Securing Your OSPF Network

The following process describes the lock-and-key access operation:

1.  A user opens a Telnet session to a border router configured for lock-and-key access.

2.  The Cisco IOS software receives the Telnet packet and performs a user authentication process. The user must pass authentication before access is allowed. The authentication process can be done by the router or a central access server such as a TACACS+ or a Radius server.

---

TIPS:  
It is highly recommended that you use the TACACS+ server for your authentication query process. TACACS+ provides authentication, authorization, and accounting services. It also provides protocol support, protocol specification, and a centralized security database.

---

3.  When the user passes authentication, the software creates a temporary entry in the dynamic access list. The temporary entry inherits the attributes of the main dynamic access list. You can limit the range of networks to which the user is given temporary access.

4.  The user exchanges data through the firewall and then logs out.

5.  The software deletes the temporary access list entry when a configured timeout is reached or when the system administrator manually clears it. The timeout can either be an idle timeout or an absolute timeout.

---

TIPS:  
When the user terminates a session, the temporary access list entry remains until a configured timeout is reached or until it is cleared by the system administrator.

---

To configure lock-and-key access, perform the following steps beginning in global configuration mode:

1.  Configure a dynamic access list, which serves as a template and placeholder for temporary access list entries. You configure the dynamic access list with the following command:

    access-list access-list-number [dynamic dynamic-name    [timeout minutes]] {deny | permit} protocol source    source-wildcard destination destination-wildcard    [precedence precedence] [tos tos] [established] [log] 

2.  Configure an interface. To do so, use the following command:

    interface type number 

3.  In interface configuration mode, apply the access list to the interface with the following command:

    ip access-group access-list-number 

4.  In global configuration mode, define one or more virtual terminal (VTY) ports. If you specify multiple VTY ports, they must all be configured identically because the software hunts for available VTY ports on a round-robin basis. If you do not want to configure all your VTY ports for lock-and-key access, you can specify only a particular group of VTY ports for lock-and-key support. You define virtual terminal (VTY) port(s) with the following command:

    line VTY line-number [ending-line-number] 

5.  Configure user authentication. Additional information on how you might design this type of authentication is discussed in the section that follows. To configure user authentication, use one of the following commands:

    login tacacs username name password secret    password password login local 

6.  Enable the creation of temporary access list entries. If the host argument is not specified, all hosts on the entire network are allowed to set up a temporary access list entry. The dynamic access list contains the network mask to enable the new network connection. To enable the creation of temporary access list entries, use the following command:

    autocommand access-enable [host] [timeout minutes] 

Configuring User Authentication

There are three possible methods for configuring an authentication query process (see Step 5 in the previous task list):

•  Use a network access server such as a TACACS+ server. This method requires additional configuration steps on the TACACS+ server but allows for stricter authentication queries and more sophisticated tracking capabilities.

    OSPF_Router(config)# login tacacs. 

•  Use the username command. This method is more effective because authentication is determined on a user basis. The syntax for this command is: OSPF_Router# username name password password.

•  Use the password and login commands. This method is less effective because the password is configured for the port, not for the user. Therefore, any user who knows the password can authenticate successfully. The syntax for these commands is as follows:

    OSPF_Router# password password    OSPF_Router# login local 

Dynamic Access List Golden Rules

Follow these guidelines when you configure dynamic access lists:

•  Assign attributes to the dynamic access list in the same way you assign attributes for a static access list. The temporary access list entries inherit the attributes assigned to this list.

•  Configure Telnet only, so that the user must use the authentication query process. Telnet access must be allowed to enable user authentication.

•  Define either an idle timeout (with the access-enable command in the autocommand command) or an absolute timeout value (with the timeout keyword in the access-list command). Otherwise the temporary access list entry will remain even after the user has terminated his session.

•  Configure the idle timeout value to be less than the absolute timeout value.

•  Configure the idle timeout to be equal to the WAN idle timeout.

•  Do NOT create more than one dynamic access list for any one access list. The software refers to only the first dynamic access list defined.

•  Do NOT assign the same dynamic name on another access list. Doing so instructs the software to reuse the existing list. All named entries must be globally unique within the configuration.

•  If the router executes the autocommand command, configure all virtual terminal (VTY) ports with the same autocommand command. Omitting an autocommand command on a VTY port allows a random host to gain EXEC mode access to the router and does not create a temporary access list entry in the dynamic access list.