Router Security Configuration Guide
UNCLASSIFIED
54
UNCLASSIFIED
Version 1.0g
3. Remote Internal only administration can be performed on the router
from the internal network only.
4. Remote External with AAA administration can be performed with both
internal and external connections and uses AAA for access control.
5. Remote External administration can be performed with both internal
and external connections.
As discussed in Section 4.1.3, remote administration is inherently dangerous. When
you use remote administration, anyone with a network sniffer and access to the right
LAN segment can capture the router account name and password. This is why
remote administration security issues center on protecting the paths the session
will use to reach the router. The five regimes above are listed in the order that
best protects the router and allows for accounting of router activities.
This section discusses remote internal-only access without AAA. Section 4.6
discusses remote access with AAA, including remote external connections that use
AAA over an IPSec tunnel (see Section 5.2). Remote external access should not be
used, with or without AAA, unless the traffic is protected, because otherwise the
username and password will travel the network in clear text. The security of
remote administration can therefore be enhanced by using a security protocol.
Cisco is beginning to add support for the Secure Shell (SSH) protocol to IOS; once
it is available, SSH will also be a good choice for securing administrative
connections.
The Auxiliary Port
As discussed in Section 4.1.3, the aux port should be disabled. Only if absolutely
required should a modem be connected to the aux port as a backup or remote access
method for the router. Attackers using simple war-dialing software will eventually
find the modem, so access controls must be applied to the aux port. As discussed
earlier, all connections to the router should require authentication (using
individual user accounts). This can be accomplished with the line command
login local (see the next sub-section for an example) or with AAA (see Section
4.6). For better security, the IOS callback features should be used. A detailed
discussion of modem setup is beyond the scope of this document; see the Cisco IOS
Release 12.0 Dial Solutions Configuration Guide for a complete discussion of
connecting modems and configuring IOS callback features.
Network Access
Remote network connections use the vtys to connect to the router. To configure the
vtys for remote access do the following:
Central(config)# access-list 99 permit 14.2.9.1 log
Central(config)# access-list 99 permit 14.2.6.6 log
Central(config)# access-list 99 deny any log
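The vty controls this sub-section is building up to, and the aux-port controls from the Auxiliary Port sub-section above, can be checked mechanically against a saved configuration. The following Python script is an added example and is not part of the Router Security Configuration Guide: it parses the line stanzas of an IOS configuration and reports whether the settings the guide calls for are present (on the vtys: an inbound access-class that references a defined ACL, login local, an idle exec-timeout, and a transport input restricted to a named protocol; on the aux port: no exec plus transport input none, or login local and an exec-timeout if the port must stay live). The two embedded configurations are constructed samples; the ACL number and hosts follow the listing above, while the hostname and the remaining vty line commands are assumptions about what a complete configuration looks like.

```python
"""Audit Cisco IOS 'line vty' and 'line aux' stanzas for remote-access controls."""
import re

# Constructed sample configurations (not taken from the guide).
WEAK_CONFIG = """\
hostname Central
!
line aux 0
 login
 password cisco
line vty 0 4
 password cisco
 login
 transport input all
"""

HARDENED_CONFIG = """\
hostname Central
!
access-list 99 permit 14.2.9.1 log
access-list 99 permit 14.2.6.6 log
access-list 99 deny any log
!
line aux 0
 no exec
 exec-timeout 0 1
 transport input none
line vty 0 4
 access-class 99 in
 exec-timeout 5 0
 login local
 transport input telnet
"""


def parse_line_stanzas(config):
    """Map each 'line <name>' stanza to its indented sub-commands.

    IOS prints sub-commands indented by one space; the next unindented
    command ends the stanza.  Blank and '!' comment lines are skipped.
    """
    stanzas = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                stanzas[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw[len("line "):].strip()
            stanzas[current] = []
        else:
            current = None
    return stanzas


def defined_acls(config):
    """Numbers or names of access-lists defined at the top level of the config."""
    return {m.group(1) for m in re.finditer(r"^access-list (\S+)\s", config, re.M)}


def _first(cmds, prefix):
    """Return the first command equal to prefix or starting with 'prefix '."""
    for c in cmds:
        if c == prefix or c.startswith(prefix + " "):
            return c
    return None


def audit_vty(cmds, acls):
    """Findings for a vty stanza against the guide's remote-access advice."""
    findings = []
    ac = _first(cmds, "access-class")
    if ac is None:
        findings.append("no access-class: any reachable host may open a session")
    else:
        parts = ac.split()
        if len(parts) < 3 or parts[2] != "in":
            findings.append("access-class not applied inbound: " + ac)
        elif parts[1] not in acls:
            findings.append("access-class references undefined ACL " + parts[1])
    if _first(cmds, "login local") is None:
        findings.append("no 'login local': no per-user authentication on this line")
    timeout = _first(cmds, "exec-timeout")
    if timeout is None or timeout.split()[1:3] == ["0", "0"]:
        findings.append("no idle exec-timeout (or '0 0'): abandoned sessions never close")
    transport = _first(cmds, "transport input")
    if transport is None or "all" in transport.split()[2:]:
        findings.append("transport input not restricted to a named protocol")
    return findings


def audit_aux(cmds):
    """Findings for the aux stanza: disabled outright, or locked down if a modem is needed."""
    findings = []
    if "no exec" in cmds and _first(cmds, "transport input") == "transport input none":
        return findings  # port disabled, as Section 4.1.3 recommends
    if _first(cmds, "login local") is None:
        findings.append("aux port is live but has no 'login local'")
    if _first(cmds, "exec-timeout") is None:
        findings.append("aux port is live with no exec-timeout")
    if _first(cmds, "transport input") != "transport input none":
        findings.append("aux port accepts inbound transport; use 'transport input none' unless a modem is required")
    return findings


def audit(config):
    """Return {stanza name: [findings]} for every aux and vty line in the config."""
    acls = defined_acls(config)
    report = {}
    for name, cmds in parse_line_stanzas(config).items():
        if name.startswith("vty"):
            report[name] = audit_vty(cmds, acls)
        elif name.startswith("aux"):
            report[name] = audit_aux(cmds)
    return report


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for stanza, findings in audit(cfg).items():
            print(label, stanza, findings or "OK")
```

Because the guide predates SSH support in IOS, the hardened sample uses transport input telnet, which the audit accepts; once SSH is available, transport input ssh is the stronger choice and passes the same check. The access-class test only confirms that the ACL exists and is applied inbound; the ACL body itself (that it permits only the management hosts and logs denies, as the listing above does) still needs a human review.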