UCS-TME-MARS-A# show security detail
Security mode:
    Password Strength Check: Yes
    Current Task:
The Password Strength option is enabled by default. Strong passwords must meet the following requirements:
Additional password profile options:
Administrators should control access to resources or devices. When a request for access to a resource or device is received, the request is challenged for verification of the password and identity, and access can be granted, denied, or limited based on the result. Cisco UCS Manager Software provides tools to allow for multiple levels of permissions using the concepts of task and user groups. User groups are defined to have access to a certain set of capabilities. Some of these capabilities are debug commands, show commands, and configuration commands. Different user groups have configuration access to different parts of the Cisco UCS.
Managed servers perform one-time authentication to the Fabric Interconnect every time a user logs in to the Cisco Integrated Management Controller (CIMC) of the device for access to features such as IP-KVM or vMedia. These requests all use the standard role-based access control (RBAC); however, the Intelligent Platform Management Interface (IPMI) user list is downloaded to each blade when the CIMC starts up and registers with the Fabric Interconnect. This user list is separate from the normal RBAC, and IPMI privileges must be assigned separately.
Per Account Properties
For more information on RBAC, see the Configuring Role-Based Access Control guide.
Management sessions allow administrators to view and collect information about a Cisco UCS device and its operations. If this information is disclosed to a malicious user, the device can become the target of an attack or used as a source of additional attacks. Anyone with privileged access to a Cisco UCS device has the capability for full administrative control of the device. It is imperative to secure management sessions to prevent information disclosure and unauthorized access.
As a security best practice, administrators should disable unnecessary services. Most services are disabled by default in Cisco UCS Manager Software; however, these services can be enabled by issuing their respective configuration commands.
Devised to prevent unauthorized direct communication with network devices, infrastructure ACLs (iACLs) are a critical security control mechanism that can be implemented in the network.
An iACL is applied to specify necessary connections between hosts or networks and network devices. Common examples of these types of connections are SMTP, SSH, and SNMP. After the required connections have been permitted, all other traffic to the infrastructure is explicitly denied. All transit traffic that crosses the network and is not destined to infrastructure devices is explicitly permitted.
The protection provided by ACLs is relevant to both the management and control planes. The implementation of ACLs can be made easier with distinct addressing for network infrastructure devices.
The following ACL configuration example illustrates the structure that is required as a basis for starting the ACL implementation process:
In this example, 192.168.10.0 is the trusted source and 192.168.1.1 is the management interface on the Cisco UCS server. The iACL will be attached to a router upstream of the Cisco UCS system.
In this example, the iACL will be implemented on an upstream Cisco IOS router running Cisco IOS Software Release 15.2(1).
! ACL-INFRASTRUCTURE-IN, implemented as Cisco IOS extended ACL 102
! Permit only the required connections from the trusted source to the UCS management interface
access-list 102 permit tcp 192.168.10.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 102 permit tcp 192.168.10.0 0.0.0.255 host 192.168.1.1 eq smtp
access-list 102 permit tcp 192.168.10.0 0.0.0.255 host 192.168.1.1 eq pop3
access-list 102 permit tcp 192.168.10.0 0.0.0.255 host 192.168.1.1 eq 21
access-list 102 permit tcp 192.168.10.0 0.0.0.255 host 192.168.1.1 eq 20
! Explicitly deny all other traffic destined to the infrastructure device
access-list 102 deny ip any host 192.168.1.1
! Explicitly permit transit traffic that is not destined to infrastructure
access-list 102 permit ip any any
When created, the iACL must be applied to all interfaces that face non-infrastructure devices, including interfaces that connect to other organizations, remote access segments, user segments, and segments in data centers.
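The following is an added example (not Cisco's code and not part of the original document) that parses IOS-style numbered ACL lines of the structure described above and evaluates sample flows against them with first-match semantics and the implicit trailing deny, so the three properties of an iACL (trusted management permitted, other traffic to the device denied, transit permitted) can be checked before deployment. It assumes contiguous wildcard masks and uses a constructed ACL with the page's trusted source and management address; the port-name table is a small constructed subset.

```python
import ipaddress

# Constructed sample iACL using the page's addresses: trusted 192.168.10.0/24
# reaches the UCS management interface 192.168.1.1 over HTTPS and SSH only.
IACL_LINES = """
access-list 102 permit tcp 192.168.10.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 102 permit tcp 192.168.10.0 0.0.0.255 host 192.168.1.1 eq ssh
access-list 102 deny ip any host 192.168.1.1
access-list 102 permit ip any any
"""

# Constructed subset of IOS port keywords (the page's example uses smtp and pop3).
PORT_NAMES = {"smtp": 25, "pop3": 110, "ssh": 22, "www": 80}

def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "<address> <wildcard>": invert the (contiguous) wildcard to get a netmask.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2

def parse_acl(text):
    """Parse 'access-list N <permit|deny> <proto> <src> <dst> [eq <port>]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue  # comments and unrelated lines are ignored
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":  # destination-port qualifier
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dst_port=None):
    """Return 'permit' or 'deny' for a flow; IOS ACLs are first-match with implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dst_port:
            continue
        return action
    return "deny"

def audit_iacl(rules):
    """Check the iACL properties the text requires (constructed flows)."""
    return {
        "trusted_to_mgmt_https": evaluate(rules, "tcp", "192.168.10.5", "192.168.1.1", 443),
        "untrusted_to_mgmt_https": evaluate(rules, "tcp", "10.9.9.9", "192.168.1.1", 443),
        "trusted_to_mgmt_telnet": evaluate(rules, "tcp", "192.168.10.5", "192.168.1.1", 23),
        "transit_traffic": evaluate(rules, "tcp", "10.9.9.9", "172.16.4.4", 80),
    }
```

Feeding the full ACL from the example above through `parse_acl` shows whether its permits and the explicit deny/permit tail behave as the text describes before the ACL is applied to an interface.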
Because information can be disclosed during an interactive management session, traffic must be encrypted so that a malicious user cannot read the data that is being transmitted. Encrypting the traffic allows a secure remote access connection to the device. If the traffic for a management session is sent over the network in plain text, an attacker could obtain sensitive information about the device and the network.
Telnet is not a secure protocol, and administrators of Cisco UCS devices are advised not to use Telnet but to use SSHv2 instead.
SSHv2 is enabled by default on TCP port 22. Key strength options are RSA 768-2048 and DSA 1024, with the ciphers 3des-cbc, aes-128-cbc, aes-192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, blowfish-cbc, and cast128-cbc. A maximum of 32 concurrent SSHv2 sessions is supported.
Client to Cisco UCS Manager should use SSL3.1 or TLS1.0. The suggested key length is 1024 or higher using a cipher of AES-128 and SHA-1.
The Cisco Internet services process daemon, Cinetd, which is similar to the UNIX daemon, inetd, is a multithreaded server process that is started by the system manager after the system has booted. Cinetd listens on a well-known port on behalf of the server program. When a service request is received on the particular port, Cinetd notifies the server program that is associated with the service request. By default, Cinetd is not configured to listen for any services.
The Telnet service is disabled by default on Cisco UCS devices. If Telnet has been enabled, issue the disable telnet-server command to disable it:
UCS-A# scope system
UCS-A /system # scope services
UCS-A /services # disable telnet-server
UCS-A /services* # commit-buffer
UCS-A /services #
The administrator account is created by default and cannot be deleted. Use a strong password chosen at Cisco UCS Manager installation. The system does not ship with a predefined default password.
Clearing password history forces users to choose new passwords rather than reuse old ones. Accounts of users who are not actively administering the system should have their Account Status set to inactive. Accounts can be set to expire at certain time intervals using the Expire Account Timeframe configuration option, which allows the administrator to selectively expire accounts that may be set up for short durations. Figure 3 shows how to expire an account on a certain date.
Figure 3. Expiration Date
User roles are assigned privileges that define what that user can do on the system. Multiple privileges can be assigned to a single user. Additionally, locales (UCS domains) can be assigned to users to manage different locations.
For locally authenticated accounts, for maximum security, configure SSH for encrypted sessions. There are two public key formats—OpenSSH and SECSH. Both provide good security.
You can limit the number of login sessions each user is permitted to have. It is suggested to limit the session to one.
The Password Strength option is used to require strong passwords. Leave the Password Strength Check enabled, which is the default. Strong passwords must meet the following requirements:
Additional password profile options:
Local Authentication is enabled by default. Use SSH for maximum security when accessing the Cisco UCS device. Numerous authentication methods provide enhanced security. There is a maximum of 48 local user accounts. Remote authentication uses LDAP, RADIUS and TACACS+ with a maximum of 16 TACACS+ servers, 16 RADIUS servers, and 16 LDAP providers for a total of 48 providers.
The default (local) authentication and the console authentication can use different providers. Furthermore, authentication grouping supports a maximum of 16 groups and a maximum of 8 providers per group. The provider authentication ordering method provides flexibility over which providers are used and which serve as backups. The default authentication ports are configurable.
Default roles include AAA, Admin, Facility-manager, Network, Operations, Read-only, Server-equipment, Server-profile, Server-security, and Storage. Additionally, roles can be customized by creating new roles and assigning privileges.
The locales are used to define one or more organizations a user is allowed to access.
Cisco UCS ships with a self-signed certificate using a default 1024-bit key pair. For a more secure method, use certificates from a trusted third-party source that affirms the identity of the Cisco UCS device.
Event logging provides visibility into the operation of the Cisco UCS device and how it is related to the network. Cisco UCS logging provides flexible logging options. Logging from the Cisco UCS server is done by UDP and is not encrypted. Therefore, administrators should take care in selecting the destination and use encryption to encrypt the transfer of the logs if they are sent to a remote destination over a public or untrusted network.
Fault conditions are logged, cleared, or stored for a configurable interval. The retention interval field configures the length of time the system retains the fault in memory on the Cisco UCS fabric; it can be forever or a set amount of time. Figure 4 shows the Global Fault Policy settings.
Figure 4. Global Fault Policy
Administrators are advised to use the syslog feature to report faults. Up to three destinations can be defined. The severity of the logs is selected with a range from the least severe (emergency) to most severe (debugging).
The system event log (SEL) resides on the CIMC in NVRAM. This log records most server events, including temperature, fan, BIOS, and more, and is limited to 40 KB in size. When the backup feature is used to send the events to a remote server, the system can be configured to clear the NVRAM log after export. Additionally, the events can be exported using Secure Copy Protocol (SCP) or Secure File Transfer Protocol (SFTP) for more secure transfers.
Unsecured protocols are disabled by default. These include Telnet and HTTP. HTTP requests will be redirected to HTTPS when HTTPS is enabled, which is the default setting.
SNMP is disabled by default. UCS supports SNMP versions 1, 2, and 3. Use SNMPv3 and implement the authPriv security level because it provides HMAC-MD5 or HMAC-SHA authentication together with data encryption based on 56-bit DES in Cipher Block Chaining mode (CBC-DES).
Note: Cisco UCS is not able to configure SNMP community strings with ACLs to limit what trusted IP addresses have access to the SNMP services. This filtering should be done on an upstream router or firewall using iACLs.
Serial over LAN (SOL) can be set up to use encryption. Use the CLI to enable the feature.
SSH to the Cisco UCS device and set the encryption to enabled:
UCS_Server# scope kvm
UCS_Server /kvm # set encrypted yes
UCS_Server /kvm # show detail
KVM Settings:
    Encryption Enabled: yes
    Max Sessions: 4
    Local Video: yes
    Active Sessions: 0
    Enabled: yes
    KVM Port: 2068
Cisco UCS image transfers should be done using the supported secure transfer methods, SCP or SFTP, even though clear text protocols, FTP and TFTP, are available.
The client accessing the Cisco UCS Manager should use SSL3.1 or TLS1.0. The suggested key length is 2048 or higher using a cipher of AES-128 and SHA-1.
The web client will automatically reconnect after a break in communications to the Cisco UCS Manager. The Cisco UCS Manager has a web session refresh period and a web session timeout period. The web session refresh period kicks off when the client becomes inactive for 600 seconds, which is the default setting. The session is considered inactive, but the session is not terminated. A web session timeout period should be used to terminate these stale sessions. The default is 7200 seconds.
The login banner should be used to properly identify the system. It should provide a definitive warning to anyone accessing the system that illegal activities may not be performed and will be reported to law enforcement. Important elements of a login banner include the following notices:
Web session limits are configurable for the entire system and per user. The default for the system is 256 and 256 for each user. It is suggested to have a limit on the number of user sessions (1–2) and a limit for the maximum amount of connections for the total system based on how many users there are. You do not want one user to be able to take complete control of access to the system.
The SEL resides on the CIMC in NVRAM. It records physical events and is mainly used for troubleshooting hardware issues. Administrators should use SCP or SFTP to transfer the log entries to a secure storage device and use the option to clear the SEL after the transfer is complete.
IPMI allows administrators to access system hardware, control system components, and retrieve logs. IPMI operates independently of the CIMC operating system. The admin account has full access to the baseboard management controller (BMC), whereas the read-only account is only able to view the configuration. For the standalone C-Series, there are three user privileges: admin, user, and read-only. Admin is the equivalent of IPMI administrator, user is the equivalent of IPMI operator, and read-only is the lowest IPMI privilege level.
Suggested best practices:
In addition, use Serial over LAN Policy. The virtual console emulates direct keyboard, video, and mouse (KVM) to the server. The service uses self-signed certificates so the user must allow an exception for the certificate in the browser cache. The default, and only, access protocol is HTTPS. KVM management is encrypted using RC4 and should not be disabled.
There are also front panel security options in the BIOS setup:
Figure 5. USB Non Bootable
This document provides methods to harden Cisco UCS features. We focused on the management plane with hardening techniques that highlight securing user access through the UCS Manager client and using strong encryption methods. Furthermore, we provided secure logging techniques for NVRAM logging and the system event log. Implementing the hardening best practices discussed in this document will increase the security of the UCS system and thus the overall security of the network in which the UCS is located.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.