Restricting Access to Your Router

The ability to remotely administer your router is a very important feature. However, you want to restrict access as much as possible to keep intruders out. Aside from configuring your firewall to deny access to routers, we can configure the router to allow access only in specific ways. Sometimes the people you want to keep off your routers are users on your local network. We'll examine user authentication and passwords to restrict access to the router.

15.3.1. Virtual Terminal Access

The virtual terminal (VTY) configuration on your router defines how incoming connections to your router are handled. For example, we can configure the types of protocols are allowed (telnet versus SSH) to connect to our devices.

15.3.1.1. Protecting VTY with an access list

When you telnet or ssh to your router, you connect to a VTY. This terminal lets you configure your router over the network without a physical connection to the console port. This capability is extremely useful but also dangerous: if you can configure your router over the network, so can anyone else with the appropriate password. One way to make the router more secure is to apply an access list to the VTY ports. This list should allow connections only from certain hosts. The following commands restrict telnet access to the 192.168.1.5 machine (we'll talk about SSH in the next section). We also apply an exec-timeout, which disconnects idle connections:

 ! Define the access list
 access-list 5 permit 192.168.1.5 0.0.0.0
 access-list 5 deny any log
 !
 line vty 0 4
 ! Only allow telnet
 tranport input telnet
 ! Apply our access list for incoming connections
 access-class 5 in
 ! Finally, apply an exec-timeout, which will disconnect an idle connection
 ! The timeout is 10 minutes and 0 seconds
 exec-timeout 10 0

Here's a cool tip. The line in bold logs all failed authorization attempts to your router. The log will contain the user's IP address, which is pretty useful if you want to track down who's trying to access your router without permission.

 

15.3.1.2. Allowing SSH connections to the router

In the previous example, we used the command transport input telnet, which allowed only telnet access to our router. Once this was quite acceptable, but times have changed and telnet's security limitations are now well known. SSH is now the standard method for connecting to remote devices.

15.3.1.3. Enabling SSH

To enable SSH on our router (in this case, running IOS 12.2), we need to enable SSH, configure RSA keys, set a hostname, and set the IP domain name. After SSH is enabled, we are going to restrict our VTY access to SSH only.

First we enable SSH and set the hostname and domain name:

 Router(config)#ip ssh
 Router(config)#hostname router1
 router1(config)#ip domain-name xyz.com

Next we create the RSA keys:

 router1(config)#crypto key generate rsa
 The name for the keys will be: router1.xyz.com
 Choose the size of the key modulus in the range of 360 to 2048 for your
 General Purpose Keys. Choosing a key modulus greater than 512 may take
 a few minutes.
 How many bits in the modulus [512]:
 Generating RSA keys ...
 [OK]

 router1(config)#end
 router1#
 00:18:57: %SSH-5-ENABLED: SSH 1.5 has been enabled
 00:18:59: %SYS-5-CONFIG_I: Configured from console by console

We can verify our SSH configuration with the show ip ssh command.

 router1#show ip ssh
 SSH Enabled - version 1.5
 Authentication timeout: 120 secs; Authentication retries: 3

All that's left is to restrict our VTY access to SSH:

 line vty 0 4
 login
 password somepassword
 transport input ssh

 

15.3.2. Users and Authentication

Usernames are optional: many routers by default have no usernames and only a single password, which is given to everyone who needs access to the router. However, doing without usernames has obvious problems: you can never tell who is logged in, who just rebooted the router, or who is responsible for the configuration changes that broke your Internet connection. Usernames and passwords make it possible to trace who has done what; they add a sense of accountability and allow more fine-grained control over what individuals are allowed to do.

There are several methods for adding users ; the more advanced methods allow accounting (tracking what a particular user actually did) as well as authorization (merely verifying that a user has permission to do something). First, let's look at the easiest way to add users to a router's configuration.

15.3.2.1. Adding users with the user command

Throughout this book, we have added username and password pairs to the router configuration itself. For example, we can add the users Patty and Pete to the router's configuration with the username command:

 ! First, enable password encryption to "hide" the
 ! clear-text passwords in the configuration
 service password-encryption
 ! Now define the passwords
 username patty password patty1
 username pete password pete2

Patty's password is now patty1, and Pete's password is pete2.[*]

[*] These passwords are clearly weak and are used here only for clarity of the illustration. You would use a stronger password to protect your routers and educate users to do likewise.

