Cisco security guides

August 14, 2008

Working on security aspects for the moment. I am looking for security improvements on the datacenter network, and I found some very interesting guides. Here are the ones I recommend:

Cisco IOS Security Configuration Guide, which covers general security with Cisco devices. It includes explanation and configuration for AAA (authentication, authorization, accounting), security servers (RADIUS and TACACS+), filtering (ACLs, TCP intercept, CBAC, IDS), IP security (IPsec, IKE) and various advice on passwords, privilege levels and SSH.

Cisco Guide to Harden Cisco IOS Devices, a very comprehensive guide which gives advice point by point, separating the management, control and data planes. It goes over: AAA, logging, ACLs, securing SNMP, securing sessions (console and remote), protecting the CPU, securing BGP and IGPs, anti-spoofing techniques (uRPF) and much more.

SANS Policy Primer, which gives you hints on writing a security policy.

NSA Router Security Configuration Guide, a good guide, but somewhat outdated.


Cisco ACE config guide

July 18, 2008

Got a laptop and password but still waiting for my access card. Had a quick look now at the Application Control Engine configuration guides (admin, routing and bridging, load-balancing). ACE is the next generation load-balancer from Cisco, superseding the CSM. ACE is very similar to the CSM, both being load-balancers. There are nevertheless some differences that should be noted.

First, while the CSM simply runs on top of IOS, sharing the same config file as the switch, ACE runs in its very own module with its own OS.

Since ACE runs in its very own module, its config file is not the switch's startup-config. ACE offers a configuration system where you can checkpoint and roll back.

The CSM is a monolithic system. Like the FWSM, the ACE is virtualized, meaning it can run different contexts.

ACE also has hardware acceleration, very useful for offloading SSL connections from the CPU.

The configuration logic and the traffic flow have also changed since the CSM.

ACE config logic and traffic flow


Cisco CSM config guide

July 12, 2008

Still waiting for passwords and access, still reading config guides. This time, it is the 6500's Content Switching Module's turn. Behind this obscure name, you'll actually find a load balancer.

Content Switching Module

Using a predictor (that is, a selection function) and a weight for each server, denoting the share of load to put on that server, connections are balanced across multiple servers.

Even if HTTP is supposed to be stateless, connections from a client sometimes need to stay on the same server. Stickiness is used to achieve this session persistence.

Health monitoring checks whether servers are still alive and able to handle the work. It can use active probes (customizable), inband monitoring (L3), or HTTP return code checking. TCL scripting is also available for custom probes.
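To make the three ideas above concrete (weighted predictor, sticky table, health state taking a server out of rotation), here is a constructed model in Python. It is an added illustration, not CSM code: the CSM's own predictor algorithm is not described on this page, so the smooth weighted round-robin used here is an assumption, as are the server names and client addresses.

```python
class WeightedBalancer:
    """Constructed model of CSM-style balancing: a weighted round-robin
    predictor, a health flag per real server, and a sticky table keyed
    by client IP (hypothetical names; not the CSM implementation)."""

    def __init__(self, servers):
        # servers: dict name -> weight; every server starts healthy
        self.weights = dict(servers)
        self.healthy = {name: True for name in servers}
        self.current = {name: 0 for name in servers}  # smooth-WRR counters
        self.sticky = {}  # client ip -> server name

    def set_health(self, name, alive):
        # Outcome of a probe: a failed server leaves the rotation and any
        # sticky entries pointing at it are dropped so clients get a live one.
        self.healthy[name] = alive
        if not alive:
            self.sticky = {c: s for c, s in self.sticky.items() if s != name}

    def predict(self):
        # Smooth weighted round-robin: each live server's counter grows by its
        # weight, the largest counter wins and is reduced by the total weight,
        # so over a cycle each server gets weight/total of the connections.
        live = [n for n in self.weights if self.healthy[n]]
        if not live:
            return None  # no server able to handle the work
        total = sum(self.weights[n] for n in live)
        for n in live:
            self.current[n] += self.weights[n]
        chosen = max(live, key=lambda n: (self.current[n], n))
        self.current[chosen] -= total
        return chosen

    def select(self, client_ip):
        # Session persistence: reuse the sticky server while it is healthy,
        # otherwise ask the predictor and record the new binding.
        server = self.sticky.get(client_ip)
        if server is None or not self.healthy[server]:
            server = self.predict()
            if server is not None:
                self.sticky[client_ip] = server
        return server


def share_of_load(balancer, clients):
    # Count how many distinct clients landed on each server.
    counts = {}
    for ip in clients:
        counts[balancer.select(ip)] = counts.get(balancer.select(ip), 0) + 1
    return counts
```

With weights 3 and 1, eight distinct clients are split 6 to 2; a client that reconnects keeps its server until a probe marks that server down.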

CSM config logic and traffic flow