Security: Secure Sensitive Data Management
Configuration Files
Cisco Small Business 200 Series Smart Switch Administration Guide 301
22
A user can display, copy, and upload the complete mirror and backup configuration files, subject to SSD
read permission, the current read mode in the session, and the file SSD indicator in the source file as
follows:
• If there is no file SSD indicator in a mirror or backup configuration file, all users are allowed to access
the file.
• A user with Both read permission can access all mirror and backup configuration files. However, if the
current read mode of the session is different than the file SSD indicator, the user is presented with a
prompt indicating that this action is not allowed.
• A user with Plaintext Only permission can access mirror and backup configuration files if their file
SSD Indicator shows Exclude or Plaintext Only sensitive data.
• A user with Encrypted Only permission can access mirror and backup configuration files with their
file SSD Indicator showing Exclude or Encrypted sensitive data.
• A user with Exclude permission cannot access mirror and backup configuration files with their file
SSD indicator showing either encrypted or plaintext sensitive data.
The user should not manually change the file SSD indicator that conflicts with the sensitive data, if any, in the
file. Otherwise, plaintext sensitive data may be unexpectedly exposed.
Sensitive Data Zero-Touch Auto Configuration
SSD Zero-touch Auto Configuration is the auto configuration of target devices with encrypted sensitive
data, without the need to manually pre-configure the target devices with the passphrase whose key is used
to encrypted the sensitive data.
The device currently supports Auto Configuration, which is enabled by default. When Auto Configuration is
enabled on a device and the device receives DHCP options that specify a file server and a boot file, the
device downloads the boot file (remote configuration file) into the Startup Configuration file from a file
server, and then reboots.
NOTE The file server may be specified by the bootp siaddr and sname fields, as well as DHCP option
150 and statically configured on the device.
The user can safely auto configure target devices with encrypted sensitive data, by first creating the
configuration file that is to be used in the auto configuration from a device that contains the configurations.
The device must be configured and instructed to:
• Encrypt the sensitive data in the file
• Enforce the integrity of the file content
• Include the secure, authentication configuration commands and SSD rules that properly control and
secure the access to devices and the sensitive data
To Next Page
Loading...
Need help?
General