01-Harden_Services.md
Harden IOS XE SSH & HTTPS Services

Now it's time to run some Ansible playbooks and reduce the attack surface of the IOS XE box!

The SSH server on IOS XE supports several cryptographic primitives for compatibility reasons. As security-minded network engineers, we must recognize that some are less secure than others. In this task, we will run a playbook that modifies the SSH server so that it uses only highly secure cryptographic primitives. Modern versions of the popular SSH clients (e.g., OpenSSH, PuTTY, SecureCRT) support these primitives.

Enable Only Secure Cryptographic Primitives on the IOS XE SSH Service

  1. View the Cat9K SSH Status.
  2. Observe the large number of cryptographic primitives that are options for each algorithm.
    show ip ssh

    (Screenshot: SSH Server Configuration Status)


  3. View the SSH Hardening Playbook using cat.
  4. Note the following things in the Playbook:
    • Call to the encrypted vault for authentication credentials
    • Usage of cisco.ios.ios_config: and lines:
    • IOS XE commands that force SSH to use strong primitives

    cat playbooks/01a-config-hard-ssh.yaml

    (Screenshot: Playbook that Hardens IOS XE SSH Server)


  5. Now run the playbook.
  6. This playbook ensures that each algorithm uses only highly secure primitives. You will be prompted for the vault password; the password is abcd9876.
    ansible-playbook -i inventories/devnet-switches.yaml playbooks/01a-config-hard-ssh.yaml --ask-vault-pass

    (Screenshot: Playbook Ran Successfully)


  7. View the Cat9K SSH Status After Hardening.
  8. Note that the number of enabled cryptographic primitives for each algorithm has significantly decreased compared to the previous configuration. This change has been made on the Cat9K device to ensure that only the strong algorithms are enabled.
    show ip ssh

    (Screenshot: SSH Server Configuration Status)


Enable Only Secure Cipher Suites on the IOS XE HTTPS Service

  9. View the Cat9K HTTPS Status.
  10. Notice that a large number of cipher suites are enabled. Note that the enabled cipher suites fall into several categories: 'Recommended', 'Secure', and 'Weak'.
    sh ip http server status | sec secure

    (Screenshot: HTTPS Server Configuration Status)


  11. View the HTTPS Hardening Playbook using cat.
    cat playbooks/01b-config-hard-https.yaml

    (Screenshot: Playbook that Hardens IOS XE HTTPS Server)


  12. Run the Harden HTTPS playbook.
    ansible-playbook -i inventories/devnet-switches.yaml playbooks/01b-config-hard-https.yaml --ask-vault-pass

    (Screenshot: Playbook Ran Successfully)


  13. View the Cat9K HTTPS Status After Hardening.
  14. Notice that far fewer cipher suites are enabled than when we started. The cipher suites that remain enabled are all 'Recommended' or 'Secure'.
    sh ip http server status | sec secure

    (Screenshot: Hardened HTTPS Server Configuration Status)

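As an added example that is not the lab's own playbook (the lab's playbooks appear only in the screenshots above), here is an Ansible playbook in the same cisco.ios.ios_config / lines: style that applies both the SSH and the HTTPS hardening from this section and then reads the SSH status back to confirm the weak algorithms are gone. The inventory group name, the vault file path and the exact algorithm and cipher-suite keywords are assumptions; available keywords vary by IOS XE release, so confirm them with `ip ssh server algorithm ?` and `ip http secure-ciphersuite ?` on your device before running it.

```yaml
---
# Added example, not the lab's own playbook. Assumes the inventory defines a
# group "devnet_switches" with ansible_network_os=cisco.ios.ios, and that
# vault/ios_credentials.yaml (vault-encrypted) sets ansible_user/ansible_password.
- name: Harden IOS XE SSH and HTTPS services
  hosts: devnet_switches
  gather_facts: false
  connection: ansible.netcommon.network_cli
  vars_files:
    - vault/ios_credentials.yaml   # decrypted at run time via --ask-vault-pass

  tasks:
    - name: Restrict SSH to version 2 and strong algorithms only
      cisco.ios.ios_config:
        lines:
          - ip ssh version 2
          # Each command replaces the full list for that algorithm type; anything omitted is no longer offered
          - ip ssh server algorithm encryption aes256-gcm aes256-ctr
          - ip ssh server algorithm mac hmac-sha2-512 hmac-sha2-256
          - ip ssh server algorithm kex ecdh-sha2-nistp384 ecdh-sha2-nistp256
          - ip ssh server algorithm hostkey rsa-sha2-512 rsa-sha2-256
        save_when: modified
      register: ssh_change

    - name: Restrict HTTPS to ECDHE/AES-GCM cipher suites (keyword names assumed; verify per release)
      cisco.ios.ios_config:
        lines:
          - ip http secure-ciphersuite ecdhe-rsa-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2
        save_when: modified
      register: https_change

    - name: Read back the SSH server status to verify the change
      cisco.ios.ios_command:
        commands:
          - show ip ssh
      register: ssh_status

    - name: Fail the run if a legacy SSH algorithm is still advertised
      ansible.builtin.assert:
        that:
          - "'3des-cbc' not in ssh_status.stdout[0]"
          - "'hmac-sha1' not in ssh_status.stdout[0]"
          - "'group14-sha1' not in ssh_status.stdout[0]"
        fail_msg: "Weak SSH algorithms still enabled on {{ inventory_hostname }}"

    - name: Report the commands pushed (empty lists mean the box was already compliant)
      ansible.builtin.debug:
        msg: "SSH: {{ ssh_change.commands | default([]) }} HTTPS: {{ https_change.commands | default([]) }}"
```

Run it with the same `--ask-vault-pass` flag as the lab playbooks; a second run should push no commands, which is a quick way to confirm the configuration stuck.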

Next section: Optimizing Local Authentication.