index_36
Router Security Configuration Guide
UNCLASSIFIED
36
UNCLASSIFIED
Version 1.0g
3.3. Managing the Router
3.3.1. Access Mechanisms for Administrators
Determining access to the routers by administrators is an important issue. There are
two types of access: local and remote. Local access usually involves a direct
connection to a console port on the router with a dumb terminal or a laptop computer.
Remote access typically involves allowing telnet or SNMP connections to the router
from some computer on the same subnet or a different subnet. It is recommended to
only allow local access because during remote access all telnet passwords or SNMP
community strings are sent in the clear to the router. If an attacker can collect
network traffic during remote access then he can capture passwords or community
strings. However, there are some options if remote access is required.
1. Establish a dedicated management network. The management network
should include only identified administration hosts and a spare interface
on each router. Figure 3-3 shows an example of this.
Figure 3-3: Using a Management LAN for Administration
2. Another method is to encrypt all traffic between the administrators
computer and the router. In either case a packet filter can be configured
to only allow the identified administration hosts access to the router.
(Section 5.2 shows an example of doing this with a Cisco router and
Windows 2000.)
In addition to how administrators access the router, there may be a need to have more
than one level of administrator, or more than one administrative role. Define clearly
the capabilities of each level or role in the router security policy. For example, one
role might be network manager, and administrators authorized to assume that role
may be able to view and modify the configuration settings and interface parameters.
Another role might be operators, administrators authorized to assume that role
might be authorized only to clear connections and counters. In general, it is best to
keep the number of fully privileged administrators to a minimum.
Internet
Router
LAN 1
Firewall
Router
LAN 2
Management
LAN
Administration Host
Logging Host