UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
Central(config)# line vty 0 4
Central(config-line)# access-class 99 in
Central(config-line)# exec-timeout 5 0
Central(config-line)# login local
Central(config-line)# transport input telnet
Central(config-line)# exec
Central(config-line)# end
Central#
The access-list limits which hosts may connect to the router through the vty ports.
Additionally, the IP addresses that are allowed to connect must be on an internal
interface; see Figure 4-1 for an example. For more details on access-lists see Section
4.3. The login local command requires that a username and password be used for
access to the router; this is distinct from the AAA mechanisms. Finally, the
transport input telnet command restricts the management interface to telnet
only. This is important because the other supported protocols, like rlogin and web,
are less secure and should be avoided.
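As an added illustration (not part of the guide), the following Python audit parses the line vty stanzas out of a show run listing and flags any that lack the four protections shown above: an inbound access-class, a non-zero exec-timeout, login local (or a login authentication method list, which is a real IOS command tied to AAA), and transport input telnet. The configuration text and the 192.0.2.0/24 network are constructed sample values.

```python
import re

# Constructed sample running-config (not from the guide). 'line vty 0 4' mirrors the
# settings shown on this page; 'line vty 5 15' is deliberately weak so the audit flags it.
SAMPLE_CONFIG = """\
access-list 99 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 99 in
 exec-timeout 5 0
 login local
 transport input telnet
!
line vty 5 15
 exec-timeout 0 0
 login
 transport input all
!
end
"""

def vty_stanzas(config):
    """Yield (name, [commands]) for each 'line vty' stanza; indented lines belong to it."""
    name, body = None, []
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            if name: yield name, body
            name, body = raw.strip(), []
        elif name and raw.startswith(" "):
            body.append(raw.strip())
        elif name:                      # '!' or an unindented command closes the stanza
            yield name, body
            name, body = None, []
    if name: yield name, body

def audit_vty(config):
    """Return {stanza: [findings]}; an empty list means the stanza matches the guide."""
    results = {}
    for name, cmds in vty_stanzas(config):
        findings = []
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append("no inbound access-class: any host may try to connect")
        timeout = [re.findall(r"\d+", c) for c in cmds if c.startswith("exec-timeout")]
        if not timeout or not any(int(x) for x in timeout[0]):
            findings.append("exec-timeout missing or '0 0': idle sessions never expire")
        if "login local" not in cmds and not any(c.startswith("login authentication") for c in cmds):
            findings.append("login is not tied to local usernames or AAA")
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport != "transport input telnet":
            findings.append(f"{transport!r}: the guide restricts the vty lines to telnet only")
        results[name] = findings
    return results
```

Running audit_vty(SAMPLE_CONFIG) reports no findings for line vty 0 4 and four for line vty 5 15.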
4.1.6. Authentication, Authorization, and Accounting (AAA)
This is Cisco's new access control facility for controlling access, privileges, and
logging of user activities on a router. Authentication is the mechanism for
identifying users before allowing access to a network component. Authorization is
the method used to describe what a user has the right to do once he has authenticated
to the router. Accounting is the component that allows for logging and tracking of
user and traffic activities on the router, which can be used later for resource tracking
or troubleshooting. Section 4.6 contains details on configuring AAA in an example
network.
4.1.7. Logistics for Configuration Loading and Maintenance
There are two basic approaches for configuration loading and maintenance: online
editing and offline editing. Each has advantages and disadvantages. Online
editing provides syntax checking but offers limited editing capability and no
comments. Offline editing provides the ability to add comments, allows for the use
of better editors, and guarantees all settings will be visible, but provides no syntax
checking. With online editing, the show run command will only show those
configuration settings which differ from the IOS defaults. Cisco configuration
save utilities will also not save default values. Because each Cisco IOS release
changes the default values for some of the commands, tracking the configuration can
become very difficult. The offline method, however, will leave passwords in the clear. The
recommended approach is a hybrid of the two, described below.
It is also important to keep the running configuration and the startup configuration
synchronized, so that if there is a power failure or some other problem the router will
restart with the correct configuration. If there is a need for old or alternative
configurations they should be stored offline. In this situation it is only necessary to
manage the startup configuration since the running configuration is identical. When
saving and loading configurations, always use the startup configuration to avoid