Router Security Configuration Guide UNCLASSIFIED 54 UNCLASSIFIED Version 1.0g

3. Remote Internal only – administration can be performed on the router from the internal network only.

4. Remote External with AAA – administration can be performed with both internal and external connections and uses AAA for access control.

5. Remote External – administration can be performed with both internal and external connections.

As discussed in Section 4.1.3, remote administration is inherently dangerous. When you use remote administration, anyone with a network sniffer and access to the right LAN segment can acquire the router account and password information. This is why remote administration security issues center on protecting the paths the session will use to reach the router. The five regimes above are listed in the order that best protects the router and allows for accounting of router activities. Section 4.6 will discuss remote access with AAA. This section discusses remote internal only access without AAA. Section 4.6 will also discuss Remote External connections using AAA and an IPSec tunnel (see Section 5.2). Remote external access should not be used, with or without AAA, unless the traffic is protected, since otherwise the username and password travel the network in clear text. The security of remote administration can therefore be enhanced by using a security protocol. Cisco is beginning to add support for the Secure Shell (SSH) protocol to IOS; once it is available, SSH will also be a good choice for securing administrative connections.

The Auxiliary Port

As discussed in Section 4.1.3, the aux port should be disabled. Only if absolutely required should a modem be connected to the aux port as a backup or remote access method to the router. Attackers using simple war-dialing software will eventually find the modem, so it is necessary to apply access controls to the aux port.

As discussed earlier, all connections to the router should require authentication (using individual user accounts) for access. This can be accomplished by using login local (see the next sub-section for an example) or AAA (see Section 4.6). For better security, IOS callback features should be used. A detailed discussion of setting up modems is beyond the scope of this document. See the Cisco IOS Release 12.0 Dial Solutions Configuration Guide for a complete discussion of connecting modems and configuring IOS callback features.

Network Access

Remote network connections use the vtys to connect to the router. To configure the vtys for remote access, do the following:

Central(config)# access-list 99 permit 14.2.9.1 log
Central(config)# access-list 99 permit 14.2.6.6 log
Central(config)# access-list 99 deny any log
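The access-list above is only the first step; the controls this section asks for are an inbound access-class on every vty, per-user authentication (login local or an AAA login method) on the vty and aux lines, and an aux port that is disabled unless a modem is genuinely required. The following Python audit script is an added example, not part of the guide, that checks a saved IOS configuration for exactly those points. The two configurations it carries are constructed for the example (the hostname Central and the 14.2.x.x addresses follow the guide's convention; the PLACEHOLDER secrets are not real values); the IOS line commands it looks for (access-class ... in, login local, login authentication, no exec, transport input) are standard IOS commands.

```python
"""Audit a Cisco IOS configuration for the remote-administration controls
described in this section (added example, not part of the guide)."""
import re

# Constructed sample following the section's advice: vty access limited by
# access-list 99, per-user login, aux port disabled.  Names and secrets are
# placeholders, not a real router's configuration.
GOOD_CONFIG = """\
hostname Central
username admin privilege 15 secret PLACEHOLDER
access-list 99 permit 14.2.9.1 log
access-list 99 permit 14.2.6.6 log
access-list 99 deny any log
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class 99 in
 login local
 exec-timeout 5 0
 transport input telnet
"""

# Constructed weak counterpart: shared line passwords, no access-class,
# unrestricted transports, aux port left enabled for a modem.
WEAK_CONFIG = """\
hostname Central
line aux 0
 login
 password PLACEHOLDER
line vty 0 4
 password PLACEHOLDER
 login
 transport input all
"""


def parse_config(text):
    """Return (acls, lines): numbered ACL rules, and the commands under each
    'line ...' block.  Only the subset this audit needs is parsed."""
    acls, lines, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        m = re.match(r"access-list (\d+) (.*)", raw)
        if m:
            acls.setdefault(int(m.group(1)), []).append(m.group(2).strip())
            current = None
        elif raw.startswith("line "):
            current = raw[5:].strip()
            lines[current] = []
        elif raw.startswith(" ") and current is not None:
            lines[current].append(raw.strip())   # command inside a line block
        else:
            current = None                       # some other global command
    return acls, lines


def has_user_login(cmds):
    """login local, or an AAA login method list (Section 4.6), both count."""
    return any(c == "login local" or c.startswith("login authentication") for c in cmds)


def audit(text):
    """Return a list of (severity, message); 'fail' contradicts the section's
    guidance, 'warn' is permitted by it but worth knowing about."""
    acls, lines = parse_config(text)
    findings = []
    for name, cmds in lines.items():
        if name.startswith("vty"):
            ac = [c for c in cmds if c.startswith("access-class ")]
            m = re.match(r"access-class (\d+) in$", ac[0]) if ac else None
            if m is None:
                findings.append(("fail", f"line {name}: no inbound access-class, any host may connect"))
            else:
                rules = acls.get(int(m.group(1)))
                if rules is None:
                    findings.append(("fail", f"line {name}: access-class references an undefined ACL"))
                elif not rules[-1].startswith("deny any"):
                    findings.append(("fail", f"line {name}: ACL does not end with an explicit deny any"))
                elif "log" not in rules[-1].split():
                    findings.append(("warn", f"line {name}: final deny is not logged"))
            if not has_user_login(cmds):
                findings.append(("fail", f"line {name}: no per-user authentication (login local or AAA)"))
            ti = [c for c in cmds if c.startswith("transport input")]
            if not ti or "all" in ti[0].split():
                findings.append(("fail", f"line {name}: transport input is unrestricted"))
            elif "telnet" in ti[0].split():
                findings.append(("warn", f"line {name}: telnet carries credentials in clear text; "
                                         "protect the path (IPSec) or use SSH when available"))
        elif name.startswith("aux"):
            if "no exec" in cmds:
                continue                         # aux port disabled, as recommended
            if has_user_login(cmds):
                findings.append(("warn", f"line {name}: aux port enabled; apply modem/callback controls"))
            else:
                findings.append(("fail", f"line {name}: aux port enabled without per-user authentication"))
    return findings


def passes(text):
    """True when the configuration has no 'fail' findings."""
    return all(sev != "fail" for sev, _ in audit(text))
```

Running audit(GOOD_CONFIG) yields a single warning about telnet, which matches the section's position that clear-text management traffic is acceptable only on a protected path; audit(WEAK_CONFIG) reports four failures (open access-class, shared-password login, unrestricted transport, and an aux port that is enabled without per-user authentication).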