UNCLASSIFIED   Implementing Security on Cisco Routers   Version 1.0g   139

4.6. Security for Router Network Access Services

Security for Network Access Services deals primarily with controlling remote users who are accessing local resources. An Internet Service Provider would be a good example of this. Cisco provides this security with their authentication, authorization, and accounting (AAA) services. The sub-section below dealing with dial-in users will give an introduction to controlling remote users accessing network resources. But the majority of this section will cover using Cisco's AAA services for controlling access to a router and the security server protocols.

4.6.1. Overview, Basic Concepts, and Support Mechanisms

Cisco's authentication, authorization, and accounting services provide critical security functions necessary for providing remote access to routers and network resources. AAA is the mechanism Cisco recommends for access control. AAA is designed to allow the administrator to configure its services globally or by line and interface. Configuration is performed by using method lists as described later.

When AAA services are enabled on a Cisco router, the older forms of access control are disabled. This means that you can no longer access the commands to configure the older protocols (including the login local and login commands). Where the older access control mechanisms dealt almost solely with user authentication, AAA also has the ability to control each user's access to resources and provides additional accounting capabilities beyond the router's logging facilities. AAA allows you to employ the following sources of user information: RADIUS, TACACS+, Kerberos, the local database, enable, and line passwords.

By using AAA along with a security server you can control access to routers and other network services from a centralized location. This allows for easier management of user accounts and privileges, and provides additional capabilities for auditing of network service usage. When using the local database instead of a security server, AAA is very limited in its authorization capabilities and provides no mechanism for accounting. RADIUS, TACACS+, and Kerberos security servers provide the services required for AAA, except that Kerberos does not accept accounting records. Communications with the three remote security servers are protected, but the initial login still allows the password to traverse the network in the clear. So the remote terminal should be located on the internal network to remotely access the router (see section 4.1.5).

There are three conditions when using a security server can be very effective:

1. when flexible authorization capabilities are required,
2. when accounting is required, and
3. when there is a large number of routers, so that centralized administration becomes advantageous.
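The following IOS configuration is an added illustration of the points above and is not taken from the guide: it places the older per-line access control next to an AAA configuration that uses method lists, a TACACS+ security server with the local database as fallback, and accounting (which only a security server can provide). The server address 10.0.0.5, the internal network 10.0.0.0/24, the list name CONSOLE and every password or key are constructed placeholders.

```cisco
! Before: older per-line access control (constructed example, not from the guide).
! Authentication only; no authorization or accounting, and every router keeps
! its own copy of the user database.
username admin privilege 15 password <PLACEHOLDER-PASSWORD>
line vty 0 4
 login local

! After: AAA enabled. Once "aaa new-model" is entered, "login local" and
! "login" are no longer available on lines; method lists take their place.
aaa new-model
!
! Security server: a TACACS+ host at a placeholder internal address with a
! placeholder shared key. The key protects router-to-server traffic, not the
! user's initial login over the terminal session.
tacacs-server host 10.0.0.5
tacacs-server key <PLACEHOLDER-SHARED-KEY>
!
! Local database, used only as a fallback if the TACACS+ server is unreachable.
username admin privilege 15 secret <PLACEHOLDER-PASSWORD>
enable secret <PLACEHOLDER-ENABLE-SECRET>
!
! Method lists. The "default" list applies globally to every line and
! interface unless a line names a different list.
!   login:      try TACACS+ first, then the local database.
!   exec:       authorize shell access per user; with only the local database
!               this is little more than permit/deny plus a privilege level,
!               which is the limited authorization the text describes.
!   accounting: record EXEC sessions and privilege-15 commands on the
!               server (start and stop records). There is no local equivalent.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! A named list for the console, so physical console access does not depend
! on the network or on the security server being reachable.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
!
! The vty lines use the default list. Because the initial login password
! crosses the network in the clear, limit remote terminals to the internal
! network (placeholder 10.0.0.0/24), as the guide recommends in 4.1.5.
access-list 10 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login authentication default
```

The "before" and "after" halves are alternatives, not meant to coexist on one router. On IOS releases that predate the `username ... secret` form, `username ... password` together with `service password-encryption` is the available substitute; the method lists themselves are unchanged. Adding `group radius` in place of `group tacacs+` swaps in a RADIUS server for the same lists, while Kerberos can serve the authentication list but, as the text notes, cannot take the accounting records.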