
In the last issue of The Network Monitor, we introduced CiscoSecure UNIX Server as the complete network access security solution. CiscoSecure has been touted mainly as a dial-up access solution, but it offers other features as well. In this article, we will explore applications of CiscoSecure other than for dial-up access security. The following is only a preliminary list of CiscoSecure features and applications.
Router Security. CiscoSecure can play a major role in managing security on a router network by centrally locating all pertinent router security information. Centralized control simplifies management and helps ensure easy, safe, and consistent administration of policy. Security controls include specifying commands that users and groups are allowed to execute. For example, unauthorized users are blocked from tampering with router management and configuration, while network administrators can still make changes after they have been authenticated by CiscoSecure.
Audit Trails. CiscoSecure can keep track of what has been done to which routers by whom. This is useful in case something should happen in the network and a router configuration has changed.
Network managers can get a detailed analysis of users' activities on the network, including the network access server (NAS) name and port used, timestamp, and IP address.
Accounting. For large sites, accounting becomes important for billing purposes. The NAS can be configured to send CiscoSecure information pertaining to length of time a user was connected and the number of bytes he or she used, as well as the NAS name and port on which the user connected. This information can be used to bill a user for connection time. In addition, by examining accounting records, system administrators will be able to tell if a user logged in more than once, which is useful for making sure users do not share their accounts with their friends. CCCI is currently developing an add-on to CiscoSecure that will perform automatic multiple login detection. (See side bar.)
CiscoSecure writes all accounting information as text to a file specified in the control file. CCCI is currently developing an add-on program that will convert the existing accounting information into Comma Separated Value (CSV) format, which can be easily imported into most spreadsheet and DBMS applications. (See side bar.) The network administrator can configure how often CiscoSecure should update the accounting file.
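The multiple-login check described in the accounting paragraphs above, as an added example (not CiscoSecure or CCCI code): it replays start/stop accounting records in time order and flags any user who opens a session while another is still active. The tab-separated record layout and the sample records are constructed for illustration; the page does not give CiscoSecure's actual accounting file format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records. The tab-separated layout (timestamp, NAS, user,
# port, event) is an assumption for this example, not CiscoSecure's file format.
SAMPLE_RECORDS = (
    "1997-03-01 09:00:00\tnas1\talice\ttty3\tstart\n"
    "1997-03-01 09:05:00\tnas1\tbob\ttty4\tstart\n"
    "1997-03-01 09:20:00\tnas2\talice\ttty7\tstart\n"
    "1997-03-01 09:30:00\tnas1\talice\ttty3\tstop\n"
    "1997-03-01 09:40:00\tnas1\tbob\ttty4\tstop\n"
    "1997-03-01 09:45:00\tnas2\talice\ttty7\tstop\n"
    "1997-03-01 10:00:00\tnas1\tbob\ttty5\tstart\n"
)

def parse_records(text):
    """Yield (timestamp, nas, user, port, event) tuples from accounting text."""
    for line in text.splitlines():
        if line.strip():
            ts, nas, user, port, event = line.split("\t")
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), nas, user, port, event

def find_multiple_logins(text):
    """Return (user, time, open sessions) for each login made while the same
    user already had another session open."""
    active = defaultdict(set)  # user -> open (nas, port) sessions
    owner = {}                 # (nas, port) -> user currently on that port
    findings = []
    for ts, nas, user, port, event in sorted(parse_records(text), key=lambda r: r[0]):
        session = (nas, port)
        if event == "start":
            # A port holds one caller at a time, so a new start on it means the
            # previous session ended even if its stop record was lost.
            previous = owner.get(session)
            if previous is not None:
                active[previous].discard(session)
            if active[user]:
                findings.append((user, ts, sorted(active[user] | {session})))
            active[user].add(session)
            owner[session] = user
        elif event == "stop" and owner.get(session) == user:
            active[user].discard(session)
            del owner[session]
    return findings

if __name__ == "__main__":
    for user, ts, sessions in find_multiple_logins(SAMPLE_RECORDS):
        print(f"{ts} {user} has concurrent sessions on {sessions}")
```

The port-ownership map keeps a lost stop record from producing a false report of account sharing once another caller has taken over the same NAS port.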
Encryption. CiscoSecure supplements its AAA security features with encryption. The protocol transactions are encrypted so passwords are never subject to unauthorized monitoring. Currently, CiscoSecure uses Message Digest 5 (MD5) to encrypt entire packets.
Grouping Users. CiscoSecure allows grouping of users similar to UNIX grouping. Users can be assigned to groups and then group privileges assigned. This makes the task of managing large networks with lots of users much easier. Groups can be members of other groups, also simplifying the network management task. Using the CiscoSecure GUI, group attributes can be set up with a few clicks of the mouse.
For more information on CiscoSecure, contact Renee Harris at 1-800-447-5967, extension 3009.