When we talk about “security” we know what we want, but describing it and making it happen can be different matters altogether. Network security has a natural conflict with network connectivity. The more an autonomous system opens itself up, the more risk it takes on. This, in turn, requires that more effort be applied to security enforcement tasks. This article is chapter eight of the book, Cisco: A Beginner's Guide, third edition, by Anthony Velte and Toby Velte (McGraw-Hill/Osborne, 2004, ISBN: 0072256354).
Access lists are normally used to filter traffic at the packet level. In other words, when a connection is attempted through a router interface, packet headers are inspected for prohibited IP addresses or application port numbers, and traffic is passed or blocked. These are
TACACS+ AV Pair
Specifies the connection service to be authorized or accounted. For example, aaa authorization service=ppp would be used to authorize a person to make a remote PPP connection to a device. Another example would be
service=shell to let an administrator get into a device’s
Privileged EXEC command mode.
A protocol is a subset of a service. For example, a PPP connection might use TN3270, VINES, Telnet, or other protocols. A key protocol nowadays is VPDN (Virtual Private Dialup Network). The AV pair protocol=vpdn would let a remote dial-in user establish an encrypted connection to the enterprise’s VPN network.
Specifies whether routing updates may be propagated through the interface used for the connection.
Specifies the IOS command mode the person may use. For this to work, commands must first be grouped using the level command.
Restricts connection access lists on a device. Connection
access lists are also called reflexive access lists, and are used
to track sessions.
Four AV pairs restricting access to per-user inbound and
outbound access lists placed on an interface.
Specifies a username for establishing remote VPN connections.
Specifies the password placed on the home gateway into the VPN. Must be used where service=ppp and
Table 8-9. TACACS+ Authentication and Authorization AV Pairs
called extended access lists, and they’re discussed in Chapter 9. To review here, such access lists are extended in that they can filter based on network application port numbers instead of just addresses. They’re also called static extended access lists, because the permit and deny commands are blindly enforced, regardless of the user. To make an exception for a particular person, an administrator would need to go into the router’s config file and edit the list for that interface.
Dynamic access lists are configured using so-called lock-and-key commands. By employing these, a user who would otherwise be blocked can be granted temporary access to a network or subnet via a Telnet session over the Internet.
The Telnet session is opened to a router configured for lock-and-key. The dynamic access list prompts the user for authentication information. As with other user-based security protocols, lock-and-key can be configured to check against a user database on the router itself (local), or against a user database maintained on a TACACS+ or RADIUS server. If authenticated, the user is automatically logged out of the Telnet session and can start a normal application such as a browser.
Lock-and-Key Using a Local User Database
The following sequence of code snippets shows how lock-and-key could be configured on a router using a locally maintained user authentication file. To start, a particular network interface on the router is declared along with a subnetted IP address. The ip access-group command places the just-named interface and networks under the control of access list 103:
MyRouter(config)# interface ethernet1 MyRouter(config-if)# ip address 220.127.116.11 255.255.255.0 MyRouter(config-if)# ip access-group 103 in
The keyword in specifies that access control be applied only to inbound connections (lock-and-key can also be used to restrict outbound connections).
In the following statement, the first entry of access list 103 allows only Telnet connections into the router. The second entry of access list 103 is ignored until lock-and-key is triggered whenever a Telnet connection has been established in the router. The keyword dynamic defines access list 103 as a dynamic (lock-and-key) list.
MyRouter(config)# access-list 103 permit tcp any host 18.104.22.168 eq telnet MyRouter(config)# access-list 103 dynamic InCrowd timeout 60 permit ip any any
This is the key juncture. If so configured, an attempted Telnet connection to the router causes it to check against its local user database to see if the user and password are valid for lock-and-key access to the router. If validated, the timeout 60 permit ip any any statement gives the user 60 minutes to use the router as a connection between any two IP addresses.
Finally, an autocommand statement creates a temporary inbound access list entry (named InCrowd in the previous statement) at the network interface Ethernet1 and line 0 on the router. The temporary access list entry will time out after five minutes.
MyRouter(config)# line vty 0 MyRouter(config-line)# login local MyRouter(config-line)# autocommand access-enable timeout 5
The temporary access list entry isn’t automatically deleted when the user terminates the session. It will remain configured until the timeout period expires.
Dynamic access lists can also be configured to authenticate users against a user database maintained on either a TACACS+ or RADIUS server. This, in effect, turns a router into an access server through which a user can gain entry into an internetwork, but only by logging in via a Telnet session.
It goes without saying, and is certainly a cliché, that network security is extremely important and necessary. However, understanding that it’s important and understanding how to actually implement it are two different things. To be sure, an entire book can be (and many have been) written on the subject of network security in general, and Cisco security in particular. The object of this chapter was to show you various details behind some of the important components in securing your internetwork. In Chapter 9, we’ll talk about some specific tools that Cisco offers in the realm of network access and security.