Configuring Lock-and-Key Security (Dynamic Access Lists)

Benefits of Lock-and-Key
Lock-and-key provides the same benefits as standard and static extended access lists (these benefits are discussed in the chapter "Access Control Lists: Overview and Guidelines"). However, lock-and-key also has the following security benefits over standard and static extended access lists:
  • Lock-and-key uses a challenge mechanism to authenticate individual users.
  • Lock-and-key provides simpler management in large internetworks.
  • In many cases, lock-and-key reduces the amount of router processing required for access lists.
  • Lock-and-key reduces the opportunity for network break-ins by network hackers.
With lock-and-key, you can specify which users are permitted access to which source and destination hosts. These users must pass a user authentication process before they are permitted access to their designated hosts. Lock-and-key creates dynamic user access through a firewall, without compromising other configured security restrictions.

When to Use Lock-and-Key
Two examples of when you might use lock-and-key follow:

  • When you want a specific remote user (or group of remote users) to be able to access a host within your network, connecting from their remote hosts via the Internet. Lock-and-key authenticates the user, then permits limited access through your firewall router for the individual's host or subnet, for a finite period of time.
  • When you want a subset of hosts on a local network to access a host on a remote network protected by a firewall. With lock-and-key, you can enable access to the remote host only for the desired set of local user's hosts. Lock-and-key require the users to authenticate through a TACACS+ server, or other security server, before allowing their hosts to access the remote hosts.


How Lock-and-Key Works
The following process describes the lock-and-key access operation:

  1. A user opens a Telnet session to a border (firewall) router configured for lock-and-key. The user connects via the virtual terminal port on the router.
  2. The Cisco IOS software receives the Telnet packet, opens a Telnet session, prompts for a password, and performs a user authentication process. The user must pass authentication before access through the router is allowed. The authentication process can be done by the router or by a central access security server such as a TACACS+ or RADIUS server.
  3. When the user passes authentication, they are logged out of the Telnet session, and the software creates a temporary entry in the dynamic access list. (Per your configuration, this temporary entry can limit the range of networks to which the user is given temporary access.)
  4. The user exchanges data through the firewall.
  5. The software deletes the temporary access list entry when a configured timeout is reached, or when the system administrator manually clears it. The configured timeout can either be an idle timeout or an absolute timeout.

Prerequisites to Configuring Lock-and-Key
Lock-and-key uses IP extended access lists. You must have a solid understanding of how access lists are used to filter traffic, before you attempt to configure lock-and-key. Access lists are described in the chapter "Access Control Lists: Overview and Guidelines."


Lock-and-key employs user authentication and authorization as implemented in Cisco's authentication, authorization, and accounting (AAA) paradigm. You must understand how to configure AAA user authentication and authorization before you configure lock-and-key. User authentication and authorization is explained in the "Authentication, Authorization, and Accounting (AAA)" part of this document.


Lock-and-key uses the autocommand command, which you should understand. This command is described in the "Modem Support and Asynchronous Device Commands" chapter of the Cisco IOS Dial Technologies Command Reference.

Lock-and-Key Configuration Guidelines

Dynamic Access Lists
Use the following guidelines for configuring dynamic access lists:

  • Do not create more than one dynamic access list for any one access list. The software only refers to the first dynamic access list defined.
  • Do not assign the same dynamic-name to another access list. Doing so instructs the software to reuse the existing list. All named entries must be globally unique within the configuration.
  • Assign attributes to the dynamic access list in the same way you assign attributes for a static access list. The temporary access list entries inherit the attributes assigned to this list.
  • Configure Telnet as the protocol so that users must open a Telnet session into the router to be authenticated before they can gain access through the router.
  • Either define an idle timeout now with the timeout keyword in the access-enable command in the autocommand command, or define an absolute timeout value later with the access-list command. You must define either an idle timeout or an absolute timeout—otherwise, the temporary access list entry will remain configured indefinitely on the interface (even after the user has terminated their session) until the entry is removed manually by an administrator. (You could configure both idle and absolute timeouts if you wish.)
  • If you configure an idle timeout, the idle timeout value should be equal to the WAN idle timeout value.
  • If you configure both idle and absolute timeouts, the idle timeout value must be less than the absolute timeout value.
  • If you realize that a job will run past the ACL's absolute timer, use the access-list dynamic-extend command to extend the absolute timer of the dynamic ACL by six minutes. This command allows you to open a new Telnet session into the router to re-authentication yourself using lock-and-key.
  • The only values replaced in the temporary entry are the source or destination address, depending whether the access list was in the input access list or output access list. All other attributes, such as port, are inherited from the main dynamic access list.
  • Each addition to the dynamic list is always put at the beginning of the dynamic list. You cannot specify the order of temporary access list entries.
  • Temporary access list entries are never written to NVRAM.
  • To manually clear or to display dynamic access lists, refer to the section " Maintaining Lock-and-Key" later in this chapter.

Lock-and-Key Authentication
There are three possible methods to configure an authentication query process. These three methods are described in this section.

