Security Overview
This chapter provides an overview of the following security features used with the Cisco Nexus 1000V:
•User Accounts
•Virtual Service Domain
•Authentication, Authorization, and Accounting (AAA)
•RADIUS Security Protocol
•TACACS+ Security Protocol
•SSH
•Telnet
•Access Control Lists (ACLs)
•Port Security
•DHCP Snooping
•Dynamic ARP Inspection
•IP Source Guard
User Accounts
Access to the Cisco Nexus 1000V is accomplished by setting up user accounts that define the specific actions permitted by each user. You can create up to 256 user accounts. For each user account, you define a role, user name, password, and expiration date. For information about configuring and managing user accounts, see Chapter 2, "Managing User Accounts."
Virtual Service Domain
A virtual service domain (VSD) allows you to classify and separate traffic for network services, such as firewalls, traffic monitoring, and those in support of compliance goals such as Sarbanes Oxley. For information about configuring and managing VSD, see Chapter 3, "Configuring VSD."
Authentication, Authorization, and Accounting (AAA)
AAA, called Triple A, is an architectural framework for configuring a set of three independent, consistent, and modular security functions.
•Authentication—Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol that you select, encryption. Authentication is the way a user is identified prior to being allowed access to the network and network services. You configure AAA authentication by defining a named list of authentication methods and then applying that list to various interfaces.
•Authorization—Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.
Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. AAA authorization works by assembling a set of attributes that describe what the user is authorized to perform. These attributes are compared with the information contained in a database for a given user, and the result is returned to AAA to determine the user's actual capabilities and restrictions.
•Accounting—Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes. Accounting enables you to track the services that users are accessing, as well as the amount of network resources that they are consuming.
Note You can configure authentication outside of AAA. However, you must configure AAA if you want to use RADIUS or TACACS+, or if you want to configure a backup authentication method.
For information about configuring AAA, see Chapter 4, "Configuring AAA."
RADIUS Security Protocol
AAA establishes communication between your network access server and your RADIUS security server.
RADIUS is a distributed client/server system implemented through AAA that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
For information about configuring RADIUS, see Chapter 5, "Configuring RADIUS."
TACACS+ Security Protocol
AAA establishes communication between your network access server and your TACACS+ security server.
TACACS+ is a security application implemented through AAA that provides a centralized validation of users who are attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon that usually runs on a UNIX or Windows NT workstation. TACACS+ provides separate and modular authentication, authorization, and accounting facilities.
For information about configuring TACACS+, see Chapter 6, "Configuring TACACS+."
SSH
You can use the Secure Shell (SSH) server to enable an SSH client to make a secure, encrypted connection to a device. SSH uses strong encryption for authentication. The SSH server can operate with publicly and commercially available SSH clients.
The SSH client works with publicly and commercially available SSH servers.
For information, see the Chapter 7, "Configuring SSH."
Telnet
You can use the Telnet protocol to set up TCP/IP connections to a host. Telnet allows a person at one site to establish a TCP connection to a login server at another site and then passes the keystrokes from one device to the other. Telnet can accept either an IP address or a domain name as the remote device address. For information, see the Chapter 8, "Configuring Telnet.".
Access Control Lists (ACLs)
An ACL is an ordered set of rules for filtering traffic. When the device determines that an ACL applies to a packet, it tests the packet against the rules. The first matching rule determines whether the packet is permitted or denied. If there is no match, the device applies a default rule. The device processes packets that are permitted and drops packets that are denied.
ACLs protect networks and specific hosts from unnecessary or unwanted traffic. For example, ACLs can disallow HTTP traffic from a high-security network to the Internet. ACLs also allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.
For more information, see the following:
•Chapter 9, "Configuring an IP ACL"
•Chapter 10, "Configuring a MAC ACL"
Port Security
Port security lets you configure Layer 2 interfaces permitting inbound traffic from a restricted and secured set of MAC addresses. Traffic from a secured MAC address is not allowed on another interface within the same VLAN. The number of MAC addresses that can be secured is configured per interface.
For more information, see Chapter 11, "Configuring Port Security."
DHCP Snooping
DHCP snooping provides a mechanism to prevent a malicious host masquerading as a DHCP server from assigning IP addresses (and related configuration) to DHCP clients. In addition, DHCP snooping prevents certain denial of service attacks on the DHCP server.
DHCP snooping requires you to configure a trust setting for ports, which is used to differentiate between trusted and untrusted DHCP servers.
In addition, DHCP snooping learns IP addresses assigned by the DHCP server, so that other security features (for example, Dynamic ARP inspection and IP source guard) can function when DHCP is used to assign IP addresses to interfaces.
For more information, see Chapter 12, "Configuring DHCP Snooping."
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) ensures that only valid ARP requests and responses are relayed by intercepting all ARP requests and responses on untrusted ports and verifying that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination. When this feature is enabled, invalid ARP packets are dropped.
For more information, see Chapter 13, "Configuring Dynamic ARP Inspection."
IP Source Guard
IP Source Guard is a per-interface traffic filter that permits IP traffic only when the packet IP address and MAC address match one of the following:
•The IP address and MAC address in the DHCP snooping binding
•The static IP source entries that you configure
For more information, see Chapter 14, "Configuring IP Source Guard."