
NTP Authentication

Given that we are dealing with a security device, we should always try to enable NTP authentication. One of the dangers of not using NTP authentication is that a clever hacker could reset the clock, which in turn would change the log file timestamps and possibly help cover up the signs of a security breach. Another hack would be to get around time-based security by resetting network clocks, sending packets to the Cisco PIX with forged information. Setting up NTP authentication on the PIX is simple. The authentication uses trusted keys to provide the authentication between the NTP server and the client. In order to authenticate, the authentication key on the PIX must match the authentication key on the server, which is a string that can be up to 32 characters, including spaces.

NTP authentication is disabled by default on the PIX. To configure NTP authentication, first enable NTP authentication using the following command:

ntp authenticate

www.syngress.com

326 Chapter 6 • Configuring Network Management

Now you must define the authentication key. The only choice of algorithm is MD5:

ntp authentication-key number md5 value

The number parameter is a value from 1 to 4294967295 that uniquely identifies the key. The value parameter is an arbitrary string of up to 32 characters, including all printable characters and spaces.

Now we define the trusted key that will be sent in the NTP packets:

ntp trusted-key key_number

The key_number parameter must be a number from 1 to 4294967295. The last step is to configure the server association, which lets the Cisco PIX firewall synchronize to the other server. Use the following command:

ntp server ip_address key number source interface [prefer]

NOTE

The Cisco PIX will not let other time servers synchronize to itself. NTP synchronization is a one-way street as far as the PIX firewall is concerned. It is a client and only a client.

The ip_address specifies the IP address of the server to which you want the Cisco PIX to authenticate. The next piece, key, is the number of the shared key that you used when you configured the trusted-key command. The last part, interface, is the interface that will send the NTP packets to the server. The optional prefer keyword will have the Cisco PIX go to this server first to set the time.

Here is an example of configuring NTP authentication:

PIX1(config)# ntp authenticate
PIX1(config)# ntp authentication-key 10 md5 ciscoisgreat
PIX1(config)# ntp trusted-key 10
PIX1(config)# ntp server 192.168.50.3 key 10 source inside
PIX1(config)# show ntp
ntp authentication-key 10 md5 ********
ntp authenticate
ntp trusted-key 10
ntp server 192.168.50.3 key 10 source inside
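The following Python is an added example, not code from the book or from Cisco, showing what the trusted-key mechanism above does on the wire. NTP symmetric-key authentication appends a 4-byte key id and an MD5 digest of (key || packet header) to the 48-byte NTP header; a receiver with authentication enabled accepts the packet only if the key id is in its trusted list and the digest recomputed with its own copy of the key matches. The key table mirrors the chapter's key 10 / ciscoisgreat, the header layout follows RFC 5905, and using the ASCII key bytes directly is the usual convention for NTP MD5 keys; all three are assumptions of this example. Note that the MAC authenticates the packet but does not encrypt it: a server configured with a different key string, or a packet whose timestamp was altered in flight, is rejected, while the timestamps themselves remain readable.

```python
import hashlib
import hmac
import struct
import time

# Key table and trusted-key list modelled on the chapter's configuration
# ("ntp authentication-key 10 md5 ciscoisgreat" / "ntp trusted-key 10").
# The key string is used as raw ASCII bytes, the convention for NTP MD5 keys (assumption).
KEYS = {10: b"ciscoisgreat"}
TRUSTED_KEYS = {10}

NTP_HEADER_LEN = 48            # fixed NTP header, RFC 5905
MAC_LEN = 4 + 16               # 32-bit key id + 128-bit MD5 digest
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to the Unix epoch


def build_client_header(transmit_time=None):
    """Return a 48-byte NTPv4 client (mode 3) header with only the transmit timestamp set."""
    if transmit_time is None:
        transmit_time = time.time()
    secs = int(transmit_time) + NTP_EPOCH_OFFSET
    frac = int((transmit_time - int(transmit_time)) * (1 << 32))
    # Byte 0: LI=0, VN=4, Mode=3 -> 0x23; then stratum 0, poll 6, precision -20.
    # Root delay, root dispersion, reference id and the reference/origin/receive
    # timestamps are zero in a client request; the transmit timestamp is last.
    return struct.pack("!BBBbIIIQQQII", 0x23, 0, 6, -20, 0, 0, 0, 0, 0, 0, secs, frac)


def compute_mac(key_id, header, keys=KEYS):
    """MAC = key id || MD5(key || header). Authenticates the packet; does not encrypt it."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return struct.pack("!I", key_id) + digest


def authenticate(header, key_id, keys=KEYS):
    """Append the MAC, giving the 68-byte packet that goes on the wire."""
    return header + compute_mac(key_id, header, keys)


def verify(packet, keys=KEYS, trusted=TRUSTED_KEYS):
    """Check a received packet the way a client with 'ntp authenticate' does.

    Returns (accepted, reason). The key id must be trusted and configured, and the
    digest recomputed with the local copy of the key must match the one received."""
    if len(packet) < NTP_HEADER_LEN + MAC_LEN:
        return False, "no MAC present"
    header = packet[:NTP_HEADER_LEN]
    mac = packet[NTP_HEADER_LEN:NTP_HEADER_LEN + MAC_LEN]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted:
        return False, f"key id {key_id} not trusted"
    if key_id not in keys:
        return False, f"key id {key_id} not configured"
    expected = hashlib.md5(keys[key_id] + header).digest()
    # Constant-time comparison so a mismatch does not leak how many bytes agreed.
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch: key differs or packet was modified"
    return True, "ok"


if __name__ == "__main__":
    pkt = authenticate(build_client_header(), 10)
    print("valid packet:", verify(pkt))
    print("peer configured with a different key:", verify(pkt, keys={10: b"wrongkey"}))
    tampered = bytearray(pkt)
    tampered[40] ^= 0x01  # flip one bit of the transmit timestamp
    print("tampered timestamp:", verify(bytes(tampered)))
```

Running the block prints an accepted result for the untouched packet and a rejection for both the mismatched key and the modified timestamp, which is exactly the behaviour behind the chapter's rule that the key on the PIX must match the key on the server.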


Summary

In this chapter, we have seen that network management, although appearing simple on the surface, can be quite complex. To effectively manage the Cisco PIX, you must be aware of not just the PIX but also networkwide issues.

When configuring the PIX for logging, you can make a choice from a variety of logging paths, such as buffered logging, console, Telnet/SSH sessions, syslog servers, or SNMP. With each of the logging paths, you can select message severity levels ranging from Level 1 (alert) to Level 7 (debug) based on your needs. Aside from selecting the severity level, you can choose from several facility levels to direct the flow of the syslog messaging. The default facility level is local4 (20), but you can use other facility levels to route syslog messages from different sources to a syslog server destination of your choice. This arrangement provides a method to store multiple sources of syslog messages in their own files on the syslog server.

You can specify that all syslog messages should be logged, or you can filter out certain messages so they will not be sent. This functionality is very useful in troubleshooting a network issue where you might be in Debug mode and the normal message flow would be overwhelming to work with.
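As an added example that is not part of the chapter, the Python below shows what the facility and severity numbers above mean on the wire and how a syslog server uses them. The PRI value at the front of every syslog line is facility * 8 + severity, so the PIX default of local4 (20) at alert (1) yields <161>. The code splits a PRI back into facility and severity, routes records into per-facility buckets (the per-file separation the summary describes), flags lines that arrive with a facility other than the one the server expects, and applies a logging level the way the PIX does when it decides which messages to send. The sample lines are constructed for this example; message 201008 is the error quoted in this chapter's FAQ, the 000000 ids are placeholders, and the %PIX-severity-id tag format is assumed here since the chapter only shows the message id.

```python
import re

# Syslog facility numbers for the local-use range; the PIX default is local4 (20).
FACILITIES = {n: f"local{n - 16}" for n in range(16, 24)}
SEVERITIES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
              4: "warning", 5: "notice", 6: "informational", 7: "debugging"}
DEFAULT_FACILITY = 20  # local4

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
PIX_RE = re.compile(r"%PIX-(\d)-(\d{6}):\s*(.*)")

# Constructed sample lines (not taken from a real device). 201008 is the message
# quoted in the chapter's FAQ; the 000000 ids are placeholders for this example.
# <163> = 20*8+3 (local4, error); <166> = local4, informational; <135> = local0, debugging.
SAMPLE_LINES = [
    "<163>%PIX-3-201008: The PIX is disallowing new connections.",
    "<166>%PIX-6-000000: constructed informational message",
    "<135>%PIX-7-000000: constructed debug message sent with facility local0",
]


def pri(facility, severity):
    """Encode facility and severity into the syslog PRI number."""
    return facility * 8 + severity


def split_pri(value):
    """Decode a PRI number into (facility, severity)."""
    return divmod(value, 8)


def parse_line(line):
    """Parse one syslog line into a record with facility, severity and PIX message id."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> prefix: {line!r}")
    facility, severity = split_pri(int(m.group(1)))
    body = m.group(2)
    pm = PIX_RE.search(body)
    record = {
        "facility": FACILITIES.get(facility, str(facility)),
        "facility_num": facility,
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "msg_id": pm.group(2) if pm else None,
        "text": pm.group(3) if pm else body,
    }
    # The PIX repeats its severity inside the %PIX-<sev>-<id> tag; a disagreement
    # with the PRI severity means the line was re-tagged or damaged in transit.
    record["consistent"] = pm is None or int(pm.group(1)) == severity
    return record


def route(lines, expected_facility=DEFAULT_FACILITY):
    """Group records by facility (one bucket per destination file) and collect
    any that arrived with a facility other than the one the server expects."""
    buckets, unexpected = {}, []
    for line in lines:
        rec = parse_line(line)
        buckets.setdefault(rec["facility"], []).append(rec)
        if rec["facility_num"] != expected_facility:
            unexpected.append(rec)
    return buckets, unexpected


def filter_by_level(lines, level):
    """Keep only messages at severity <= level, the same rule a configured
    logging level applies: level 3 passes error and above, level 7 passes everything."""
    return [r for r in map(parse_line, lines) if r["severity"] <= level]


if __name__ == "__main__":
    print("PRI for local4/alert:", pri(DEFAULT_FACILITY, 1))
    buckets, unexpected = route(SAMPLE_LINES)
    for name, recs in buckets.items():
        print(name, [r["msg_id"] for r in recs])
    print("facility mismatches:", [r["text"] for r in unexpected])
    print("at level 3:", [r["msg_id"] for r in filter_by_level(SAMPLE_LINES, 3)])
```

The facility-mismatch list is the situation the chapter's FAQ describes, where the PIX and the syslog server disagree on the facility and messages end up in the wrong file, or nowhere at all.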

The Cisco PIX firewall can be managed using a console port, but most of the time the PIX will be managed by remote access. Two common choices of protocol for remote access are Telnet and SSH. Telnet has been around for a long time and is used on a variety of network devices, but it is an insecure protocol and sends the information in clear text across the network. SSH, on the other hand, encrypts the session so that information such as passwords is not sent in clear text. SSH also provides a way to log into the outside interface of the Cisco PIX, unlike Telnet, which is not able to log directly into the outside interface without an encrypted connection. The Cisco PIX firewall can only act as a server for SSH and Telnet services, not a client.

An alternative method of accessing the PIX firewall remotely for system management is the Cisco PDM utility. PDM is a Java application that allows the management of the Cisco PIX using a Web browser. PDM has good reporting functionality to build graphs showing various performance statistics, attack reports, and traffic activity.

The Cisco PIX supports read-only SNMP reporting and can either send traps to a host or be polled for information.

The Cisco PIX firewall has a wealth of network time and date functionality. This functionality goes from the basic time and date stamp to automatically adjusting for daylight saving time. The Cisco PIX clock can be set locally, or NTP can be used to set the time from a central timeserver. The PIX uses the UTC time format but can be configured to display the time in a time-zone format such as PST. The PIX can use NTP authentication to keep the link to the timeserver secure from unauthorized manipulation of the network time. This provides a level of security for using digital certificates.

Solutions Fast Track

Configuring Logging

• All logging on the PIX is disabled by default. Once you have configured logging, do not forget to turn it on using the logging on command.

• You can view the log messages from the console, through Telnet/SSH sessions, using syslog servers, using SNMP, or using Cisco PDM. You can also use a combination of these methods.

• Syslog functionality on the PIX provides a way to send logging messages to a remote server using either UDP or TCP connections.

• Eight levels of message severity are available, but the PIX only uses seven. The PIX does not use Level 0.

• Caution must be exercised when enabling logging and setting the logging level, because the number of logging messages can easily overwhelm a production PIX.

Configuring Remote Access

• Telnet is an insecure protocol and sends information across the network in clear text. Therefore, it is recommended that SSH be used for remote management of the PIX.

• You cannot Telnet directly to the outside interface unless the connection is encrypted.

• In order for SSH to function, DES or 3DES must be enabled on the PIX.

• PDM provides a GUI method to easily configure, manage, and view statistics on the Cisco PIX firewall.

• In order for SSH to function, you must first generate RSA keys using the ca generate rsa key command and save them using the ca save all command.

Configuring Simple Network Management Protocol

• SNMP on the Cisco PIX firewall is read only.

• The community string is the password to the SNMP information and should not be an easily guessed or easily cracked string. Remember that the community string is case sensitive.

• The PIX firewall can be queried ("polled") from an SNMP device. It also has the ability to send SNMP traps.

• To fully leverage SNMP management on the PIX, you must get the PIX MIBs from Cisco and compile them with your SNMP management application.

Configuring Network Date and Time

• The PIX internal clock uses UTC time, but you can set the display to be your local time zone.

• NTP should be used to automate and provide a single clock source for the enterprise network. This provides a consistent and accurate time across all devices.

• NTP is insecure and should be configured using encryption for maximum protection.

• The Cisco PIX firewall will not act as an NTP server; it will only be an NTP client.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: I see an error message such as "201008: The PIX is disallowing new connections." Now my PIX will not pass any inbound or outbound traffic. What has happened?

A: Your Cisco PIX is configured to use TCP syslog, and something has happened to break the TCP connection between the PIX and the syslog server. It could be that the service has stopped or even that the allocated message storage is full. Either correct the problem or use the UDP syslog service.

Q: My SSH session always fails to connect with the PIX. Why is this happening?

A: The most common reason is that the RSA key was generated but not saved. Regenerate the key, and be sure to use the ca save all command.

Q: I have configured syslog on my PIX firewall, and the syslog server has been configured. However, no messages are being logged. What is wrong?

A: On both the PIX and the syslog server, the protocol and port number must be the same. In addition, make sure that the facility is the same. The default is local4 (20), so if you have changed this setting, it needs to be changed on both sides.

Q: When I poll my PIX using SNMP, the throughput performance of the PIX degrades. What can I do?

A: If too many SNMP OIDs are being polled at once or too often, the PIX processor can be busy to the point where throughput will suffer. Check your SNMP management station and see which variables are being polled and how often. A second SNMP issue can be that the severity level of the traps is set too high and too many traps are being sent to the SNMP management station. A typical example is that the severity level has been set to debugging to troubleshoot a problem and then forgotten about until a performance degradation is noticed.

Q: When I use PDM to view graphs under the Monitoring tab, the time is incorrect.

A: PDM assumes that the PIX clock is set to UTC format. PDM then adds or subtracts the difference between UTC and your time zone. The resulting time is what is used on the graphs. This situation is easily corrected using the clock command.

Q: I have configured my PIX firewall to use authenticated NTP, but I cannot connect to the timeserver. Why not?

A: Authenticated NTP requires the use of authentication keys. These keys must match on the PIX and the NTP server. If they do not match, the PIX will not be able to connect to the NTP server and receive updates.