Hardening Guidelines

When hardening the system, consider the following guidelines:

  • Refer to the host platform's hardening guides. For example:

    Note

    The above links reference external websites and Cisco is not responsible for keeping them up-to-date. They are provided for reference only. If you find that the content is outdated or if you cannot access the links, please contact the website owner for updated information.

  • Disable or block the ports that are not used by Cisco Prime Network Registrar. The Cisco Prime Network Registrar documentation describes the port usage and also the issues with firewall features such as connection tracking.

    • For a list of ports used by Cisco Prime Network Registrar, see the "Default Ports for Cisco Prime Network Registrar Services" section in the Cisco Prime Network Registrar 11.0 Administration Guide. Note that some are defaults and may have been changed during install or configuration.

    • For connection tracking related issues, see the "DNS Performance and Firewall Connection Tracking" section in the Cisco Prime Network Registrar 11.0 Administration Guide.

  • Install Cisco Prime Network Registrar using a non-root account and use the security features (that is, use HTTPS and require secure SCP sessions).

  • Confirm that any product directories (primarily, /opt/nwreg2/* and /var/nwreg2/*) are locked down as appropriate. Note that you may need to adjust the protection based on your needs (such as for performing offline backups and viewing logs).

  • DNS-specific considerations include:

    • Use DNS Security Extensions (DNSSEC):

      DNSSEC provides origin authority, data integrity, and authenticated denial of existence. With DNSSEC, the DNS protocol is much less susceptible to certain types of attacks, particularly DNS spoofing attacks. DNSSEC provides protection against malicious or forged answers by adding digital signatures into DNS data, so each DNS response can be verified for integrity and authenticity.

      The Authoritative DNS Server in Cisco Prime Network Registrar 9.0 and earlier does not support signing of zones. Starting from Cisco Prime Network Registrar 10.0, Authoritative DNSSEC support adds authentication and integrity to DNS zones. With this support, the Cisco Prime Network Registrar DNS server can serve both secure and unsecure zones. For more information, see the "Managing Authoritative DNSSEC" section in the Cisco Prime Network Registrar 11.0 Authoritative and Caching DNS User Guide.

    • Secure DNS server activity with ACLs:

      • Restricting Zone Queries—The restrict-query-acl attribute on the DNS server serves as a default value for zones that do not have restrict-query-acl explicitly set.

      • Restricting Zone Transfer Requests—Use the restrict-xfer-acl attribute to filter the zone transfer request to the known secondary servers.

      • Restricting DDNS Updates—Use the update-acl attribute to accept DDNS update packets only from the known DHCP servers.

    • Secure zone transfers and DNS updates using TSIG or GSS-TSIG:

      Zone transfer in secure mode supports both HMAC-MD5 based TSIG and GSS-TSIG. You can add an optional TSIG key or GSS-TSIG key (see the "Transaction Security" or "GSS-TSIG" sections in the Cisco Prime Network Registrar 11.0 DHCP User Guide) to the primary server address by hyphenating the entry in the format address-key. For each entry, click Add IP Key.

      For more information, see the "Creating a Zone Distribution" section in the Cisco Prime Network Registrar 11.0 Authoritative and Caching DNS User Guide.

    • Randomize Query IDs and Source Ports.

    • DNS Rate Limiting—See the "Managing Caching Rate Limiting" section in the Cisco Prime Network Registrar 11.0 Authoritative and Caching DNS User Guide.

    • Separate Recursive Server and Authoritative Server roles.

  • DHCP-specific considerations include:

  • Consider using external user authentication as password rules (that is, change frequency, length, and difficulty checks) can typically be implemented for Active Directory (LDAP) and RADIUS users. See the "External Authentication Servers" section in the Cisco Prime Network Registrar 11.0 Administration Guide.
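Two items in the checklist above can be verified directly on the host: that nothing listens on ports the product does not need, and that the product directories (/opt/nwreg2 and /var/nwreg2) are not writable by, or owned by, accounts other than the service account. The following POSIX shell script is an added example and is not part of the Cisco documentation or the product. The port allow-list and the service account name are placeholders: the real list of ports must be taken from the "Default Ports for Cisco Prime Network Registrar Services" section of the Administration Guide, and the account is whichever non-root user the product was installed under. The socket listing embedded in the script is constructed sample data in the layout of `ss -lntu` output.

```shell
#!/bin/sh
# Hardening audit for a Cisco Prime Network Registrar host (added example).

# ASSUMPTION: placeholder allow-list. Replace with the ports documented in the
# Administration Guide's "Default Ports" section as they are configured on
# this host (22 for SCP, 53 DNS, 67 DHCP, 8443 for the HTTPS web UI here).
ALLOWED_PORTS="22 53 67 8443"

# ASSUMPTION: the non-root account the product was installed under.
SERVICE_USER="nwreg2"

# unexpected_listeners "<space separated allowed ports>"
# Reads an `ss -lntu` style listing on stdin and prints "proto/port" for
# every listening socket whose port is not in the allow-list. The header
# line is skipped because its first field is "Netid", not tcp or udp.
unexpected_listeners() {
    allowed=" $1 "
    awk -v allowed="$allowed" '
        $1 == "tcp" || $1 == "udp" {
            # Local address is field 5; the port follows the last colon,
            # which also handles "[::]:53" and "*:53" forms.
            n = split($5, parts, ":")
            port = parts[n]
            if (index(allowed, " " port " ") == 0) print $1 "/" port
        }'
}

# insecure_paths OWNER DIR...
# Prints every path under DIR that is world-writable (-perm -002) or not
# owned by OWNER. Missing directories are reported on stderr and skipped.
insecure_paths() {
    owner=$1
    shift
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "missing: $dir" >&2
            continue
        fi
        find "$dir" \( -perm -002 -o ! -user "$owner" \) -print
    done
}

# Constructed sample listing: DNS, DHCP, SSH and the web UI are expected;
# telnet (23) and a loopback service on 6379 are not in the allow-list.
SAMPLE_LISTING='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*
udp   UNCONN 0      0               [::]:53           [::]:*
udp   UNCONN 0      0            0.0.0.0:67        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8443      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:6379      0.0.0.0:*'

# Audit the live host only when invoked as "sh audit.sh audit", so the
# functions can also be sourced from other scripts.
if [ "${1:-}" = "audit" ]; then
    echo "== listening ports not in the allow-list =="
    ss -lntu | unexpected_listeners "$ALLOWED_PORTS"
    echo "== world-writable or foreign-owned product paths =="
    insecure_paths "$SERVICE_USER" /opt/nwreg2 /var/nwreg2
fi
```

Run on the sample data, `unexpected_listeners` reports `tcp/23` and `tcp/6379`; on a real host, anything it prints is either a port to add to the allow-list (after confirming it against the Administration Guide) or a service to disable or block. `insecure_paths` prints nothing on a correctly locked-down install; if offline backups or log viewing require group access, grant it to a dedicated group rather than relaxing the world bits, which is what the check looks for.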