UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
avoided. If web-based administration is examined and found necessary for network operations, then its use should be restricted as follows.
§ Set up usernames and passwords for all administrators, as discussed in Section 4.1. The router's web server will use HTTP basic authentication to demand a username and password (unfortunately, Cisco IOS does not yet support the superior HTTP digest authentication standard). If possible, use AAA user access control as described in Section 4.6; AAA will give more control and better audit.
§ Create and apply an IP access list to limit access to the web server. Access lists are described in Section 4.3.
§ Enable syslog logging as described in Section 4.5.2.
The example below illustrates each of these points. Administrators will be allowed to connect from the 14.2.9.0 network and the host 14.2.6.18 only.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# ! Add web admin users, then turn on http auth
Central(config)# username nzWeb priv 15 password 0 C5-A1rCarg0
Central(config)# ip http auth local
Central(config)# ! Create an IP access list for web access
Central(config)# no access-list 29
Central(config)# access-list 29 permit host 14.2.6.18
Central(config)# access-list 29 permit 14.2.9.0 0.0.0.255
Central(config)# access-list 29 deny any
Central(config)# ! Apply the access list then start the server
Central(config)# ip http access-class 29
Central(config)# ip http server
Central(config)# exit
Central#
Bootp Server
Bootp is a datagram protocol that is used by some hosts to load their operating system over the network. Cisco routers are capable of acting as bootp servers, primarily for other Cisco hardware. This facility is intended to support a deployment strategy where one Cisco router acts as the central repository of IOS software for a collection of such routers. In practice, bootp is very rarely used, and it offers an attacker the ability to download a copy of a router's IOS software. To disable the bootp service, use the commands shown below.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# no ip bootp server
Central(config)# exit
Central#
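The two hardening points above (a restricted HTTP server and a disabled bootp server) can be checked against a saved running-config. The script below is an added audit example, not part of this guide; it assumes classic IOS configuration syntax in which the bootp server stays enabled unless "no ip bootp server" appears, and the sample configs are constructed, not captured from a router.

```python
import re

# Assumption: classic IOS config text; bootp is on unless explicitly disabled.

def parse_acls(lines):
    """Collect numbered access-list entries: {"29": [("permit", "host ..."), ...]}."""
    acls = {}
    for line in lines:
        m = re.match(r"access-list (\d+) (permit|deny) (.+)$", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return acls

def audit_ios_config(config_text):
    """Return a list of finding strings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    acls = parse_acls(lines)

    if "ip http server" in lines:
        # Accept the abbreviated form the guide types ("ip http auth local").
        if not any(ln.startswith("ip http auth") for ln in lines):
            findings.append("http: server enabled without ip http authentication")
        classes = [ln for ln in lines if ln.startswith("ip http access-class ")]
        if not classes:
            findings.append("http: server enabled without ip http access-class")
        else:
            num = classes[0].split()[-1]
            entries = acls.get(num)
            if not entries:
                findings.append(f"http: access-class {num} references an undefined access list")
            elif any(a == "permit" and t == "any" for a, t in entries):
                findings.append(f"http: access-list {num} permits any source")

    if "no ip bootp server" not in lines:
        findings.append("bootp: server not disabled (add 'no ip bootp server')")
    return findings

# Constructed sample configs for illustration.
HARDENED = """
hostname Central
username nzWeb privilege 15 password 0 C5-A1rCarg0
ip http authentication local
access-list 29 permit host 14.2.6.18
access-list 29 permit 14.2.9.0 0.0.0.255
access-list 29 deny any
ip http access-class 29
ip http server
no ip bootp server
"""
WEAK = "hostname Branch\nip http server\naccess-list 10 permit any\nip http access-class 10\n"
```

Running audit_ios_config on HARDENED returns no findings, while WEAK yields three: missing HTTP authentication, an access list that permits any source, and the bootp server left enabled.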