Security Overview
By: McGraw-Hill/Osborne
    2005-06-30

    Table of Contents:
  • Security Overview
  • Overview of Network Security
  • Access Servers and Dial-in Protocols
  • Authentication, Authorization, and Accounting
  • How AAA Works
  • Methods and Types
  • Method and Types Continued
  • Dynamic Access Lists


    Security Overview - Dynamic Access Lists


    (Page 8 of 8 )

    Access lists are normally used to filter traffic at the packet level. In other words, when a connection is attempted through a router interface, packet headers are inspected for prohibited IP addresses or application port numbers, and traffic is passed or blocked. These are called extended access lists, and they’re discussed in Chapter 9. To review here, such access lists are extended in that they can filter based on network application port numbers instead of just addresses. They’re also called static extended access lists, because the permit and deny commands are blindly enforced, regardless of the user. To make an exception for a particular person, an administrator would need to go into the router’s config file and edit the list for that interface.

    TACACS+ AV Pair / Description

    service=x
        Specifies the connection service to be authorized or accounted. For example, aaa authorization service=ppp would be used to authorize a person to make a remote PPP connection to a device. Another example would be service=shell to let an administrator get into a device’s Privileged EXEC command mode.

    protocol=x
        A protocol is a subset of a service. For example, a PPP connection might use TN3270, VINES, Telnet, or other protocols. A key protocol nowadays is VPDN (Virtual Private Dialup Network). The AV pair protocol=vpdn would let a remote dial-in user establish an encrypted connection to the enterprise’s VPN network.

    routing=x
        Specifies whether routing updates may be propagated through the interface used for the connection.

    priv-lvl=x
        Specifies the IOS command mode the person may use. For this to work, commands must first be grouped using the level command.

    acl=x
        Restricts connection access lists on a device. Connection access lists are also called reflexive access lists, and are used to track sessions.

    inacl=x, inacl#=x, outacl=x, outacl#=x
        Four AV pairs restricting access to per-user inbound and outbound access lists placed on an interface.

    tunnel-id
        Specifies a username for establishing remote VPN connections.

    gw-password=x
        Specifies the password placed on the home gateway into the VPN. Must be used where service=ppp and protocol=vpdn.

    Table 8-9. TACACS+ Authentication and Authorization AV Pairs
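    The following is an added example, not code from the book, showing how a device would parse authorization AV pairs of the kinds listed in Table 8-9 and decide whether to honour a server's reply. The separator rule comes from the TACACS+ specification (RFC 8907): "=" marks a mandatory attribute and "*" an optional one, and a device that does not understand a mandatory attribute must treat the authorization as failed rather than silently grant the session. The set of supported attributes, the priv-lvl range check and the sample replies are assumptions for the example.

```python
"""Device-side handling of TACACS+ authorization AV pairs (added example).

Separator rule per RFC 8907: '=' marks a mandatory attribute, '*' an
optional one.  An unsupported mandatory attribute fails the authorization;
an unsupported optional attribute is ignored.  The sample replies at the
bottom are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AVPair:
    attribute: str
    value: str
    mandatory: bool


def parse_av_pair(text: str) -> AVPair:
    """Split one AV pair at the first '=' or '*', whichever appears first."""
    positions = [p for p in (text.find("="), text.find("*")) if p != -1]
    if not positions:
        raise ValueError(f"no separator in AV pair: {text!r}")
    pos = min(positions)
    attribute, value = text[:pos], text[pos + 1:]
    if not attribute:
        raise ValueError(f"empty attribute name in AV pair: {text!r}")
    return AVPair(attribute, value, mandatory=(text[pos] == "="))


# Attributes from Table 8-9 that this hypothetical device understands.
SUPPORTED = {"service", "protocol", "routing", "priv-lvl", "acl",
             "inacl", "outacl", "tunnel-id", "gw-password"}


def is_supported(attribute: str) -> bool:
    """inacl#1 / outacl#2 carry a per-line suffix; strip it before lookup."""
    return attribute.split("#", 1)[0] in SUPPORTED


def authorize(reply):
    """Evaluate a server's authorization reply (a list of AV-pair strings).

    Returns (granted, reason, effective); `effective` holds the attributes
    the device would apply to the session.
    """
    effective = {}
    for pair in (parse_av_pair(p) for p in reply):
        if not is_supported(pair.attribute):
            if pair.mandatory:
                # Fail closed: the server insisted on something we cannot enforce.
                return False, f"unsupported mandatory attribute {pair.attribute!r}", {}
            continue  # optional and unknown: ignore it
        effective[pair.attribute] = pair.value

    if "service" not in effective:
        return False, "reply carries no service attribute", {}

    lvl = effective.get("priv-lvl")
    if lvl is not None and not (lvl.isdigit() and 0 <= int(lvl) <= 15):
        return False, f"priv-lvl must be 0..15, got {lvl!r}", {}

    # Table 8-9: gw-password is only meaningful with service=ppp and protocol=vpdn.
    if "gw-password" in effective and not (
        effective.get("service") == "ppp" and effective.get("protocol") == "vpdn"
    ):
        return False, "gw-password requires service=ppp and protocol=vpdn", {}

    return True, "ok", effective


if __name__ == "__main__":
    samples = [  # constructed replies
        ["service=shell", "priv-lvl=15"],
        ["service=ppp", "protocol=vpdn", "tunnel-id=branch-office", "gw-password=EXAMPLE"],
        ["service=shell", "priv-lvl=16"],
        ["service=shell", "vendor-x-flag=1"],
        ["service=shell", "vendor-x-flag*1"],
    ]
    for reply in samples:
        granted, reason, eff = authorize(reply)
        print(f"{reply!r:75} -> {'PERMIT' if granted else 'DENY'} ({reason})")
```

    The fail-closed branch is the one worth keeping in mind: a device that drops mandatory attributes it does not recognise would grant a session with fewer restrictions than the server intended.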

    Dynamic access lists are configured using so-called lock-and-key commands. By employing these, a user who would otherwise be blocked can be granted temporary access to a network or subnet via a Telnet session over the Internet.

    The Telnet session is opened to a router configured for lock-and-key. The dynamic access list prompts the user for authentication information. As with other user-based security protocols, lock-and-key can be configured to check against a user database on the router itself (local), or against a user database maintained on a TACACS+ or RADIUS server. If authenticated, the user is automatically logged out of the Telnet session and can start a normal application such as a browser.

    Lock-and-Key Using a Local User Database

    The following sequence of code snippets shows how lock-and-key could be configured on a router using a locally maintained user authentication file. To start, a particular network interface on the router is declared along with a subnetted IP address. The ip access-group command places the just-named interface and networks under the control of access list 103:

    MyRouter(config)# interface ethernet1
    MyRouter(config-if)# ip address 209.198.208.30 255.255.255.0
    MyRouter(config-if)# ip access-group 103 in

    The keyword in specifies that access control be applied only to inbound connections (lock-and-key can also be used to restrict outbound connections).

    In the following statements, the first entry of access list 103 allows only Telnet connections into the router. The second entry of access list 103 is ignored until lock-and-key is triggered by a Telnet connection established to the router. The keyword dynamic defines access list 103 as a dynamic (lock-and-key) list.

    MyRouter(config)# access-list 103 permit tcp any host 209.198.207.2 eq telnet
    MyRouter(config)# access-list 103 dynamic InCrowd timeout 60 permit ip any any

    This is the key juncture. If so configured, an attempted Telnet connection to the router causes it to check against its local user database to see if the user and password are valid for lock-and-key access to the router. If validated, the timeout 60 permit ip any any statement gives the user 60 minutes to use the router as a connection between any two IP addresses.

    Finally, an autocommand statement creates a temporary inbound access list entry (named InCrowd in the previous statement) at the network interface Ethernet1 and line 0 on the router. The temporary access list entry will time out after five minutes.

    MyRouter(config)# line vty 0
    MyRouter(config-line)# login local
    MyRouter(config-line)# autocommand access-enable timeout 5

    The temporary access list entry isn’t automatically deleted when the user terminates the session. It will remain configured until the timeout period expires.

    Dynamic access lists can also be configured to authenticate users against a user database maintained on either a TACACS+ or RADIUS server. This, in effect, turns a router into an access server through which a user can gain entry into an internetwork, but only by logging in via a Telnet session.
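    To make the timeout behaviour of the lock-and-key configuration above concrete, here is an added simulation in Python; it is not code from the book or from Cisco. It models access list 103 (the static entry that permits only Telnet to the router, then the dynamic entry InCrowd) on a simulated clock in minutes. Following IOS semantics, the timeout 60 on the dynamic entry is treated as an absolute limit and access-enable timeout 5 as an idle limit; the per_host flag models the optional host keyword of access-enable, which confines the temporary entry to the address the Telnet session came from, whereas the chapter's configuration without it opens the entry for any source. Host addresses are constructed; the router address is the chapter's.

```python
"""Simulation of the lock-and-key access list from this section (added example).

Assumptions: 'timeout 60' on the dynamic entry is an absolute limit,
'access-enable timeout 5' an idle limit (IOS semantics); per_host=True
models the 'host' keyword of access-enable.  Addresses of the hosts
below are constructed.
"""
from dataclasses import dataclass

TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp", "icmp", ...
    dport: int = 0   # destination port for tcp/udp


class LockAndKeyAcl:
    """Access list 103, applied inbound, with the lock-and-key machinery."""

    def __init__(self, router_ip, absolute_timeout=60, idle_timeout=5, per_host=False):
        self.router_ip = router_ip
        self.absolute_timeout = absolute_timeout   # 'access-list 103 dynamic InCrowd timeout 60'
        self.idle_timeout = idle_timeout           # 'autocommand access-enable timeout 5'
        self.per_host = per_host                   # True models 'access-enable host'
        self.temp_entries = {}                     # key -> {"created": t, "last_used": t}

    def _key(self, src):
        # Without 'host' the temporary entry keeps the dynamic entry's source of "any".
        return src if self.per_host else "any"

    def telnet_login(self, src, credentials_ok, now):
        """'login local' on the vty: a valid login runs the autocommand, which
        installs the temporary entry; the Telnet session itself then ends."""
        if not credentials_ok:
            return False
        self.temp_entries[self._key(src)] = {"created": now, "last_used": now}
        return True

    def _expire(self, now):
        for key, t in list(self.temp_entries.items()):
            if (now - t["created"] >= self.absolute_timeout
                    or now - t["last_used"] >= self.idle_timeout):
                del self.temp_entries[key]

    def permits(self, pkt, now):
        """Evaluate the list top-down for one inbound packet at time `now` (minutes)."""
        self._expire(now)
        # Entry 1: permit tcp any host <router> eq telnet
        if pkt.proto == "tcp" and pkt.dst == self.router_ip and pkt.dport == TELNET:
            return True
        # Entry 2: dynamic InCrowd ... permit ip any any, live only through a temp entry
        entry = self.temp_entries.get(self._key(pkt.src))
        if entry is not None:
            entry["last_used"] = now
            return True
        return False   # implicit deny at the end of every access list

    def active_entries(self, now):
        """Names of the temporary entries still installed at time `now`."""
        self._expire(now)
        return sorted(self.temp_entries)


if __name__ == "__main__":
    acl = LockAndKeyAcl("209.198.207.2")
    telnet = Packet("10.0.0.5", "209.198.207.2", "tcp", TELNET)   # constructed
    web = Packet("10.0.0.5", "192.168.1.10", "tcp", 80)           # constructed
    print("t=0  telnet to router:", acl.permits(telnet, 0))
    print("t=0  web before login:", acl.permits(web, 0))
    acl.telnet_login("10.0.0.5", credentials_ok=True, now=0)
    print("t=1  web after login :", acl.permits(web, 1))
    print("t=4  web, session closed long ago:", acl.permits(web, 4))
    print("t=10 web after 6 idle minutes:", acl.permits(web, 10))
    print("active entries at t=10:", acl.active_entries(10))
```

    The trace shows the point made above: nothing the user does on leaving the Telnet session removes the entry; only the idle or absolute timeout does. It also shows why the host keyword matters when the temporary entry keeps a source of any.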

    It goes without saying, and is certainly a cliché, that network security is extremely important and necessary. However, understanding that it’s important and understanding how to actually implement it are two different things. To be sure, an entire book can be (and many have been) written on the subject of network security in general, and Cisco security in particular. The object of this chapter was to show you various details behind some of the important components in securing your internetwork. In Chapter 9, we’ll talk about some specific tools that Cisco offers in the realm of network access and security.


    This article is chapter eight from Cisco: A Beginner's Guide, by Velte and Velte (McGraw-Hill/Osborne, 2004, ISBN: 0072256354).

       

    SECURITY ARTICLES

    - An Epilogue to Cryptography
    - A Sequel to Cryptography
    - An Introduction to Cryptography
    - Security Overview
    - Network Security Assessment
    - Firewalls
    - What’s behind the curtain? Part II
    - What’s behind the curtain? Part I
    - Vectors
    - PKI: Looking at the Risks
    - A Quick Look at Cross Site Scripting
    - PKI Architectures: How to Choose One
    - Trust, Access Control, and Rights for Web Se...
    - Basic Concepts of Web Services Security
    - Safeguarding the Identity and Integrity of X...




    © 2003-2008 by Developer Shed. All rights reserved. DS Cluster 6 hosted by Hostway