Network Protocols And Cryptographic Settings; Remote Administration Protocols - Cisco ASR 1000 Series Common Criteria Operational User Guidance And Preparative Procedures

3.3 Network Protocols and Cryptographic Settings

3.3.1 Remote Administration Protocols

All TOE administration must be performed through an IPsec tunnel. However, it is
recommended that the interactive interface be over SSH. The following method is used to
configure SSH for use in a secure manner.
To only allow SSH for remote administrator sessions, use the transport input ssh command on the vty lines.
This command disables Telnet by only allowing SSH connections for remote administrator access.
Steps to configure SSH on the router:
3.3.1.1 Guides
1. Generate RSA or ECDSA key material. Choose a longer modulus length for the
evaluated configuration (i.e., 2048 for RSA and 256 or 384 for ECDSA):
TOE-common-criteria(config)# crypto key generate rsa
or
TOE-common-criteria(config)# crypto key generate ec keysize [256 or 384]
RSA and ECDSA keys are generated in pairs: one public key and one private key. This
command is not saved in the router configuration; however, the keys generated by this
command are saved in the private configuration in NVRAM (which is never displayed to
the user or backed up to another device) the next time the configuration is written to
NVRAM.
Note: Only one set of keys can be configured using the crypto key generate command at
a time. Repeating the command overwrites the old keys.
Note: If the configuration is not saved to NVRAM with a "copy run start", the generated
keys are lost on the next reload of the router.
Note: If the error "% Please define a domain-name first" is received, enter the command
'ip domain-name [domain name]'.
Note: to delete a key, an administrator may use the crypto key zeroize <label> command.
2. Enable SSH (the ip ssh commands in steps 2 through 5 are global configuration commands)
TOE-common-criteria# ip ssh authentication-retries 2
3. Configure the SSH timeout
TOE-common-criteria# ip ssh time-out 60
4. Set to use SSH v2
TOE-common-criteria# ip ssh version 2
5. Ensure that the product is configured not to support diffie-hellman-group1-sha1 key
exchange using the following command 'ip ssh dh min size 2048':
TOE-common-criteria(config)# ip ssh dh min size 2048
How many bits in the modulus [512]: 2048
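The five steps above describe the SSH settings that the evaluated configuration expects to see in the running configuration. The following Python script is an added example, not Cisco's tooling and not part of this guidance document: it parses a running-config excerpt (the sample text is constructed for illustration) and reports any vty line that still accepts Telnet or any ip ssh setting that is missing or weaker than the values given in steps 2 through 5. The threshold values (retries 2, timeout 60, DH minimum 2048, version 2) are taken directly from the steps above; the helper names are the example's own.

```python
"""Audit a Cisco IOS running-config against the SSH settings in section 3.3.1.

Added example (not Cisco's tooling). The configuration text is constructed
for illustration and was not captured from a real device.
"""
import re

# Constructed sample: the first vty block is correct, the second still allows Telnet.
SAMPLE_CONFIG = """\
hostname TOE-common-criteria
ip domain-name example.test
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh dh min size 2048
line con 0
 logging synchronous
line vty 0 4
 transport input ssh
 login authentication default
line vty 5 15
 transport input telnet ssh
"""

# Same constructed config with the second vty block corrected.
HARDENED_CONFIG = SAMPLE_CONFIG.replace("transport input telnet ssh",
                                        "transport input ssh")


def global_setting(config, prefix):
    """Return the text after the first top-level line starting with prefix, or None."""
    for raw in config.splitlines():
        if raw.startswith(prefix):
            return raw[len(prefix):].strip()
    return None


def vty_transports(config):
    """Map each 'line vty ...' block to its 'transport input' value (None if absent)."""
    result = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            result.setdefault(current, None)
        elif current is not None and raw.startswith(" "):
            m = re.match(r"\s+transport input (.+)", raw)
            if m:
                result[current] = m.group(1).strip()
        else:
            # Any other top-level command ends the current line block.
            current = None
    return result


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    retries = global_setting(config, "ip ssh authentication-retries ")
    if retries is None or int(retries) > 2:
        findings.append("ip ssh authentication-retries missing or above 2 (step 2)")

    timeout = global_setting(config, "ip ssh time-out ")
    if timeout is None or int(timeout) > 60:
        findings.append("ip ssh time-out missing or above 60 seconds (step 3)")

    version = global_setting(config, "ip ssh version ")
    if version != "2":
        findings.append("ip ssh version 2 not set; SSHv1 may be negotiated (step 4)")

    dh_min = global_setting(config, "ip ssh dh min size ")
    if dh_min is None or int(dh_min) < 2048:
        findings.append("ip ssh dh min size below 2048; group1-sha1 exchange possible (step 5)")

    vtys = vty_transports(config)
    if not vtys:
        findings.append("no 'line vty' blocks found; cannot confirm transport input ssh")
    for block, transport in vtys.items():
        if transport != "ssh":
            findings.append(f"{block}: transport input is {transport!r}, "
                            "expected 'ssh' (Telnet not disabled)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'all checks passed'}")
```

Run it against the output of show running-config saved to a file by replacing SAMPLE_CONFIG with the file contents; a non-empty findings list is the signal that one of the steps above has not been applied or has been reverted.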