Securing SSH Admin Access
Cisco Live 2014, 4/25/2017
Pragma Systems Fortress SSH
Cisco Enterprise Routing Products
The Threat: Unauthorized access to command line
- Stolen passwords
- Revoked / Expired Public Keys
- Spoofing the client

NEW: Only from Cisco and Pragma
- X.509 certificate with RFC 6187 (single factor): Server side certificate validation
- CAC/smartcard with RFC 6187 (2 factor): Most secure authentication, Server side certificate and PIN
First end-to-end solution with Cisco and Pragma Systems
- Most secure
- Government Certified
- Standard RFC-6187

For customers that need:
- Secure access to command line
- With two factor authentication
- Authenticate with X.509 certificate & PIN

Many government, financial and healthcare institutions have significant regulatory compliance, governance and secure file access and sharing restrictions. Today’s security environment requires multi factor and secure authentication to our organizations’ most trusted secrets and data. Cisco Systems have partnered to provide the *only* government approved and FIPS certified SSH solution that provides remote and secure access to Cisco routers and switches for the ultimate in reliability, access and control.

Only RFC compliant solution.
Before: only keys.
Now: RFC 6187, SSH authentication with X.509 certificates.
Metadata can be used: check Revocation, Expiration, EKU (e.g., a role).
Combined with a CAC/smartcard, this permits secure 2-factor authentication and allows the server to validate certificate metadata.
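What lets the server check that metadata is the RFC 6187 public key format, which carries the user's certificate chain and optional OCSP responses instead of a bare key. The parser below is an added example, not code from Cisco or Pragma; it splits such a blob with bounds checks so the DER certificates can be handed to X.509 validation (expiration, revocation, EKU). The `MAX_CERTS` limit, function names and sample bytes are assumptions made for the illustration.

```python
import struct

# Algorithm names from RFC 6187; ECDSA names end in a curve identifier.
X509_ALGS = ("x509v3-ssh-dss", "x509v3-ssh-rsa", "x509v3-rsa2048-sha256")
ECDSA_PREFIX = "x509v3-ecdsa-sha2-"
MAX_CERTS = 16  # assumption: local sanity limit, not a value from the RFC

class BlobError(ValueError):
    """Raised when a key blob is malformed or not an X.509 key type."""

def read_u32(buf, off):
    if off + 4 > len(buf):
        raise BlobError("truncated uint32")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def read_string(buf, off):
    n, off = read_u32(buf, off)
    if off + n > len(buf):
        raise BlobError("string length exceeds blob")
    return buf[off:off + n], off + n

def parse_x509_key_blob(blob):
    """Return (algorithm, [DER certs, user's first], [OCSP responses])."""
    name, off = read_string(blob, 0)
    alg = name.decode("ascii", "replace")
    if alg not in X509_ALGS and not alg.startswith(ECDSA_PREFIX):
        raise BlobError("not an RFC 6187 key type: " + alg)
    count, off = read_u32(blob, off)
    if not 1 <= count <= MAX_CERTS:
        raise BlobError("certificate-count out of range")
    certs = []
    for _ in range(count):
        der, off = read_string(blob, off)
        certs.append(der)
    ocsp_count, off = read_u32(blob, off)
    if ocsp_count > count:  # RFC 6187: no more responses than certificates
        raise BlobError("more OCSP responses than certificates")
    ocsp = []
    for _ in range(ocsp_count):
        resp, off = read_string(blob, off)
        ocsp.append(resp)
    if off != len(blob):
        raise BlobError("trailing bytes after OCSP responses")
    return alg, certs, ocsp

def ssh_string(data):
    return struct.pack(">I", len(data)) + data

# Constructed sample: placeholder bytes stand in for real DER certificates.
SAMPLE = (ssh_string(b"x509v3-ssh-rsa") + struct.pack(">I", 2)
          + ssh_string(b"USER-CERT-DER") + ssh_string(b"CA-CERT-DER")
          + struct.pack(">I", 0))
```

A plain `ssh-rsa` key blob is rejected by this parser, which is the "before, only keys" case: it carries no certificate for the server to validate.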
SSH Access with DoD Common Access Cards
Diagram labels: X.509 Authentication; SSH Session Establishment; Cisco SSH Server Feature; Pragma Fortress CL SSH Client; CAC card reader
Demonstration
To reach the router or switch, the end-user starts an SSH session on their PC: start SSH from the “Fortress CL” icon (Fortress CL Client).
User inserts Smart Card. The smart card has the user’s credentials. Using CAC cards with Pragma FortressCL: the card gets loaded into the machine store.
User now clicks the “connect” button.
User enters User-ID, selects the Smart Card / CAC button, and clicks on the ellipsis button.
If end-user has more than one credential, he selects the certificate that he wants to use. Certificates are stored on the smart-card.
Click on connect David.S.Kulwin
End-user enters PIN. Router now has: certificate and PIN; user name. SSH handshake now proceeds.
SSH session starts from end-user PC to Cisco Router.
For Secure Access:
- Easy to use two-factor authentication
- X.509 Certificates for SSH
- Standards Compliant
- FIPS certified

For Further Information:
- Contact your Pragma representative for a demonstration or 30 day trial version: Sales@pragmasys.com
- Contact your Cisco Systems sales representative.