Networking

Cisco router access control methods

Network downtime can be costly. Any means to avoid this is critical and Cisco offers many. Here Jeff Brady explores various methods of access control on Cisco routers, which can protect your network from costly downtime.

Routers are an integral part of almost any modern internetwork. The cost of the hardware, time, and resources needed to keep the network online makes this equipment expensive. We will explore various methods of access control on Cisco routers that can protect your network from costly downtime. Some or all of these guidelines can be applied in a single-office facility or in the largest enterprise.

Physical security
The network will most certainly go down if your routers are stolen or tampered with. You should place your routers in an area that can be secured either by lock and key, swipe card, or even biometric access devices. In a smaller organization, this might be a wiring closet or the IT manager's office. Larger businesses may secure their routers, servers, etc. in a data center environment. While locking our routers away may sound good enough, we also need to lock down the console and auxiliary ports on the router. This will prevent unauthorized individuals, whether employees, contractors, or outsiders with physical access to your equipment, from viewing and possibly tampering with the configuration. With the commands below, we can set the password for the console port:
router#config t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#line console 0
router(config-line)#password pa55w0rD
router(config-line)#login
router(config-line)#exec-timeout 15
router(config-line)#end
router#


In the above commands, we set the console password to pa55w0rD (the password is set before login is enabled, so the router never warns that login is disabled until a password exists). We also set a 15-minute timeout. If you walk away, you will be required to log in again after 15 minutes of inactivity. You can adjust this time (from 0 to 35791 minutes) to suit your needs. If your router also has an auxiliary port, the procedure is the same, but you will substitute line aux 0 for line console 0.

Physically securing your routers takes very little time and is a sound practice. Replacing a “missing” router or fixing an unauthorized configuration will cost far more time and money in network downtime.

Remote access security via Telnet
Administration and security are much easier when you can physically walk over and touch the equipment you maintain. Realistically though, we are discussing routers and typically we are using them to connect various offices. Being able to access your routers remotely is essential. You want to be able to troubleshoot and make configuration changes without getting in the car or taking a cross-country airplane trip! We also must keep unauthorized persons from compromising the routers. We will now explore various ways we can make our routers more secure and still be able to do our job.

The most common method of remotely accessing routers is through the use of Telnet. Telnet will allow us to get into the router with a Windows, Linux/UNIX, or even a Macintosh machine. If you are using a Linux or UNIX box, Telnet should be familiar.

If you are using a Mac, a Telnet client such as BetterTelnet will suit you. Windows boxes have the Telnet command that can be executed from the DOS prompt. I, however, recommend Tera Term Pro. Telnet gives us easy access to our routers from almost anywhere, but this also gives our cracker friends the same ease of access. Cisco allows us to make access more difficult for our script-kiddie friends and still allows us to get our work done. This is done through the use of access control lists. We can restrict Telnet access to one or a group of IP addresses that we specify. In the next example, we will set up a standard access list and apply it to the virtual terminal or VTY.
router#config t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#access-list 98 permit host 192.168.1.3
router(config)#access-list 98 permit host 192.168.1.4
router(config)#access-list 98 deny any
router(config)#line vty 0 4
router(config-line)#access-class 98 in
router(config-line)#end
router#


In the example above, we restricted Telnet access to two IP addresses (192.168.1.3 and 192.168.1.4) and denied everything else. Note that a standard access list takes a wildcard mask, not a subnet mask: the host keyword (wildcard 0.0.0.0) matches exactly one address, whereas a wildcard of 255.255.255.255 would match every address. I do not recommend using hostnames in your access list, because DNS servers can be compromised. I highly recommend setting up a Linux box and using it as the machine you telnet into your routers from. This lets you limit the number of IP addresses that can telnet into the routers, as defined in your VTY access list, while still allowing you access from home, on the road, etc.
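The wildcard-mask point matters because a mistyped mask silently opens the VTY lines to everyone. The Python below is an added example, not code from the article, that evaluates a standard access list top-down with IOS's first-match and implicit-deny semantics; it contrasts entries written with a 255.255.255.255 mask (every bit is "don't care", so any source matches) against host entries (wildcard 0.0.0.0, what the host keyword expands to).

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask test: a 1 bit in the mask is ignored,
    a 0 bit must equal the corresponding bit of the network address."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return (a & care) == (n & care)

def evaluate_acl(acl, addr):
    """Walk the entries top-down as IOS does: first match wins,
    and an address matching no entry hits the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action
    return "deny"

# Entries with 255.255.255.255 as the mask: every bit is "don't care",
# so the first permit matches any source address at all.
ALL_ONES_MASK = [
    ("permit", "192.168.1.3", "255.255.255.255"),
    ("permit", "192.168.1.4", "255.255.255.255"),
    ("deny",   "0.0.0.0",     "255.255.255.255"),   # deny any
]

# Host entries (wildcard 0.0.0.0): only the two management stations
# named in the article's example are permitted.
HOST_MASK = [
    ("permit", "192.168.1.3", "0.0.0.0"),
    ("permit", "192.168.1.4", "0.0.0.0"),
    ("deny",   "0.0.0.0",     "255.255.255.255"),   # deny any
]

if __name__ == "__main__":
    for src in ("192.168.1.3", "192.168.1.9", "10.0.0.1"):
        print(src, evaluate_acl(ALL_ONES_MASK, src), evaluate_acl(HOST_MASK, src))
```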

Remote access security via modem
You may want to set up dial-in access to the core and distribution layers of your network. This will add costs in the form of analog phone lines and modems but will allow you to access the router without passing traffic over an insecure network, such as the Internet. If you decide that you are only going to access the routers either by modem or console access, be sure to disable Telnet access by issuing the timeout loginresponse 0 command to the VTY. Having analog access to your routers has the additional benefit of allowing you to connect to your routers and troubleshoot connectivity issues in the event that the router's WAN link goes down.

Username/password on the router
If you have more than a handful of people in your shop, you may want to consider setting up usernames on the routers. If someone leaves your organization, you can simply delete his or her info from the router. User accounts are entered on the router by entering them like so, in global configuration mode:
service password-encryption
username test privilege 15 password changeme


Table 1: Privilege levels
Level 1    nonprivileged (prompt is router>); the default level after login
Level 15   privileged (prompt is router#); the level after entering enable mode
Level 0    seldom used, but includes five commands: disable, enable, exit, help, and logout

It is very important that you enter the service password-encryption command (as shown above), otherwise, your users’ passwords will be in clear text and readable by anyone that issues the show running-config command on the router! Here is how the accounts will appear when you show the running-config on the router:
username test privilege 15 password 7 104D01180B10170609

Adding separate usernames for the people in your shop can be an effective method of controlling access on your routers, provided that the number of users and routers remains small.
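The show running-config warning above, together with the console and VTY settings from the earlier sections, can be turned into a quick audit. The Python below is an added example, not code from the article; it scans a constructed running-config excerpt (not captured from a real device) for missing service password-encryption, clear-text or type 7 user passwords, VTY lines with no access-class, and idle timeouts that are missing or disabled. The suggestion to use username ... secret instead of password is mine, not the article's.

```python
import re

# Constructed sample excerpt of a running-config (not from a real device);
# it contains each weakness the checks below look for.
SAMPLE_CONFIG = """\
hostname router
username alice privilege 15 password changeme
username bob privilege 15 password 7 104D01180B10170609
line con 0
 password pa55w0rD
 login
line vty 0 4
 password pa55w0rD
 login
 exec-timeout 0 0
"""

def audit_config(text):
    """Return a list of findings for the access-control weaknesses above."""
    findings = []
    lines = text.splitlines()
    if "service password-encryption" not in lines:
        findings.append("service password-encryption is not enabled")
    for ln in lines:
        m = re.match(r"username (\S+) .*password (7 )?(\S+)$", ln)
        if m and m.group(2):      # type 7 is reversible, not a real hash
            findings.append(f"user {m.group(1)}: type 7 password is reversible, use 'secret'")
        elif m:
            findings.append(f"user {m.group(1)}: clear-text password")
    # Group each 'line ...' header with the indented commands under it.
    blocks, current = {}, None
    for ln in lines:
        if ln.startswith("line "):
            current = ln.strip()
            blocks[current] = []
        elif current and ln.startswith(" "):
            blocks[current].append(ln.strip())
    for name, cmds in blocks.items():
        if name.startswith("line vty") and not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{name}: no access-class restricts remote logins")
        timeouts = [c.split()[1:] for c in cmds if c.startswith("exec-timeout")]
        if not timeouts:
            findings.append(f"{name}: exec-timeout not set, IOS default of 10 minutes applies")
        elif timeouts[0] in (["0"], ["0", "0"]):   # 0 means never time out
            findings.append(f"{name}: exec-timeout 0 disables the idle timeout")
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("FINDING:", f)
```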

CiscoSecure/Tacacs+
On larger networks, security becomes increasingly difficult to maintain. Manually adding or removing an employee from 100 routers can be a nightmare. In the previous example, the encrypted passwords seem secure; however, password encryption is easily broken using downloadable tools, applications for PalmOS handhelds, or even by entering the encrypted string on Web tools like those from Useful Cisco Password Utilities.

Thankfully, Cisco has an access control method for the enterprise: Terminal Access Controller Access Control System (Tacacs+). What Tacacs+ allows us to do is set up a centralized server or servers to handle authentication, authorization, and accounting.

Once you have your server set up with your list of users with access privileges and have entered your router information, you can configure your routers to use Tacacs+. Cisco produces a product called CiscoSecure ACS, and it has versions that will run on Windows NT, Windows 2000, and Solaris.

Below, you see the commands to enable Tacacs+ on your Cisco router.
aaa new-model
aaa authentication login default tacacs+ local enable
aaa authentication login no_tacacs enable local
aaa authorization exec default tacacs+ local if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting nested
aaa accounting update newinfo
aaa accounting exec default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
aaa accounting connection default start-stop tacacs+
aaa accounting system default start-stop tacacs+

tacacs-server host 172.20.88.14
tacacs-server key bravo87Z

line con 0
! exec-timeout takes minutes then seconds: 15 minutes, 0 seconds
exec-timeout 15 0
login authentication no_tacacs
transport input none


The above example shows a configuration for using Tacacs+ on a Cisco router. Configurations can vary depending on the IOS your router is running, so refer to the CiscoSecure ACS documentation and the Cisco Systems Web site.

Once you have the software installed, configuration is very easy through a Web-based interface. You can add routers, add/change/delete users, and review a variety of reports. The reports are useful in that you can see what changes a particular user has made on a router, track authentication failures, and more.

Figure A: The opening screen for CiscoSecure


Centralized control of your users’ accounts will make administration and access control to your routers more efficient and give you reporting capabilities on the changes your users are making to the routers. CiscoSecure gives you the ability to do all of this using a simple Web-based application.

Conclusion
In this Daily Feature, we have explored some ways to control access to your routers and help improve the security of your network. You may want to employ one or several of these methods in your organization. Remember that nothing is totally secure, so always keep abreast of security updates for your equipment and periodically review your network's security.
Comments

rbacca

Does anyone know if there is a way to view/display the user accounts created using the commands below? (I don't want to type show run and look for the accounts... I'm looking for a command that would display just the users.) Username/password on the router: service password-encryption; username test privilege 15 password changeme

arkahnz

The SCADA system I work on basically uses a GPRS network to acquire data from remote sites. The 3rd-party telecom company providing GPRS allots dynamic IPs to the remote devices. We use a Cisco router for incoming traffic from these remote sites. In such a scenario, where IPs change periodically, how do I secure my servers using ACLs? I basically want to make sure that only traffic coming from the remote sites is allowed.

seanferd

I can't speak to any other possibilities. 1) Especially if these SCADA systems are critical infrastructure, at least to you, get static IPs. 2) Use a DDNS service to assign domain names to the dynamic IPs. Filter by domain. You will need to be able to run a DDNS updater at the locations with the dynamic IPs, either as a software client or via DDNS capabilities of a router. 2a) Of course, if there is a way to report the IP when it changes, like DDNS updaters do, directly to the Cisco router, do so. Needless to say, all ports and protocols not in use should be closed. (Ports in stealth mode would be best.)