Method 1—Configuring a Security Server
Use a network access security server such as TACACS+ server. This method requires additional configuration steps on the TACACS+ server but allows for stricter authentication queries and more sophisticated tracking capabilities.
Router(config-line)# login tacacs

Method 2—Configuring the username Command
Use the username command. This method is more effective because authentication is determined on a user basis.
Router(config)# username name {nopassword password {mutual-password encryption-type
encryption-password}}

Method 3—Configuring the password and login Commands
Use the password and login commands. This method is less effective because the password is configured for the port, not for the user. Therefore, any user who knows the password can authenticate successfully.
Router(config-line)# password password
Router(config-line)# login local

The autocommand Command
Use the following guidelines for configuring the autocommand command:

  • If you use a TACACS+ server to authenticate the user, you should configure the autocommand command on the TACACS+ server as a per-user autocommand. If you use local authentication, use the autocommand command on the line.
  • Configure all virtual terminal (VTY) ports with the same autocommand command. Omitting an autocommand command on a VTY port allows a random host to gain EXEC mode access to the router and does not create a temporary access list entry in the dynamic access list.
  • If you did not previously define an idle timeout with the autocommand access-enable command, you must define an absolute timeout now with the access-list command. You must define either an idle timeout or an absolute timeout—otherwise, the temporary access list entry will remain configured indefinitely on the interface (even after the user has terminated their session) until the entry is removed manually by an administrator. (You could configure both idle and absolute timeouts if you wish.)
  • If you configure both idle and absolute timeouts, the absolute timeout value must be greater than the idle timeout value.

Verifying Lock-and-Key Configuration
You can verify that lock-and-key is successfully configured on the router by asking a user to test the connection. The user should be at a host that is permitted in the dynamic access list, and the user should have AAA authentication and authorization configured.
To test the connection, the user should Telnet to the router, allow the Telnet session to close, and then attempt to access a host on the other side of the router. This host must be one that is permitted by the dynamic access list. The user should access the host with an application that uses the IP protocol.
The following sample display illustrates what end-users might see if they are successfully authenticated. Notice that the Telnet connection is closed immediately after the password is entered and authenticated. The temporary access list entry is then created, and the host that initiated the Telnet session now has access inside the firewall.
Router% telnet corporate

Trying 172.21.52.1 ...

Connected to corporate.example.com.

Escape character is `^]'.

User Access Verification

Password:Connection closed by foreign host.

You can then use the show access-lists command at the router to view the dynamic access lists, which should include an additional entry permitting the user access through the router.

Lock-and-Key with Local Authentication Example
This example shows how to configure lock-and-key access, with authentication occurring locally at the router. Lock-and-key is configured on the Ethernet 0 interface.
interface ethernet0

ip address 172.18.23.9 255.255.255.0

ip access-group 101 in

access-list 101 permit tcp any host 172.18.21.2 eq telnet

access-list 101 dynamic mytestlist timeout 120 permit ip any any

line vty 0

login local

autocommand access-enable timeout 5

The first access-list entry allows only Telnet into the router. The second access-list entry is always ignored until lock-and-key is triggered.
In the access-list command, the timeout is the absolute timeout. In this example, the lifetime of the mytestlist ACL is 120 minutes; that is, when a user logs in and enable the access-enable command, a dynamic ACL is created for 120 minutes (the maximum absolute time). The session is closed after 120 minutes, whether or not anyone is using it.
In the autocommand command, the timeout is the idle timeout. In this example, each time the user logs in or authenticates there is a 5-minute session. If there is no activity, the session closes in 5 minutes and the user has to reauthenticate. If the user uses the connection, the absolute time takes affect and the session closes in 120 minutes.
After a user opens a Telnet session into the router, the router will attempt to authenticate the user. If authentication is successful, the autocommand executes and the Telnet session terminates. The autocommand creates a temporary inbound access list entry at the Ethernet 0 interface, based on the second access-list entry (mytestlist). This temporary entry will expire after 5 minutes, as specified by the timeout.

Lock-and-Key with TACACS+ Authentication Example
The following example shows how to configure lock-and-key access, with authentication on a TACACS+ server. Lock-and-key access is configured on the BRI0 interface. Four VTY ports are defined with the password "cisco".
aaa authentication login default group tacacs+ enable

aaa accounting exec stop-only group tacacs+

aaa accounting network stop-only group tacacs+

enable password ciscotac

!

isdn switch-type basic-dms100

!

interface ethernet0

ip address 172.18.23.9 255.255.255.0

!

interface BRI0

ip address 172.18.21.1 255.255.255.0

encapsulation ppp

dialer idle-timeout 3600

dialer wait-for-carrier-time 100

dialer map ip 172.18.21.2 name diana

dialer-group 1

isdn spid1 2036333715291

isdn spid2 2036339371566

ppp authentication chap

ip access-group 102 in

!

access-list 102 permit tcp any host 172.18.21.2 eq telnet

access-list 102 dynamic testlist timeout 5 permit ip any any

!

!

ip route 172.18.250.0 255.255.255.0 172.18.21.2

priority-list 1 interface BRI0 high

tacacs-server host 172.18.23.21

tacacs-server host 172.18.23.14

tacacs-server key test1

tftp-server rom alias all

!

dialer-list 1 protocol ip permit

!

line con 0

password cisco

line aux 0

line VTY 0 4

autocommand access-enable timeout 5

password cisco

!

