UNCLASSIFIED Implementing Security on Cisco Routers  Version 1.0g  UNCLASSIFIED 55

    Central(config)# line vty 0 4
    Central(config-line)# access-class 99 in
    Central(config-line)# exec-timeout 5 0
    Central(config-line)# login local
    Central(config-line)# transport input telnet
    Central(config-line)# exec
    Central(config-line)# end
    Central#

The access-list limits which hosts may connect to the router through the vty ports. Additionally, the IP addresses which are allowed to connect must be on an internal interface; see Figure 4-1 for an example. For more details on access-lists see Section 4.3. The login local command requires that a username and password be used for access to the router, which differs from the AAA mechanisms. Finally, the transport input telnet command restricts the management interface to telnet only. This is important because the other supported protocols, like rlogin and web, are less secure and should be avoided.

4.1.6.    Authentication, Authorization, and Accounting (AAA)

This is Cisco's new access control facility for controlling access, privileges, and logging of user activities on a router. Authentication is the mechanism for identifying users before allowing access to a network component. Authorization is the method used to describe what a user has the right to do once he has authenticated to the router. Accounting is the component that allows for logging and tracking of user and traffic activities on the router, which can be used later for resource tracking or troubleshooting. Section 4.6 contains details on configuring AAA in an example network.

4.1.7.    Logistics for Configuration Loading and Maintenance

There are two basic approaches for configuration loading and maintenance: online editing and offline editing. Each has advantages and disadvantages. Online editing provides syntax checking but offers limited editing capability and no comments. Offline editing provides the ability to add comments, allows for the use of better editors, and guarantees that all settings will be visible, but provides no syntax checking. With online editing, the show run command will only show those configuration settings which differ from the IOS defaults. Cisco configuration save utilities will also not save default values. Because each Cisco IOS release changes the default values for some of the commands, tracking the configuration can become very difficult. But the offline method will leave passwords in the clear. The recommended approach is a hybrid of the two, described below.

It is also important to keep the running configuration and the startup configuration synchronized, so that if there is a power failure or some other problem the router will restart with the correct configuration. If there is a need for old or alternative configurations, they should be stored offline. In this situation it is only necessary to manage the startup configuration, since the running configuration is identical. When saving and loading configurations, always use the startup configuration to avoid
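The vty hardening shown earlier on this page (inbound access-class, exec-timeout, login local, transport input telnet) can be checked offline against a saved configuration. The following audit script is an added example, not part of the guide; the configuration excerpt and the address 14.2.9.0/24 it contains are constructed, and the script also accepts an AAA-style login authentication line as a valid alternative to login local.

```python
import re
from typing import Dict, List

# Constructed sample excerpt of a Cisco IOS running-config (not from the guide).
# "line vty 0 4" follows the guide's settings; "line vty 5 15" is left weak.
SAMPLE_CONFIG = """\
access-list 99 permit 14.2.9.0 0.0.0.255
access-list 99 deny any log
line vty 0 4
 access-class 99 in
 exec-timeout 5 0
 login local
 transport input telnet
line vty 5 15
 exec-timeout 0 0
 login
 transport input all
"""

# The guide on this page restricts the management interface to telnet only;
# adjust this set to match the transports your own policy permits.
ALLOWED_TRANSPORTS = {"telnet"}


def parse_lines(config: str) -> Dict[str, List[str]]:
    """Group each 'line ...' stanza with its indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None          # any top-level command ends the stanza
    return stanzas


def audit_vty(config: str) -> Dict[str, List[str]]:
    """Return, per vty stanza, the hardening settings that are missing or disabled."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_lines(config).items():
        if not name.startswith("line vty"):
            continue
        problems = []
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            problems.append("no inbound access-class restricting source hosts")
        timeout = next((re.match(r"exec-timeout (\d+) (\d+)$", c) for c in cmds
                        if c.startswith("exec-timeout")), None)
        if timeout is None or (timeout.group(1), timeout.group(2)) == ("0", "0"):
            problems.append("exec-timeout absent or disabled (0 0)")
        if not any(c == "login local" or c.startswith("login authentication ") for c in cmds):
            problems.append("login does not use local usernames or AAA")
        transports = [set(c.split()[2:]) for c in cmds if c.startswith("transport input ")]
        if not transports or not transports[0] <= ALLOWED_TRANSPORTS:
            problems.append("transport input not restricted to the allowed protocols")
        findings[name] = problems
    return findings
```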