Chapter 6: About Support Tools Security

Using IPSecurity with Support Tools

Optionally, you can use IPSecurity to secure communication between the Support Tools Server and Support Tools Nodes. Authentication occurs at the Node when the Support Tools Server makes a request. As such, an IPSec-secured Support Tools Server can make requests to an unsecured Node, but a secured node will not accept requests from an unsecured server.

The Support Tools Server uses a client policy with a filter that requests security. The Support Tools Node uses a client policy that requires security. The filter does not monitor one-to-one connections; instead, it monitors all incoming IP traffic that uses the default Support Tools TCP port (39100). Because the Support Tools Server requests but does not require IPSec from each Node, it does not deny traffic from a Node that is unable to use IPSec.

Support Tools uses the ESP protocol (Encapsulating Security Payload) for authentication only; it does not use encryption. ESP is used for authentication instead of the AH protocol (Authentication Header) because ESP can pass through NAT.

Support Tools uses SHA1 for the integrity algorithm in ESP. The policy uses preshared keys.

Automated IPSec Implementation

On Windows 2003 Server machines, Support Tools gives you the option of using an automated implementation of IPSec.

Support Tools implements IPSec as follows:

You specify the IPSec preshared authentication key to use during Support Tools Server and Node installation. Keys are case-sensitive and limited to 256 characters. Any character except single and double quotation marks, back slash, and pipe can be used.

Note: For Cisco Unified products that include a bundled install of the Support Tools Node (e.g., CVP 4.0), leaving the IP Shared Key value unspecified during installation may cause Support Tools to install disabled. When this occurs, to enable the node you must manually start the Node Agent Service on the target machine.

During installation, Support Tools prompts for a preshared key only when a security policy can be created and assigned. Support Tools creates a security policy subject to these conditions:

If a Cisco policy already exists on the target machine (whether assigned or not), Support Tools will not create a new policy.

If a non-Cisco policy already exists on the target machine and is assigned, Support Tools will not create or assign a Cisco policy.
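The request and require policies described above (ESP with SHA1 integrity and no encryption, preshared-key authentication, a filter on TCP port 39100), written out as an added example using the Windows Server 2003 "netsh ipsec static" context. This is not the Support Tools installer's own script; the policy, filter list, filter action and rule names, the main-mode settings, the per-role filter direction, the existing-policy check and the key placeholder are assumptions.

```batch
@echo off
rem Added example, not the Support Tools installer's own script.
rem Run with the argument SERVER on the Support Tools Server (request
rem security) or NODE on a Support Tools Node (require security).

set PSK=REPLACE-WITH-YOUR-PRESHARED-KEY
set PORT=39100

if /i "%1"=="SERVER" (set POLICY=CiscoSupportToolsServer) else (set POLICY=CiscoSupportToolsNode)

rem Mirror the installer's condition: leave an existing policy of that
rem name untouched (assumed check: grep the policy list for the name).
netsh ipsec static show policy all | findstr /i "%POLICY%" >nul && (
  echo Policy %POLICY% already exists, leaving it untouched.
  goto :eof
)

rem Main mode: 3DES/SHA1, DH group 2 (assumed; the chapter only fixes
rem the quick-mode ESP integrity algorithm).
netsh ipsec static add policy name="%POLICY%" mmsecmethods="3DES-SHA1-2" activatedefaultrule=no

rem Filter on the Support Tools TCP port. Server side: requests it makes
rem to port 39100 on any Node. Node side: traffic arriving on port 39100.
rem mirrored=yes also covers the reply direction.
netsh ipsec static add filterlist name="%POLICY%-Filters"
if /i "%1"=="SERVER" (
  netsh ipsec static add filter filterlist="%POLICY%-Filters" srcaddr=Me dstaddr=Any protocol=TCP srcport=0 dstport=%PORT% mirrored=yes
) else (
  netsh ipsec static add filter filterlist="%POLICY%-Filters" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=%PORT% mirrored=yes
)

rem Filter action: ESP[None,SHA1] = integrity only, no encryption.
rem Server requests security: inpass=yes soft=yes lets an unsecured
rem Node still be reached. Node requires it: inpass=no soft=no.
if /i "%1"=="SERVER" (
  netsh ipsec static add filteraction name="%POLICY%-Action" action=negotiate qmsecmethods="ESP[None,SHA1]" inpass=yes soft=yes
) else (
  netsh ipsec static add filteraction name="%POLICY%-Action" action=negotiate qmsecmethods="ESP[None,SHA1]" inpass=no soft=no
)

rem Rule authenticated with the preshared key only, then assign the policy.
netsh ipsec static add rule name="%POLICY%-Rule" policy="%POLICY%" filterlist="%POLICY%-Filters" filteraction="%POLICY%-Action" kerberos=no psk="%PSK%"
netsh ipsec static set policy name="%POLICY%" assign=y
```

The key must follow the chapter's rules (case-sensitive, at most 256 characters, no single or double quotation marks, backslash or pipe) and must match on the Server and every Node.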

Cisco Support Tools User Guide for Cisco Unified Software Release 2.1(1)