
Cisco SG500X-24P Administration Guide

Cisco SG500X-24P
548 pages
Security: Secure Sensitive Data Management
Configuration Files
453 Cisco 500 Series Stackable Managed Switch Administration Guide Release 1.3
23
• A user with Exclude permission cannot access mirror and backup
configuration files with their file SSD indicator showing either encrypted or
plaintext sensitive data.
The user should not manually change the file SSD indicator to a value that
conflicts with the sensitive data, if any, in the file. Otherwise, plaintext
sensitive data may be unexpectedly exposed.
Sensitive Data Zero-Touch Auto Configuration
SSD Zero-touch Auto Configuration is the auto configuration of target devices with
encrypted sensitive data, without the need to manually pre-configure the target
devices with the passphrase whose key is used to encrypt the sensitive data.
The device currently supports Auto Configuration, which is enabled by default.
When Auto Configuration is enabled on a device and the device receives DHCP
options that specify a file server and a boot file, the device downloads the boot
file (remote configuration file) into the Startup Configuration file from a file server,
and then reboots.
NOTE The file server may be specified by the bootp siaddr and sname
fields, as well as by DHCP option 150, or it may be statically configured on the device.
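An added example, not taken from the Cisco guide: because Auto Configuration is on by default and loads whatever boot file the DHCP reply points to, it is useful to audit which file servers a captured reply actually names. The parser below lists the siaddr, sname and option 150 hints; the `file` field, option 67 and option 52 handling follow RFC 2131/2132 rather than this page, and the approved-server list, function names and sample packet are assumptions constructed for illustration.

```python
import ipaddress
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options area

def parse_options(buf):
    """Walk the TLV-encoded DHCP options and return {code: value bytes}."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == 255:                       # End option
            break
        if code == 0:                         # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated DHCP option %d" % code)
        length = buf[i + 1]
        opts[code] = opts.get(code, b"") + buf[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def autoconfig_sources(pkt):
    """Return the file-server and boot-file hints carried in one BOOTP/DHCP reply."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts = parse_options(pkt[240:])
    overload = (opts.get(52) or b"\x00")[0]   # bit 0: file, bit 1: sname hold options
    cstr = lambda b: b.split(b"\x00", 1)[0].decode("ascii", "replace")
    siaddr = str(ipaddress.IPv4Address(pkt[20:24]))
    o150 = opts.get(150, b"")                 # list of 4-byte server addresses
    return {
        "siaddr": None if siaddr == "0.0.0.0" else siaddr,
        "sname": None if overload & 2 else (cstr(pkt[44:108]) or None),
        "file": None if overload & 1 else (cstr(pkt[108:236]) or None),
        "option_67_bootfile": cstr(opts[67]) if 67 in opts else None,
        "option_150": [str(ipaddress.IPv4Address(o150[j:j + 4]))
                       for j in range(0, len(o150) // 4 * 4, 4)],
    }

def unapproved_servers(sources, approved):
    """Server hints in the reply that are not on the operator's approved list."""
    seen = [sources["siaddr"], sources["sname"], *sources["option_150"]]
    return sorted({s for s in seen if s and s not in approved})

def sample_reply():
    # Constructed reply: documentation-range addresses, hypothetical names.
    hdr = bytes([2, 1, 6, 0]) + bytes(16) + bytes([192, 0, 2, 10]) + bytes(20)
    hdr += b"tftp.example.net".ljust(64, b"\0") + b"sw-startup.cfg".ljust(128, b"\0")
    return hdr + MAGIC + bytes([53, 1, 5, 150, 8, 192, 0, 2, 10, 198, 51, 100, 7, 255])
```

The parser reports every hint it finds and does not model which one the switch prefers, since the page does not state a precedence.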
The user can safely auto configure target devices with encrypted sensitive data,
by first creating the configuration file that is to be used in the auto configuration
from a device that contains the configurations. The device must be configured and
instructed to:
• Encrypt the sensitive data in the file
• Enforce the integrity of the file content
• Include the secure, authentication configuration commands and SSD rules
that properly control and secure the access to devices and the sensitive
data
If the configuration file was generated with a user passphrase and SSD file
passphrase control is Restricted, the resulting configuration file can be
auto-configured to the desired target devices. However, for auto configuration to
succeed with a user-defined passphrase, the target devices must be manually
pre-configured with the same passphrase as the device that generates the files,
which is not zero touch.