When we display the router's configuration, we see the passwords in their encrypted form:

 username pete password 7 0831495A0C4B

To tell the VTY to use the usernames that you have listed with the username command, we need to use the login local command. This command is considered the old way of enabling local authentication . The new way is with the AAA commands, which we cover in the next section.

 ! this is the old way of enabling local authentication.
 line vty 0 4
 login local
 ! restrict inbound connections to ssh only
 transport input ssh

For reference, the AAA equivalent command for the above example is:

 aaa new-model
 aaa authentication login default local

Now that the passwords are in the configuration, Patty and Pete can log in when they connect to the router. That was certainly simple. But this method doesn't scaleit's not manageable if you need to work with more than a few users and one or two routers. What if you're managing a worldwide corporate network with hundreds of routers and dozens of administrators? What if you're managing an ISP with thousands of dial-up users? In either case, you have a long list of usernames and passwords that needs to be maintained on several different machines. How do you keep the lists in sync? How would you even keep them up to date?

There is a better way. Make a central authentication repository using an authentication protocol, and configure the router to use the authentication server. There are several different protocols that you can use, but the most popular are TACACS+ and Radius, both of which use the AAA framework.

15.3.2.2. Using the AAA framework

The authentication, authorization, and accounting model (AAA) is a framework for providing authentication and accounting services across a network. It requires the support of another protocoltypically, Radius or TACACS+. Radius is an open standard that is supported by a wide range of devices and vendors. Both Radius and TACACS+ encrypt sensitive data.

Radius and TACACS+ are both supported by the CiscoSecure product. If you wish to use that product for your AAA configurations, you can find out more information on Cisco's website. Or you can use a Radius server, which you should be able to find in both free and commercial versions. For example, for a Linux box, you could look at http://www.freeradius.org (other free Radius servers are also available). Windows 2000 and Windows Server 2003 include a Radius server. For other platforms, a quick Google search will lead you to several Radius servers.

The rest of this section deals with the configuration on the router side using AAA to communicate with a Radius or TACACS+ server.

15.3.2.3. User management with AAA

The first step is to enable AAA on the router with the command aaa new-model:

 ! This is required to use the AAA method
 aaa new-model

 ! Configure the Radius server
 radius-server host 10.10.1.2
 radius-server key somepassword

Next we set up the list of authentication services we want to use with the command aaa authentication. In this example, we are setting the name of the list to the default, which tells the router to use this list for all lines and interfaces. If we assign a name other than the default, we must explicitly reference that name in the line configuration (we will do this in an upcoming example). In this list, we tell the router to attempt to authenticate with the Radius server. If it can't connect, it should use the enable password as a backup:

 aaa authentication login default radius enable

The next step defines the authorization for the user, specifying what the person is allowed to do on the system. In this case, we are going to grant the user access to the router's command line with the command exec:

 aaa authorization exec default group radius none

The final piece is the accounting, which can log user activity to the Radius server. In this example, we are going to log the starting and stopping of any commands performed by the user. The value 15 is the privilege level of the commands to log.

 aaa accounting commands 15 default start-stop group radius

 

15.3.2.4. Restricting dial-in user access with AAA

While we are reviewing AAA access to our devices, we should consider using it for our dial-in configurations as well. In this sample configuration, we show a group of eight lines configured for dial-in access. The AAA configuration items are highlighted in bold. The rest of the configuration is here for completeness. Refer to Chapter 17 for more information on those commands.

 ! Configure AAA
 aaa new-model
 aaa authentication login default radius local
 aaa authentication ppp default if-needed radius
 aaa authorization network radius
 !
 ! Define our pool of addresses for dialup users
 ip local pool pool1 10.10.1.100 10.10.1.108
 !
 !
 interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode interactive
 peer default ip address pool pool1
 ! Take our security advice on disabling CDP on interfaces
 ! that don't need it
 no cdp enable
 ppp authentication chap
 group-range 1 8
 !
 !
 ! Configure the lines connected to the modes
 line 1 8
 autoselect ppp
 autoselect during-login
 modem dialin
 transport input all
 stopbits 1
 rxspeed 115200
 txspeed 115200
 flowcontrol hardware