Cisco Content Services Switch 
Security Configuration Guide
Software Version 7.50
March 2005
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-5650-02
                    
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE
                    
CONTENTS
Preface xi
Audience xii
How to Use This Guide xii
Related Documentation xiii
Symbols and Conventions xvi
Obtaining Documentation xvii
Cisco.com xvii
Documentation DVD xviii
Ordering Documentation xviii
Documentation Feedback xviii
Cisco Product Security Overview xix
Reporting Security Problems in Cisco Products xix
Obtaining Technical Assistance xx
Cisco Technical Support Website xx
Submitting a Service Request xxi
Definitions of Service Request Severity xxii
Obtaining Additional Publ
                    
Contents
Controlling Administrative Access to the CSS 1-10
Enabling Administrative Access to the CSS 1-10
Disabling Administrative Access to the CSS 1-11
Controlling CSS Network Traffic Through Access Control Lists 1-12
ACL Overview 1-13
ACL Configuration Quick Start 1-15
Creating an ACL 1-17
Deleting an ACL 1-18
Configuring Clauses 1-19
Adding a Clause When ACLs are Globally Enabled 1-25
Deleting a Clause 1-26
Applying an ACL to a Circuit or DNS Queries 1-27
Removing an ACL from Circuits or D
                    
Configuring SSHD in the CSS 2-3
Configuring SSHD Keepalive 2-3
Configuring SSHD Port 2-4
Configuring SSHD Server-Keybits 2-4
Configuring SSHD Version 2-5
Configuring Telnet Access When Using SSHD 2-6
Showing SSHD Configurations 2-6
CHAPTER 3 Configuring the CSS as a Client of a RADIUS Server 3-1
RADIUS Configuration Quick Start 3-3
Configuring a RADIUS Server for Use with the CSS 3-4
Configuring Authentication Settings 3-5
Configuring Authorization Settings 3-5
Specifying a Primary RA
                    
Setting the Global TACACS+ Keepalive Frequency 4-7
Defining a TACACS+ Server 4-8
Setting TACACS+ Authorization 4-11
Sending Full CSS Commands to the TACACS+ Server 4-12
Setting TACACS+ Accounting 4-13
Showing TACACS+ Server Configuration Information 4-14
CHAPTER 5 Configuring Firewall Load Balancing 5-1
Overview of FWLB 5-2
Firewall Synchronization 5-3
Configuring FWLB 5-3
Configuring a Keepalive Timeout for a Firewall 5-4
Configuring an IP Static Route for a Firewall 5-5
Configuring
                    
FIGURES
Figure 1-1 CSS Directory Access Privileges 1-5
Figure 1-2 ACLs Enabled on the CSS 1-14
Figure 5-1 Example of FWLB 5-9
Figure 5-2 FWLB with VIP/Interface Redundancy Configuration 5-11
Cisco Content Services Switch Security Configuration Guide OL-5650-02 vii
                    
TABLES
Table 1-1 ACL Configuration Quick Start 1-16
Table 1-2 Clause Command Options 1-21
Table 1-3 Field Descriptions for the show acl Command Output 1-31
Table 1-4 Field Descriptions for the show nql Command Output 1-38
Table 2-1 Field Descriptions for the show sshd config Command 2-6
Table 2-2 Field Descriptions for the show sshd sessions Command 2-8
Table 3-1 RADIUS Configuration Quick Start 3-3
Table 3-2 Field Descriptions for the show radius config Command 3-10
Table 3-3 Field Descriptio
                    
Preface
This guide provides instructions for configuring the security features of the Cisco 11500 Series Content Services Switches (CSS). Information in this guide applies to all CSS models except where noted. The CSS software is available in a Standard or optional Enhanced feature set. Proximity Database and Secure Management, which includes Secure Shell Host and SSL strong encryption for the Device Management software, are optional features. This preface contains the following major sec
                    
Audience
This guide is intended for the following trained and qualified service personnel who are responsible for configuring the CSS:
- Web master
- System administrator
- System operator

How to Use This Guide
This guide is organized as follows:
Chapter 1, Controlling CSS Access: Control access to the CSS including user and network traffic access.
Chapter 2, Configuring the Secure Shell: Configure Secure Shell Daemon (SSHD) protocol to provide secure encr
                    
Related Documentation
In addition to this guide, the Content Services Switch documentation includes the following publications.
Release Note for the Cisco 11500 Series Content Services Switch: This release note provides information on operating considerations, caveats, and command line interface (CLI) commands for the Cisco 11500 series CSS.
Cisco 11500 Series Content Services Switch: This guide provides information for installing, ca
                    
Cisco Content Services Switch Administration Guide: This guide describes how to perform administrative tasks on the CSS, including upgrading your CSS software and configuring the following:
- Logging, including displaying log messages and interpreting sys.log messages
- User profile and CSS parameters
- SNMP
- RMON
- XML documents to configure the CSS
- CSS scripting language
- Offline Diagnostic Monitor (Offline DM) menu
Cisco Con
                    
Cisco Content Services Switch Content Load-Balancing Configuration Guide: This guide describes how to perform CSS content load-balancing configuration tasks, including:
- Flow and port mapping
- Services
- Service, global, and script keepalives
- Source groups
- Loads for services
- Server/Application State Protocol (SASP)
- Dynamic Feedback Protocol (DFP)
- Owners
- Content rules
- Sticky parameters
- HTTP header load balancing
- Co
                    
Cisco Content Services Switch SSL Configuration Guide: This guide describes how to perform CSS SSL configuration tasks, including:
- SSL certificate and keys
- SSL termination
- Back-end SSL
- SSL initiation
Cisco Content Services Switch Command Reference: This reference provides an alphabetical list of all CLI commands including syntax, options, and related commands.
Cisco Content Services: This guide describes how to use the Device
                    
Courier text indicates text that appears on a command line, including the CLI prompt. Courier bold text indicates commands and text you enter in a command line. Italics text indicates the first occurrence of a new term, book title, emphasized text, and variables for which you supply values.
1. A numbered list indicates that the order of the list items is important.
a. An alphabetical list indicates that the order of the secondary list items is important.
A
                    
Documentation DVD
Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit. Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Mark
                    
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
                    
Nonemergencies—psirt@cisco.com
Tip
We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x. Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key ser
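The tip above gives a selection rule for the PSIRT key: never a revoked or expired key, and among the usable ones the key with the most recent creation date. The shell function below is an added example, not code from the Cisco guide, that applies that rule mechanically to the machine-readable output of `gpg --list-keys --with-colons`. It assumes the GnuPG 2.x colon format, in which field 2 of a `pub` record is the validity flag (`r` revoked, `e` expired), field 5 is the key ID, and fields 6 and 7 are the creation and expiration dates as Unix epoch seconds (empty field 7 means the key never expires). The key IDs, dates and user IDs in the sample are constructed for the example and are not real PSIRT keys.

```shell
# Added example (not from the Cisco guide): pick the key to encrypt to from
# `gpg --list-keys --with-colons` output, following the guide's tip:
# skip revoked ("r") and expired ("e") keys, skip keys whose expiration date
# has already passed, and among the rest take the most recently created one.
#
# Usage: pick_usable_key NOW_EPOCH < colon-output
# Prints the selected key ID; exits 1 and prints nothing if no key qualifies.
# NOW_EPOCH is passed in rather than read from the clock so runs are repeatable.
pick_usable_key() {
    now="$1"
    awk -F: -v now="$now" '
        BEGIN { best_created = -1; best_id = "" }
        $1 == "pub" {
            # $2 validity flag, $5 key ID, $6 creation, $7 expiration (empty = never)
            if ($2 == "r" || $2 == "e") next
            if ($7 != "" && $7 <= now) next
            if ($6 > best_created) { best_created = $6; best_id = $5 }
        }
        END { if (best_id != "") { print best_id; exit 0 } exit 1 }
    '
}

# Constructed sample in gpg --with-colons format (assumed layout; not real keys):
#   key 1111...: revoked
#   key 2222...: expired (expiration 1199145600 == NOW below)
#   key 3333...: valid, created 2007-01-01, expires 2012-01-01
#   key 4444...: valid, created 2006-01-01, never expires
SAMPLE_KEYS='pub:r:2048:1:1111111111111111:1104537600:1262304000::-:::scESC:
uid:r::::1104537600::X::PSIRT (sample) <psirt@example.invalid>::::::::::0:
pub:e:2048:1:2222222222222222:1136073600:1199145600::-:::scESC:
uid:e::::1136073600::X::PSIRT (sample) <psirt@example.invalid>::::::::::0:
pub:-:2048:1:3333333333333333:1167609600:1325376000::-:::scESC:
uid:-::::1167609600::X::PSIRT (sample) <psirt@example.invalid>::::::::::0:
pub:-:2048:1:4444444444444444:1136073600:::-:::scESC:
uid:-::::1136073600::X::PSIRT (sample) <psirt@example.invalid>::::::::::0:'

# NOW = 2008-01-01 00:00:00 UTC
NOW=1199145600

# Stand-alone run: selects key 3333... (newest key that is neither revoked
# nor expired). Against a live keyring you would instead pipe in
# `gpg --list-keys --with-colons psirt@cisco.com` and pass `$(date +%s)`.
printf '%s\n' "$SAMPLE_KEYS" | pick_usable_key "$NOW"
```

The creation-date tie-break matters because a keyring that has tracked PSIRT for years typically holds several keys for the same user ID; filtering on the validity flag alone would still leave the older, still-valid keys as candidates.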