Comments

Post a Comment

Popular posts from this blog

TCP/IP 明確擁塞通知 (ECN)

Image
當路由器擁塞的程度已經達到填滿傳入封包緩衝區而開始捨棄封包時,會影響網路而縮減頻寬,對資料損失敏感或具時效性的傳輸量流動會進而受到衝擊,而且可能在擁塞之後產生連結閒置時間。TCP/IP 明確擁塞通知 (ECN) 讓路由器能夠通知「傳輸控制通訊協定」(TCP) 對等體,由於網路擁塞,緩衝區已滿。TCP 對等體會以減緩資料傳輸來回應,協助防止封包損失。 明確擁塞通知(Explicit Congestion Notification) TCP/IP 的 ECN 支援同時使用 IP 及 TCP 標頭中的未使用位元。 • 在 (IP) 網際網路層上,轉送封包時,傳送主機必須能夠表示有能力執行 ECN,而路由器則必須能夠指出所遇到的擁塞狀況。 • 在 (TCP) 傳輸層,TCP 對等體必須彼此表明有能力執行 ECN。接收端對等體必須能夠通知傳送端對等體,已經從遇到擁塞狀況的路由器接到封包;傳送端對等體必須能夠通知接收端對等體,已經從接收端對等體接到擁塞指標,並且已經降低傳輸速率。 IP 中的 ECN 支援 IP 標頭中的 8 位元 [Type of Service (TOS)] 欄位最先定義於 RFC 791 中,指出封包由路由器進行非預設傳送的傳送優先順序、延遲、輸送量、可靠性,以及成本等特性。TOS 欄位在 RFC 2474 中重新定義,以包含 6 位元區別服務代碼點 (Differentiated Services Code Point, DSCP) 及兩個未使用的位元。DSCP 值表示的傳送優先順序會對應於先前在內部網路的路由器中設定的佇列。IP 中的 ECN 支援使用 RFC 2474 所定義 TOS 欄位的兩個未使用位元。[圖 1] 顯示 ECN 中 TOS 欄位的新定義。 圖 1:ECN 中 TOS 欄位的新定義 RFC 2474 所定義 TOS 欄位中的兩個未使用位元在 RFC 3168 中定義為 ECN 欄位,欄位的值如下: • 00 傳送主機不支援 ECN。 • 01 或 10 傳送主機支援 ECN。 • 11 路由器已遇到擁塞狀況。 具備 ECN 功能的主機傳送其封包時,會將 ECN 欄位設定為 01 或 10。對於具備 ECN 功能的主機所傳送的封包,如果路徑中的路由器具備 ECN 功能,但是正遇到擁塞狀況,則 ECN 欄位會設定為 11。一旦 ECN
Read More »

L2TPv3 Enables Layer 2 Services for IP Networks

Image
White Paper -------------------------------------------------------------------------------- Layer 2 Tunneling Protocol Version 3 Enables Layer 2 Services for IP Networks The competitive environment for service providers has changed considerably since the Internet became a global force in the 1990s. Enterprises are no longer signing up for new IP-based services for the novelty or out of fear of being left behind by the competition. The challenge for service providers today is to grow their businesses by expanding their customer base and service revenue in a more cautious spending environment. Most enterprises are taking a more conservative approach to network investments. New IP-based services give enterprises an opportunity to improve their productivity and competitiveness while lowering their existing network expenses. Service providers that offer these services and savings can grow their customer base and service revenue. This white paper focuses on one such opportunity—offering tra
Read More »

Q-in-Q(Dot1Q Tunnel) Sample Configuration

透過IEEE 802.1q in IEEE 802.1q(Q-in-Q)的方式,我們可以讓VLAN的數量增加超過4096(4096*4096),也可以讓客戶自行設定Trunk穿過Service Provider所提供的Ethernet Solution(如:FTTx)。 假設現在的網路架構為: SW1 F0/1 <- SP VLAN 10 -> SW2 F0/1 兩端的設備都是連接到VLAN 10,因此在兩端的Switch啟用Dot1q Tunnel建立Trunk SW1(config)#vlan dot1q tag native !預設,Native VLAN不會加上tag,如果在Q-in-Q中要針對native vlan加tag,必須使用上述指令 SW1(config)#int f0/1 SW1(config-if)#switchport mode dot1q-tunnel SW1(config-if)#switchport access vlan 10 SW1(config)#system mtu 1508 !一般Switch預設system mtu 1500,為了支援多層tag,必須加大MTU,設定完成必須reload switch SW2(config)#vlan dot1q tag native !預設,Native VLAN不會加上tag,如果在Q-in-Q中要針對native vlan加tag,必須使用上述指令 SW2(config)#int f0/1 SW2(config-if)#switchport mode dot1q-tunnel SW2(config-if)#switchport access vlan 10 SW2(config)#system mtu 1508 !一般Switch預設system mtu 1500,為了支援多層tag,必須加大MTU,設定完成必須reload switch
Read More »