 

Database Replication and Replication partners

If you intend to use replication, there are a few things you need to know about it. While replication runs, the ACS services on the server are stopped, so it does not perform authentication during that window. To minimize the impact of this downtime, schedule replication at night, when there is minimal production traffic, and make sure the AAA clients have a second ACS server configured so that authentication fails over while one server is replicating.

 

ACS certificate installation for security purposes

Install a certificate on ACS issued by a trusted certificate authority. VeriSign is the first choice for many, but your in-house certificate authority will do just fine, as long as the administrators' browsers and, if you use PEAP or EAP-TLS, the client supplicants trust the issuing CA. Do not leave a self-signed certificate in production, and keep track of the expiry date so that it is renewed before it lapses.

 

Configuring Timeouts on the Administrative sessions

Configure automatic timeouts on the administrative sessions, so that an unattended logged-in browser does not stay usable indefinitely.

 

User and Access Best practices guidelines.

  1. Time-of-Day Access: you can define the allowed times during which users can access the network.
  2. Network Access Restrictions: a Network Access Restriction (NAR) is a definition, which you make in Cisco Secure ACS, of additional conditions that must be met before a user can access the network. Cisco Secure ACS applies these conditions using information from attributes that your AAA clients send. Although you can set up NARs in several ways, they are all based on matching attribute information sent by an AAA client, so you must understand the format and content of the attributes your AAA clients send if you want to employ effective NARs.
  3. Separating Device Administration Users and General Network Users: it is important to keep general network users from accessing network devices. Even though a general user might not intend to disrupt the system, inadvertent access can cause accidental disruption to network access. Separating general users from administrative users falls into the realm of AAA and Cisco Secure ACS.
  4. Make use of the User-Changeable Passwords software: this is a small piece of software, dependent on the Cisco ACS version, that interacts with the server to let users change their own passwords and so offloads that burden from your system administrators. More information on that can be found here.
  5. Web Interface Security: accessing the web interface requires a valid administrator name and password. The Cisco Secure ACS Login page encrypts the administrator credentials before sending them to Cisco Secure ACS; that protects the login only, so still use HTTPS for the whole administrative session.

 

Configure multiple Syslog destinations

Sending every log category to at least two syslog servers improves the chances of retaining the logs if one syslog server fails. Remember that syslog over UDP gives no delivery guarantee, so the second destination is what makes the logging resilient, not the protocol.

 

Configure Critical Loggers for the local logs

You can configure a critical logger for accounting logs to guarantee delivery of these logs to at least one logger. When a critical logger is configured, the reply that ACS sends to an authenticating device depends only on whether the relevant message was logged successfully to the critical logger. ACS sends the message to the other loggers off-stream (best effort, not guaranteed), which does not affect the authentication result. For all other AAA-related reports, such as failed attempts, passed authentications and TACACS+ administration, logging is done off-stream and does not affect the result of the authentication attempt.
You can configure a different critical logger for each accounting report; the default critical logger for each report is the local CSV log. If you do not select a critical logger, delivery of accounting messages is not guaranteed. The flip side is that if the critical logger becomes unavailable, the reply to the device reflects that failure, so choose a local or highly available target as the critical logger and use remote syslog as an off-stream destination.

 

Configure Remote Logging Agents

Cisco Secure ACS Remote Agent for Windows and Cisco Secure ACS Remote Agent for Solaris are applications that support the Cisco Secure ACS Appliance for remote logging. Forwarding all accounting data from an appliance to a remote agent preserves disk space on the appliance. It also improves AAA performance by eliminating the frequent and time-consuming disk writes required for local logging on the appliance.

 

Regularly review failed logins and see if there is an attack pattern emerging

This is critical for keeping intruders at bay. The patterns worth looking for in the Failed Attempts report are many failures against one account in a short time (password guessing), one source trying many different user names (password spraying or account enumeration), failures for user names that do not exist in ACS, and failures at hours when the real user is not working.
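As an added example (not part of the original page), the Python below shows how that review can be automated over an exported Failed Attempts report. The input is a constructed sample in the shape of an ACS 4.x Failed Attempts CSV export; the column names are an assumption taken from that report's default fields, so map your own export's header if it differs. The window and thresholds are arbitrary starting points.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample in the shape of an ACS 4.x "Failed Attempts" CSV export.
# The column names are an assumption based on that report's default fields;
# adjust them to match your own export's header line.
SAMPLE_FAILED_ATTEMPTS = """\
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Authen-Failure-Code,NAS-IP-Address
05/14/2012,02:10:01,Authen failed,admin,,10.9.9.9,CS password invalid,10.1.1.1
05/14/2012,02:10:05,Authen failed,admin,,10.9.9.9,CS password invalid,10.1.1.1
05/14/2012,02:10:09,Authen failed,admin,,10.9.9.9,CS password invalid,10.1.1.1
05/14/2012,02:10:14,Authen failed,admin,,10.9.9.9,CS password invalid,10.1.1.1
05/14/2012,02:10:20,Authen failed,admin,,10.9.9.9,CS password invalid,10.1.1.1
05/14/2012,03:00:00,Authen failed,jsmith,,10.9.9.10,CS user unknown,10.1.1.2
05/14/2012,03:00:02,Authen failed,root,,10.9.9.10,CS user unknown,10.1.1.2
05/14/2012,03:00:04,Authen failed,cisco,,10.9.9.10,CS user unknown,10.1.1.2
05/14/2012,03:00:06,Authen failed,netops,,10.9.9.10,CS password invalid,10.1.1.2
05/14/2012,09:15:00,Authen failed,mjones,,192.168.5.5,CS password invalid,10.1.1.1
05/14/2012,14:30:00,Authen failed,mjones,,192.168.5.5,CS password invalid,10.1.1.1
"""


def parse_failed_attempts(text):
    """Parse the CSV export and attach a datetime to every row, oldest first."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["when"] = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    rows.sort(key=lambda r: r["when"])
    return rows


def first_window_hit(events, window, hit):
    """Slide a time window over chronologically sorted events and return the
    first slice for which hit(slice) is true, or None if no window qualifies."""
    start = 0
    for end in range(len(events)):
        while events[end]["when"] - events[start]["when"] > window:
            start += 1
        chunk = events[start:end + 1]
        if hit(chunk):
            return chunk
    return None


def find_attack_patterns(rows, window=timedelta(minutes=10),
                         guess_threshold=5, spray_threshold=3):
    """Return the suspicious patterns found in the failed-attempt rows."""
    findings = []

    # Pattern 1: many failures for one account inside the window (password guessing).
    by_user = defaultdict(list)
    for row in rows:
        by_user[row["User-Name"]].append(row)
    for user, events in by_user.items():
        chunk = first_window_hit(events, window, lambda c: len(c) >= guess_threshold)
        if chunk:
            findings.append({"pattern": "guessing", "key": user, "count": len(chunk),
                             "sources": sorted({e["Caller-ID"] for e in chunk}),
                             "first": chunk[0]["when"], "last": chunk[-1]["when"]})

    # Pattern 2: one source trying many distinct user names inside the window
    # (password spraying or account enumeration). The count reported is the
    # number of distinct names in the first window that crossed the threshold.
    by_source = defaultdict(list)
    for row in rows:
        by_source[row["Caller-ID"]].append(row)
    for source, events in by_source.items():
        chunk = first_window_hit(
            events, window, lambda c: len({e["User-Name"] for e in c}) >= spray_threshold)
        if chunk:
            findings.append({"pattern": "spraying", "key": source,
                             "count": len({e["User-Name"] for e in chunk}),
                             "sources": [source],
                             "first": chunk[0]["when"], "last": chunk[-1]["when"]})
    return findings


if __name__ == "__main__":
    for f in find_attack_patterns(parse_failed_attempts(SAMPLE_FAILED_ATTEMPTS)):
        print(f"{f['pattern']:9} {f['key']:15} count={f['count']} "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S} from {', '.join(f['sources'])}")
```

On the constructed sample the script reports the five rapid failures against "admin" from one source as guessing and the four different names tried from 10.9.9.10 within seconds as spraying, while the two failures for "mjones" five hours apart are left alone. Run it against a real export on a schedule and feed the findings into whatever ticketing or SIEM process you already have.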

 

TACACS+ administration log review

Regularly review the TACACS+ administration (command accounting) logs to see who performed network changes, which commands they entered, and whether a change record was raised for each change.
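As an added example (not part of the original page) of this review, the Python below walks an exported TACACS+ Administration report, groups each administrator's commands into configuration sessions, checks every session against a constructed list of approved change windows and flags commands that deserve a closer look. The CSV sample and the change windows are constructed; the column names are an assumption taken from the ACS 4.x report's default fields, so adjust them to your export.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample in the shape of an ACS 4.x "TACACS+ Administration" CSV
# export (IOS command accounting). The column names are an assumption based on
# that report's default fields; adjust them to match your own export.
# The secret in the contractor's command is masked in this constructed sample.
SAMPLE_TACACS_ADMIN = """\
Date,Time,User-Name,Group-Name,cmd,priv-lvl,service,task_id,NAS-IP-Address
05/14/2012,10:02:11,netops1,NetAdmins,show running-config <cr>,15,shell,100,10.1.1.1
05/14/2012,10:03:40,netops1,NetAdmins,configure terminal <cr>,15,shell,101,10.1.1.1
05/14/2012,10:03:55,netops1,NetAdmins,interface GigabitEthernet0/1 <cr>,15,shell,102,10.1.1.1
05/14/2012,10:04:02,netops1,NetAdmins,shutdown <cr>,15,shell,103,10.1.1.1
05/14/2012,10:04:20,netops1,NetAdmins,end <cr>,15,shell,104,10.1.1.1
05/14/2012,10:04:30,netops1,NetAdmins,write memory <cr>,15,shell,105,10.1.1.1
05/14/2012,22:41:07,contractor,Helpdesk,configure terminal <cr>,15,shell,200,10.1.1.2
05/14/2012,22:41:20,contractor,Helpdesk,username backdoor privilege 15 secret ****** <cr>,15,shell,201,10.1.1.2
05/14/2012,22:41:30,contractor,Helpdesk,end <cr>,15,shell,202,10.1.1.2
05/14/2012,22:41:35,contractor,Helpdesk,write memory <cr>,15,shell,203,10.1.1.2
05/14/2012,11:15:00,helpdesk2,Helpdesk,show ip interface brief <cr>,1,shell,300,10.1.1.3
"""

# Constructed change-control records: approved windows per device (an assumption
# about how your change system exports them).
CHANGE_WINDOWS = [
    {"ticket": "CHG-1042", "device": "10.1.1.1",
     "start": datetime(2012, 5, 14, 10, 0), "end": datetime(2012, 5, 14, 11, 0)},
]

# Commands that open IOS global configuration mode, and command prefixes that
# deserve a second look whenever they appear inside a configuration session.
CONFIG_ENTRY = ("configure terminal", "conf t", "configure t")
RISKY_PREFIXES = ("username", "enable secret", "enable password", "aaa ", "no aaa",
                  "tacacs", "no logging", "snmp-server", "ip http", "line vty")


def parse_admin_log(text):
    """Parse the export; strip the '<cr>' ACS appends to each logged command."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["when"] = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")
        row["command"] = row["cmd"].replace("<cr>", "").strip()
        rows.append(row)
    # Group by device and user, then time, so sessions can be walked in order.
    rows.sort(key=lambda r: (r["NAS-IP-Address"], r["User-Name"], r["when"]))
    return rows


def extract_change_sessions(rows):
    """Group commands into configuration sessions: everything a user types on a
    device between 'configure terminal' and 'end'. Only 'end' closes a session,
    because 'exit' inside a sub-mode (interface, line, ...) leaves the sub-mode,
    not configuration mode."""
    sessions, open_sessions = [], {}
    for row in rows:
        key = (row["NAS-IP-Address"], row["User-Name"])
        cmd = row["command"]
        if cmd.startswith(CONFIG_ENTRY):
            open_sessions[key] = {"device": key[0], "user": key[1],
                                  "start": row["when"], "end": None, "commands": []}
        elif key in open_sessions:
            if cmd == "end":
                open_sessions[key]["end"] = row["when"]
                sessions.append(open_sessions.pop(key))
            else:
                open_sessions[key]["commands"].append(cmd)
    sessions.extend(open_sessions.values())  # sessions with no 'end' logged
    return sessions


def review_changes(sessions, change_windows):
    """Match each configuration session to an approved change window on the same
    device and flag risky commands; ticket is None where no change record exists."""
    findings = []
    for s in sessions:
        ticket = next((w["ticket"] for w in change_windows
                       if w["device"] == s["device"] and w["start"] <= s["start"] <= w["end"]),
                      None)
        findings.append({"user": s["user"], "device": s["device"], "start": s["start"],
                         "commands": s["commands"], "ticket": ticket,
                         "risky": [c for c in s["commands"] if c.startswith(RISKY_PREFIXES)]})
    return findings


if __name__ == "__main__":
    sessions = extract_change_sessions(parse_admin_log(SAMPLE_TACACS_ADMIN))
    for f in review_changes(sessions, CHANGE_WINDOWS):
        status = f["ticket"] or "NO CHANGE RECORD"
        print(f"{f['start']:%Y-%m-%d %H:%M} {f['user']:10} {f['device']:10} {status}")
        for c in f["commands"]:
            print("    " + ("!! " if c in f["risky"] else "   ") + c)
```

On the constructed sample the daytime interface change by netops1 matches ticket CHG-1042, while the late-evening session by the contractor has no change record and contains a "username ... privilege 15" command, which is exactly the kind of event this review exists to catch. Note that command accounting records the command line as typed, so secrets entered in commands can end up in this log; that is one more reason to restrict who can read it.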

 

Logical user access considerations and recommendations

1. Logical access and permissions to IT services must be granted on a least-privilege basis.

2. Review user accounts and their access privileges regularly to ensure segregation of duties or roles.

3. Uniquely named user accounts: all user accounts must be unique and accountable to a specific individual.

4. Streamlined revocation: logical access to IT systems must be revoked when users leave, and reduced when their role no longer requires it.

5. Unauthorized access activity, including failed logins, must be recorded. The log must indicate the user who performed the change, creation or deletion, a timestamp for the action and what was changed.

6. Privileged, service, support and application accounts must be subject to additional controls, to conform with existing security policies and future audits:
- an audit trail to determine the actions of a user following operational use of an IT service;
- audit compliance in terms of support user access;
- correlation of failed login attempts across the board, in order to assess the risk;
- logging of all changes, including elevation of access rights; the log must indicate the user who performed the change, creation or deletion, a timestamp for the action and what was changed.

7. Shared user accounts used by individuals must be avoided wherever possible; two-factor authentication may be necessary where shared accounts cannot be eliminated.

8. Uniform enforcement of account expiry dates.

9. Default user names must be removed or renamed.

10. Develop a security policy for user and password creation, including enforced password complexity.

11. A logical user access request form must be created and maintained, and access granted only on the basis of an approved request.

 

Cisco ACS Database Replication management

The following database replication items are available in Cisco Secure ACS:

  1. Configuration components for replication: what is replicated.
  2. Replication scheduling: when replication takes place.
  3. Replication frequency: how often systems are replicated.
  4. Replication partners: which systems are replicated.
  5. Secondary server configuration: how the secondary is to be configured.
  6. Reports and event (error) handling.
  7. Replication timeout: the timer for the replication process on the primary Cisco Secure ACS controls the entire replication process, from queuing the first secondary until the primary completes sending the transfer file to the last secondary. The timer does not run while the primary is building the transfer files. This means the timeout must be long enough to cover everything from the first queuing to the end of the last transfer; with several secondaries the transfers add up, so size the timeout for the sum, not for a single partner.
  8. A Cisco ACS 4.2 Database Replication Partners configuration example can be found here.

 

 

Replication Caveats

There are a few considerations when it comes to replication. The official document from Cisco can be found here.

The following may slow down replication:

    • A slow or busy network link between the primary and the secondary. This affects only the primary and the secondary on the slow link.
    • A busy primary, usually indicated by high CPU usage. This may be caused by high authentication load or by another process running on the server, and it affects the entire replication process from the primary side.
    • A busy secondary, usually indicated by high CPU usage. This may be caused by high authentication load or by another process running on the server, and it affects only the primary's replication to that specific secondary.

The following items cannot be replicated: