UNCLASSIFIED  Implementing Security on Cisco Routers  Version 1.0g  UNCLASSIFIED  63

avoided.  If web-based administration is examined and found necessary for network operations, then its use should be restricted as follows.

§ Set up usernames and passwords for all administrators, as discussed in Section 4.1.  The router’s web server will use HTTP basic authentication to demand a username and password (unfortunately, Cisco IOS does not yet support the superior HTTP digest authentication standard).  If possible, use AAA user access control as described in Section 4.6; AAA will give more control and better audit.

§ Create and apply an IP access list to limit access to the web server.  Access lists are described in Section 4.3.

§ Enable syslog logging as described in Section 4.5.2.

The example below illustrates each of these points.  Administrators will be allowed to connect from the 14.2.9.0 network and the host 14.2.6.18 only.

    Central# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Central(config)# ! Add web admin users, then turn on http auth
    Central(config)# username nzWeb priv 15 password 0 C5-A1rCarg0
    Central(config)# ip http auth local
    Central(config)# ! Create an IP access list for web access
    Central(config)# no access-list 29
    Central(config)# access-list 29 permit host 14.2.6.18
    Central(config)# access-list 29 permit 14.2.9.0 0.0.0.255
    Central(config)# access-list 29 deny any
    Central(config)# ! Apply the access list then start the server
    Central(config)# ip http access-class 29
    Central(config)# ip http server
    Central(config)# exit
    Central#

Bootp Server

Bootp is a datagram protocol that is used by some hosts to load their operating system over the network.  Cisco routers are capable of acting as bootp servers, primarily for other Cisco hardware.  This facility is intended to support a deployment strategy where one Cisco router acts as the central repository of IOS software for a collection of such routers.

In practice, bootp is very rarely used, and offers an attacker the ability to download a copy of a router’s IOS software.  To disable bootp service, use the commands shown below.

    Central# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Central(config)# no ip bootp server
    Central(config)# exit
    Central#
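As an added illustration (not part of the guide), the following script audits a saved running-config for the two hardening points above: that the HTTP server, if enabled, uses local or AAA authentication and is restricted by an access-class pointing at a real access list, and that the bootp server is turned off.  The sample configurations are constructed; the checker assumes IOS writes the disabled state out as `no ip bootp server` and expands abbreviated commands (e.g. `auth` to `authentication`).

```python
import re

# Constructed sample running-configs (not from the guide). WEAK_CONFIG leaves the
# web server open and bootp at its default; HARDENED_CONFIG mirrors the settings
# the text shows, as IOS writes them out (abbreviations such as "auth" expanded).
WEAK_CONFIG = """\
hostname Central
ip http server
"""

HARDENED_CONFIG = """\
hostname Central
username nzWeb privilege 15 password 0 C5-A1rCarg0
ip http server
ip http authentication local
ip http access-class 29
no ip bootp server
access-list 29 permit host 14.2.6.18
access-list 29 permit 14.2.9.0 0.0.0.255
access-list 29 deny any
"""

def audit_config(config: str) -> list[str]:
    """Return findings for the web-admin and bootp points discussed above."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "ip http server" in lines:
        # Authentication: the guide wants local usernames or AAA, not the enable password.
        auth = [ln for ln in lines if ln.startswith("ip http authentication ")]
        if not any(re.fullmatch(r"ip http authentication (local|aaa.*)", ln) for ln in auth):
            findings.append("web server enabled without local/AAA authentication")
        elif "ip http authentication local" in auth and not any(ln.startswith("username ") for ln in lines):
            findings.append("local http authentication set but no usernames defined")
        # Access restriction: the access-class must point at an ACL that exists and
        # does not simply permit every source.
        acls = [m.group(1) for ln in lines
                if (m := re.fullmatch(r"ip http access-class (\d+)", ln))]
        if not acls:
            findings.append("web server enabled without an ip http access-class")
        else:
            entries = [ln for ln in lines if ln.startswith(f"access-list {acls[0]} ")]
            if not entries:
                findings.append(f"ip http access-class {acls[0]} references a missing access list")
            elif any(ln.endswith(" permit any") for ln in entries):
                findings.append(f"access-list {acls[0]} permits any source")
    # Bootp: assumed on by default and shown as "no ip bootp server" once disabled.
    if "no ip bootp server" not in lines:
        findings.append("bootp server not disabled (default is enabled)")
    return findings
```

Run `audit_config` over the output of `show running-config`; an empty list means the config matches the restrictions described in this section.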