UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
4.6. Security for Router Network Access Services
Security for Network Access Services deals primarily with controlling remote users
who are accessing local resources; an Internet Service Provider is a good example.
Cisco provides this security with its authentication, authorization, and accounting
(AAA) services. The sub-section below on dial-in users gives an introduction to
controlling remote users who access network resources, but the majority of this
section covers using Cisco's AAA services to control access to the router itself,
together with the security server protocols that AAA relies on.
4.6.1. Overview, Basic Concepts, and Support Mechanisms
Cisco's authentication, authorization, and accounting services provide critical
security functions necessary for providing remote access to routers and network
resources. AAA is the mechanism Cisco recommends for access control. AAA is
designed to allow the administrator to configure its services globally, or per line
and per interface. Configuration is performed using method lists, as described later.
When AAA services are enabled on a Cisco router, the older forms of access control
are disabled. This means that you can no longer access the commands that configure
the older mechanisms (including the login local and login commands). Where the
older access control mechanisms dealt almost solely with user authentication, AAA
can also control each user's access to resources, and it provides accounting
capabilities beyond the router's logging facilities. AAA allows you to employ the
following sources of user information: RADIUS, TACACS+, Kerberos, the local
database, the enable password, and line passwords.
By using AAA together with a security server you can control access to routers and
other network services from a centralized location. This allows for easier
management of user accounts and privileges, and provides additional capabilities for
auditing network service usage. When the local database is used instead of a
security server, AAA is very limited in its authorization capabilities and provides no
mechanism for accounting. RADIUS, TACACS+, and Kerberos security servers
provide the services required for AAA, except that Kerberos does not accept
accounting records. Communications with the three remote security servers are
protected, but the initial login still allows the password to traverse the network in
the clear, so the remote terminal used to access the router should be located on the
internal network (see section 4.1.5). There are three conditions under which using a
security server can be very effective:
1. when flexible authorization capabilities are required,
2. when accounting is required, and
3. when there is a large number of routers, so that centralized administration
becomes advantageous.
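The configuration below is an added illustration of the concepts in this sub-section; it is not taken from the guide or from Cisco documentation. It shows AAA enabled on a Cisco IOS router with a TACACS+ security server as the first method and the local database as fallback, a default method list that covers all lines, and a separate named list for the console. The server address 10.1.1.5, the shared key, and the passwords are placeholders chosen for the example and must be replaced.

```cisco
! Added example (not from the guide): AAA with a TACACS+ security server and
! local-database fallback. 10.1.1.5, the shared key and all passwords are
! placeholders.
!
! Enable AAA. From this point the older "login" and "login local" line
! commands are no longer available; lines are controlled by method lists.
aaa new-model
!
! The security server. The shared key protects the traffic between the
! router and the server; it does not protect the user's initial login,
! which still crosses the network in the clear (see section 4.1.5).
tacacs-server host 10.1.1.5
tacacs-server key REPLACE-WITH-SHARED-KEY
!
! Local accounts and the enable secret, consulted only if the server
! does not respond. A rejection by the server is final: "local" is a
! fallback for an unreachable server, not a second chance at the password.
username admin privilege 15 secret REPLACE-WITH-PASSWORD
enable secret REPLACE-WITH-ENABLE-PASSWORD
!
! Authentication method lists. "default" applies to every line that
! does not name another list; methods are tried in the order written.
! The named list CONSOLE uses only the local database so that the
! console remains usable when the server is down.
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
!
! Authorization: the server decides whether a user gets an EXEC shell
! and which level-15 commands are permitted. With only the local
! database, authorization is limited to the account's privilege level.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: session and privileged-command records are sent to the
! server. The local database cannot receive accounting records, so there
! is no local fallback for these lists.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Apply the lists per line. The VTY lines would use "default" even
! without the explicit command; it is written out here for clarity.
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
```

The ordering of methods in each list is the security-relevant choice: placing local after group tacacs+ keeps the router reachable during a server outage, while placing it first would bypass the central policy entirely. The console list deliberately omits the server so that an administrator at the device can still log in while the network or the server is unavailable.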