Securing the CacheFlow Management Console

Article ID: 166879

Products

CacheFlow Appliance Software CF-5000 CF-500

Issue/Introduction

Best practices for securing the CacheFlow Management Console.

Resolution

1. Configure a dedicated interface on the CacheFlow that is used only for management access and is reachable only from the management network. This is out-of-band management access.

#conf t
#(config)interface 1:0
#(config interface 1:0)ip-address 10.10.10.2 255.255.255.0
2. Modify the management services (SSH, HTTPS and SNMP) so that they listen only on the configured management IP and port. Connection attempts to the other IP addresses configured on the CacheFlow will be reset.

#conf t
#(config)management-services
#(config management-services)edit SSH-Console
#(config SSH-Console)add 10.10.10.2 22
#(config SSH-Console)remove all 22
#(config SSH-Console)exit

#(config management-services)edit HTTPS-Console
#(config HTTPS-Console)add 10.10.10.2 8082
#(config HTTPS-Console)remove all 8082
#(config HTTPS-Console)exit

#(config management-services)edit SNMP
#(config SNMP)remove all 161
#(config SNMP)add 10.10.10.2 161
#(config SNMP)exit

3. Modify the HTTPS-Console to only use TLSv1.1 or TLSv1.2 and Medium to High strength ciphers.

#conf t
#(config)management-services
#(config management-services)edit HTTPS-Console
#(config HTTPS-Console)attribute ssl-versions tlsv1.1 tlsv1.2
#(config HTTPS-Console)attribute cipher-suite
Cipher#  Use  Description      Strength
-------  ---  ---------------  --------
      1  yes  RC4-MD5          Medium
      2  yes  RC4-SHA          Medium
      3  yes  DES-CBC3-SHA     High
      4  no   DES-CBC-SHA      Low
      5  no   EXP-RC4-MD5      Export
      6  no   EXP-RC2-CBC-MD5  Export
      7  no   EXP-DES-CBC-SHA  Export
      8  yes  AES128-SHA       Medium
      9  yes  AES256-SHA       High

Select cipher numbers to use, separated by commas: 1,2,3,8,9

4. Configure an Access-List on the CacheFlow to only accept management-service connections from authorized IP addresses and enable it.

#conf t
#(config)security allowed-access add 10.10.1.0 255.255.255.0
#(config)security enforce-acl enable

5. Configure an Access-List on the CacheFlow to only accept SNMP connections from authorized IP addresses and enable it. See KB article 000011030 for SNMP configuration details.

#conf t
#(config)snmp
#(config snmp)edit community test
#(config snmp community test)authorization access-list
#(config snmp community access test)add 10.10.2.0 255.255.255.0
#(config snmp community access test)enable
#(config snmp community access test)exit
#(config snmp community test)exit
#(config snmp)exit

6. Configure static routes with the inline static-route-table command. This step is necessary so that replies to management traffic are routed back through the management gateway (10.10.10.1) rather than the default gateway.

#inline static-route-table <eof>
10.10.2.0 255.255.255.0 10.10.10.1
10.10.1.0 255.255.255.0 10.10.10.1
<eof>

7. Modify the default ssl-device-profile to only use TLSv1.1 or TLSv1.2 and Medium to High strength ciphers.

#conf t
#(config)ssl
#(config ssl)edit ssl-device-profile default
#(config device-profile default)protocol tlsv1.1 tlsv1.2
#(config device-profile default)cipher-suite
Cipher#  Use  Description                  Strength
-------  ---  ---------------------------  --------
      1  no   ECDHE-RSA-AES128-SHA256      High
      2  no   ECDHE-RSA-AES128-GCM-SHA256  High
      3  no   ECDHE-RSA-AES128-SHA         High
      4  no   ECDHE-RSA-AES256-SHA         High
      5  no   ECDHE-RSA-RC4-SHA            Medium
      6  no   AES128-SHA256                High
      7  no   AES256-SHA256                High
      8  yes  AES128-SHA                   Medium
      9  yes  AES256-SHA                   High
     10  no   DHE-RSA-AES128-SHA           High
     11  no   DHE-RSA-AES256-SHA           High
     12  yes  DES-CBC3-SHA                 Low
     13  yes  RC4-SHA                      Medium
     14  yes  RC4-MD5                      Medium
     15  no   DES-CBC-SHA                  Low

Select cipher numbers to use, separated by commas: 1,2,3,4,6,7,9,10,11
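Steps 3 and 7 both end at the interactive "Select cipher numbers to use" prompt, where it is easy to type a number that is not in the table or that maps to a Low or Export cipher. This added example (not part of the article or of the CacheFlow software) parses the table as the CLI prints it, builds the selection from the Strength column, and audits an existing selection against the table; the list of algorithms it rejects regardless of the appliance's label (RC4, MD5, export, single DES) is this example's own policy assumption.

```python
import re
# Strength labels as printed by the CacheFlow cipher-suite prompt, ranked weakest to strongest.
STRENGTH_RANK = {"Export": 0, "Low": 1, "Medium": 2, "High": 3}
# Algorithms this example rejects whatever the appliance's label says (this example's policy, not the page's);
# "DES-CBC-" matches single DES only, since 3DES prints as DES-CBC3-SHA and is judged by its label.
WEAK_TOKENS = ("RC4", "MD5", "EXP-", "DES-CBC-")
ROW_RE = re.compile(r"^\s*(\d+)\s+(yes|no)\s+(\S+)\s+(Export|Low|Medium|High)\s*$")

def parse_cipher_table(text):
    """Parse the 'Cipher#  Use  Description  Strength' listing into {number: (name, strength, enabled)}."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)          # the header and dashed separator lines do not match
        if m:
            rows[int(m[1])] = (m[3], m[4], m[2] == "yes")
    return rows
def is_weak(name):
    return any(tok in name for tok in WEAK_TOKENS)
def select_ciphers(rows, min_strength="Medium", exclude_weak=True):
    """Build the answer for 'Select cipher numbers to use, separated by commas:'."""
    chosen = [n for n, (name, strength, _) in sorted(rows.items())
              if STRENGTH_RANK[strength] >= STRENGTH_RANK[min_strength]
              and not (exclude_weak and is_weak(name))]
    return ",".join(map(str, chosen))
def audit_selection(rows, selection, min_strength="Medium"):
    """List every problem with a selection string typed against this table (empty list means clean)."""
    problems = []
    for n in map(int, selection.split(",")):
        if n not in rows:
            problems.append(f"{n}: not in table")
        elif STRENGTH_RANK[rows[n][1]] < STRENGTH_RANK[min_strength]:
            problems.append(f"{n}: {rows[n][0]} is {rows[n][1]}")
        elif is_weak(rows[n][0]):
            problems.append(f"{n}: {rows[n][0]} uses a broken algorithm")
    return problems

# Constructed sample: the HTTPS-Console table as printed in step 3 of this article.
STEP3_TABLE = """
Cipher#  Use  Description      Strength
-------  ---  ---------------  --------
      1  yes  RC4-MD5          Medium
      2  yes  RC4-SHA          Medium
      3  yes  DES-CBC3-SHA     High
      4  no   DES-CBC-SHA      Low
      5  no   EXP-RC4-MD5      Export
      6  no   EXP-RC2-CBC-MD5  Export
      7  no   EXP-DES-CBC-SHA  Export
      8  yes  AES128-SHA       Medium
      9  yes  AES256-SHA       High
"""
```

Running `select_ciphers(parse_cipher_table(STEP3_TABLE))` yields `3,8,9` under the example's policy, and `audit_selection` on a selection such as `1,2,3,4,6,7,9,10,11` reports the Low and Export entries and the numbers that do not exist in a nine-row table.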

8. As an additional security measure, Blue Coat highly recommends that you secure the CacheFlow appliance's serial console port during initial configuration.

Additional Information

As of May 1st, 2020, some services require TLSv1.2 connections.

In order to use TLSv1.2 the CacheFlow must be running version 3.4.2.5 or later.