Security: Secure Sensitive Data Management
Configuration Files
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
Sensitive Data Zero-Touch Auto Configuration
SSD Zero-Touch Auto Configuration is the auto configuration of target devices with
encrypted sensitive data, without the need to manually pre-configure the target
devices with the passphrase whose key is used to encrypt the sensitive data.
The device currently supports Auto Configuration, which is enabled by default.
When Auto Configuration is enabled on a device and the device receives DHCP
options that specify a file server and a boot file, the device downloads the boot
file (remote configuration file) into the Startup Configuration file from a file server,
and then reboots.
NOTE The file server may be specified by the BOOTP siaddr and sname fields, by
DHCP option 150, or statically configured on the device.
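The script below, added here as an example and not code from the Cisco guide or from Cisco, parses a DHCP reply and collects every file-server and boot-file hint it carries: the BOOTP siaddr and sname fields and option 150 that the guide names, plus the BOOTP file field and option 67 from which the boot file name normally comes. The packet layout follows RFC 2131/2132; which source the switch prefers when several are present is firmware-specific, so the script only collects them. The sample DHCPOFFER is constructed inline, and the allow-list check is part of this example, not a switch feature: it exists because a factory-default switch acts on whatever answer it receives first.

```python
"""Pull the Auto Configuration trigger fields out of a DHCP reply.

Added example, not code from the Cisco guide or from Cisco. The packet layout
follows RFC 2131/2132 (BOOTP header, magic cookie, TLV options); option 150 is
the Cisco TFTP-server-address list the guide mentions. Which of the server
sources the switch prefers is firmware-specific, so this script only collects
them. The sample packet is constructed inline for illustration.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53    # RFC 2132: 2 = DHCPOFFER
OPT_SERVER_ID = 54   # RFC 2132: address of the answering DHCP server
OPT_BOOTFILE = 67    # RFC 2132: bootfile name
OPT_TFTP_LIST = 150  # Cisco: one or more TFTP server IPv4 addresses


def _ip(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


def parse_dhcp(pkt: bytes) -> dict:
    """Return the BOOTP fixed fields plus a {code: bytes} map of options."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    fields = {
        "siaddr": _ip(pkt[20:24]),  # next-server address
        "sname": pkt[44:108].split(b"\x00", 1)[0].decode("ascii", "replace"),
        "file": pkt[108:236].split(b"\x00", 1)[0].decode("ascii", "replace"),
        "options": {},
    }
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:        # pad
            i += 1
            continue
        if code == 255:      # end
            break
        length = pkt[i + 1]
        fields["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return fields


def autoconfig_sources(pkt: bytes) -> dict:
    """Collect every file-server and boot-file hint the reply carries."""
    d = parse_dhcp(pkt)
    opts = d["options"]
    servers = []
    if d["siaddr"] != "0.0.0.0":
        servers.append(d["siaddr"])
    if d["sname"]:
        servers.append(d["sname"])
    raw = opts.get(OPT_TFTP_LIST, b"")
    servers += [_ip(raw[i:i + 4]) for i in range(0, len(raw) - 3, 4)]
    boot_file = opts.get(OPT_BOOTFILE, b"").decode("ascii", "replace") or d["file"]
    sid = opts.get(OPT_SERVER_ID, b"")
    return {
        "file_servers": list(dict.fromkeys(servers)),  # de-duplicated, order kept
        "boot_file": boot_file,
        "dhcp_server": _ip(sid) if len(sid) == 4 else None,
    }


def will_autoconfigure(pkt: bytes) -> bool:
    """True when the reply names both a file server and a boot file."""
    s = autoconfig_sources(pkt)
    return bool(s["file_servers"] and s["boot_file"])


def from_unexpected_server(pkt: bytes, allowed: set) -> bool:
    """A trigger from a server outside the allow-list deserves an alert."""
    return will_autoconfigure(pkt) and autoconfig_sources(pkt)["dhcp_server"] not in allowed


def build_offer(siaddr, server_id, tftp_servers, boot_file, sname=b"", file=b""):
    """Construct a DHCPOFFER for testing (not captured from a real network)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0x8000)
    hdr += bytes(4)                                    # ciaddr
    hdr += ipaddress.IPv4Address("192.0.2.50").packed  # yiaddr
    hdr += ipaddress.IPv4Address(siaddr).packed        # siaddr
    hdr += bytes(4)                                    # giaddr
    hdr += bytes.fromhex("001122334455") + bytes(10)   # chaddr
    hdr += sname.ljust(64, b"\x00") + file.ljust(128, b"\x00")
    opts = bytes([OPT_MSG_TYPE, 1, 2])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    if tftp_servers:
        body = b"".join(ipaddress.IPv4Address(s).packed for s in tftp_servers)
        opts += bytes([OPT_TFTP_LIST, len(body)]) + body
    if boot_file:
        opts += bytes([OPT_BOOTFILE, len(boot_file)]) + boot_file.encode("ascii")
    return hdr + MAGIC_COOKIE + opts + b"\xff"


if __name__ == "__main__":
    offer = build_offer("10.0.0.5", "10.0.0.1", ["10.0.0.5", "10.0.0.6"], "switch-gold.cfg")
    print(autoconfig_sources(offer))
    print("unexpected server:", from_unexpected_server(offer, {"10.0.0.1"}))
```

Fed captured DHCP payloads instead of the constructed one, the same functions give a quick way to see which replies on a segment would make a factory-default switch fetch and apply a configuration, and from whom.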
The user can safely auto configure target devices with encrypted sensitive data
by first creating the configuration file that is to be used in the auto configuration
from a device that contains the configurations. The device must be configured and
instructed to:
• Encrypt the sensitive data in the file
• Enforce the integrity of the file content
• Include the secure authentication configuration commands and SSD rules that
properly control and secure access to the devices and the sensitive data
If the configuration file was generated with a user passphrase and SSD file
passphrase control is Restricted, the resulting configuration file can be
auto-configured to the desired target devices. However, for auto configuration to
succeed with a user-defined passphrase, the target devices must be manually
pre-configured with the same passphrase as the device that generated the file,
which is not zero touch.
If the device creating the configuration file is in Unrestricted passphrase control
mode, the device includes the passphrase in the file. As a result, the user can auto
configure the target devices, including devices that are out-of-the-box or in factory
default, with the configuration file without manually pre-configuring the target
devices with the passphrase. This is zero touch because the target devices learn
the passphrase directly from the configuration file. Because the file then carries
what is needed to decrypt its sensitive data, a copy of the file is as sensitive as
the passphrase itself, and the file server must restrict who can read it.
Devices that are out-of-the-box or in factory default states use the default
anonymous user to access the SCP server, so that user needs read access to the
boot file and should be granted nothing more.
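To check a generated file against the three requirements listed above (encrypted sensitive data, enforced integrity, and whether it embeds the passphrase and is therefore zero-touch capable) before publishing it, the following audit script is added here as an example; it is not from the Cisco guide or from Cisco. The control-block keywords it looks for (ssd-control-start/-end, "file passphrase control", "file integrity control", "passphrase ... encrypted") and the shape of the sample files are assumptions modelled on the guide's description, so compare them with a file your own device generates before relying on the script. Both sample files are constructed.

```python
"""Audit a configuration file before publishing it for SSD zero-touch auto
configuration.

Added example, not from the Cisco guide or from Cisco. The control-block
keywords (ssd-control-start/-end, "file passphrase control", "file integrity
control", "passphrase ... encrypted") are assumptions modelled on the guide's
description; compare them with a file your own device generates. Both sample
files below are constructed.
"""
import re

# Keywords marking lines SSD should have rewritten with the 'encrypted' flag.
SENSITIVE = re.compile(r"\b(password|secret|key|community|passphrase)\b", re.IGNORECASE)

SAMPLE_UNRESTRICTED = """\
ssd-control-start
ssd config
ssd file passphrase control unrestricted
ssd file integrity control enabled
ssd passphrase c29tZS1mYWtlLWJsb2I= encrypted
ssd-control-end cksum 0123456789abcdef
hostname access-sw
username admin password encrypted 5f4dcc3b5aa765d61d8327deb882cf99 privilege 15
snmp-server community ro-public ro
ip ssh server
"""

SAMPLE_RESTRICTED = """\
ssd-control-start
ssd config
ssd file passphrase control restricted
ssd file integrity control disabled
ssd-control-end cksum 0123456789abcdef
hostname access-sw
username admin password encrypted 5f4dcc3b5aa765d61d8327deb882cf99 privilege 15
radius-server key encrypted ZmFrZS1yYWRpdXMta2V5
"""


def audit(cfg: str) -> dict:
    """Parse the (assumed) SSD control block and scan the body for plaintext secrets."""
    in_ctrl, ctrl, plaintext = False, {}, []
    for n, raw in enumerate(cfg.splitlines(), 1):
        s = raw.strip()
        if s == "ssd-control-start":
            in_ctrl, ctrl["present"] = True, True
            continue
        if s.startswith("ssd-control-end"):
            in_ctrl = False
            ctrl["checksum"] = s.split()[-1] if len(s.split()) > 1 else None
            continue
        if in_ctrl:
            m = re.match(r"ssd file passphrase control (\w+)", s)
            if m:
                ctrl["passphrase_control"] = m.group(1).lower()
            m = re.match(r"ssd file integrity control (\w+)", s)
            if m:
                ctrl["integrity"] = m.group(1).lower()
            if s.startswith("ssd passphrase "):
                ctrl["passphrase"] = "encrypted" if s.split()[-1] == "encrypted" else "plaintext"
            continue
        # Body line: a sensitive keyword without the 'encrypted' token is a leak.
        if SENSITIVE.search(s) and not s.startswith("!") and "encrypted" not in s.split():
            plaintext.append((n, s))
    pc = ctrl.get("passphrase_control")
    return {
        "control_block": ctrl.get("present", False),
        "passphrase_control": pc,
        "passphrase_embedded": "passphrase" in ctrl,
        "passphrase_form": ctrl.get("passphrase"),
        "integrity_enforced": ctrl.get("integrity") == "enabled",
        "checksum": ctrl.get("checksum"),
        "plaintext_secrets": plaintext,
        "zero_touch": pc == "unrestricted" and "passphrase" in ctrl,
    }


def findings(report: dict) -> list:
    """Human-readable findings; the zero-touch entry is a handling warning, not a defect."""
    out = []
    if not report["control_block"]:
        out.append("no SSD control block: sensitive data is not SSD-protected")
    if report["zero_touch"]:
        out.append("zero touch: the file carries the passphrase, so a copy of it is as "
                   "sensitive as the passphrase; restrict read access on the file server")
    elif report["passphrase_control"] == "restricted":
        out.append("restricted: targets must be pre-configured with the same passphrase (not zero touch)")
    if report["passphrase_form"] == "plaintext":
        out.append("passphrase is present in clear text")
    if not report["integrity_enforced"]:
        out.append("file integrity control is not enabled: a modified file would be accepted")
    for n, line in report["plaintext_secrets"]:
        out.append(f"line {n}: sensitive item not encrypted: {line}")
    return out


if __name__ == "__main__":
    for name, cfg in (("unrestricted", SAMPLE_UNRESTRICTED), ("restricted", SAMPLE_RESTRICTED)):
        print(name)
        for f in findings(audit(cfg)):
            print("  -", f)
```

The plaintext-secret scan is keyword-based and will produce false positives on lines such as key-generation commands; treat its output as a review list rather than a verdict.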