Configuring Cisco Lock-and-Key
Introduction

Companies trying to maintain security these days generally disallow remote access across the Internet, because of the possibility of snoopers watching for passwords or other valuable information. Some companies require that all remote access be via direct dialup, with PPP and CHAP, and possibly call-back, providing security. That's fine for local access, but for travelling or remote employees the long-distance bill adds up quickly. Telecommuting and remote access by mobile, outbound staff is on the rise, and serious numbers of remote users spread over multiple access servers can burden the network staff. Meanwhile, as Internet Service Provider networks grow, local access points make Internet access financially attractive. Not only does using an ISP save the cost of phone calls, but it allows an organization to outsource the management of the network access servers and modems to the service provider. Your organization needs a solution to secure these users coming in via the Internet. Cisco provides a facility called lock-and-key that can help.

Lock-and-key is a traffic filtering security feature that dynamically filters IP protocol traffic. You configure lock-and-key using IP dynamic extended access lists. Static access lists cannot create lock-and-key access list entries, but you can use lock-and-key alongside standard access lists and static extended access lists. When triggered, lock-and-key reconfigures the interface's existing IP access list to permit designated users to reach their designated host. Afterwards, lock-and-key reconfigures the interface back to its original state. When you configure lock-and-key, designated users whose IP traffic the router normally blocks can gain temporary access through the router. For a user to gain access to a host through a router with lock-and-key configured, the user must first Telnet to the router.
When a user initiates a standard Telnet session to the router, lock-and-key automatically attempts to authenticate the user. If the router authenticates the user, the user gains temporary access through the router and can reach the destination host. Once you add an entry to a traditional access list, it remains there until you remove it manually. With lock-and-key you create a temporary opening in an access list in response to a user authentication procedure. The idea is to give temporary access, after proper authentication, to pre-authorized users whose traffic the router would normally block. Lock-and-key reconfigures the interface's existing IP access list to permit these designated users to reach their destination. When the connection is terminated, the router configures the interface back to its original state.

Benefits of Lock-and-Key

Lock-and-key provides the same benefits as standard and static extended access lists. Yet, dynamic packet filtering offers a major improvement over static packet filtering. Lock-and-key also has the following security benefits over standard and static extended access lists:
______________________________________________________________________________
Caution. Lock-and-key access allows an external event, such as a Telnet session, to place an opening in the firewall by temporarily reconfiguring an interface to allow user access. Lock-and-key doesn't prevent someone from discovering the source IP, but it does reduce the window of opportunity to exploit the open port. While this opening exists, another host might spoof the authenticated user's address to gain access behind the firewall, so the router is susceptible to source address spoofing. Lock-and-key does not cause the address-spoofing problem; rather, this is an inherent problem of the TCP/IP protocols. Spoofing is a problem built into all access lists, and lock-and-key does not specifically address it. To prevent spoofing, you could configure network data encryption: configure a secured remote router to encrypt traffic from the remote host, and have the router interface providing lock-and-key decrypt it locally. You want to ensure that the router encrypts all traffic using lock-and-key when it enters the router; this way an attacker cannot usefully spoof the source address, because they can neither duplicate the encryption nor complete the authentication required as part of the encryption setup process.
______________________________________________________________________________

With lock-and-key, you can specify the users permitted access to various source and destination hosts. These users must pass a user authentication process before they are permitted access to their designated hosts. Lock-and-key creates dynamic user access through a firewall, without compromising other configured security restrictions. Your organization will benefit from the use of lock-and-key access in the following scenarios:
Activating Lock-And-Key

The following process describes the lock-and-key access operation:
______________________________________________________________________________
Note. The router does not automatically delete the temporary access list entry when the user terminates a session. The temporary access list entry remains until the router reaches a configured timeout or until the system administrator clears it.
______________________________________________________________________________

Configuring Lock-and-Key

The most significant (dare I say "key"?) component of lock-and-key is dynamic access lists. These are access lists that are temporary: active only after user authentication, and eventually inactive again, either after an idle period or when you wish to force the user to re-authenticate. This section deals with the steps to take when configuring lock-and-key security. While completing these steps, be sure to follow the guidelines listed in the section "Lock-and-Key Configuration Tips." There are several steps to setting up lock-and-key access, so here's a checklist.
Apply the access list to the interface (an interface configuration command):

    hobbit(config-if)#ip access-group access-list-number

Configure authentication on the VTY lines, using one of the following:

    hobbit(config)#line vty 0 4
    hobbit(config-line)#login tacacs

or perhaps:

    hobbit(config)#line vty 0 4
    hobbit(config-line)#login local
    hobbit(config)#username ptdavis password secret

or even:

    hobbit(config)#line vty 0 4
    hobbit(config-line)#login
    hobbit(config-line)#password cisco
Enable the creation of temporary entries on the VTY lines:

    hobbit(config-line)#autocommand access-enable [host] [timeout minutes]

The timeout option here is an idle timeout, defaulting to no timeout. This command is applied to the VTY ports.

So, let's start with configuring an access list. To configure lock-and-key, perform the following task in global configuration mode:

    hobbit(config)#access-list access-list-number dynamic dynamic-name [timeout minutes] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log] [log-input]

You use access list numbers ranging from 100 to 199. Pick any name as long as it starts with an alphabetic character. The timeout keyword is optional, but it allows you to specify an absolute timeout for dynamic entries; you can select any value from 1 to 9999. Should you not specify an absolute timeout, by default the entry never times out; in other words, it is available for an infinite time period. You can replace the protocol keyword with ip, tcp or udp. You can specify a real host or the keyword any for the source and destination address. Usually, you will specify the any keyword for the source, since the router replaces the source IP address with that of the authenticating host. The router uses precedence to filter on the precedence level name or number. tos defines filtering by type of service, specified by a name or a number from 0 to 15. Use the other keywords in the same manner as you have before. For example, suppose you want to create a dynamic access list named open_sesame with an absolute timeout of 5 minutes:

    hobbit(config)#access-list 101 dynamic open_sesame timeout 5 permit ip any any log

At activation time, when the user Telnets into the NAS or router from, say, 172.16.1.1, this effectively creates the following rule:
    access-list 101 permit ip host 172.16.1.1 any log

In general, the router substitutes the IP address of the Telnet source for the source address or the destination address in the dynamic statements, depending on whether the access list is inbound or outbound. For inbound access lists, the Telnet source becomes the source in the access list statement. For outbound access lists, the Telnet source becomes the destination of the dynamic access list. Therefore, the intent is for the router to apply the dynamic access list to the interface connecting to the Internet, towards the authenticating user. The access list may also have non-dynamic statements in it, which act as they normally would. Generally, you need to allow Telnet into the router, so that the user may authenticate. You generally would stop other access, so you need lock-and-key access to pass other types of traffic through the gateway router. Configure a dynamic access list, which serves as a template and placeholder for temporary access list entries.

The following command selects an interface:

    hobbit(config)#interface type number

In interface configuration mode, apply the access list to the interface:

    hobbit(config-if)#ip access-group access-list-number {in | out}

In global configuration mode, define one or more virtual terminal (VTY) ports. If you specify multiple VTY ports, you must configure them all identically, because the software hunts for available VTY ports on a round-robin basis. Should you not want to configure all your VTY ports for lock-and-key access, you can specify a group of VTY ports for just lock-and-key support:

    hobbit(config)#line vty line-number [ending-line-number]

Use one of the following to configure user authentication:

    hobbit(config-line)#login tacacs

or

    hobbit(config)#username name password secret
    hobbit(config-line)#login local

or

    hobbit(config-line)#password password

Next create the temporary access list entries.
    hobbit(config-line)#autocommand access-enable host [timeout minutes]

This command enables the creation of temporary access list entries. If you do not specify the host keyword, the router will allow all hosts on the entire network to set up a temporary access list entry (which would rather defeat the purpose of your dynamic access list); in that case the dynamic access list contains the network mask used to enable the new network connection. If you don't specify a timeout, the router will not remove the entry until you reboot the router. If you use both the absolute and idle timers, make sure you make the idle timer less than the absolute timer. Following is an example where three VTY ports are configured:

    hobbit(config)#line vty 0 2
    hobbit(config-line)#login local
    hobbit(config-line)#autocommand access-enable host timeout 10

One other thing you should consider for the additional VTY lines. Should you take no additional steps, the router will treat every Telnet session as an attempt to open a dynamic entry. Since the router closes the Telnet session after authenticating the user, you couldn't open a Telnet session to the router to do routine maintenance. You must specify another command in your router: enter the rotary 1 command after the other commands. This command enables normal Telnet access to the router on port 3001. So, the commands to use are:

    hobbit(config)#line vty 3 4
    hobbit(config-line)#login local
    hobbit(config-line)#rotary 1

______________________________________________________________________________
Tip. Remember to write an access list that allows the administrator's workstation access to port 3001 on the router. More importantly, block access from all other locations.
______________________________________________________________________________

Make sure you do this correctly, otherwise you may disable all Telnet to the router. If your router is remote and you don't have remote access via the auxiliary port, you may find yourself on a plane going to visit your router!
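As an added example (not from the article or from Cisco's documentation), here is the whole procedure assembled into one configuration for the router hobbit, including the access list entry for port 3001 that the tip above asks for but does not show. The interface name Serial0, the addresses 192.0.2.1 and 192.0.2.50, the username and the password placeholder are assumptions.

```cisco
! Added example, not the article's own configuration. Addresses are
! constructed from documentation space: 192.0.2.1 is the Internet-facing
! interface of hobbit, 192.0.2.50 is the administrator's workstation.
! Replace CHANGE-ME with a real password before use.
hostname hobbit
!
username ptdavis password CHANGE-ME
!
interface Serial0
 description Link to the ISP; lock-and-key list applied inbound here
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
!
! 1. Only the administrator's workstation may reach the rotary port 3001
!    used for routine management; every other source is blocked from it.
access-list 101 permit tcp host 192.0.2.50 host 192.0.2.1 eq 3001
! 2. Anyone may reach the standard Telnet port, but only to authenticate;
!    the session is closed again by the autocommand below.
access-list 101 permit tcp any host 192.0.2.1 eq telnet
! 3. Template entry: inactive until a user authenticates, after which the
!    router substitutes the Telnet source for "any" in the source field
!    (inbound list). Absolute timeout of 5 minutes, matches are logged.
access-list 101 dynamic open_sesame timeout 5 permit ip any any log
! Everything else is dropped by the implicit deny at the end of the list.
!
! VTY 0-2: lock-and-key lines. "host" limits the opening to the
! authenticating host; the idle timeout (3) is deliberately shorter than
! the absolute timeout (5) on the dynamic entry.
line vty 0 2
 login local
 autocommand access-enable host timeout 3
!
! VTY 3-4: normal management access, reached on TCP port 3001 (3000 + 1).
line vty 3 4
 login local
 rotary 1
```

Verify with show access-lists after a test user has authenticated: the dynamic entry should appear beneath the open_sesame template with that user's address as the source, and it should disappear after the timeouts elapse.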
When the administrator starts the session, she will need to specify the port, for example, telnet 172.16.0.1 3001.

______________________________________________________________________________
Caution. Even though you could use the local database for Telnet, it is not recommended, as the Telnet protocol sends the userid and the associated password across the network in cleartext. Also, even though you can use a line password, this likewise is not recommended. Even if you could pick a password that is sufficiently robust, you will lose individual accountability: anyone with knowledge of the password can log in.
______________________________________________________________________________

Lock-and-Key Configuration Tips

You should understand the tips in this section before you attempt to configure lock-and-key.

Tips for Configuring Dynamic Access Lists

Here are a few tips from Cisco when configuring dynamic access lists:
Tips for Configuring Lock-and-Key Authentication

These tips correspond to lock-and-key authentication. There are three possible methods, described in this section, to configure an authentication query process.

______________________________________________________________________________
Note. Cisco recommends that you use the TACACS+ server for authentication. TACACS+ provides authentication, authorization, and accounting services. It also provides protocol support, protocol specification, and a centralized security database.
______________________________________________________________________________

Method 1: Configuring a Security Server

Use a network access security server such as a TACACS+ server. This method requires additional configuration steps on the TACACS+ server but allows for stricter authentication queries and more sophisticated tracking capabilities.

    hobbit(config-line)#login tacacs

The following example shows how to configure lock-and-key access, with authentication on a TACACS+ server. Lock-and-key access is configured on the BRI0 interface. Four VTY ports are defined with the password "quebec."

    aaa authentication login default tacacs+ enable
    aaa accounting exec stop-only tacacs+
    aaa accounting network stop-only tacacs+
    enable password papa
    !
    isdn switch-type basic-dms100
    !
    interface ethernet0
     ip address 172.18.23.9 255.255.255.0
    !
    !
    interface BRI0
     ip address 172.18.21.1 255.255.255.0
     encapsulation ppp
     dialer idle-timeout 3600
     dialer wait-for-carrier-time 100
     dialer map ip 172.18.21.2 name janet
     dialer-group 1
     isdn spid1 2036333715291
     isdn spid2 2036339371566
     ppp authentication chap
     ip access-group 102 in
    !
    access-list 102 permit tcp any host 172.18.21.2 eq telnet
    access-list 102 dynamic testlist timeout 5 permit ip any any
    !
    !
    ip route 172.18.250.0 255.255.255.0 172.18.21.2
    priority-list 1 interface BRI0 high
    tacacs-server host 172.18.23.21
    tacacs-server host 172.18.23.14
    tacacs-server key test1
    tftp-server rom alias all
    !
    dialer-list 1 protocol ip permit
    !
    line con 0
     password quebec
    line aux 0
    line VTY 0 4
     autocommand access-enable timeout 5
     password quebec
    !

Method 2: Configuring the username Command

Use the username command. This method is more effective than line protection because the router determines authentication on a per-user basis.

    hobbit(config)#username name password password
    hobbit(config-line)#login local

In the example that follows, the first access-list entry allows only Telnet into the router. The second access-list entry is always ignored until lock-and-key is triggered. The example shows how to configure lock-and-key access, with authentication occurring locally at the router. Lock-and-key is configured on the Ethernet 0 interface.

    username name password romeo
    interface ethernet0
     ip address 172.18.23.9 255.255.255.0
     ip access-group 101 in
    access-list 101 permit tcp any host 172.18.23.2 eq telnet
    access-list 101 dynamic test timeout 120 permit ip any any
    line vty 0
     login local
     autocommand access-enable timeout 5

After a user Telnets into the router, the router will attempt to authenticate the user. When authentication is successful, the autocommand executes and the Telnet session terminates. The autocommand creates a temporary inbound access list entry at the Ethernet 0 interface, based on the second access-list entry (that is, test). This temporary entry will expire after 5 minutes, as specified by the timeout.

Method 3: Configuring the password and login Commands

Use the password and login commands. This method is less effective because you configure the password for the port, not for the user. Therefore, any user who knows the password can authenticate successfully.

    hobbit(config-line)#password password
    hobbit(config-line)#login

Using only a password is not the best way to go and, as such, you will not find an example in this article.

Tips for Configuring the autocommand Command

These tips deal with configuring the autocommand command:
Verifying and Maintaining Lock-and-Key Configuration

You can verify that you successfully configured lock-and-key on the router by asking a user to test the connection. The user should log in from a host that you permitted in the dynamic access list, and the user should have AAA authentication and authorization configured for them. To test the connection, the user should Telnet to the router, allow the Telnet session to close, and then attempt to access a host on the other side of the router. This host must be one that you permitted in the dynamic access list. The user should access the host with an application that uses the IP protocol, such as SMTP, HTTP or Telnet.

Maintaining Lock-and-Key

When your organization uses lock-and-key, dynamic access lists will grow and dwindle as entries are added and deleted. You need to ensure that you delete entries in a timely way, because while entries exist, the risk of a spoofing attack is present. Also, the more entries, the greater the hit on router performance. If you haven't configured an idle or absolute timeout, entries will remain in the dynamic access list until you manually remove them. If this is the case, make sure that you are extremely vigilant about removing entries. Develop a routine for removing entries.

Displaying Dynamic Access List Entries

You can display temporary access list entries while they are in use. After you clear a temporary access list entry, or the router clears it because of the absolute or idle timeout parameter, the IOS can no longer display it. The number of matches displayed indicates the number of times the access list entry was hit.
To view dynamic access lists and any temporary access list entries currently established, perform the following task in privileged EXEC mode:

    hobbit#show access-lists [access-list-name]

Deleting Dynamic Access List Entries

To manually delete a temporary access list entry, perform the following task in privileged EXEC mode:

    hobbit#clear access-template [access-list-number | name] [dynamic-name] [source] [destination]

Conclusion

In this article, you learnt about dynamic access lists. Why use this feature? Suppose you dial into your ISP, you identify yourself, and you try to connect up to your company only to run smack into an access list on a packet-filtering router. Access denied! Drat! This is where Cisco's Lock-And-Key enters the picture. You connect to your ISP, you Telnet to a border router or access server, you authenticate yourself to it, and then it punches a temporary hole in the firewall that lets you in. Using lock-and-key, you allow selected users (and the hosts they're on) through a firewall into a secured internal or external network. While still fraught with risks, this is better than standard and extended access lists, because static access lists:
Remember to authenticate all VTY ports (remote connections) or you've left an open door. Oh, and remember to define either an idle timeout or an absolute timeout value, or your temporary access list entries won't go away.

Abridged version of a document originally published by Auerbach Publications, 2002. This subject is also covered in Securing and Controlling Cisco Routers from Auerbach Publications/CRC Press.