This chapter gives an overview of the security options available on the system.
This section gives an overview of the security features supported by the system.
Cisco provides several network-layer (protocol-layer) features that increase security on IP networks. These include controls that restrict access to routers and communication servers through the console port, Telnet, Simple Network Management Protocol (SNMP), Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), and firewalls.
You can control access to the system using the following methods:
Note: The detailed tasks and commands needed to configure each of these features are documented in the Security Configuration Guide in the Cisco IOS Release 12.0 Configuration Guides and Command References.
You configure a password for nonprivileged mode by entering the following commands in the system's configuration file. Passwords are case-sensitive. In this example, the password is 1forAll.
line console 0
 login
 password 1forAll
When you log in to the system, the system login prompt is as follows:
User Access Verification
Password:
You must enter the password 1forAll to gain nonprivileged access to the system. The system response is as follows:
router>
Nonprivileged mode is signified by the > prompt. At this point you can enter a variety of commands to view statistics on the system, but you cannot change its configuration. Never use cisco, or obvious derivatives such as pancho, as a Cisco system password; these are the first passwords intruders try when they recognize the Cisco login prompt.
Configure a password for privileged mode by entering the following command in the system's configuration file. In this example, the password is san-fran.
enable password san-fran
To access privileged mode, enter the following command:
router> enable
Password:
Enter the password san-fran to gain privileged access to the system. The system responds as follows:
router#
Privileged mode is signified by the # prompt. In privileged mode, you can enter all commands to view statistics and configure the system.
Setting the login and enable passwords may not provide enough security in some cases. The idle timeout for an unattended console (10 minutes by default) provides an additional measure: if a console is left unattended in privileged mode, anyone who reaches it can modify the system's configuration. You can change the idle timeout with the line command exec-timeout mm ss, where mm is minutes and ss is seconds. The following commands change the console timeout to 1 minute and 30 seconds:
line console 0
 exec-timeout 1 30
All passwords on the system can be viewed with the write terminal and show configuration privileged mode commands (the older spellings of show running-config and show startup-config). By default, anyone with privileged-mode access can therefore read every password in clear text.
The command service password-encryption hides clear-text passwords: they are stored in an encoded form so that the output of write terminal and show configuration no longer shows the clear text. This encoding (marked 7 in the configuration) is a fixed, keyless transformation that anyone holding the configuration text can reverse; it protects against a glance at the screen, not against someone who obtains a copy of the configuration. For the privileged password, prefer the enable secret command, which stores a one-way hash and takes precedence over enable password when both are configured. Remember also that if you forget a password, regaining access to the system requires physical access to it.
Note: Although password encryption is helpful, the type 7 encoding is reversible and should not be your only network-security strategy.
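The reversibility the note warns about can be shown directly. The following Python is an added example, not code from the Cisco page: it implements the type 7 encoding that service password-encryption applies, using the well-known fixed IOS keystream, and decodes every "password 7" line found in a constructed sample configuration. The sample configuration, its password values and the function names are assumptions of this example.

```python
"""Cisco IOS 'type 7' password encoding, as applied by service password-encryption.

Added example, not from the original Cisco page. The XOR keystream below is the
well-known fixed constant IOS uses for type 7; the sample configuration and
its passwords are constructed here for illustration.
"""
from __future__ import annotations

import re

# Fixed keystream. The two leading decimal digits of every type 7 string are
# an offset into it; each following hex pair is one plaintext byte XORed with
# the keystream byte at (offset + position). No secret is involved at all.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_encode(plaintext: str, seed: int = 9) -> str:
    """Return the type 7 form of plaintext, e.g. 'cisco' with seed 9 -> '094F471A1A0A'."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plaintext.encode("ascii")):
        k = _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
        out.append(f"{ch ^ k:02X}")
    return "".join(out)


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type 7 string using only the public keystream."""
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


# Matches 'password 7 <hex>' wherever it appears on a configuration line
# (enable password, line passwords, and so on). Assumed helper of this example.
_LINE_RE = re.compile(r"^(?P<prefix>.*?\bpassword 7 )(?P<blob>[0-9A-Fa-f]+)\s*$")


def reveal_type7_in_config(config: str) -> list[tuple[str, str]]:
    """Return (configuration line, recovered plaintext) for every type 7 password."""
    found = []
    for line in config.splitlines():
        m = _LINE_RE.match(line)
        if m:
            found.append((line.strip(), type7_decode(m.group("blob"))))
    return found


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
service password-encryption
!
enable password 7 0215055546001D2042
!
line con 0
 password 7 094F471A1A0A
 login
"""

if __name__ == "__main__":
    for line, plain in reveal_type7_in_config(SAMPLE_CONFIG):
        print(f"{line:40s} -> {plain}")
```

Running the block prints the two encoded lines beside their recovered values (san-fran and cisco). The point is that nothing in the decoder is secret: a configuration backup, a TFTP copy or a pasted show output is enough to recover every type 7 password, which is why the enable secret hash should hold the privileged password.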
You can access both nonprivileged and privileged mode on the system through Telnet. As with the console port, Telnet security is provided when users are prompted by the system to authenticate themselves with passwords. In fact, many of the same concepts described in the "Console Access" section earlier in this chapter apply to Telnet access. You must enter a password to go from nonprivileged mode to privileged mode, and you can encrypt passwords and specify timeouts for each Telnet session. Telnet itself, however, carries the whole session, including the passwords typed at these prompts, in cleartext across the network, so the network path to the VTY lines deserves the same care as physical access to the console port.
Each Telnet port on the system is known as a virtual terminal. There are a maximum of five virtual terminal (VTY) ports on the system, allowing five concurrent Telnet sessions. (The communication server provides more VTY ports.) On the system, the virtual terminal ports are numbered from 0 through 4. You can set up nonprivileged passwords for Telnet access through the virtual terminal ports with the following configuration commands. In this example, virtual terminal ports 0 through 4 use the password marin:
line vty 0 4
 login
 password marin
When a user telnets to a system IP address, the system provides a prompt similar to the following:
% telnet router
Trying ...
Connected to router.
Escape character is '^]'.
User Access Verification
Password:
If the user enters the correct nonprivileged password, the following prompt appears:
router>
The user now has nonprivileged access to the system and can enter privileged mode by entering the enable command as described in the "Privileged Mode Password" section earlier in this chapter.
If you want to allow only certain IP addresses to use Telnet to access the system, use the access-class command. The command access-class nn in applies a standard access list (where nn is any number from 1 through 99) to incoming connections on the virtual terminal lines; addresses that match no permit entry are rejected by the implicit deny at the end of every access list. The following configuration commands allow incoming Telnet access to the system only from hosts on network 192.85.55.0:
access-list 12 permit 192.85.55.0 0.0.0.255
line vty 0 4
 access-class 12 in
With SNMP, you can gather statistics or configure the system. Gather statistics with get-request and get-next-request messages, and configure systems with set-request messages. Each of these SNMP messages has a community string that is a cleartext password sent in every packet between a management station and the system (which contains an SNMP agent). The SNMP community string is used to authenticate messages sent between the manager and agent. Only when the manager sends a message with the correct community string does the agent respond.
The SNMP agent on the system allows you to configure different community strings for nonprivileged and privileged access. You configure community strings on the system by using the configuration command snmp-server community string [RO | RW] [access-list]. The following sections explore the various ways to use this command.
Unfortunately, SNMP community strings are sent on the network in cleartext ASCII, so anyone able to capture a packet on the network can read them and may then query or, with the RW string, reconfigure systems through SNMP. Treat community strings as passwords: prefer RO strings wherever reads suffice, and pair each string with an access list as shown in the following sections. In addition, the no snmp-server trap-authentication command might prevent intruders from using authentication-failure trap messages (sent between SNMP agents and managers) to discover community strings.
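To make the cleartext exposure concrete, the following Python is an added example, not code from the Cisco page: it builds an SNMPv1 GetRequest for sysDescr.0 with a minimal BER encoder and then pulls the version and community string back out of the raw bytes, which is exactly what a packet capture lets anyone do without any key. The community string, request-id and helper names are assumptions of the example.

```python
"""Build and dissect an SNMPv1 GetRequest to show the community string on the wire.

Added example, not from the original Cisco page. The encoder is a minimal BER
writer for the fields an SNMPv1 message needs; the dissector reads the same
bytes back the way a sniffer would. Sample values (community 'public',
OID sysDescr.0 = 1.3.6.1.2.1.1.1.0, request-id 0x1234) are constructed here.
"""
from __future__ import annotations


def _ber_len(n: int) -> bytes:
    # Short form for lengths below 128; long form (0x80 | byte count) otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _integer(v: int) -> bytes:
    # Minimal two's-complement encoding (adds a leading 0x00 when the top bit is set).
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)
    return _tlv(0x02, body)


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                    # base-128, continuation bit on
        arc >>= 7                               # every byte but the last
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    """SNMPv1 message: SEQUENCE { version INTEGER 0, community OCTET STRING, GetRequest-PDU }."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))           # { oid, NULL }
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0)
               + _tlv(0x30, varbind))                             # GetRequest-PDU
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode("ascii")) + pdu)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value bytes, position after the TLV) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                             # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def community_from_packet(packet: bytes) -> tuple[int, str]:
    """Extract (version, community) from a raw SNMPv1/v2c message. No key is needed."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing version field")
    tag, comm, _ = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("missing community field")
    return int.from_bytes(ver, "big"), comm.decode("ascii", "replace")


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0", 0x1234)
    print(pkt.hex())
    print(community_from_packet(pkt))   # (0, 'public')
```

The bytes "04 06 public" sit in the second field of every message, so a single captured get-request or set-request reveals the read-only or read-write string; the access-list restrictions in the following sections limit who may use a captured string, but do not stop it from being captured.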
The Internet community, recognizing this problem, greatly enhanced the security of SNMP version 2 (SNMPv2) as described in RFC 1446. SNMPv2 uses an algorithm called MD5 to authenticate communications between an SNMP manager and agent. MD5 verifies the integrity of the communications, authenticates the origin, and checks for timeliness. Further, SNMPv2 can use the Data Encryption Standard (DES) for encrypting information. Note that this party-based SNMPv2 saw little deployment; the community-based SNMPv2c variant that shipped widely keeps the cleartext community string, and SNMPv3 later standardized authenticated and encrypted management.
Note: For detailed SNMP information and the supported MIBs, refer to chapter 2, System Monitoring, of the Cisco ICS 7750 Administration and Troubleshooting Guide.
snmp-server community public RO 1
You can also specify a list of IP addresses that are allowed to send messages to the system using the access-list option with the snmp-server community command. In the following configuration example, only hosts 1.1.1.1 and 2.2.2.2 are allowed nonprivileged mode SNMP access to the system:
access-list 1 permit 1.1.1.1
access-list 1 permit 2.2.2.2
snmp-server community public RO 1
Use the RW keyword of the snmp-server community command to provide privileged access to your systems through SNMP. The following configuration command sets the agent in the system to accept set-request messages (as well as get requests) only when they carry the community string private; the trailing 1 further limits that access to hosts permitted by access list 1:
snmp-server community private RW 1
You can also specify a list of IP addresses that are allowed to send messages to the system by using the access-list option of the snmp-server community command. In the following configuration example, only hosts 5.5.5.5 and 6.6.6.6 are allowed privileged mode SNMP access to the system:
access-list 1 permit 5.5.5.5
access-list 1 permit 6.6.6.6
snmp-server community private RW 1
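Both the access-class example in the Telnet section and the snmp-server community examples above depend on how a standard access list is evaluated: entries are tried in configuration order, the first match decides, and an address that matches no entry is dropped by the implicit deny at the end of every list. The following Python is an added example, not code from the Cisco page, that parses standard access lists from a constructed configuration (the page's lists 12 and 1, plus an assumed list 20 that denies one host before permitting its network) and reports what each list permits. The function names and the sample addresses are assumptions of the example.

```python
"""First-match evaluation of Cisco IOS standard access lists (numbers 1-99).

Added example, not from the original Cisco page. It models the semantics the
page relies on for access-class and snmp-server community ... <acl>:
entries are checked in configuration order, the first match decides, and an
unmatched address hits the implicit deny at the end of every list.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str     # "permit" or "deny"
    addr: int       # base address as a 32-bit integer
    wildcard: int   # wildcard mask: a 1 bit means "don't care"

    def matches(self, ip: int) -> bool:
        # A wildcard mask is the inverse of a subnet mask: only the bits that
        # are 0 in the wildcard are compared. Non-contiguous wildcards are legal.
        care = ~self.wildcard & 0xFFFFFFFF
        return (ip & care) == (self.addr & care)


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(config: str, number: int) -> list[Entry]:
    """Collect the entries of 'access-list <number> ...' lines, in configuration order."""
    entries: list[Entry] = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {raw}")
        if parts[3] == "any":
            addr, wc = 0, 0xFFFFFFFF
        elif parts[3] == "host":
            addr, wc = _to_int(parts[4]), 0
        else:
            addr = _to_int(parts[3])
            # A missing wildcard means 0.0.0.0, i.e. an exact host match.
            wc = _to_int(parts[4]) if len(parts) > 4 else 0
        entries.append(Entry(action, addr, wc))
    if not entries:
        raise ValueError(f"access-list {number} not found")
    return entries


def evaluate(entries: list[Entry], source: str) -> str:
    """Return 'permit' or 'deny' for one source address; no match is the implicit deny."""
    ip = _to_int(source)
    for e in entries:
        if e.matches(ip):
            return e.action
    return "deny"


# Constructed sample configuration: lists 12 and 1 are the page's; list 20 and
# the host it denies are assumed for this example.
SAMPLE_CONFIG = """\
access-list 12 permit 192.85.55.0 0.0.0.255
access-list 1 permit 5.5.5.5
access-list 1 permit 6.6.6.6
access-list 20 deny 192.85.55.13
access-list 20 permit 192.85.55.0 0.0.0.255
line vty 0 4
 access-class 12 in
snmp-server community private RW 1
"""

if __name__ == "__main__":
    for number, probes in ((12, ["192.85.55.7", "192.85.56.7"]),
                           (1, ["5.5.5.5", "5.5.5.6"]),
                           (20, ["192.85.55.13", "192.85.55.14"])):
        acl = parse_standard_acl(SAMPLE_CONFIG, number)
        for src in probes:
            print(f"access-list {number:2d}: {src:14s} -> {evaluate(acl, src)}")
```

List 20 shows why order matters: swapping its two lines would permit 192.85.55.13 because the network entry would match first and the deny would never be reached.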
TACACS+ provides separate and modular authentication, authorization, and accounting facilities. It allows a single access control server (the TACACS+ daemon) to provide each service (authentication, authorization, and accounting) independently. Each service can have its own database and can take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.
The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service. The Cisco family of access servers and systems and the Cisco IOS user interface (for both systems and access servers) can be network access servers.
Network access points enable traditional dumb terminals, terminal emulators, workstations, personal computers (PCs), and systems in conjunction with suitable adapters (such as modems or ISDN adapters) to communicate using protocols such as Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), Compressed SLIP (CSLIP), or AppleTalk Remote Access (ARA) Protocol. In other words, a network access server provides connections to a single user, to a network or subnetwork, and to interconnected networks. The entities connected to the network through a network access server are called network access clients; for example, a PC running PPP over a voice-grade circuit is a network access client. TACACS+, administered through the AAA security services, can provide the following services:
The TACACS+ protocol provides authentication between the network access server and the TACACS+ daemon, and it protects the content of every exchange between them: the body of each packet is encrypted with a shared secret key configured on both sides. Note that this protection is an MD5-based obfuscation keyed by that shared secret rather than a modern transport cipher, so the secret must be strong and the path between the access server and the daemon should itself be a trusted management network.
You need a system running TACACS+ daemon software to use the TACACS+ functionality on your network access server.
Cisco makes the TACACS+ protocol specification available as a draft RFC for those customers interested in developing their own TACACS+ software.
To configure your system to support TACACS+, you must perform the following tasks in global configuration mode:
Note: The complete configuration and command information to configure TACACS+ is available through CCO by selecting Service and Support > Technical Documents > Documentation Home Page > Cisco IOS Software Configuration > Cisco IOS Release 12.0 > Configuration Guides and Command References > Security Configuration Guide.
Firewalls are often placed in between the internal network and an external network such as the Internet. With a firewall between your network and the Internet, all traffic coming from the Internet must pass through the firewall before entering your network.
Firewalls can also be used to control access to a specific part of your network. For example, you can position firewalls at all the entry points into a research and development network to prevent unauthorized access to proprietary information.
The most basic function of a firewall is to monitor and filter traffic. Firewalls can be simple or elaborate, depending on your network requirements. Simple firewalls are usually easier to configure and manage. However, you might require the flexibility of a more elaborate firewall.
Cisco provides basic traffic filtering capabilities with access control lists (also referred to as access lists). You can configure access lists on your system to control access to a network: access lists can prevent certain traffic from entering or exiting a network. Access lists can be configured for all routed network protocols (IP, AppleTalk, and so on) to filter those protocols' packets as they pass through a system.
Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the system's interfaces. Your system examines each packet to determine whether to forward or drop the packet, based on the criteria you specified within the access lists.
Access list criteria can be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information. Note that sophisticated users can sometimes evade or fool basic access lists, because the lists match only on packet header fields that the sender controls (a forged source address, for example) and require no authentication.
Access lists should be used in firewall systems, which are often positioned between your internal network and an external network such as the Internet. You can also use access lists on a system positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network.
To provide the security benefits of access lists, you should at a minimum configure access lists on border systems, that is, systems at the edges of your networks. This provides a basic buffer from the outside network, or from a less-controlled area of your own network into a more sensitive area of your network.
Although each protocol has its own set of specific tasks and rules required in order for you to provide traffic filtering, most protocols require at least two basic steps: creating the access list, and applying it to the interfaces (or lines) on which it should take effect.
Note that some protocols refer to access lists as filters and refer to the act of applying the access lists to interfaces as filtering.
The guidelines discussed in this section apply in general to all protocols. The specific instructions for creating access lists and applying them to interfaces vary from protocol to protocol, and that specific information is not included in this section.
Note: The complete configuration and command information to configure access lists is available through CCO by selecting Service and Support > Technical Documents > Documentation Home Page > Cisco IOS Software Configuration > Cisco IOS Release 12.0 > Configuration Guides and Command References. To configure access lists for a specific protocol, see the protocol's chapter in the appropriate configuration guide. For example, to configure access lists for the IP protocol, refer to the Configuring IP Services chapter in the Network Protocols Configuration Guide, Part 1.
RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with any security system currently available on the market.
Cisco supports RADIUS under its authentication, authorization, and accounting (AAA) security paradigm. RADIUS can be used with other AAA security protocols, such as TACACS+, Kerberos, or local username lookup. RADIUS is supported on all Cisco platforms.
RADIUS has been implemented in a variety of network environments that require high levels of security while maintaining network access for remote users. Note that RADIUS itself hides only the User-Password attribute (with an MD5-based scheme keyed by the shared secret); other attributes travel in cleartext, so the path between the access server and the RADIUS server should itself be trusted.
To configure RADIUS on your Cisco router or access server, you must perform the following tasks:
The following configuration tasks are optional:
The following example is a general configuration using RADIUS with the AAA command set entered in global configuration mode:
radius-server host 123.45.1.2
radius-server key myRaDiUSpassWoRd
username root password ALongPassword
aaa authentication ppp dialins radius local
aaa authorization network radius local
aaa accounting network start-stop radius
aaa authentication login admins local
aaa authorization exec local
line 1 16
 autoselect ppp
 autoselect during-login
 login authentication admins
 modem ri-is-cd
interface group-async 1
 encaps ppp
 ppp authentication pap dialins
The lines in this example RADIUS authentication, authorization, and accounting configuration are defined as follows:
Note: The complete configuration and command information to configure RADIUS is available through CCO by selecting Service and Support > Technical Documents > Documentation Home Page > Cisco IOS Software Configuration > Cisco IOS Release 12.0 > Configuration Guides and Command References > Security Configuration Guide.
Posted: Mon Oct 2 13:58:39 PDT 2000
Copyright © 1989-2000 Cisco Systems, Inc.