4.2 Configure a Remote Backup Schedule

Information

NX-OS can be configured to initiate remote backups using scheduled jobs. This recommendation can also be satisfied (and likely satisfied better) using a host based backup tool, using SSH or SCP.

Rationale:

Remote backups are preferred over local backups, as an attacker that has compromised a device also has full access to any locally stored files (which local backups are). In that situation, an attacker can modify or delete the stored backups, impeding any recovery or remediation efforts.

Impact:

A host-based backup solution is preferred over one configured on the switch itself. Switch-initiated backups have several security issues, which by protocol are:

TFTP - cleartext, so the backup is susceptible to interception or modification over the wire, and the target filesystem allows unauthenticated writes (and usually unauthenticated reads)

FTP or HTTP - cleartext, so the backup is susceptible to interception or modification over the wire; credentials are embedded in the job configuration

HTTPS, SCP or SFTP - encrypted, but credentials are still embedded in the job configuration

Solution

Note that this first example job uses TFTP for backups. The risk here is that the backup is sent in cleartext, so it can be intercepted and/or modified in transit.

switch(config)# scheduler job name [backup-cfg]
switch(config-job)# copy running-config tftp://1.2.3.4/$(SWITCHNAME)-cfg.$(TIMESTAMP) vrf management

This example job uses SCP. The risk here is that the credentials need to be embedded in the configuration, so they can be recovered if the switch configuration (or a backup of it) is compromised. As this is true for all local passwords, the risk may be deemed low in some organizations.

switch(config)# scheduler aaa-authentication username <username> password <some complex password>

switch(config)# scheduler job name <backup-cfg>
switch(config-job)# copy running-config scp://1.2.3.4/$(SWITCHNAME)-cfg.$(TIMESTAMP) vrf management

Whatever protocol is used, set a timetable for the backup job:

switch(config)# scheduler schedule name [backups]
switch(config-schedule)# job name <backup-cfg>
switch(config-schedule)# time weekly [day 00:00]

While this can certainly work, if the backup server IP address should ever change, the effort to fix this across multiple switches can be both error-prone and time-intensive. It is normally recommended that the backup host pull configurations from the NX-OS switch over SSH or SCP, rather than having the switch push them to the host. As this host-to-switch configuration resides on the remote host, it cannot be audited from the switch.
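The Impact section above ranks backup protocols by risk; the following is an added audit helper (not part of the benchmark or of Tenable's plugin) that parses the scheduler job blocks of a saved NX-OS running-config and flags any copy job using a cleartext protocol, or an encrypted one that still relies on credentials stored in the configuration. The config text is a constructed sample and the 192.0.2.10 address is an assumption.

```python
import re

# Constructed sample of NX-OS running-config output (not from a real device).
SAMPLE_CONFIG = """\
feature scheduler
scheduler aaa-authentication username backup password 7 <redacted>
scheduler job name backup-cfg
  copy running-config tftp://192.0.2.10/$(SWITCHNAME)-cfg.$(TIMESTAMP) vrf management
scheduler job name backup-scp
  copy running-config scp://192.0.2.10/$(SWITCHNAME)-cfg.$(TIMESTAMP) vrf management
scheduler schedule name backups
  job name backup-cfg
  time weekly 1:00:00
"""

CLEARTEXT = {"tftp", "ftp", "http"}          # interceptable/modifiable in transit
ENCRYPTED = {"https", "scp", "sftp"}         # protected in transit, credentials on switch


def parse_jobs(config: str) -> dict:
    """Return {job_name: [command, ...]} for every 'scheduler job name' block.

    A block consists of the indented lines that follow the job header; any
    non-indented line ends the current block.
    """
    jobs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"scheduler job name (\S+)", line)
        if m:
            current = m.group(1)
            jobs[current] = []
        elif line.startswith(" ") and current is not None:
            jobs[current].append(line.strip())
        elif line.strip():
            current = None
    return jobs


def assess_jobs(config: str) -> list:
    """Return (job, protocol, finding) for each config-copy job that carries risk."""
    findings = []
    for name, cmds in parse_jobs(config).items():
        for cmd in cmds:
            m = re.match(r"copy running-config (\w+)://", cmd)
            if not m:
                continue
            proto = m.group(1).lower()
            if proto in CLEARTEXT:
                findings.append((name, proto, "configuration sent in cleartext"))
            elif proto in ENCRYPTED:
                findings.append((name, proto, "encrypted, but credentials embedded in config"))
    return findings


if __name__ == "__main__":
    for job, proto, why in assess_jobs(SAMPLE_CONFIG):
        print(f"{job}: {proto} - {why}")
```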

See Also

https://workbench.cisecurity.org/files/3102

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING

References: 800-53|CM-3, 800-53|CP-9, CSCv7|10.2, CSCv7|11.3

Plugin: Cisco

Control ID: e3575824adb5b1372b54c26aa0f76f4e3e8e3e744c8529ed88acf05e7e67e5e4