Configuring Security Settings
This chapter describes how to configure security settings for the system. It includes the following sections:
•  Configuring General Security Settings
•  Managing User Permissions
•  Configuring RADIUS Server Authentication
•  Configuring TACACS+ Server Authentication
•  Configuring Management ACL Rules
•  Configuring Web Settings
Configuring General Security Settings
You can prioritize the local, RADIUS, and TACACS+ authentication methods for the system and set the authorization policy and default user for RADIUS and TACACS+ authorization in the Administration > Security: General Settings page.
Note: Make sure to put the authentication methods in the order in which you want authentication to occur. If authorization fails on the first method, the next method is attempted, and so forth, until all the methods have been attempted.
Note: To set TACACS+ authorization levels (admin or read-only) to allow certain members of a group to log in, add the following attribute to users on the TACACS+ server:
service = rbt-exec {
local-user-name = "monitor"
}
where you replace monitor with admin for write access.
For details about setting up RADIUS and TACACS+ servers, see the SteelHead Deployment Guide.
To set general security settings
1. Choose Administration > Security: General Settings to display the General Security Settings page.
Figure: General Security Settings Page
2. Under Authentication Methods, complete the configuration as described in this table.
Control
Description
Authentication Methods
Specify an authentication method from the drop-down list. The methods are listed in the order in which they occur. If authorization fails on the first method, the next method is attempted, and so forth, until all the methods have been attempted.
For RADIUS/TACACS+, fallback only when servers are unavailable
When checked, the system falls back to a RADIUS or TACACS+ server only when all of the other servers have not responded. This is the default setting.
When this feature is disabled, the SteelHead Interceptor does not fall back to the RADIUS or TACACS+ servers. If it exhausts the other servers and does not get a response, it returns a server failure.
Authorization Policy
Appears only for some Authentication Methods. Optionally, select one of these policies from the drop-down list:
•  Remote First - Check the remote server first for an authentication policy, and only check locally if the remote server does not have one set. This is the default behavior.
•  Remote Only - Only checks the remote server.
•  Local Only - Only checks the local server. All remote users are mapped to the user specified under Default User. Any vendor attributes received from an authentication server are ignored.
Default User
Appears only for some Authentication Methods. Specify the default user. Select one of these choices (admin or monitor) from the drop-down list.
Apply
Applies your settings to the running configuration.
3. Click Save to save your settings permanently.
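How the Authentication Methods order, the fallback setting, the Authorization Policy, the Default User and the TACACS+ rbt-exec local-user-name attribute fit together, as an added Python model that is not Riverbed code. The server stand-ins, account names and passwords are constructed; the model reads the default fallback setting as: the next method is tried only when none of the current method's servers responded, while a reject from a responding server ends the login attempt.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
# Possible answers from one attempt against one RADIUS or TACACS+ server.
ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no_response"

@dataclass
class RemoteServer:
    name: str
    # Constructed stand-in for the server: returns (answer, local-user-name or None);
    # a TACACS+ server carries the role in 'service = rbt-exec { local-user-name = "..." }'.
    respond: Callable[[str, str], Tuple[str, Optional[str]]]
    retries: int = 1      # the Retries control (0 to 5, default 1)

def query(server, user, password):
    """Send the request up to 1 + retries times; the first definite answer wins."""
    for _ in range(1 + server.retries):
        answer, role = server.respond(user, password)
        if answer != NO_RESPONSE:
            return answer, role
    return NO_RESPONSE, None

def authorize(remote_role, policy, default_user):
    """Map the remote answer to a local account under the Authorization Policy."""
    if policy == "local_only":
        return "ok", default_user      # every remote user maps to the default user; attributes ignored
    if remote_role in ("admin", "monitor"):
        return "ok", remote_role       # role supplied by the server
    if policy == "remote_only":
        return "denied", None          # the server set no role and nothing else is consulted
    return "ok", default_user          # remote_first: no remote role, so use the default user

def authenticate(methods, local_accounts, user, password, policy="remote_first", default_user="monitor"):
    """methods: ordered list of ("local", None) or ("radius" | "tacacs+", [servers]). Models the
    default 'fallback only when servers are unavailable' setting as read here: a reject from a
    responding server ends the login; the next method is tried only when every server stayed silent."""
    for method, servers in methods:
        if method == "local":
            ok = local_accounts.get(user) == password
            return ("ok", user) if ok else ("denied", None)
        for server in servers:
            answer, role = query(server, user, password)
            if answer == REJECT:
                return "denied", None
            if answer == ACCEPT:
                return authorize(role, policy, default_user)
        # no server of this method answered: fall through to the next method
    return "server_failure", None

# Constructed servers and accounts for a demonstration run.
def tacacs_primary(user, password):
    if (user, password) == ("alice", "s3cret"):
        return ACCEPT, "admin"     # user has local-user-name = "admin" in rbt-exec
    if user == "carol":
        return ACCEPT, None        # authenticated, but no rbt-exec attribute set
    return REJECT, None

METHODS = [("tacacs+", [RemoteServer("tacacs-backup", lambda u, p: (NO_RESPONSE, None), retries=2),
                        RemoteServer("tacacs-primary", tacacs_primary)]),
           ("local", None)]
LOCAL_ACCOUNTS = {"admin": "ChangeMe!", "monitor": "ReadOnly!"}
```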
Managing User Permissions
You can check or modify the admin and monitor user accounts in the User Permissions page.
The administrator user has full privileges in the SteelHead Interceptor. For example, as an administrator you can set and modify configuration settings, restart the Interceptor service, reboot the appliance, and create and display performance and system reports.
A monitor user can display Interceptor reports and system logs; a monitor user cannot make configuration changes to the SteelHead Interceptor.
Note: The default administrator password is password.
You can change the administrator or monitor passwords, and define role-based users in the Administration > Security: User Permissions page.
The system has two accounts that determine what actions the user can take:
•  Admin - The administrator user has full privileges. For example, as an administrator you can set and modify configuration settings, add and delete users, restart and reboot Interceptor services, and create and view performance and system reports.
•  Monitor - A monitor user can view reports. A monitor user cannot make configuration changes or change his or her password.
To set the administrator or monitor password
1. Choose Administration > Security: User Permissions to display the User Permissions page.
Figure: User Permissions Page
2. Under Capability Based Accounts, complete the configuration as described in this table.
Control
Description
admin/monitor
Click one of the usernames to manage either the administrator or monitor account password.
Clear Login Failure Details
Click Clear Login Failure Details to reset the password and unlock the account.
When the user logs into their account successfully, RiOS resets the login failure count.
The password reset feature is separate from the account lockout feature.
Change Password
Select the check box to change the password.
•  New Password - Specify the new password.
•  New Password Confirm - Confirm the new password.
Enable Account
Select or clear this option to enable or disable the administrator or monitor account.
3. Click Apply.
4. Click Save to save your settings permanently.
Configuring RADIUS Server Authentication
You set up RADIUS server authentication in the Administration > Security: RADIUS page.
RADIUS is an access control protocol that uses a challenge and response method for authenticating users. Setting up RADIUS server authentication is optional.
For details about setting up RADIUS and TACACS+ servers, see the SteelHead Deployment Guide.
To set RADIUS server authentication
1. Choose Administration > Security: RADIUS to display the RADIUS page.
Figure: RADIUS Page
2. Under Default RADIUS Settings, complete the configuration as described in this table.
Control
Description
Set a Global Default Key
Enables a global server key for the RADIUS server.
Global Key
Specify the global server key.
Confirm Global Key
Confirm the global server key.
Timeout (seconds)
Specify the time-out period in seconds (1 to 60). The default value is 3.
Retries
Specify the number of times you want to allow the user to retry authentication (0 to 5). The default value is 1.
3. Click Apply to apply the settings to the current configuration.
4. Under RADIUS Servers, complete the configuration as described in this table.
Control
Description
Add a RADIUS Server
Displays the controls for defining a new RADIUS server.
Hostname or IP Address
Specify the hostname or IP address of the server.
Authentication Port
Specify the port for the server. The default value is 1812.
Authentication Type
Select either PAP or CHAP as the authentication type.
Override the Global Default Key
Overrides the global server key for the server.
Server Key - Specify the override server key.
Confirm Server Key - Confirm the override server key.
Timeout (seconds)
Specify the time-out period in seconds (1 to 60). The default value is 3.
Retries
Specify the number of times you want to allow the user to retry authentication. Valid values are 0 to 5. The default value is 1.
Enabled
Enables the new server.
Add
Adds the RADIUS server to the list.
Remove Selected
Select the check box next to the name and click Remove Selected.
Note: If you add a new server to your network and you do not specify these settings at that time, the global settings are applied automatically.
5. Click Apply to apply the settings to the current configuration.
6. Click Save to save your settings permanently.
Configuring TACACS+ Server Authentication
You set up TACACS+ server authentication in the TACACS+ page.
Enabling this feature is optional.
TACACS+ is an authentication protocol that allows a remote access server to forward a login password for a user to an authentication server to determine whether access is allowed to a given system.
For details about configuring RADIUS and TACACS+ servers to accept login requests from the SteelHead, see the SteelHead Deployment Guide.
To set a TACACS+ server
1. Choose Administration > Security: TACACS+ to display the TACACS+ page.
Figure: TACACS+ Page
2. Under Default TACACS+ Settings, complete the configuration as described in this table.
Control
Description
Set a Global Default Key
Select this option to enable a global server key for the server.
Global Key
Specify the global server key.
Confirm Global Key
Confirm the global server key.
Timeout (seconds)
Specify the time-out period in seconds (1 to 60). The default value is 3.
Retries
Specify the number of times you want to allow the user to retry authentication. Valid values are 0 to 5. The default is 1.
3. Click Apply to apply the settings to the current configuration.
4. Under TACACS+ Servers, complete the configuration as described in this table.
Control
Description
Add a TACACS+ Server
Displays the controls for defining a new TACACS+ server, as described in this table.
Hostname or IP Address
Specify the hostname or IP address of the server.
Authentication Port
Specify the port for the server. The default value is 49.
Authentication Type
Select either PAP or ASCII as the authentication type.
Override the Global Default Key
Select this option to override the global server key for the server.
Server Key
Specify the override server key.
Confirm Server Key
Confirm the override server key.
Timeout (seconds)
Specify the time-out period in seconds (1 to 60). The default is 3.
Retries
Specify the number of times you want to allow the user to retry authentication. Valid values are 0 to 5. The default is 1.
Enabled
Enables the new server.
Add
Adds the TACACS+ server to the list.
Remove Selected
Select the check box next to the name and click Remove Selected.
Note: If you add a new server to your network and you do not specify these fields at that time, the global settings are applied automatically.
5. Click Save to save your settings permanently.
Configuring Management ACL Rules
You can secure access to a SteelHead Interceptor using an internal management Access Control List (ACL) in the Administration > Security: Management ACL page.
SteelHead Interceptors are subject to the network policies defined by a corporate security policy, particularly in large networks. Using an internal management ACL, you can complete the following tasks:
•  Restrict access to certain interfaces or protocols of a SteelHead Interceptor.
•  Restrict inbound IP access to a SteelHead Interceptor, protecting it from access by hosts that do not have permission without using a separate device (such as a router or firewall).
•  Specify which hosts or groups of hosts can access and manage a SteelHead Interceptor by IP address, simplifying the integration of SteelHead Interceptors into your network.
The Management ACL provides the following safeguards to prevent accidental disconnection from the SteelHead Interceptor:
•  It detects the IP address you are connecting from and displays a warning if you add a rule that denies connections to that address.
•  It converts well-known port and protocol combinations such as SSH, Telnet, HTTP, HTTPS, SNMP, and SOAP into their default management service and protects these services from disconnection. For example, if you specify protocol 6 (TCP) and port 22, the management ACL converts this port and protocol combination into SSH and protects it from denial.
•  It tracks changes to default service ports and automatically updates any references to changed ports in the access rules.
To set up a management ACL
1. Choose Administration > Security: Management ACL to display the Management ACL page.
Figure: Management ACL Page
2. Under Management ACL Settings, complete the configuration as described in this table.
Control
Description
Enable Management ACL
Secures access to a SteelHead Interceptor using a management ACL.
3. Click Apply to apply your changes to the running configuration.
4. Click Save to save your settings permanently.
Caution: If you add, delete, edit, or move a rule that could disconnect connections to the SteelHead Interceptor, a warning message appears. Click Confirm to override the warning and allow the rule definition anyway. Use caution when overriding a disconnect warning.
To add an ACL management rule
1. Under Add a New Rule, complete the configuration as described in this table.
Control
Description
Add a New Rule
Displays the controls for adding a new rule.
Action
Select one of the following rule types from the drop-down list:
•  Allow - Allows a matching packet access to the SteelHead Interceptor. This is the default action.
•  Deny - Denies access to any matching packets.
Service
Select All, or select a specific protocol (such as HTTP, HTTPS, SOAP, SNMP, SSH or Telnet) from the drop-down list. When a specific protocol is selected, the Protocol and Destination Port fields are unavailable.
Protocol
(Appears only when Service is set to All.) Select All, TCP, UDP, or ICMP from the drop-down list. The default setting is All. When set to All or ICMP, the Destination Port is unavailable.
Destination Port
(Appears only when the Protocol is set to UDP or TCP.) Specify the destination port of the inbound packet, either a single port value or a port range of port1-port2, where port1 must be less than port2. Leave it blank to specify all ports.
Source Network
Optionally, specify the source subnet of the inbound packet; for example, 1.2.3.0/24.
Interface
Optionally, select an interface type from the drop-down list. Select All to specify all interfaces.
Description
Optionally, describe the rule to facilitate administration.
Rule Number
Optionally, select a rule number from the drop-down list (Start, 1, or End). By default, the rule goes to the end of the table (just above the default rule).
SteelHeads evaluate rules in numerical order starting with rule 1. If the conditions set in the rule match, then the rule is applied, and the system moves on to the next packet. If the conditions set in the rule do not match, the system consults the next rule; for example, if the conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied, and no further rules are consulted.
Note: The default rule, Allow, which allows all remaining traffic that no other rule has matched, cannot be removed and is always listed last.
Log Packets
Tracks denied packets in the log. By default, packet logging is enabled.
Add
Adds the rule to the list. The Management Console displays the Rules table and applies your modifications to the running configuration, which is stored in memory.
Remove Selected
Select the check box next to the name and click Remove Selected.
Move Selected
Moves the selected rules. Click the arrow next to the desired rule position; the rule moves to the new position.
2. Click Save to save your settings permanently.
Configuring Web Settings
You can modify web user interface and certificate settings in the Administration > Security: Web Settings page.
To modify web settings
1. Choose Administration > Security: Web Settings to display the Web Settings page.
Figure: Web Settings Page
2. Under Web Settings, complete the configuration as described in this table.
Control
Description
Default Web Login ID
Specify the username that appears on the authentication page. The default value is admin.
Web Inactivity Timeout (minutes)
Specify the number of idle minutes before the session times out. The default value is 15. A value of 0 disables this feature.
Allow Session Timeouts When Viewing Auto-Refreshing Pages
By default, session time-out is enabled, which stops the automatic updating of the report pages when the session times out. Clear this box to disable the session time-out, remain logged-in indefinitely, and automatically refresh the report pages.
Caution: Disabling this feature poses a security risk.
3. Click Apply to apply the settings to the current configuration.
4. Click Save to save your settings permanently.
Managing Web SSL Certificates
You manage the SSL certificates that the Interceptor Management Console web user interface uses for HTTPS. You can:
•  Generate the certificate and key pairs.
•  Create certificate signing requests from the certificate and key pairs.
•  Replace a signed certificate.
To modify web certificates
1. Choose Administration > Security: Web Settings to display the Web Settings page.
2. Under Web Certificate, select the Details tab.
Detail
Description
Issued To/Issued By
Common Name - Displays the common name of the certificate authority.
Email - Displays the email of the appliance administrator.
Organization - Displays the organization name (for example, the company).
Locality - Displays the city.
State - Displays the state.
Country - Displays the country.
Validity
Issued On - Displays the date the certificate was issued.
Expires On - Displays the date the certificate expires.
Fingerprint
Displays the SSL fingerprint.
Key
Type - Displays the key type.
Size - Displays the size in bytes.
3. Under Web Certificate, select the PEM tab to view the certificate details.
4. Under Web Certificate, select the Replace tab and complete the configuration using the controls described in this table.
Control
Description
Import Certificate and Private Key
Select this option if the CA-signed certificate and the existing private key are located in two files.
Under Certificate, use the controls to browse to the certificate (in PKCS-12, PEM, or DER formats) or use the text box to copy and paste the certificate (PEM format only).
Under Private Key, select one of the following options:
•  The Private Key is in a separate file (see below) - you can either upload it or copy and paste it.
•  This file includes the Certificate and Private Key
•  The Private Key for this Certificate was created with a CSR generated on this appliance
Separate Private Key - (Available only if the private key is in a separate file.) Use the controls to browse to and upload the private key (PEM or DER formats only) or use the text box to copy and paste the private key (PEM format only).
Decryption Password - (Available only if you are importing a CA-signed certificate and private key.) Enter the decryption password. The password is required for PKCS-12 files.
Import Certificate And Key - Imports certificate and key.
Generate Self-Signed Certificate and New Private Key
Select this option to generate a self-signed certificate and a new private key.
Under Self-Signed Certificate, enter the following information:
•  Organization Name - Specify the organization name (for example, the company).
•  Organization Unit Name - Specify the organization unit name (for example, the section or department).
•  Locality - Specify the city.
•  State - Specify the state.
•  Country - Specify the country (two-letter code).
•  Email Address - Specify the email address of the contact person.
•  Validity Period (Days) - Specify how many days the certificate is valid. The range is from 60 to 3650 days. The default value is 730.
Private Key - Specify the key length in bits for the private key.
Generate Certificate And Key - Generates the certificate and private key.
5. Under Web Certificate, select the Generate CSR tab and complete the configuration using the controls described in this table.
Control
Description
Common Name
Specify the common name (hostname).
Organization Name
Specify the organization name (for example, the company).
Organization Unit Name
Specify the organization unit name (for example, the section or department).
Locality
Specify the city.
State
Specify the state. Do not abbreviate.
Country
Specify the country (two-letter code).
Email Address
Specify the email address of the contact person.
Generate CSR
Generates the Certificate Signing Request.
6. Click Apply to apply your changes to the running configuration.
7. Click Save to save your settings permanently.