Management Plane Security
Chapter 6 — Access Control, AAA, Logging, and Configuration Hardening
The management plane encompasses all functions that allow administrators to monitor, configure, and control the router. Securing the management plane is arguably the most critical security objective: a compromised management plane gives an attacker complete control over the device, including the ability to disable all other security controls. This chapter covers the complete set of management plane security controls, from physical console access to remote SSH sessions, AAA integration, logging, and configuration hardening.
6.1 Management Access Control
Management access must be restricted to explicitly authorized sources, protocols, and methods. The principle of least privilege applies: each administrator should have access only to the commands and interfaces required for their specific role. All management traffic must be isolated from production traffic using a dedicated management VRF and, where possible, a physically separate OOB network.
| Access Method | Required Configuration | Must Be Disabled | Source Restriction |
|---|---|---|---|
| SSH v2 | ip ssh version 2; crypto key generate rsa modulus 4096; ip ssh time-out 60; ip ssh authentication-retries 3 | SSH v1, Telnet | ACL: OOB mgmt subnet only |
| HTTPS (Web UI) | ip http secure-server; ip http tls-version TLSv1.2; ip http authentication aaa | HTTP (cleartext) | ACL: OOB mgmt subnet only |
| NETCONF | netconf-yang; netconf max-sessions 4; netconf lock-time 10 | SNMP v1/v2c write | ACL: automation subnet only |
| SNMPv3 | snmp-server group READONLY v3 priv; snmp-server user MONITOR READONLY v3 auth sha <key> priv aes 128 <key> | SNMP v1, SNMP v2c | ACL: monitoring subnet only |
| Console | line con 0; exec-timeout 5 0; login authentication LOCAL-FALLBACK; logging synchronous | No-password console | Physical access control required |
Management VRF Configuration
All management interfaces and services must be bound to a dedicated management VRF, ensuring that management traffic is completely isolated from production routing. The management VRF must have its own routing table with only the routes necessary for management access (OOB network, AAA servers, NTP servers, syslog servers). No production routes should be present in the management VRF.
```
! Management VRF Definition
vrf definition MGMT
 rd 65000:999
 address-family ipv4
 exit-address-family
!
! Management Interface Assignment
interface GigabitEthernet0
 vrf forwarding MGMT
 ip address 172.16.1.10 255.255.255.0
 no shutdown
!
! SSH sourced from the management interface
ip ssh source-interface GigabitEthernet0
!
! TACACS+ sourced from the management interface; the TACACS+ server group
! must also carry "ip vrf forwarding MGMT" so that requests leave via the VRF
ip tacacs source-interface GigabitEthernet0
```
6.2 AAA Configuration (Authentication, Authorization, Accounting)
AAA provides the framework for controlling who can access the router (authentication), what they can do (authorization), and recording what they did (accounting). All three components must be configured and operational. TACACS+ is the preferred protocol for network device AAA because it separates authentication, authorization, and accounting into independent transactions and supports per-command authorization. RADIUS is acceptable for environments where TACACS+ is not available.
| AAA Component | Configuration Requirement | Fallback Policy | Verification |
|---|---|---|---|
| Authentication | Primary: TACACS+ server group; Secondary: RADIUS server group; Last resort: local (break-glass only) | Local account permitted only if AAA servers unreachable; break-glass account must trigger alert | test aaa group TACACS+ user <test> |
| Authorization | Per-command authorization via TACACS+; privilege levels mapped to roles (NOC=1, Engineer=7, Admin=15) | If TACACS+ unreachable, deny all commands except pre-approved emergency command list | show aaa method-lists; show privilege |
| Accounting | Command accounting (all levels) and exec accounting to TACACS+; local buffer as backup | If TACACS+ unreachable, log to local buffer; alert NOC; do not block access | show accounting; show aaa accounting |
Role-Based Access Control (RBAC) Privilege Levels
| Role | Privilege Level | Permitted Commands | Prohibited Commands |
|---|---|---|---|
| Read-Only / NOC | Level 1 | show *, ping, traceroute | All configuration commands |
| Network Engineer | Level 7 | show *, ping, traceroute, debug (limited), interface shutdown/no shutdown | Global config, AAA config, user management |
| Senior Engineer | Level 10 | All Level 7 + routing config, ACL config, BGP config | AAA config, user management, crypto config |
| Administrator | Level 15 | All commands | None (full access) |
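As an added illustration of the authorization and fallback policy in the two tables above (example code written for this chapter, not a TACACS+ server profile from the original text), the following Python models per-command authorization: the role and privilege-level mapping follows the RBAC table, while the prohibited-command patterns, the limited debug subset and the emergency command list are assumptions. The decision order matters: the AAA-unreachable fallback is evaluated first and fails closed, prohibited commands are checked before any permit pattern so a broad permit cannot override them, and anything unmatched is denied. In production this logic lives on the TACACS+ server; a model like this is useful for unit-testing a policy before deploying it.

```python
import re

# Role -> privilege level and permitted command patterns, following the RBAC table.
# Patterns are regular expressions matched against the whole normalized command line.
BASE_RO = [r"show( .*)?", r"ping( .*)?", r"traceroute( .*)?"]
ENGINEER = BASE_RO + [r"debug ip (icmp|packet)( .*)?",            # "debug (limited)": assumed subset
                      r"interface \S+", r"(no )?shutdown"]
SENIOR = ENGINEER + [r"router (bgp|ospf) \d+", r"ip route .*",     # routing / BGP config
                     r"(ip )?access-list .*", r"ip prefix-list .*"]  # ACL config
ROLES = {
    "noc":      {"level": 1,  "permit": BASE_RO},
    "engineer": {"level": 7,  "permit": ENGINEER},
    "senior":   {"level": 10, "permit": SENIOR},
    "admin":    {"level": 15, "permit": [r".*"]},
}

# Prohibited for every role below level 15 (the table's "Prohibited Commands" column);
# checked before the permit list so a broad permit pattern cannot override it.
DENY_BELOW_15 = [r"aaa .*", r"username .*", r"crypto .*", r"tacacs.*", r"radius.*"]

# Constructed emergency list applied when TACACS+ is unreachable: fail closed,
# permitting only what an operator needs to diagnose and isolate a problem.
EMERGENCY_COMMANDS = BASE_RO + [r"interface \S+", r"(no )?shutdown"]


def normalize(command):
    """Collapse whitespace and case so 'Show  IP BGP' and 'show ip bgp' match the same pattern."""
    return " ".join(command.strip().lower().split())


def _matches(cmd, patterns):
    return any(re.fullmatch(p, cmd) for p in patterns)


def authorize(role, command, tacacs_reachable=True):
    """Return (decision, reason) for a role issuing a command.

    Order: AAA-unreachable fallback, then prohibited commands, then the role's
    permit list; anything unmatched is denied (default deny).
    """
    cmd = normalize(command)
    if not tacacs_reachable:
        return (("permit", "emergency-list") if _matches(cmd, EMERGENCY_COMMANDS)
                else ("deny", "aaa-unreachable"))
    profile = ROLES.get(role)
    if profile is None:
        return ("deny", "unknown-role")
    if profile["level"] < 15 and _matches(cmd, DENY_BELOW_15):
        return ("deny", "prohibited")
    if _matches(cmd, profile["permit"]):
        return ("permit", "level-%d" % profile["level"])
    return ("deny", "not-permitted")


if __name__ == "__main__":
    for role, cmd, up in [("noc", "show ip bgp summary", True),
                          ("engineer", "aaa new-model", True),
                          ("senior", "router bgp 65000", True),
                          ("admin", "router bgp 65000", False)]:
        print(role, repr(cmd), "tacacs=%s" % up, "->", authorize(role, cmd, up))
```

Note that the administrator is subject to the same fail-closed fallback as every other role: when the TACACS+ server is unreachable, nothing outside the emergency list is authorized, which is what the fallback column of the AAA table requires.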
6.3 Logging & Monitoring
Comprehensive logging is essential for both security incident detection and post-incident forensics. All security-relevant events must be logged with accurate timestamps, source identification, and sufficient context to reconstruct the sequence of events. Logs must be sent to a remote syslog server in real time and retained for a minimum of 12 months. The router's local log buffer serves only as a short-term backup, not as the primary log store.
| Log Category | Severity Level | Must Be Logged | Retention |
|---|---|---|---|
| Authentication Events | Informational (6) | All login attempts (success and failure), logout, session timeout | 12 months minimum |
| Authorization Events | Informational (6) | All commands executed (TACACS+ accounting), privilege escalation | 12 months minimum |
| Configuration Changes | Notification (5) | All configuration changes with user ID, timestamp, and changed content | 24 months minimum |
| Routing Protocol Events | Warning (4) | BGP session state changes, OSPF neighbor changes, route flaps, max-prefix exceeded | 6 months minimum |
| Security Events | Warning (4) / Error (3) | ACL deny hits (sampled), CoPP drops, uRPF failures, crypto errors | 12 months minimum |
| System Events | Error (3) / Critical (2) | Interface state changes, hardware errors, process restarts, memory warnings | 6 months minimum |
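To show what a collector does with these records, here is an added Python example (written for this chapter, not a tool from the original text) that parses Cisco IOS-style syslog lines, maps each to a log category and retention period from the table above, and applies two simple detections: repeated login failures from one source, and a configuration change originating outside the management subnet. The log lines, the 172.16.1.0/24 management range, the failure threshold and the category-to-retention mapping are constructed for the example; the facility/mnemonic names are standard IOS ones.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: IOS-style syslog lines as received by a collector
# (syslog PRI, sequence number, timestamp, %FACILITY-SEVERITY-MNEMONIC, text).
SAMPLE_LOGS = """\
<188>101: *Mar  1 00:12:30.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 00:12:30 UTC Fri Mar 1 2024
<188>102: *Mar  1 00:12:31.442: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 00:12:31 UTC Fri Mar 1 2024
<188>103: *Mar  1 00:12:33.120: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 00:12:33 UTC Fri Mar 1 2024
<189>104: *Mar  1 00:15:02.003: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jsmith] [Source: 172.16.1.20] [localport: 22] at 00:15:02 UTC Fri Mar 1 2024
<189>105: *Mar  1 00:16:10.555: %SYS-5-CONFIG_I: Configured from console by jsmith on vty0 (172.16.1.20)
<189>106: *Mar  1 00:20:45.900: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.9)
<189>107: *Mar  1 00:21:00.000: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent
<190>108: *Mar  1 00:21:05.000: %SEC-6-IPACCESSLOGP: list MGMT-IN denied tcp 198.51.100.7(4411) -> 172.16.1.10(23), 1 packet
<187>109: *Mar  1 00:22:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to down
garbage line that is not a syslog record
"""

SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"                                   # optional syslog PRI
    r"(?:(?P<seq>\d+): )?"                                    # optional sequence number
    r"(?P<ts>[*.]?\w{3}\s+\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?)"  # IOS timestamp (* = clock not authoritative)
    r"(?: \w+)?: "                                            # optional timezone
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<msg>.*)$")

# Retention in months per log category, taken from the logging table.
RETENTION_MONTHS = {"authentication": 12, "configuration": 24,
                    "routing": 6, "security": 12, "system": 6}


def parse_line(line):
    """Parse one IOS syslog line into a dict, or return None if it is not a syslog record."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sev"] = int(ev["sev"])
    # PRI encodes facility*8 + severity; a mismatch with the message severity is worth flagging
    ev["pri_sev_mismatch"] = ev["pri"] is not None and int(ev["pri"]) % 8 != ev["sev"]
    return ev


def categorize(ev):
    """Map a parsed event to a log category and its retention period in months."""
    fac, mn = ev["facility"], ev["mnemonic"]
    if fac == "SEC_LOGIN":
        cat = "authentication"
    elif mn == "CONFIG_I":
        cat = "configuration"
    elif fac in ("BGP", "OSPF", "EIGRP", "ISIS"):
        cat = "routing"
    elif fac in ("SEC", "COPP", "CRYPTO"):   # ACL log hits, CoPP drops, crypto errors
        cat = "security"
    else:
        cat = "system"
    return cat, RETENTION_MONTHS[cat]


def analyze(log_text, mgmt_subnet="172.16.1.0/24", fail_threshold=3):
    """Classify every record; alert on repeated login failures per source and on
    configuration changes from outside the (assumed) OOB management subnet."""
    mgmt = ipaddress.ip_network(mgmt_subnet)
    failed, categories, alerts, unparsed = Counter(), Counter(), [], 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        categories[categorize(ev)[0]] += 1
        if ev["mnemonic"] == "LOGIN_FAILED":
            src = re.search(r"\[Source: ([\d.]+)\]", ev["msg"])
            if src:
                failed[src.group(1)] += 1
                if failed[src.group(1)] == fail_threshold:   # alert once, at the threshold
                    alerts.append("repeated login failures from %s" % src.group(1))
        elif ev["mnemonic"] == "CONFIG_I":
            who = re.search(r"by (\S+) on (\S+) \(([\d.]+)\)", ev["msg"])
            if who and ipaddress.ip_address(who.group(3)) not in mgmt:
                alerts.append("config change by %s from non-management source %s"
                              % (who.group(1), who.group(3)))
    return {"categories": dict(categories), "failed_logins": dict(failed),
            "alerts": alerts, "unparsed": unparsed}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOGS).items():
        print(key, value)
```

The unparsed counter is deliberate: a collector that silently drops malformed lines hides both transport problems and tampering, so the count belongs in the same report as the alerts.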
6.4 Configuration Hardening Checklist
The following checklist covers all management plane hardening items that must be verified on every router deployment. Each item should be checked against the running configuration and the result documented in the deployment record. Items marked as Critical must be resolved before the device is placed into production service.
| Item | Priority | Verification Command | Expected Result |
|---|---|---|---|
| Telnet disabled on all VTY lines | Critical | show run \| section line vty | transport input ssh only |
| SSH v2 only | Critical | show ip ssh | SSH Enabled - version 2.0 |
| HTTP server disabled | Critical | show run \| include ip http | no ip http server present |
| SNMP v1/v2c disabled | Critical | show run \| include snmp-server community | No community strings configured |
| AAA authentication configured | Critical | show aaa method-lists | TACACS+ primary, local fallback |
| AAA accounting configured | Critical | show aaa accounting | Commands and exec accounting active |
| NTP authentication enabled | High | show ntp status; show ntp associations detail | Synchronized, authenticated |
| Syslog configured to remote server | High | show logging | Remote syslog host configured, active |
| Login banner configured | High | show run \| section banner | Authorized use only banner present |
| Exec timeout configured | High | show run \| section line | exec-timeout 5 0 or less |
| Unused interfaces shutdown | Medium | show interfaces \| include line protocol | All unused interfaces administratively down |
| CDP/LLDP disabled on external interfaces | Medium | show cdp neighbors; show lldp neighbors | No neighbors on external interfaces |
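To make the checklist mechanically verifiable, here is an added Python audit (example code written for this chapter, not a tool from the original text) that parses a constructed running-config excerpt and evaluates the configuration-derived items from this table and from the access-method table in 6.1: VTY transport, SSH version, the cleartext HTTP listener, SNMP community strings, AAA authentication and accounting, NTP authentication, remote syslog, login banner, exec-timeout and idle interfaces. The two items that depend on operational state (interface line protocol, CDP/LLDP neighbors) need `show` output rather than the configuration and are left out. The sample addresses, the TACACS-SRV group name, the idle-interface heuristic and the key placeholder are assumptions.

```python
import re

# Constructed running-config excerpt mixing compliant and non-compliant items.
# Key material is a placeholder; addresses use the chapter's 172.16.1.0/24 management range.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group TACACS-SRV local
aaa accounting exec default start-stop group TACACS-SRV
aaa accounting commands 15 default start-stop group TACACS-SRV
ip ssh version 2
ip http server
ip http secure-server
snmp-server community public RO
ntp authenticate
ntp authentication-key 1 hmac-sha2-256 PLACEHOLDER-KEY
ntp trusted-key 1
logging host 172.16.1.60 vrf MGMT
banner login ^C
Authorized use only. Activity is monitored.
^C
interface GigabitEthernet0
 vrf forwarding MGMT
 ip address 172.16.1.10 255.255.255.0
interface GigabitEthernet0/0/1
 shutdown
interface GigabitEthernet0/0/2
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 10 0
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""


def parse_sections(config):
    """Split an IOS config into top-level lines and the indented children of each section."""
    top, children, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            children[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            children[current] = []
    return top, children


def audit(config):
    """Evaluate the configuration-derived checklist items; returns one finding per item."""
    top, kids = parse_sections(config)
    present, findings = set(top), []

    def check(item, priority, ok, detail=""):
        findings.append({"item": item, "priority": priority,
                         "status": "PASS" if ok else "FAIL", "detail": detail})

    # Every 'line vty' block must carry exactly 'transport input ssh'
    bad_vty = [l for l in top if l.startswith("line vty") and "transport input ssh" not in kids[l]]
    check("Telnet disabled on all VTY lines", "Critical", not bad_vty, ", ".join(bad_vty))
    check("SSH v2 only", "Critical", "ip ssh version 2" in present)
    # 'ip http secure-server' is allowed; the exact line 'ip http server' is the cleartext listener
    check("HTTP server disabled", "Critical", "ip http server" not in present)
    check("SNMP v1/v2c disabled", "Critical",
          not any(l.startswith("snmp-server community") for l in top))
    check("AAA authentication configured", "Critical", "aaa new-model" in present and
          any(l.startswith("aaa authentication login") and " group " in l for l in top))
    check("AAA accounting configured", "Critical",
          any(l.startswith("aaa accounting exec") for l in top) and
          any(l.startswith("aaa accounting commands") for l in top))
    check("NTP authentication enabled", "High", "ntp authenticate" in present and
          any(l.startswith("ntp trusted-key") for l in top))
    check("Syslog configured to remote server", "High", any(l.startswith("logging host") for l in top))
    check("Login banner configured", "High", any(l.startswith(("banner login", "banner motd")) for l in top))
    # exec-timeout must be present and within 1..300 seconds; 'exec-timeout 0 0' disables it,
    # and an absent line means the IOS default of 10 minutes applies
    bad_to = []
    for l in (x for x in top if x.startswith("line ")):
        m = next((re.fullmatch(r"exec-timeout (\d+) (\d+)", c) for c in kids[l]
                  if c.startswith("exec-timeout")), None)
        secs = int(m.group(1)) * 60 + int(m.group(2)) if m else None
        if secs is None or not 0 < secs <= 300:
            bad_to.append(l)
    check("Exec timeout configured", "High", not bad_to, ", ".join(bad_to))
    # Heuristic: an interface with neither an address nor 'shutdown' is probably unused and live
    idle = [l for l in top if l.startswith("interface ")
            and not any(c.startswith("ip address") or c == "shutdown" for c in kids[l])]
    check("Unused interfaces shutdown", "Medium", not idle, ", ".join(idle))
    return findings


def blocking_items(findings):
    # Critical failures that must be fixed before the device enters production service
    return [f["item"] for f in findings if f["priority"] == "Critical" and f["status"] == "FAIL"]


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("%-8s %-4s %s %s" % (f["priority"], f["status"], f["item"], f["detail"]))
```

On the sample, the audit reports three Critical failures (Telnet still allowed on `line vty 5 15`, the cleartext HTTP server, and an SNMP community string) plus High and Medium findings for the exec-timeout and the live but unaddressed interface; those three Critical items are the ones that block production service under the rule stated above the table.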