© 2020 Cisco and/or its affiliates. All rights reserved.
Page 64 of 76
also be extended to provide RBAC for administrators through the use of AD groups. The use of an external
directory or data store can also provide a single point to grant or revoke credentials, not only for administrative
access control to multiple infrastructure devices, but for access to other resources within the organization.
Where possible, the selection of a strong password—consisting of
a minimum length, and combination of letters,
numbers, and/or special characters—should be enforced. Where possible, a maximum number of unsuccessful
attempts to access the device, before the account is disabled for a
period of time, should also be enforced.
Successful and unsuccessful attempts should be logged either locally or to a central logging server. This helps
mitigate against (and/or alert appropriate network operations staff about) brute force attempts to gain access to
infrastructure devices. Where multiple levels of administrative access are supported, it is recommended you
enforce them, with administrators having the minimum access level required for
performing their respective
tasks. It is also recommended that you limit the number of concurrent logins from a single username.
It may be advantageous to limit where access to the wireless infrastructure device is initiated from and what
protocols are allowed. You can accomplish this in multiple ways. For example, you can deploy the
management interface of WLAN controllers on a separate VLAN (and therefore a separate IP subnet) from
wireless client traffic. In such a deployment, an access-control list (ACL) deployed on the Layer 3 switch
adjacent to the WLAN controller can limit access to the management interface. This shifts
the CPU burden of an
ACL off the WLAN controller to the Layer 3 switch. Alternatively, you can configure a CPU ACL on the WLAN
controller to filter management protocols. You can also disallow management of the WLAN controller via a
wireless device, a method that may also provide additional security if the intention is to manage the wireless
infrastructure from a central network operations center.
Access to wireless infrastructure devices should be via secure protocols such as HTTPS and SSHv2 where
possible. Access via non-encrypted protocols such as HTTP and Telnet should be disabled where possible.
This protects the confidentiality of the information within the management session.
When using SNMP, it is
recommended that you enable SNMPv3 where possible. SNMPv2c relies on a shared community string that is
sent in clear text across the network. Take caution when using SNMPv2c, particularly when using SNMP for
read/write access. SNMPv3 uses unique credentials (userid/password) and can also provide encryption and
data authentication services to SNMP traffic.
Do'stlaringiz bilan baham: