CISCO Security Configuration Guide

CorporateHeadquartersCiscoSystems,Inc.170WestTasmanDriveSanJose,CA95134-1706USA(6387)Fax:408526-4100CiscoContentServicesSwitchSecurityConfigurationGuideSoftwareVersion8.10November2005TextPartNumber:OL-8242-01THESPECIFICATIONSANDINFORMATIONREGARDINGTHEPRODUCTSINTHISMANUALARESUBJECTTOCHANGEWITHOUTNOTICE.ALLSTATEMENTS,INFORMATION,ANDRECOMMENDATIONSINTHISMANUALAREBELIEVEDTOBEACCURATEBUTAREPRESENTEDWITHOUTWARRANTYOFANYKIND,EXPRESSORIMPLIED.USERSMUSTTAKEFULLRESPONSIBILITYFORTHEIRAPPLICATIONOFANYPRODUCTS.THESOFTWARELICENSEANDLIMITEDWARRANTYFORTHEACCOMPANYINGPRODUCTARESETFORTHINTHEINFORMATIONPACKETTHATSHIPPEDWITHTHEPRODUCTANDAREINCORPORATEDHEREINBYTHISREFERENCE.IFYOUAREUNABLETOLOCATETHESOFTWARELICENSEORLIMITEDWARRANTY,CONTACTYOURCISCOREPRESENTATIVEFORACOPY.TheCiscoimplementationofTCPheadercompressionisanadaptationofaprogramdevelopedbytheUniversityofCalifornia,Berkeley(UCB)aspartofUCB’spublicdomainversionoftheUNIXoperatingsystem.Allrightsreserved.Copyright©1981,RegentsoftheUniversityofCalifornia.NOTWITHSTANDINGANYOTHERWARRANTYHEREIN,ALLDOCUMENTFILESANDSOFTWAREOFTHESESUPPLIERSAREPROVIDED“ASIS”WITHALLFAULTS.CISCOANDTHEABOVE-NAMEDSUPPLIERSDISCLAIMALLWARRANTIES,EXPRESSEDORIMPLIED,INCLUDING,WITHOUTLIMITATION,THOSEOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSEANDNONINFRINGEMENTORARISINGFROMACOURSEOFDEALING,USAGE,ORTRADEPRACTICE.INNOEVENTSHALLCISCOORITSSUPPLIERSBELIABLEFORANYINDIRECT,SPECIAL,CONSEQUENTIAL,ORINCIDENTALDAMAGES,INCLUDING,WITHOUTLIMITATION,LOSTPROFITSORLOSSORDAMAGETODATAARISINGOUTOFTHEUSEORINABILITYTOUSETHISMANUAL,EVENIFCISCOORITSSUPPLIERSHAVEBEENADVISEDOFTHEPOSSIBILITYOFSUCHDAMAGES.CiscoContentServicesSwitchSecurityConfigurationGuideCopyright©2005,CiscoSystems,Inc.Allrightsreserved.CCSP,CCVP,theCiscoSquareBridgelogo,FollowMeBrowsing,andStackWisearetrademarksofCiscoSystems,Inc.;ChangingtheWayWeWork,Live,Play,andLearn,andiQuickStudyareservicemarksofCiscoSystems,Inc.;andAccessRegistrar,Aironet,ASIST,BPX,Catalyst,CCDA,CCDP,CCIE,CCIP,CCNA,CCNP,Cisco,theCiscoCertifiedInternetworkExpertlogo,CiscoIOS,CiscoPress,CiscoSystems,CiscoSystemsCapital,theCiscoSystemslogo,CiscoUnity,EmpoweringtheInternetGeneration,Enterprise/Solver,EtherChannel,EtherFast,EtherSwitch,FastStep,FormShare,GigaDrive,GigaStack,HomeLink,InternetQuotient,IOS,IP/TV,iQExpertise,theiQlogo,iQNetReadinessScorecard,LightStream,Linksys,MeetingPlace,MGX,theNetworkerslogo,NetworkingAcademy,NetworkRegistrar,Packet,PIX,Post-Routing,Pre-Routing,ProConnect,RateMUX,ScriptShare,SlideCast,SMARTnet,StrataViewPlus,TeleRouter,TheFastestWaytoIncreaseYourInternetQuotient,andTransPathareregisteredtrademarksofCiscoSystems,Inc.and/oritsaffiliatesintheUnitedStatesandcertainothercountries.AllothertrademarksmentionedinthisdocumentorWebsitearethepropertyoftheirrespectiveowners.TheuseofthewordpartnerdoesnotimplyapartnershiprelationshipbetweenCiscoandanyothercompany.(0502R)iiiCiscoContentServicesSwitchSecurityConfigurationGuideOL-8242-01CONTENTSPrefacexiAudiencexiiHowtoUseThisGuidexiiRelatedDocumentationxiiiSymbolsandConventionsxviObtainingDocumentationxviiCisco.comxviiProductDocumentationDVDxviiOrderingDocumentationxviiiDocumentationFeedbackxviiiCiscoProductSecurityOverviewxixReportingSecurityProblemsinCiscoProductsxxObtainingTechnicalAssistancexxCiscoTechnicalSupport&DocumentationWebsitexxiSubmittingaServiceRequestxxiDefinitionsofServiceRequestSeverityxxiiObtainingAdditionalPublicationsandInformationxxiiiCHAPTER1ControllingCSSAccess1-1ChangingtheAdministrativeUsernameandPassword1-2CreatingUsernamesandPasswords1-3ControllingRemoteUserAccesstotheCSS1-6ConfiguringVirtualAuthentication1-7ConfiguringConsoleAuthentication1-8ContentsivCiscoContentServicesSwitchSecurityConfigurationGuideOL-8242-01ControllingAdministrativeAccesstotheCSS1-10EnablingAdministrativeAccesstotheCSS1-10DisablingAdministrativeAccesstotheCSS1-11ControllingCSSNetworkTrafficThroughAccessControlLists1-12ACLOverview1-13ACLConfigurationQuickStart1-15CreatinganACL1-17DeletinganACL1-18ConfiguringClauses1-19AddingaClauseWhenACLsareGloballyEnabled1-25DeletingaClause1-26ApplyinganACLtoaCircuitorDNSQueries1-27RemovinganACLfromCircuitsorDNSQueries1-28EnablingACLsontheCSS1-29DisablingACLsontheCSS1-30ShowingACLs1-30SettingtheShowACLCounterstoZero1-32LoggingACLActivity1-32ACLExample1-34ConfiguringNetworkQualifierListsforACLs1-35CreatinganNQL1-36DescribinganNQL1-36AddingNetworkstoanNQL1-36AddinganNQLtoanACLClause1-38ShowingNQLConfigurations1-38CHAPTER2ConfiguringtheSecureShellDaemonProtocol2-1EnablingSSH2-2ConfiguringSSHAccess2-3vCiscoContentServicesSwitchSecurityConfigurationGuideOL-8242-01ContentsConfiguringSSHDintheCSS2-3ConfiguringSSHDKeepalive2-3ConfiguringSSHDPort2-4ConfiguringSSHDServer-Keybits2-4ConfiguringSSHDVersion2-5ConfiguringTelnetAccessWhenUsingSSHD2-6ShowingSSHDConfigurations2-6CHAPTER3ConfiguringtheCSSasaClientofaRADIUSServer3-1RADIUSConfigurationQuickStart3-3ConfiguringaRADIUSServerforUsewiththeCSS3-4ConfiguringAuthenticationSettings3-5ConfiguringAuthorizationSetti