Configuring Cisco Lock-and-Key

Introduction

Companies trying to maintain security these days generally disallow remote access across the Internet, because of the possibility of snoopers watching for passwords or other valuable information. Some companies require that all remote access be via direct dial-up, with PPP and CHAP, and possibly call-back, providing the security.

That's fine for local access, but for travelling or remote employees, the long-distance bill adds up quickly. Telecommuting and remote access by mobile, outbound staff is on the rise. Serious numbers of remote users using multiple access servers can burden the network staff.

Meanwhile, as Internet Service Provider networks grow, local access points make Internet access financially attractive. Not only does using an ISP save the cost of phone calls, but it allows an organization to outsource the task of managing the network access servers and modems to the service provider.

Your organization needs a solution to secure these users coming in via the Internet. Cisco provides a facility called lock-and-key that can help. Lock-and-key is a traffic filtering security feature that dynamically filters IP protocol traffic. You configure lock-and-key using IP dynamic extended access lists. Static access lists cannot create lock-and-key access list entries, but you can use lock-and-key together with other standard access lists and static extended access lists. When triggered, lock-and-key reconfigures the interface's existing IP access list to permit designated users to reach their designated host. Afterwards, lock-and-key reconfigures the interface back to its original state.

When you configure lock-and-key, designated users whose IP traffic the router normally blocks can gain temporary access through the router. For a user to gain access to a host through a router with lock-and-key configured, the user must first Telnet to the router. When a user initiates a standard Telnet session to the router, lock-and-key automatically attempts to authenticate the user. If the router authenticates the users, they will then gain temporary access through the router and can reach their destination host.

Once you add an entry to a traditional access list, it remains there until you remove it manually. With lock-and-key you can create a temporary opening in an access list in response to a user authentication procedure. The idea is to give temporary access, after proper authentication, to pre-authorized users whose traffic the router would normally block. Lock-and-key reconfigures the interface's existing IP access list to permit these designated users to reach their destination. When the connection is terminated, the router configures the interface back to its original state.

Benefits of Lock-and-Key

Lock-and-key provides the same benefits as standard and static extended access lists. Yet, dynamic packet filtering offers a major improvement over static packet filtering. Lock-and-key also has the following security benefits over standard and static extended access lists:

  • Lock-and-key uses a challenge mechanism to authenticate individual users.

  • Lock-and-key provides simpler management in large internetworks. Before, when a user needed access to internal resources, you would have to punch a hole through the firewall. If you have lots of users, you may have to do this on a regular basis, and then you have punched lots of holes in your firewall!

  • In many cases, lock-and-key reduces the amount of router processing required for access lists. Dynamic packet filters use state tables that allow the router to make decisions based not only on the present packet but also on previous traffic. However, a dynamic packet filter is more resource intensive since it has to create and maintain a state table in memory.

  • Lock-and-key reduces the opportunity for network break-ins by network hackers. A dynamic packet filter creates a state table, which contains information about all established connections. A FIN=1 ACK=1 scan packet will not get through, because the filter will receive the packet and not see an entry for that communication session. Because there is no communication session, there is no reason an outside host should try to tear down a session, so the filter will drop the packet.

______________________________________________________________________________

Caution. Lock-and-key access allows an external event, such as a Telnet session, to place an opening in the firewall by temporarily reconfiguring an interface to allow user access. Lock-and-key doesn't prevent someone from discovering the source IP, but it does reduce the window of opportunity to exploit the open port. While this opening exists, another host might spoof the authenticated user's address to gain access behind the firewall, so the router is susceptible to source address spoofing. Lock-and-key does not cause the address-spoofing problem; rather this is an inherent problem of the TCP/IP protocols. Spoofing is a problem built-in to all access lists, and lock-and-key does not specifically address this problem.

To prevent spoofing, you could configure network data encryption. Configure encryption so a secured remote router encrypts traffic from the remote host and that the router's interface providing lock-and-key decrypts it locally. You want to ensure that the router encrypts all traffic using lock-and-key when entering the router; this way no hackers can spoof the source address, because they cannot duplicate the encryption or authenticate as required as part of the encryption setup process.

______________________________________________________________________________

With lock-and-key, you can specify users permitted access to various source and destination hosts. These users must pass a user authentication process before they are permitted access to their designated hosts. Lock-and-key creates dynamic user access through a firewall, without compromising other configured security restrictions.

Your organization will benefit from the use of lock-and-key access in the following scenarios:

  • When you want a specific remote user (or group of remote users) to access a host within your network, connecting from a remote host via the Internet. Lock-and-key authenticates the user, and then permits limited access through your firewall router for the individual's host or subnet, for a period of time.

  • When you want a subset of hosts on a local network to access a host on a remote network protected by a firewall. With lock-and-key, you can allow access to the remote host only for the desired set of local users' hosts. Lock-and-key requires the users to authenticate through a TACACS+ server, or other security server, before allowing their hosts to access the remote hosts.

Activating Lock-And-Key

The following process describes the lock-and-key access operation:

  1. A user opens a Telnet session to an access server, a border router or firewall router configured for lock-and-key. The user connects via the virtual terminal port on the router.

  2. The Cisco IOS software receives the Telnet packet, opens a Telnet session, prompts for a password, and performs user authentication. The user must pass authentication before the router allows access. The router or a central access security server, such as a TACACS+ or RADIUS server, can perform the authentication.

  3. User authentication takes place. When the user passes authentication, the IOS software creates a temporary entry in the dynamic access list. The router terminates the user Telnet session at this time.

  4. The user exchanges data through the firewall.

  5. The software deletes the temporary access list entry when it reaches a configured timeout (idle or absolute), or when the security or network administrator manually clears it. The temporary entry can persist well after the user is done. You can configure an idle timeout or an absolute timeout. Should the absolute timeout kick in while the user is still active, the user must re-authenticate via another short-lived Telnet session.

______________________________________________________________________________

Note. The router does not automatically delete the temporary access list entry when the user terminates a session. The temporary access list entry remains until the router reaches a configured timeout or until the system administrator clears it.

______________________________________________________________________________

Configuring Lock-and-Key

The most significant (dare I say "key"?) component of lock-and-key is dynamic access lists. These are access lists that are temporary, active only after user authentication, and which eventually go inactive, either after an idle period or when you wish to force the user to re-authenticate.

This section deals with the steps to take when configuring lock-and-key security. While completing these steps, be sure to follow the guidelines listed in the section, "Lock-and-Key Configuration Tips."

There are several steps to setting up lock-and-key access, so here's a checklist.

  1. [Preparation] Set up and test authentication methodology.

  2. [Preparation] Set up encryption.

  3. Configure a dynamic access list.

  4. Apply it to an interface, in interface configuration mode, using the usual command:

hobbit(config-if)#ip access-group access-list-number {in | out}

  5. In line configuration mode, specify the authentication method for the full range of VTY ports:

hobbit(config)#line vty 0 4

hobbit(config-line)#login tacacs

or perhaps:

hobbit(config)#line vty 0 4

hobbit(config-line)#login local

hobbit(config)#username ptdavis password secret

or even:

hobbit(config)#line vty 0 4

hobbit(config-line)#login

hobbit(config-line)#password cisco

  6. Enable the creation of temporary dynamic access list entries. If you do not specify the host argument, you allow all hosts on the entire network to set up a temporary access list entry.

hobbit(config-line)#autocommand access-enable [host] [timeout minutes]

The timeout option here is an idle timeout, defaulting to no timeout. This command is applied to the VTY ports.

So, let's start with configuring an access list. To configure lock-and-key, perform the following task in global configuration mode.

hobbit(config)#access-list access-list-number dynamic dynamic-name [timeout minutes] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log] [log-input]

You use access list numbers ranging from 100 to 199. Pick any name, as long as it starts with an alphabetic character. The timeout keyword is optional; it specifies an absolute timeout, in minutes, for the temporary entries, and you can select any value from 1 to 9999. Should you not specify a timeout, the entry never times out by default; in other words, it is available for an infinite time period. You can replace the protocol keyword with ip, tcp or udp. You can specify a real host or specify any for the source and destination addresses. Usually, you will specify the any keyword, since the router will replace the source IP address with that of the authenticating host. The router uses precedence to filter on the precedence level name or number. TOS defines filtering by service level, specified by a name or number from 0 to 15. Use the other keywords in the same manner as you have before. For example, suppose you want to create a dynamic access list named open_sesame with an absolute timeout of 5 minutes.

hobbit(config)#access-list 101 dynamic open_sesame timeout 5 permit ip any any log

At activation time, when the user Telnets into the NAS or router from, say, 172.16.1.1, this effectively creates the following rule.

access-list 101 permit ip host 172.16.1.1 any log

In general, the router substitutes the IP address of the Telnet source for the source address or the destination address in the dynamic statements, depending on whether the access list is inbound or outbound. For inbound access lists, the Telnet source is the source in the access list statement. For outbound access lists, the Telnet source becomes the destination of the dynamic access list. Therefore, the intent is for the router to apply the dynamic access list to the interface connecting to the Internet, to the authenticating user.
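As an added example, not code from the article or from Cisco IOS, the following Python model replays the substitution just described (source for an inbound list, destination for an outbound one) together with the idle and absolute timers described earlier. The router address 192.0.2.1 and the internal host 10.1.1.20 are constructed; the clock is passed in explicitly, in minutes.

```python
# Added example (not the article's or Cisco's code): a small model of how lock-and-key
# turns a dynamic access-list template into a per-host temporary entry, and how the
# idle and absolute timers retire it. The clock is an explicit argument in minutes.
# Addresses are the article's (172.16.1.1) or constructed (192.0.2.1, 10.1.1.20).
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip", "tcp" or "udp"
    src: str                           # "any" or a host address
    dst: str                           # "any" or a host address
    dyn_name: Optional[str] = None     # set only on a dynamic template entry
    absolute: Optional[float] = None   # access-list ... timeout (minutes)
    idle: Optional[float] = None       # autocommand access-enable ... timeout (minutes)
    created: float = 0.0
    last_hit: float = 0.0
    temps: List["Ace"] = field(default_factory=list)  # live temporary entries under a template

    def matches_packet(self, proto: str, src: str, dst: str) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and self.src in ("any", src) and self.dst in ("any", dst))

    def expired(self, now: float) -> bool:
        if self.absolute is not None and now - self.created >= self.absolute:
            return True
        return self.idle is not None and now - self.last_hit >= self.idle

    def render(self) -> str:
        s, d = (a if a == "any" else f"host {a}" for a in (self.src, self.dst))
        return f"{self.action} {self.proto} {s} {d}"

class DynamicAcl:
    """An extended access list applied with 'ip access-group <number> {in | out}'."""

    def __init__(self, direction: str):
        self.direction, self.aces = direction, []

    def access_enable(self, telnet_src: str, now: float, idle: Optional[float] = None):
        """What 'autocommand access-enable host [timeout idle]' does after a successful login."""
        for tmpl in self.aces:
            if tmpl.dyn_name is None:
                continue                       # static entries are left untouched
            temp = Ace(tmpl.action, tmpl.proto, tmpl.src, tmpl.dst,
                       absolute=tmpl.absolute, idle=idle, created=now, last_hit=now)
            if self.direction == "in":         # inbound list: the Telnet source becomes the source
                temp.src = telnet_src
            else:                              # outbound list: it becomes the destination
                temp.dst = telnet_src
            tmpl.temps.insert(0, temp)         # new entries always go to the front of the dynamic list
            return temp
        return None                            # no dynamic template in this list

    def evaluate(self, now: float, proto: str, src: str, dst: str) -> str:
        for ace in self.aces:
            if ace.dyn_name is None:
                if ace.matches_packet(proto, src, dst):
                    return ace.action
                continue
            ace.temps = [t for t in ace.temps if not t.expired(now)]   # timed-out entries vanish
            for temp in ace.temps:             # the template itself never matches a packet
                if temp.matches_packet(proto, src, dst):
                    temp.last_hit = now        # each hit restarts the idle timer
                    return temp.action
        return "deny"                          # implicit deny at the end of every access list

def build_article_acl(direction: str = "in") -> DynamicAcl:
    """access-list 101: Telnet to the router (constructed address) plus the open_sesame template."""
    acl = DynamicAcl(direction)
    acl.aces.append(Ace("permit", "tcp", "any", "192.0.2.1"))
    acl.aces.append(Ace("permit", "ip", "any", "any", dyn_name="open_sesame", absolute=5))
    return acl

def walkthrough() -> dict:
    """172.16.1.1 authenticates at t=0 with a 2-minute idle timer, then talks SMTP to 10.1.1.20."""
    acl = build_article_acl("in")
    smtp = ("tcp", "172.16.1.1", "10.1.1.20")
    out = {"before": acl.evaluate(0, *smtp)}
    temp = acl.access_enable("172.16.1.1", now=0, idle=2)
    out["entry"] = temp.render()                                   # the article's substituted rule
    out["user"] = acl.evaluate(1, *smtp)
    out["spoof"] = acl.evaluate(1, "tcp", "172.16.1.2", "10.1.1.20")   # a neighbour, not the user
    acl.evaluate(2.5, *smtp)
    acl.evaluate(4.0, *smtp)
    out["idle_ok"] = acl.evaluate(4.5, *smtp)                      # 0.5 min idle, 4.5 min old
    out["absolute"] = acl.evaluate(5.5, *smtp)                     # 1 min idle but past the 5 min absolute
    return out
```

Note that a host other than the authenticated one is still denied even while the entry is open; the caution above is about a host forging that one source address, which this model cannot distinguish.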

The access list may also have non-dynamic statements in it, which act as they normally would. Generally, you need to allow Telnet into the router, so that the user may authenticate. You generally would stop other access, so you need lock-and-key access to pass other types of traffic through the gateway router.

Having configured the dynamic access list, which serves as a template and placeholder for temporary access list entries, select the interface to which it applies. The following command enters interface configuration mode.

hobbit(config)#interface type number

In interface configuration mode, apply the access list to the interface.

hobbit(config-if)#ip access-group access-list-number {in | out}

In global configuration mode, define one or more virtual terminal (VTY) ports. If you specify multiple VTY ports, you must configure them all identically because the software hunts for available VTY ports on a round-robin basis. Should you not want to configure all your VTY ports for lock-and-key access, you can specify a group of VTY ports for just lock-and-key support.

hobbit(config)#line vty line-number [ending-line-number]

Use one of the following commands to configure user authentication.

hobbit(config-line)#login tacacs

or

hobbit(config)#username name password secret

hobbit(config-line)#login local

or

hobbit(config-line)#password password

Next create the temporary access list entries.

hobbit(config-line)#autocommand access-enable host [timeout minutes]

This command enables the creation of temporary access list entries. If you do not specify the host keyword, the router will allow all hosts on the entire network to set up a temporary access list entry (which would more or less make your dynamic access list useless); with host, the temporary entry is limited to the authenticating host. The dynamic access list contains the network mask to enable the new network connection. If you specify neither this idle timeout nor an absolute timeout on the access list, the router will not remove the entry until you clear it manually or reboot the router. If you use both the absolute and idle timers, make sure you make the idle timer less than the absolute timer. Following is an example where three VTY ports are configured:

hobbit(config)#line vty 0 2

hobbit(config-line)#login local

hobbit(config-line)#autocommand access-enable host timeout 10

One other thing you should consider for the additional VTY lines. Should you take no additional steps, the router will treat every Telnet session as an attempt to open a dynamic entry. Since the router closes the Telnet session after authenticating the user, you couldn't open a Telnet session to the router to do routine maintenance. To keep a management path, you must specify another command on a separate group of VTY lines: enter the rotary 1 command after the other commands. This command enables normal Telnet access to the router on port 3001. So, the commands to use are:

hobbit(config)#line vty 3 4

hobbit(config-line)#login local

hobbit(config-line)#rotary 1

______________________________________________________________________________

Tip. Remember to write an access list that allows the administrator's workstation access to port 3001 on the router. More importantly, block access from all other locations.

______________________________________________________________________________

Make sure you do this correctly otherwise you may disable all Telnet to the router. If your router is remote and you don't have remote access via the auxiliary port, you may find yourself on a plane going to visit your router!

When the administrator starts the session, she will need to specify the port, for example, telnet 172.16.0.1 3001.

______________________________________________________________________________

Caution. Even though you could use the local database for Telnet, it is not recommended, as the Telnet protocol sends the userid and the associated password across the network in cleartext. Also, even though you can use a line password, this likewise is not recommended. Even if you could pick a password that is sufficiently robust, you will lose individual accountability. Anyone with knowledge of the password can log in.

______________________________________________________________________________

Lock-and-Key Configuration Tips

You should understand the tips in this section before you attempt to configure lock-and-key.

Tips for Configuring Dynamic Access Lists

Here are a few tips from Cisco when configuring dynamic access lists:

  • Turn on logging and review the logs for suspicious activity.

  • Do not create more than one dynamic access list name for any one access list. The router will only use the first one.

  • Do not re-use a dynamic-name on another access list. You must make all named entries globally unique within the configuration. The software simply re-uses the entry it already has for that name.

  • Limit the dynamic access list entries, when possible, to specific protocols and specific destination addresses.

  • Assign attributes to the dynamic access list in the same way you assign attributes for a static access list. The temporary access list entries inherit the attributes assigned to this list.

  • Configure Telnet as the protocol, so that the user must Telnet into the router for authentication, before they can gain access through the router.

  • Either define an idle timeout now with the timeout keyword in the access-enable command in the autocommand command, or define an absolute timeout value later with the access-list command. You must define either an idle timeout or an absolute timeout; otherwise, the temporary access list entry will remain configured indefinitely on the interface (long after session termination) until you remove the entry manually. (You could configure both idle and absolute timeouts should you desire.)

  • If you configure an idle timeout, make the idle timeout value equal to the wide area network idle timeout value.

  • If you configure both idle and absolute timeouts, make the idle timeout value less than the absolute timeout value.

  • The only values replaced in the temporary entry are the source or destination address, depending on whether the access list was in the input access list or output access list. The temporary rule inherits all other attributes such as port from the main dynamic access list.

  • Deploy dynamic access lists together with time-based access lists. This way you limit the periods when users can create dynamic entries. Should you see repeated attempts outside of the authorized hours, this might indicate cracker activity. Hopefully, your staff is aware of the hours when you permit access.

  • The IOS always puts each addition to the dynamic list at the beginning of the dynamic list.

  • If multiple users cause temporary entries to a dynamic access list, they go at the beginning of the list. You cannot specify the order of temporary access list entries, but it doesn't matter, as they are host-specific entries.

  • Change user passwords frequently.

  • The IOS never writes temporary access list entries to NVRAM. The IOS saves the dynamic list, but it does not save temporary entries.

  • To manually clear or to display dynamic access lists, refer to the section "Maintaining Lock-and-Key" later in this article.

Tips for Configuring Lock-and-Key Authentication

These tips correspond to lock-and-key authentication. There are three possible methods, described in this section, to configure an authentication query process.

______________________________________________________________________________

Note. Cisco recommends that you use the TACACS+ server for authentication. TACACS+ provides authentication, authorization, and accounting services. It also provides protocol support, protocol specification, and a centralized security database.

______________________________________________________________________________

Method 1—Configuring a Security Server

Use a network access security server such as a TACACS+ server. This method requires additional configuration steps on the TACACS+ server but allows for stricter authentication queries and more sophisticated tracking capabilities.

hobbit(config-line)#login tacacs

The following example shows how to configure lock-and-key access, with authentication on a TACACS+ server. Lock-and-key access is configured on the BRI0 interface. Four VTY ports are defined with the password "quebec."

aaa authentication login default tacacs+ enable
aaa accounting exec stop-only tacacs+
aaa accounting network stop-only tacacs+
enable password papa
!
isdn switch-type basic-dms100
!
interface ethernet0
ip address 172.18.23.9 255.255.255.0
!
interface BRI0
ip address 172.18.21.1 255.255.255.0
encapsulation ppp
dialer idle-timeout 3600
dialer wait-for-carrier-time 100
dialer map ip 172.18.21.2 name janet
dialer-group 1
isdn spid1 2036333715291
isdn spid2 2036339371566
ppp authentication chap
ip access-group 102 in
!
access-list 102 permit tcp any host 172.18.21.2 eq telnet
access-list 102 dynamic testlist timeout 5 permit ip any any
!
ip route 172.18.250.0 255.255.255.0 172.18.21.2
priority-list 1 interface BRI0 high
tacacs-server host 172.18.23.21
tacacs-server host 172.18.23.14
tacacs-server key test1
tftp-server rom alias all
!
dialer-list 1 protocol ip permit
!
line con 0
password quebec
line aux 0
line vty 0 4
autocommand access-enable timeout 5
password quebec
!

Method 2—Configuring the username Command

Use the username command. This method is more effective than line protection because the router determines authentication on a user basis.

hobbit(config)#username name password password

hobbit(config-line)#login local

The next example shows how to configure lock-and-key access, with authentication occurring locally at the router. Lock-and-key is configured on the Ethernet 0 interface.

username name password romeo
interface ethernet0
ip address 172.18.23.9 255.255.255.0
ip access-group 101 in
access-list 101 permit tcp any host 172.18.23.2 eq telnet
access-list 101 dynamic test timeout 120 permit ip any any
line vty 0
login local
autocommand access-enable timeout 5

The first access-list entry allows only Telnet into the router. The second access-list entry is always ignored until lock-and-key is triggered.

After a user Telnets into the router, the router will attempt to authenticate the user. When authentication is successful, the autocommand executes and the Telnet session terminates. The autocommand creates a temporary inbound access list entry at the Ethernet 0 interface, based on the second access-list entry (that is, test). This temporary entry will expire after 5 minutes of inactivity, as specified by the autocommand timeout; the 120-minute timeout on the access-list entry is the absolute limit.

Method 3—Configuring the password and login Commands

Use the password and login commands. This method is less effective because you configure the password for the port, not for the user. Therefore, any user who knows the password can authenticate successfully.

hobbit(config-line)#password password

hobbit(config-line)#login

Using only a password is not the best way to go and, as such, you will not find an example in this article.

Tips for Configuring the autocommand Command

These tips deal with configuring the autocommand command:

  • If you use a TACACS+ server to authenticate the user, you should configure the autocommand command on the TACACS+ server as a per-user autocommand. If you use local authentication, use the autocommand on the line.

  • Configure all virtual terminal (VTY) ports with the same autocommand command. Omitting an autocommand command on a VTY port allows a random host to gain EXEC mode access to the router and does not create a temporary access list entry in the dynamic access list.

  • If you did not previously define an idle timeout with the autocommand access-enable command, you must define an absolute timeout now with the access-list command. You must define either an idle timeout or an absolute timeout; otherwise, the temporary access list entry will remain configured indefinitely on the interface (even after the user has terminated their session) until the administrator manually removes the entry. (You could configure both idle and absolute timeouts should you wish.)

  • If you configure both idle and absolute timeouts, the absolute timeout value must be greater than the idle timeout value.
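As an added example, not code from the article or from Cisco, the following Python check reads a saved configuration and flags the conditions that the dynamic access-list tips and the autocommand tips above warn about: a VTY line with neither an autocommand nor a rotary group, access-enable without host, an entry with no timeout at all, an idle timer that is not below the absolute timer, a permit ip any any template, missing logging, more than one dynamic name on a list, and a dynamic name reused across lists. Both configurations are constructed for the example.

```python
# Added example (not the article's or Cisco's code): a static check of a saved IOS
# configuration against the article's lock-and-key tips. Both configurations below
# are constructed for this example; the parser only reads the commands the tips cover.
import re
from collections import defaultdict
from typing import List, Tuple

WEAK_CONFIG = """\
username ptdavis password secret
interface Ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
access-list 101 permit tcp any host 172.18.23.9 eq telnet
access-list 101 dynamic open_sesame permit ip any any
access-list 101 dynamic second_name timeout 5 permit tcp any host 10.1.1.20 eq 25 log
access-list 102 dynamic open_sesame timeout 30 permit ip any any
line vty 0 2
 login local
 autocommand access-enable timeout 60
line vty 3 4
 login local
"""

FIXED_CONFIG = """\
access-list 101 permit tcp any host 172.18.23.9 eq telnet
access-list 101 permit tcp host 172.18.23.50 host 172.18.23.9 eq 3001
access-list 101 dynamic open_sesame timeout 30 permit tcp any host 10.1.1.20 eq 25 log
line vty 0 2
 login local
 autocommand access-enable host timeout 10
line vty 3 4
 login local
 rotary 1
"""

DYN_RE = re.compile(r"^access-list (\d+) dynamic (\S+)(?: timeout (\d+))? (permit|deny) (\S+) (.*)$")

def parse(config: str):
    """Collect dynamic access-list entries and the sub-commands of each 'line vty' block."""
    dynamics, vty_blocks, block = [], [], None
    for line in config.splitlines():
        m = DYN_RE.match(line)
        if m:
            num, name, absolute, _action, proto, rest = m.groups()
            dynamics.append({"list": num, "name": name, "proto": proto, "rest": rest.split(),
                             "absolute": int(absolute) if absolute else None})
        elif line.startswith("line vty"):
            block = {"line": line, "cmds": []}
            vty_blocks.append(block)
        elif line.startswith(" ") and block is not None:
            block["cmds"].append(line.strip())   # IOS indents a block's sub-commands by one space
        else:
            block = None                          # any other top-level command ends the block
    return dynamics, vty_blocks

def audit(config: str) -> List[Tuple[str, str]]:
    """Return (rule, subject) findings; an empty list means every tip is satisfied."""
    dynamics, vty_blocks = parse(config)
    findings, idle_timeouts = [], []
    for b in vty_blocks:
        auto = [c for c in b["cmds"] if c.startswith("autocommand access-enable")]
        if not auto and not any(c.startswith("rotary") for c in b["cmds"]):
            findings.append(("vty-without-autocommand", b["line"]))   # plain EXEC, no temp entry
        for c in auto:
            if "host" not in c.split():
                findings.append(("access-enable-without-host", b["line"]))  # whole network opened
            m = re.search(r"timeout (\d+)", c)
            if m:
                idle_timeouts.append(int(m.group(1)))
    names_per_list, lists_per_name = defaultdict(set), defaultdict(set)
    for d in dynamics:
        names_per_list[d["list"]].add(d["name"])
        lists_per_name[d["name"]].add(d["list"])
        if d["absolute"] is None and not idle_timeouts:
            findings.append(("no-timeout", d["name"]))           # entry lives until cleared
        if d["absolute"] is not None and any(i >= d["absolute"] for i in idle_timeouts):
            findings.append(("idle-not-below-absolute", d["name"]))
        if d["proto"] == "ip" and d["rest"][:2] == ["any", "any"]:
            findings.append(("too-broad", d["name"]))            # limit protocol and destination
        if not {"log", "log-input"} & set(d["rest"]):
            findings.append(("no-logging", d["name"]))
    for lst, names in names_per_list.items():
        if len(names) > 1:
            findings.append(("multiple-dynamic-names", f"access-list {lst}"))   # only the first is used
    for name, lists in lists_per_name.items():
        if len(lists) > 1:
            findings.append(("dynamic-name-reused", name))
    return findings
```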

Verifying and Maintaining Lock-and-Key Configuration

You can verify that you successfully configured lock-and-key on the router by asking a user to test the connection. The user should log in from a host that you permitted in the dynamic access list, and the user should have AAA authentication and authorization configured for them.

To test the connection, the user should Telnet to the router, allow the Telnet session to close, and then attempt to access a host on the other side of the router. This host must be one that you permitted by the dynamic access list. The user should access the host with an application that uses the IP protocol, such as SMTP, HTTP or Telnet.

Maintaining Lock-and-Key

When your organization uses lock-and-key, dynamic access lists will dynamically grow and dwindle as you add and delete entries. You need to ensure that you delete entries in a timely way, because while entries exist, the risk of a spoofing attack is present. Also, the more entries, the greater the hit on router performance.

If you haven't configured an idle or absolute timeout, entries will remain in the dynamic access list until you manually remove them. If this is the case, make sure that you are extremely vigilant about removing entries. Develop a routine for removing entries.

Displaying Dynamic Access List Entries

You can display temporary access list entries while they are in use. After you clear a temporary access list entry, or the router clears it because of the absolute or idle timeout parameter, the IOS can no longer display it. The number of matches displayed indicates the number of times the access list entry was hit.

To view dynamic access lists and any temporary access list entries currently established, perform the following task in privileged EXEC mode:

hobbit#show access-lists [access-list-name]

Deleting Dynamic Access List Entries

To manually delete a temporary access list entry, perform the following task in privileged EXEC mode:

hobbit#clear access-template [access-list-number | name] [dynamic-name] [source] [destination]

Conclusion

In this article, you learnt about dynamic access lists. Why use this feature? Suppose you dial into your ISP, you identify yourself, and you try to connect up to your company only to run smack into an access list on a packet-filtering router. Access denied! Drat! This is where Cisco's Lock-And-Key enters the picture. You connect to your ISP, you Telnet to a border router or access server, you authenticate yourself to it, and then it punches a temporary hole in the firewall that lets you in.

Using lock-and-key, you allow selected users (and the hosts they're on) through a firewall into a secured internal or external network. While still fraught with risks, this is better than standard and extended access lists, because static access lists:

  • leave permanent openings that crackers might find and exploit

  • are difficult to manage in a large network

  • can require the router to do excessive processing, depending on what's in the list

  • do not offer a mechanism to authenticate individual users

Remember to authenticate all VTY ports (remote connections) or you've left an open door. Oh, and remember to define either an idle timeout or an absolute timeout value, or your temporary access list entries won't go away.

Abridged version of a document originally published by Auerbach Publications 2002. This subject also is covered in Securing and Controlling Cisco Routers from Auerbach Publications/CRC Press.
