Protect management plane
The management plane carries the traffic used to configure, monitor and maintain a Cisco IOS device: the SSH, Telnet, HTTPS, SNMP, syslog and NTP sessions between the administrator's workstation (or management servers) and the device itself. If this plane is compromised, an attacker gains the same control over the device that an administrator has; if it fails, the ability to manage the device remotely over SSH or Telnet is lost. The following measures help protect the management plane:
- password policy – the password policy should enforce a minimum password length, delay or block logins after a set number of failed attempts within a time window, log failed and successful logins, and store credentials as hashed secrets rather than as clear-text or reversibly "encrypted" passwords.
- role-based access control (RBAC) – roles should be created for the various job functions (for example a read-only help-desk role and a full administrator role). In IOS these are implemented with privilege levels or CLI views, and each user is assigned the role that matches their function, so an operator who only needs to troubleshoot cannot change the configuration.
- AAA services – using AAA (Authentication, Authorization and Accounting) services, a network device consults a centralized RADIUS or TACACS+ server before allowing a login or, with TACACS+, before executing each command, and records who logged in and which commands they executed. A local user account should be kept as a fallback so the device stays manageable if the server is unreachable.
- NTP – using NTP (Network Time Protocol) you synchronize the clocks of all devices in the network, so that log and accounting records carry consistent, trustworthy timestamps and can be correlated across devices during an incident investigation. NTP should be authenticated so that an attacker cannot skew the device clock.
- ACLs – you can control which source IP addresses are allowed to initiate management sessions with the network device by applying an ACL (Access Control List) to the vty lines; other sources should be denied and the denied attempts logged.
- encrypted remote sessions – you should use remote management protocols (such as SSH version 2 and HTTPS) that encrypt all traffic between your workstation and the remote device. Protocols that send data in clear text over the network (such as Telnet, HTTP and SNMPv1/v2c) should be disabled.
- VLANs – it is recommended to use a dedicated management VLAN (ideally a separate out-of-band management network), distinct from the VLANs that carry user data traffic, so that end users cannot reach the device's management addresses directly.
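Putting these measures together, here is an added example (not taken from the original page) of a management-plane hardening configuration for a Cisco IOS 15.x router or Layer 3 switch. The hostname, domain name, server and subnet addresses, VLAN numbers, ACL and AAA method-list names, and every `<...Placeholder>` secret are assumptions to be replaced with your own values; exact keywords vary slightly between IOS releases. The commented block at the top shows the kind of weak vty configuration this replaces, for contrast.

```cisco
! --- Weak settings commonly found on unhardened devices (for contrast, do not use) ---
! line vty 0 4
!  password cisco               <- single shared clear-text password
!  login
!  transport input all          <- Telnet and other clear-text protocols allowed
! (no login lockout, no access-class, no AAA, no NTP)
!
! --- Hardened management plane (placeholder names/addresses are assumptions) ---
hostname R1
ip domain-name example.com
service password-encryption
service timestamps log datetime msec localtime show-timezone
!
! Password policy: minimum length, block logins for 120 s after 3 failures in 60 s,
! 2 s between attempts, log every failure and success, hashed secrets only
security passwords min-length 12
login block-for 120 attempts 3 within 60
login delay 2
login on-failure log
login on-success log
enable secret <EnableSecretPlaceholder>
username netadmin privilege 15 secret <AdminSecretPlaceholder>
!
! AAA: authenticate, authorize (per-command) and account via TACACS+,
! falling back to the local database if the server is unreachable
aaa new-model
tacacs server TAC-01
 address ipv4 10.10.10.5
 key <TacacsKeyPlaceholder>
aaa group server tacacs+ MGMT-TACACS
 server name TAC-01
aaa authentication login MGMT-AUTH group MGMT-TACACS local
aaa authorization exec MGMT-AUTHZ group MGMT-TACACS local
aaa authorization commands 15 MGMT-AUTHZ group MGMT-TACACS local
aaa accounting exec MGMT-ACCT start-stop group MGMT-TACACS
aaa accounting commands 15 MGMT-ACCT start-stop group MGMT-TACACS
!
! RBAC: a CLI view that permits only read-only troubleshooting commands
! (requires aaa new-model; run 'enable view' in EXEC mode before creating views)
parser view HELPDESK
 secret <ViewSecretPlaceholder>
 commands exec include show ip interface brief
 commands exec include show interfaces
 commands exec include show logging
 commands exec include ping
username helpdesk view HELPDESK secret <HelpdeskSecretPlaceholder>
!
! NTP: authenticated time source so log and accounting timestamps are trustworthy
clock timezone UTC 0
ntp authentication-key 1 md5 <NtpKeyPlaceholder>
ntp authenticate
ntp trusted-key 1
ntp server 10.10.10.2 key 1
!
! ACL: only the management subnet may open vty sessions; log everything else
ip access-list standard MGMT-HOSTS
 permit 10.10.99.0 0.0.0.255
 deny   any log
!
! Encrypted remote access: SSHv2 only, 2048-bit RSA host key, no Telnet or HTTP
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
no ip http server
no ip http secure-server
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login authentication MGMT-AUTH
 authorization exec MGMT-AUTHZ
 authorization commands 15 MGMT-AUTHZ
 accounting exec MGMT-ACCT
 accounting commands 15 MGMT-ACCT
!
! Separate management VLAN (switch): users sit in VLAN 10, management in VLAN 99
vlan 10
 name DATA
vlan 99
 name MANAGEMENT
interface Vlan99
 description Management SVI, reachable only from 10.10.99.0/24
 ip address 10.10.99.2 255.255.255.0
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
```

Apply changes like these from the console, or keep an existing SSH session open while a second session tests the new vty settings, so a typo in the ACL or AAA method list cannot lock you out; the `local` fallback in each method list serves the same purpose when the TACACS+ server is down. Verify the result with `show running-config | section vty`, `show ip ssh`, `show login`, `show ntp status` and `show parser view` (from inside the view), and confirm from a host outside 10.10.99.0/24 that an SSH connection attempt is refused and logged.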