Configuring Lock-and-Key Security (Dynamic Access Lists)

Last Updated: May 14, 2011
This chapter describes how to configure lock-and-key security at your router. Lock-and-key is a traffic filtering security feature available for the IP protocol.

For a complete description of lock-and-key commands, refer to the Cisco IOS Security Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online. To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release.

Prerequisites for Configuring Lock-and-Key

Lock-and-key uses IP extended access lists. You must have a solid understanding of how access lists are used to filter traffic before you attempt to configure lock-and-key. Access lists are described in the chapter "Access Control Lists: Overview and Guidelines."

Lock-and-key employs user authentication and authorization as implemented in Cisco's authentication, authorization, and accounting (AAA) paradigm. You must understand how to configure AAA user authentication and authorization before you configure lock-and-key. User authentication and authorization is explained in the "Authentication, Authorization, and Accounting (AAA)" part of this document.

Lock-and-key uses the autocommand command, which you should understand. This command is described in the Cisco IOS Terminal Services Command Reference.

Information About Configuring Lock-and-Key Security (Dynamic Access Lists)
About Lock-and-Key

Lock-and-key is a traffic filtering security feature that dynamically filters IP protocol traffic. Lock-and-key is configured using IP dynamic extended access lists. Lock-and-key can be used in conjunction with other standard access lists and static extended access lists.

When lock-and-key is configured, designated users whose IP traffic is normally blocked at a router can gain temporary access through the router. When triggered, lock-and-key reconfigures the interface's existing IP access list to permit designated users to reach their designated host(s). Afterwards, lock-and-key reconfigures the interface back to its original state.

For a user to gain access to a host through a router with lock-and-key configured, the user must first open a Telnet session to the router. When a user initiates a standard Telnet session to the router, lock-and-key automatically attempts to authenticate the user. If the user is authenticated, they then gain temporary access through the router and can reach their destination host.

Benefits of Lock-and-Key

Lock-and-key provides the same benefits as standard and static extended access lists (these benefits are discussed in the chapter "Access Control Lists: Overview and Guidelines"). However, lock-and-key also has the following security benefits over standard and static extended access lists:
- With lock-and-key, you can specify which users are permitted access to which source and destination hosts. These users must pass a user authentication process before they are permitted access to their designated hosts.
- Lock-and-key creates dynamic user access through a firewall, without compromising other configured security restrictions.

When to Use Lock-and-Key

Two examples of when you might use lock-and-key follow:
How Lock-and-Key Works

The following process describes the lock-and-key access operation:
1. A user opens a Telnet session to the router on which lock-and-key is configured.
2. The router prompts for credentials and authenticates the user, either locally or through a TACACS+ server.
3. If authentication succeeds, the autocommand access-enable command runs: it creates a temporary entry in the inbound dynamic access list on the interface, based on the dynamic access-list entry, and the Telnet session is closed.
4. The user's IP traffic now passes through the router to the permitted destination host(s).
5. The temporary entry is removed when the idle or absolute timeout expires, or when the administrator clears it manually.
Compatibility with Releases Before Cisco IOS Release 11.1

Enhancements to the access-list command are used for lock-and-key. These enhancements are backward compatible: if you migrate from a release before Cisco IOS Release 11.1 to a newer release, your access lists are automatically converted to reflect the enhancements. However, if you try to use lock-and-key with a release before Cisco IOS Release 11.1, you might encounter problems as described in the following caution paragraph:

Risk of Spoofing with Lock-and-Key
When lock-and-key is triggered, it creates a dynamic opening in the firewall by temporarily reconfiguring an interface to allow user access. While this opening exists, another host might spoof the authenticated user's address to gain access behind the firewall. Lock-and-key does not cause the address spoofing problem; the problem is only identified here as a concern to the user. Spoofing is a problem inherent to all access lists, and lock-and-key does not specifically address this problem.

To prevent spoofing, configure encryption so that traffic from the remote host is encrypted at a secured remote router, and decrypted locally at the router interface providing lock-and-key. You want to ensure that all traffic using lock-and-key is encrypted when entering the router; this way an attacker cannot spoof the source address, because they are unable to duplicate the encryption or to pass the authentication that is a required part of the encryption setup process. Binding the temporary entry to the authenticating host (the host keyword of the access-enable command) narrows the opening from the template's source to a single address, but it does not by itself stop an attacker who can spoof that address.

Router Performance Impacts with Lock-and-Key

When lock-and-key is configured, router performance can be affected in the following ways:
Maintaining Lock-and-Key

When lock-and-key is in use, dynamic access lists grow and shrink as entries are added and deleted. You need to make sure that entries are being deleted in a timely way, because while entries exist, the risk of a spoofing attack is present. Also, the more entries there are, the bigger the router performance impact will be. If you do not have an idle or absolute timeout configured, entries remain in the dynamic access list until you manually remove them. If this is the case, make sure that you are extremely vigilant about removing entries.

Dynamic Access Lists

Use the following guidelines for configuring dynamic access lists:
Lock-and-Key Authentication

There are three possible methods to configure an authentication query process. These three methods are described in this section.

- Use a network access security server such as a TACACS+ server. This method requires additional configuration steps on the TACACS+ server but allows for stricter authentication queries and more sophisticated tracking capabilities.

Router(config-line)# login tacacs

(The TACACS+ configuration example later in this chapter uses the AAA form, aaa authentication login, rather than the older login tacacs line command.)

- Use the username command. This method is more effective because authentication is determined on a user basis. The line must also be configured with login local so that the local username database is consulted.

Router(config)# username name {nopassword | password {mutual-password | encryption-type encryption-password}}
Router(config-line)# login local

- Use the password and login commands. This method is less effective because the password is configured for the port, not for the user. Therefore, any user who knows the password can authenticate successfully, and a temporary entry cannot be attributed to an individual.

Router(config-line)# password password
Router(config-line)# login

The autocommand Command

The autocommand command configures the system to automatically execute a specified privileged EXEC command when a user connects to a particular line. Use the following guidelines for configuring the autocommand command:
How to Configure Lock-and-Key Security (Dynamic Access Lists)
Configuring Lock-and-Key

To configure lock-and-key, use the following commands beginning in global configuration mode. While completing these steps, be sure to follow the guidelines listed in the "Lock-and-Key Configuration Guidelines" section of this chapter.

Verifying Lock-and-Key Configuration

You can verify that lock-and-key is successfully configured on the router by asking a user to test the connection. The user should be at a host that is permitted in the dynamic access list, and the user should have AAA authentication and authorization configured. To test the connection, the user should Telnet to the router, allow the Telnet session to close, and then attempt to access a host on the other side of the router. This host must be one that is permitted by the dynamic access list. The user should access the host with an application that uses the IP protocol.

The following sample display illustrates what end users might see if they are successfully authenticated. Notice that the Telnet connection is closed immediately after the password is entered and authenticated. The temporary access list entry is then created, and the host that initiated the Telnet session now has access inside the firewall.
Router% telnet corporate
Trying 172.21.52.1 ...
Connected to corporate.example.com.
Escape character is '^]'.
User Access Verification
Password:
Connection closed by foreign host.
You can then use the show access-lists command at the router to view the dynamic access lists, which should include an additional entry permitting the user access through the router.

Displaying Dynamic Access List Entries

You can display temporary access list entries while they are in use. After a temporary access list entry is cleared, either by you or by the absolute or idle timeout, it can no longer be displayed. The number of matches displayed indicates how many times the access list entry was hit. To view dynamic access lists and any temporary access list entries that are currently established, use the following command in privileged EXEC mode:

Router# show access-lists

Configuration Examples for Lock-and-Key

Example Lock-and-Key with Local Authentication

This example shows how to configure lock-and-key access, with authentication occurring locally at the router. Lock-and-key is configured on the Ethernet 0 interface.

interface ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
access-list 101 permit tcp any host 172.18.21.2 eq telnet
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line vty 0
 login local
 autocommand access-enable timeout 5

The first access-list entry allows only Telnet into the router. The second access-list entry is always ignored until lock-and-key is triggered. The login local command authenticates against entries created with the username command, which are not shown here.

In the access-list command, the timeout is the absolute timeout. In this example, the lifetime of a mytestlist entry is 120 minutes: when a user logs in and the access-enable command runs, a dynamic entry is created for at most 120 minutes (the maximum absolute time). The entry is removed after 120 minutes, whether or not anyone is using it. In the access-enable command, the timeout is the idle timeout. In this example, each time the user logs in and authenticates, a 5-minute idle window starts. If there is no activity for 5 minutes, the entry is removed and the user has to reauthenticate.
If the user keeps using the connection, the idle timer is repeatedly reset and the absolute timeout takes effect: the entry is removed after 120 minutes.

After a user opens a Telnet session into the router, the router attempts to authenticate the user. If authentication is successful, the autocommand executes and the Telnet session terminates. The autocommand creates a temporary inbound access list entry at the Ethernet 0 interface, based on the second access-list entry (mytestlist). If there is no activity, this temporary entry expires after 5 minutes, as specified by the timeout. Because access-enable is used here without the host keyword, the temporary entry copies the template's source of any, so any host can send traffic through the opening while it exists; access-enable host timeout 5 would instead substitute the address of the host that opened the Telnet session.

Example Lock-and-Key with TACACS+ Authentication

Cisco recommends that you use a TACACS+ server for authentication, as shown in the example. The following example shows how to configure lock-and-key access, with authentication on a TACACS+ server. Lock-and-key access is configured on the BRI0 interface. Five VTY lines (0 through 4) are defined with the password "password1". Because aaa authentication login default is configured, VTY logins are authenticated through TACACS+ and the line password is not consulted; the enable password is tried only if no TACACS+ server responds. The aaa commands are accepted only when aaa new-model is enabled, which the example does not show. Note that both timers are 5 minutes here: the access-list timeout (absolute) and the access-enable timeout (idle).

aaa authentication login default group tacacs+ enable
aaa accounting exec stop-only group tacacs+
aaa accounting network stop-only group tacacs+
enable password ciscotac
!
isdn switch-type basic-dms100
!
interface ethernet0
 ip address 172.18.23.9 255.255.255.0
!
interface BRI0
 ip address 172.18.21.1 255.255.255.0
 encapsulation ppp
 dialer idle-timeout 3600
 dialer wait-for-carrier-time 100
 dialer map ip 172.18.21.2 name dialermapname
 dialer-group 1
 isdn spid1 2036333715291
 isdn spid2 2036339371566
 ppp authentication chap
 ip access-group 102 in
!
access-list 102 permit tcp any host 172.18.21.2 eq telnet
access-list 102 dynamic testlist timeout 5 permit ip any any
!
ip route 172.18.250.0 255.255.255.0 172.18.21.2
priority-list 1 interface BRI0 high
tacacs-server host 172.18.23.21
tacacs-server host 172.18.23.14
tacacs-server key test1
tftp-server rom alias all
!
dialer-list 1 protocol ip permit
!
line con 0
 password password1
line aux 0
line vty 0 4
 autocommand access-enable timeout 5
 password password1
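The interaction between the absolute timeout on the access-list command and the idle timeout on the access-enable command, as explained for the local-authentication example above, determines how long the opening in the firewall stays usable. The following Python is an added example written for this page, not Cisco code: it pulls the two timers (and whether the host keyword is present) out of a configuration fragment, then computes when a temporary entry would disappear for a given pattern of traffic. The configuration text is this chapter's local-authentication example; treating the idle deadline as strict (a hit that arrives exactly at the deadline is too late) is this example's assumption, since the chapter does not specify that boundary.

```python
"""Model the two lock-and-key timers (added example, not Cisco's own code).

From the chapter: the access-list 'timeout' is the absolute timeout in minutes,
the access-enable 'timeout' is the idle timeout in minutes, and an entry with
neither timer stays until an administrator clears it by hand. The strict idle
boundary below is this example's assumption.
"""
import re
from typing import Iterable, Optional, Tuple

# The chapter's local-authentication configuration, one command per line.
LOCAL_EXAMPLE = """\
interface ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
access-list 101 permit tcp any host 172.18.21.2 eq telnet
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line vty 0
 login local
 autocommand access-enable timeout 5
"""

ACL_TIMEOUT_RE = re.compile(
    r"^\s*access-list\s+\S+\s+dynamic\s+\S+\s+timeout\s+(\d+)\b", re.M)
ACCESS_ENABLE_RE = re.compile(
    r"^\s*autocommand\s+access-enable(\s+host)?(?:\s+timeout\s+(\d+))?", re.M)


def timeouts_from_config(config: str) -> Tuple[Optional[int], Optional[int], bool]:
    """Return (absolute_min, idle_min, host_bound) from a config fragment.

    None means that timer is not configured. host_bound is True when
    access-enable carries the 'host' keyword, which ties the temporary entry
    to the Telnet client's address instead of copying the template's source.
    """
    m = ACL_TIMEOUT_RE.search(config)
    absolute = int(m.group(1)) if m else None
    m = ACCESS_ENABLE_RE.search(config)
    idle = int(m.group(2)) if m and m.group(2) else None
    host_bound = bool(m and m.group(1))
    return absolute, idle, host_bound


def entry_expiry(absolute: Optional[int], idle: Optional[int],
                 activity: Iterable[float] = ()) -> Optional[float]:
    """Minute (from creation) at which the temporary entry is deleted.

    activity lists the minutes at which matching traffic was seen; each hit
    restarts the idle timer. Returns None when no timer applies, i.e. the
    entry persists until an administrator removes it.
    """
    if absolute is None and idle is None:
        return None
    last_hit = 0.0
    for t in sorted(activity):
        if absolute is not None and t >= absolute:
            break                      # absolute cap reached first
        if idle is not None and t >= last_hit + idle:
            break                      # entry already idled out before this hit
        last_hit = t
    deadlines = []
    if idle is not None:
        deadlines.append(last_hit + idle)
    if absolute is not None:
        deadlines.append(float(absolute))
    return min(deadlines)


if __name__ == "__main__":
    absolute, idle, host_bound = timeouts_from_config(LOCAL_EXAMPLE)
    print(f"absolute={absolute} min, idle={idle} min, host-bound={host_bound}")
    print("no traffic after authentication ->", entry_expiry(absolute, idle))
    print("hits at 3 and 7 min ->", entry_expiry(absolute, idle, [3, 7]))
    print("hit every 4 min ->", entry_expiry(absolute, idle, range(0, 200, 4)))
    print("no timers at all ->", entry_expiry(None, None, [1]))
```

With the chapter's values, an entry that is never used disappears after 5 minutes, steady traffic keeps it alive until the 120-minute absolute cap, and a configuration with neither timer returns None, which is the case the Maintaining Lock-and-Key section warns about.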
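To act on the advice under Maintaining Lock-and-Key (make sure temporary entries are deleted in a timely way) and on the note that show access-lists displays the temporary entries with their match counts, here is an added Python audit that is not part of the original chapter: it parses show access-lists output and flags temporary entries that have no timer, that have more time left than policy allows, that are not bound to a single host (access-enable used without host), or that were opened but never used. The sample output is constructed for this example and modeled on the layout of IOS show access-lists output; the exact indentation and the unit of the "time left" value (taken here as seconds) are assumptions to confirm against your platform.

```python
"""Audit temporary lock-and-key entries in 'show access-lists' output (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modeled on the layout of IOS 'show access-lists' output:
# an ACL header, static entries, a 'Dynamic <name>' template line, and the
# temporary entries created by access-enable indented beneath the template.
# Real spacing may differ; adjust the regexes if your platform prints it differently.
SAMPLE_OUTPUT = """\
Extended IP access list 101
    10 permit tcp any host 172.18.21.2 eq telnet (19 matches)
    20 Dynamic mytestlist permit ip any any
       permit ip host 172.18.23.10 any (37 matches) (time left 283)
       permit ip host 172.18.23.11 any (0 matches) (time left 298)
Extended IP access list 102
    10 permit tcp any host 172.18.21.2 eq telnet
    20 Dynamic testlist permit ip any any
       permit ip any any (5 matches) (time left 7150)
       permit ip host 172.18.250.7 any (12 matches)
"""

ACL_RE = re.compile(r"^Extended IP access list (\S+)")
DYNAMIC_RE = re.compile(r"^(\s*)(?:\d+\s+)?Dynamic\s+(\S+)\s+(?:permit|deny)\b")
TEMP_RE = re.compile(
    r"^(\s*)(permit|deny)\s+(\S+)\s+(host\s+\S+|any)\s+(.*?)"
    r"(?:\s+\((\d+) matches\))?(?:\s+\(time left (\d+)\))?\s*$"
)


@dataclass
class TempEntry:
    acl: Optional[str]
    dynamic_name: str
    action: str
    protocol: str
    source: str                # "host A.B.C.D" or "any"
    rest: str                  # destination and ports, kept verbatim
    matches: int
    time_left: Optional[int]   # seconds (assumed unit); None when no timer is set


def parse_show_access_lists(text: str) -> List[TempEntry]:
    """Collect the temporary entries listed under each Dynamic template line."""
    entries: List[TempEntry] = []
    acl: Optional[str] = None
    dyn_name: Optional[str] = None
    dyn_indent = -1
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ACL_RE.match(line)
        if m:
            acl, dyn_name, dyn_indent = m.group(1), None, -1
            continue
        m = DYNAMIC_RE.match(line)
        if m:
            dyn_indent, dyn_name = len(m.group(1)), m.group(2)
            continue
        m = TEMP_RE.match(line)
        indent = len(line) - len(line.lstrip())
        # Temporary entries sit deeper than their template; anything else
        # (a static entry, for instance) ends the template's group.
        if m and dyn_name is not None and indent > dyn_indent:
            entries.append(TempEntry(
                acl, dyn_name, m.group(2), m.group(3), m.group(4), m.group(5),
                int(m.group(6) or 0), int(m.group(7)) if m.group(7) else None))
        else:
            dyn_name, dyn_indent = None, -1
    return entries


@dataclass
class Finding:
    entry: TempEntry
    reason: str


def audit(entries: List[TempEntry], max_time_left_s: int = 600) -> List[Finding]:
    """Flag entries that widen the exposure window beyond what the design intends."""
    findings: List[Finding] = []
    for e in entries:
        if e.time_left is None:
            findings.append(Finding(e, "no idle/absolute timeout: stays open until cleared by hand"))
        elif e.time_left > max_time_left_s:
            findings.append(Finding(e, f"time left {e.time_left}s exceeds policy of {max_time_left_s}s"))
        if e.source == "any":
            findings.append(Finding(e, "not bound to the authenticated host (access-enable without 'host')"))
        if e.matches == 0:
            findings.append(Finding(e, "opened but never used: the window buys nothing"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_show_access_lists(SAMPLE_OUTPUT)):
        e = f.entry
        print(f"ACL {e.acl} {e.dynamic_name}: {e.action} {e.protocol} {e.source} {e.rest}: {f.reason}")
```

Run it against output captured from the router on a schedule; an entry that shows up without a time-left value is exactly the "no timeout configured" case that must be cleared by hand, and an entry whose source is any means the temporary opening is not tied to the host that authenticated.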