Understanding CiscoWorks2000 Security
The CiscoWorks2000 Server software is not designed to be a fully secured environment in and of itself. It provides some of the security controls necessary for a web-based network management system but relies heavily on the end user's own security measures and control to provide a secure computing environment for CiscoWorks2000 applications. The CiscoWorks2000 Server provides and requires three levels of security:
- General security that is partially implemented by the client components of CiscoWorks2000 and by the system administrator.
- Server security that is partially implemented by the server components of CiscoWorks2000 and by the system administrator.
- Application security implemented by the client and server components of the CiscoWorks2000 applications.
This section describes the general and server security levels. The application security levels are described in "Setting Up the CiscoWorks2000 Server".
The CiscoWorks2000 Server provides an environment that allows the deployment of web-based network management applications. Web access provides an easy-to-use and easy-to-access computing paradigm, but one that is much harder to secure than the traditional style of computing, which requires a login to an operating system before applications can be executed.
The CiscoWorks2000 Server provides the security mechanisms (authentication and authorization) needed to prevent unauthenticated access to the CiscoWorks2000 Server and unauthorized access to CiscoWorks2000 applications and data. Since the CiscoWorks2000 applications are capable of changing the behavior and security of your network devices, it is critical that access to the applications and servers be limited to those personnel who need access to applications or the data that the applications provide. Limit CiscoWorks2000 logins to just the systems administrator. Limit connectivity access to the CiscoWorks2000 Server by putting it behind a firewall.
The following are two aspects of CiscoWorks2000 Server security:
- Security imposed by the server components
- Security imposed by the system administrator
The CiscoWorks2000 Server uses the basic security mechanisms of the UNIX operating system to protect the code and data files that reside on the server.
The CiscoWorks2000 Server provides the following security mechanisms:
Files, File Ownership, and Permissions
- UNIX Systems---CiscoWorks2000 must be installed by a user with root privilege and is installed as the user bin. All files and directories are owned by bin with group also equal to bin. Temporary files are created as the user bin with permissions set to "read-write" for the user bin and "read" for members of group bin. The only exception to this rule is the log files created by the CiscoWorks2000 web server and diskwatcher. The CiscoWorks2000 web server and diskwatcher must be started as "root"; therefore, their log files are owned by the user root with "group=bin."
- Windows NT Systems---CiscoWorks2000 must be installed by the administrator and is installed as the user bin. The CiscoWorks2000 Server relies on the security mechanisms of the NTFS filesystem to provide access control on Windows NT systems. If CiscoWorks2000 is installed on a FAT filesystem, most of the security assumptions made about controlled access to files and network management data are not valid. The user bin is created at install time and given a random password. The CiscoWorks2000 Server uses the password, but the bin user is never intended as a general user of the Windows NT system. No one should ever be required to log on to the Windows NT system as bin. All files and directories are owned by bin, with read and write access for the user bin and the administrator. Temporary files are created as the user bin with permissions set to read-write for the user bin.
Runtime
- UNIX Systems---Typically CiscoWorks2000 back-end processes are executed with permissions set to the user ID of the binary file (for example, if user "Joe" owns an executable file, it will be executed by the CiscoWorks2000 daemon manager under the user ID of "Joe").
- The exception is the root user ID. To prevent a potentially harmful program from being executed by the daemon manager with root permissions, the daemon manager will execute only a limited set of CiscoWorks2000 programs that need root privilege. This list is not documented to preclude any user from trying to impersonate these programs.
- CiscoWorks2000 foreground processes (typically cgi-bin programs or servlets) are executed under the control of the web server's children processes or the servlet engine which all run as the user bin.
- CiscoWorks2000 uses standard UNIX tftp and rcp services and requires that the user bin have access to the directories that these services read and write to.
- The CiscoWorks2000 Server must allow the user bin to run "cron" and "at" jobs so that the Resource Manager Essentials Software Image Manager can run image download jobs.
- All back-end processes are executed with a umask value of 027, which means that all files created by these programs are created with permissions equal to "rwxr-x---," with an owner and group of the user ID and group of the program that created it. Typically this will be "bin" and "group=bin."
- Windows NT---CiscoWorks2000 back-end processes are executed with permissions set to the user bin. Some of the special CiscoWorks2000 Server processes are run as a Windows NT service under the "localsystem" user ID.
- The following is a list of these processes:
  - Daemon manager
  - Web server
  - Servlet engine
  - Rcp/rsh service
  - Tftp service
  - Corba service
  - Database engine
- CiscoWorks2000 foreground processes (typically cgi-bin programs or servlets) are executed under the control of the web server and the servlet engine which all run as the user localsystem. The localsystem user has special permissions on the local Windows NT system but has no network permissions.
- CiscoWorks2000 provides several services for RCP and TFTP communication with devices. These services are targeted for use by CiscoWorks2000 applications but can be used for purposes other than network management.
- The CiscoWorks2000 Server uses the AT command to run software update jobs for the Resource Manager Essentials Software Image Manager application.
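The UNIX ownership and umask rules above can be checked with a short audit. This added example is not Cisco code; it assumes the install directory is passed as an argument (the page does not name it), treats any root-owned regular file as one of the permitted web server or diskwatcher logs, and applies the umask 027 test to every entry, which is stricter than the page states.

```python
import grp
import os
import pwd
import stat
import sys

UMASK = 0o027  # from the page: back-end processes run with umask 027


def id_name(lookup, ident, field):
    """Resolve a uid/gid to a name; fall back to the number if unmapped."""
    try:
        return getattr(lookup(ident), field)
    except KeyError:
        return str(ident)


def audit_tree(root, owner="bin", group="bin", root_log_owner="root"):
    """Return (path, problem) pairs for entries that break the documented rules."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on a symlink itself are not meaningful
            user = id_name(pwd.getpwuid, st.st_uid, "pw_name")
            grp_name = id_name(grp.getgrgid, st.st_gid, "gr_name")
            if user == root_log_owner and user != owner:
                # Assumption: a root-owned regular file is one of the web
                # server or diskwatcher logs; anything else is reported.
                if not stat.S_ISREG(st.st_mode):
                    findings.append((path, "root-owned but not a regular file"))
            elif user != owner:
                findings.append((path, f"owner is {user}, expected {owner}"))
            if grp_name != group:
                findings.append((path, f"group is {grp_name}, expected {group}"))
            mode = stat.S_IMODE(st.st_mode)
            if mode & UMASK:  # group-write or any "other" access bit is set
                findings.append((path, f"mode {oct(mode)} has bits umask 027 clears"))
    return findings


if __name__ == "__main__" and len(sys.argv) == 2:
    # The install directory is not given on the page; pass it as an argument.
    for path, problem in audit_tree(sys.argv[1]):
        print(f"{path}: {problem}")
```

Root-owned files that the audit accepts still need a manual look to confirm they are the logs described above and not something else.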
Off-machine Connectivity
- UNIX Systems---The CiscoWorks2000 daemon manager will not respond to requests to start, stop, register, or show status for CiscoWorks2000 back-end processes from computers other than the CiscoWorks2000 Server.
- Windows NT Systems---The CiscoWorks2000 daemon manager will not respond to requests to start, stop, register, or show status for CiscoWorks2000 back-end processes from computers other than the CiscoWorks2000 Server.
Access to Systems Other Than the CiscoWorks2000 Server
- UNIX Systems---Systems used by the CiscoWorks2000 Server as remote sources of device information for importing into the Resource Manager Essentials Inventory Manager application, must allow the user bin to perform remote shell operations on the user that owns the device information.
- The UNIX user bin is a user ID that is not typically enabled for login. Using this user ID as the user ID under which to install the CiscoWorks2000 Server software makes the installation process easier and, in general, provides more limited access to the CiscoWorks2000 Server because bin is not a valid login ID, as there is no password assigned to it. There are some issues to consider regarding the use of the user ID bin: the bin user on UNIX systems is capable of performing system and possibly network-wide operations that could be harmful to the system or the network. Because of this, we recommend that the system administrator review and adopt the security recommendations in the "System Administrator-Imposed Security" section below.
- Windows NT Systems---Systems used by the CiscoWorks2000 Server as remote sources of device information for importing into the Resource Manager Essentials Inventory Manager application, must allow the user bin to perform remote shell operations on the user that owns the device information.
- The user bin, created as part of the install process, has no special permissions or considerations on a Windows NT system, so it is a "safe" user ID under which to execute the CiscoWorks2000 Server and application code. Since the localsystem user on Windows NT systems is capable of performing operations that could be harmful to the system, there are a few things to consider regarding the use of the localsystem user ID for running some of the back-end processes. The localsystem user ID is not capable of network operations. Because of this, we recommend that the system administrator review and adopt the security recommendations in the "System Administrator-Imposed Security" section.
System Administrator-Imposed Security
Web servers have a long history of being susceptible to break-ins. The version of the Apache web server that is in the current release of the CiscoWorks2000 Server has had a lot of security-related bug fixes. The CiscoWorks2000 Server development team knows of no specific ways to break into the server and of no back doors to it, but to maximize CiscoWorks2000 Server security, we suggest that you follow these guidelines:
- Do not allow users other than the systems administrator to have a login on the CiscoWorks2000 Server.
- Do not allow the CiscoWorks2000 Server file systems to be mounted remotely with NFS or any other file-sharing protocol.
- Limit remote access (for example, FTP, RCP, RSH) to the CiscoWorks2000 Server to those users who are permitted to log in to the CiscoWorks2000 Server.
- Place your network management servers behind firewalls to prevent access to the systems from outside of your organization.







Posted: Tue Nov 23 10:20:00 PST 1999
Copyright 1989-1999©Cisco Systems Inc.