Cisco: We made UCS secure but need your help to finish the job
New hardening guide suggests shutting old services, expiring admins and locking logs
Cisco has released a hardening guide for its unified computing system (UCS) that reveals the company's servers do most things right - all manner of potentially-insecure services are off by default - but also offers plenty of suggestions to make sure risks don't increase during production.
The document centres on hardening the three network planes of management, control, and data, covering access rights through the UCS client manager, deploying encryption, and secure logging, including NVRAM and system event logs.
Information from management sessions pertaining to UCS devices could make the system a target of attacks or a source for further attacks. Cisco noted that privileged access to UCS devices granted full administrative control and recommended management sessions be locked down.
Unused services that were deliberately enabled but have since been left to linger should be shut down as part of security best practice, while access control lists should be flicked on for routers and firewalls as a "critical security control".
Traffic from interactive management sessions must be encrypted to prevent attackers nabbing sensitive information about devices and networks, the guide said.
The un-deleteable admin account must have a strong password, while other administrative accounts should have expiry dates set.
While admins were plucking accounts, Cisco recommended they limit the number of login sessions to one and turn on and configure SSH.
It pointed out that UCS server logging over UDP was unencrypted, meaning admins should be careful about where the logs were stored, using crypto when the information was sent to remote destinations. System event logs could be exported with Secure Copy Protocol and Secure File Transfer Protocol, the guide noted.
System event log passwords should be different from those used on corporate accounts, as should those used to protect Intelligent Platform Management Interface access.
"Implementing the hardening best practices discussed in this document will increase the security of the UCS system thus increasing overall security to the network the UCS is located in," Cisco wrote. ®