UNCLASSIFIED Implementing Security on Cisco Routers Version 1.0g UNCLASSIFIED 153

The Message of the Day should be used to provide the legal notice for controlling access to the device and allowing for monitoring. This message should be generic and, ideally, the same on all of your routers, firewalls, servers, workstations, etc.

Next, configure the security server and turn on AAA mechanisms. Since the shared secret for the TACACS+ server is stored in the clear, do not reuse the router's shared secret with any other device. Since communications to the security server are protected and the connection does not leave the corporate boundary, it is acceptable to allow communications to the server outside the router.

With the aaa authentication login command, make sure local is in the method list, as described earlier. Notice that the default accounting for exec is set to start-stop and that a named list was created for wait-start. By applying the named list to external connections and letting the default list apply automatically to the console, you will not be locked out of the router. Use connection accounting to track outbound connections generated by users logged onto the router; these should be minimal. Also include system and commands 15 accounting, since this router is providing protection to a special enclave.

As before, create and apply an access-list to the vty's to limit remote access to internal networks only and, if possible, limit the remote hosts by actual host IP addresses instead of a network address. Issue the login local command on the console and vty's in case AAA services get turned off. This will continue to allow limited remote access based upon the local database and is ignored while AAA mechanisms are still running. Also limit remote access to telnet only and limit the connection idle time to 5 minutes. The auxiliary port is disabled in this example.
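The configuration just described, written out as an added example (this is not the guide's own example configuration): the server and management-host addresses, the list name REMOTE-VTY and the banner text are constructed placeholders, and the TACACS+ key must be replaced with a secret unique to this router.

```cisco
! Added example configuration (not the guide's own); addresses and names are placeholders.
! Generic legal notice shown before login; keep it identical across all devices.
banner motd ^C
UNAUTHORIZED ACCESS PROHIBITED. All activity on this device may be monitored and recorded.
^C
!
! TACACS+ server; the key is stored in the clear, so it must not be shared with any other device.
tacacs-server host 10.10.0.5
tacacs-server key REPLACE-WITH-ROUTER-UNIQUE-SECRET
!
aaa new-model
! local stays in the method list so an unreachable TACACS+ server cannot lock you out.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! Default exec accounting (start-stop) applies automatically to the console;
! the named wait-start list is applied only to remote (vty) connections.
aaa accounting exec default start-stop group tacacs+
aaa accounting exec REMOTE-VTY wait-start group tacacs+
! Outbound connections by logged-in users, level-15 commands and system events.
aaa accounting connection default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
! Permit remote access from named management hosts only, not a whole network.
access-list 10 permit host 10.20.0.11
access-list 10 permit host 10.20.0.12
access-list 10 deny any log
!
line con 0
 exec-timeout 5 0
 login local
!
line vty 0 4
 access-class 10 in
 login local
 accounting exec REMOTE-VTY
 accounting connection default
 transport input telnet
 exec-timeout 5 0
!
! Auxiliary port disabled.
line aux 0
 no exec
 transport input none
```

As the guide notes, the login local entries on the lines only take effect if AAA is turned off; while aaa new-model is active the AAA method lists govern login.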
If a RADIUS server was used in this example instead of the TACACS+ server, then system and command accounting would not be specified.

4.6.3. Dial-In Users

AAA services were designed with remote network access in mind. This includes remote access to routers as well as to network services like PPP. AAA using RADIUS is one of the primary means by which Internet Service Providers (ISPs) accomplish this. Controlling access for dial-in users is similar to controlling access to the router, but different protocols are used. Additionally, although it is not shown, it is highly recommended that when dial-in access to the network or router is in use, AAA services be used in conjunction with a one-time password or similar token technology.

Some important commands for controlling dial-in users are:

§ aaa authentication ppp {default | list-name} <method-list> is used to specify PPP authentication method lists.
§ aaa authorization {network | exec | commands level | reverse-access} {default | list-name} <method-list> turns on AAA authorization for the specified type and designates the order in which