Enabling and permitting Cisco support engineers to remotely access devices in your network can dramatically decrease the time needed to resolve cases you open with our Technical Assistance Center (TAC). By allowing knowledgeable engineers to gather and analyze information about your network directly and immediately, you can facilitate more timely solutions to your network problems.
The purpose of this document is to survey the protocols for remote network access that Cisco support engineers can use to connect to your network. Each protocol has its own set of strengths and weaknesses. It is important for you to review this information, consider the range of Cisco products installed in your network, and make an informed decision to standardize on a protocol (or protocols) for remote access. It is very important to formally document your remote-access policy, as well as detail the full process and procedures associated with obtaining and utilizing remote access to your network. The planning and preparation you do now will provide a return on investment in the form of reduced network downtime and faster Time To Resolution (TTR) if a problem occurs.
Any discussion about remote access must consider the issue of security. Whereas the only truly secure network is one that is inaccessible, such a network is also less useful. Remote access should provide necessary connectivity while mitigating unnecessary security risks. Two main risks should be considered. The first is the unintended exposure of sensitive information. This can occur whenever unencrypted data is sent over an unsecure network such as the Internet. Potentially sensitive information such as IP addresses, configuration information, and passwords could be captured anywhere along the data path. The second risk is the introduction of malicious code, such as viruses, worms, and Trojan horses, into the network. Although it is impossible to eliminate this risk completely, Cisco internal policy mitigates the risk by requiring the consistent use of virus-scanning software, including daily scans and regular distribution of updates.
When to Allow Access
The need for and usefulness of remote access is usually correlated with the urgency of the problem you are experiencing. Many Priority 1 (P1) and Priority 2 (P2) cases are prime candidates for remote access. However, even many nonurgent cases can benefit. Allowing remote access minimizes the amount of time spent waiting for information and updates. You also receive the full attention of the Cisco support engineer while he or she is connected to your network.
Choosing a Remote-Access Protocol
The following sections outline three categories of remote-access protocols: remote terminal, remote windowing, and remote network connection.
Remote Terminal Protocols
A remote terminal protocol enables the projection of an ASCII console-like interface over the network. These protocols, which include Telnet, Cisco Live, Secure Shell, and modems, are useful for connecting to Cisco devices that have fully implemented command-line interfaces (CLIs), such as routers and switches. Any configuration, command output, debug, and log information necessary for the diagnosis of the problem can be captured through the remote terminal interface. A network deployment consisting of only Cisco routers or switches could be fully supported through the use of any of the remote terminal protocols described in the next sections.
The Telnet protocol is used mainly to transport interactive character data streams over TCP, making it useful only for Cisco products that have a CLI. All Cisco routers and switches include a Telnet daemon that is enabled by default. Telnet clients are readily available for all operating systems and are preinstalled in the Cisco UNIX computing environment and on all Microsoft Windows PCs.
The Telnet protocol makes no provisions for securing data transferred across a connection. All data is sent in plaintext over TCP port 23. If the device under scrutiny is directly connected to the public Internet, the minimum requirement for securing Telnet access is to limit the source addresses from which the device will accept Telnet connections. Standard practice is to allow only Telnet from devices within your own network and to add temporary exceptions for specific hosts that Cisco will use to access your network.
If your devices reside behind a firewall, source address control is generally not necessary because the firewall will prevent TCP connections from being established from the outside network to the inside. For Cisco to access a device behind a firewall, however, you will need either to open a hole in the firewall for the IP address Cisco will use to access your network, or to place a trusted host in your DMZ. With a trusted host, Cisco will Telnet into the host and from there proceed to Telnet to the destination device. Depending on your corporate policy, changes to the firewall configuration might be difficult to accomplish quickly, so establishing a permanent trusted host on the DMZ is usually preferable.
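A quick audit of the source-address control just described, as an added example written for this page rather than taken from the original document: it parses a constructed IOS-style excerpt (numbered standard ACLs and line vty blocks only; addresses come from the RFC 5737 documentation ranges) and reports any VTY block that has no inbound access-class, references an ACL that permits any source, or still accepts plaintext Telnet.

```python
import ipaddress
import re

# Constructed IOS-style excerpt (RFC 5737 documentation addresses): the internal
# LAN is permitted permanently, one support host is added as a temporary
# exception, and only the first VTY block actually applies the ACL.
SAMPLE_CONFIG = """\
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 10 permit host 198.51.100.7
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
line vty 5 15
 transport input telnet ssh
!
"""

# Standard numbered ACL entries only; wildcard masks are assumed to be contiguous.
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (any|host (\S+)|(\S+) (\S+))( log)?$")


def parse_acls(config):
    """Map ACL number -> [(action, source network)]."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        if m.group(4):                                   # host a.b.c.d
            net = ipaddress.ip_network(m.group(4))
        elif m.group(5):                                 # a.b.c.d wildcard-mask
            ones = bin(int(ipaddress.ip_address(m.group(6)))).count("1")
            net = ipaddress.ip_network(f"{m.group(5)}/{32 - ones}", strict=False)
        else:                                            # any
            net = ipaddress.ip_network("0.0.0.0/0")
        acls.setdefault(m.group(1), []).append((m.group(2), net))
    return acls


def parse_vty(config):
    """Return {block name: {"access_class": ACL number or None, "transports": [...]}}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = blocks.setdefault(raw.strip(), {"access_class": None, "transports": []})
        elif raw.startswith(" ") and current is not None:
            parts = raw.split()
            if parts[0] == "access-class" and parts[-1] == "in":
                current["access_class"] = parts[1]
            elif parts[:2] == ["transport", "input"]:
                current["transports"] = parts[2:]
        else:
            current = None                               # '!' or a new top-level line
    return blocks


def audit(config):
    """Findings for VTY blocks that accept any source or still allow Telnet."""
    acls, findings = parse_acls(config), []
    for name, vty in parse_vty(config).items():
        acl = vty["access_class"]
        if acl is None:
            findings.append(f"{name}: no inbound access-class, any source may connect")
        elif acl not in acls:
            findings.append(f"{name}: access-class {acl} references an undefined ACL")
        elif any(a == "permit" and n.prefixlen == 0 for a, n in acls[acl]):
            findings.append(f"{name}: ACL {acl} permits any source")
        if "telnet" in vty["transports"] or "all" in vty["transports"]:
            findings.append(f"{name}: plaintext Telnet still accepted")
    return findings
```

When the temporary exception for the support host is no longer needed, removing its permit line from the ACL is the whole rollback; re-running the audit confirms nothing else was left open.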
Any IP addresses and passwords used by Cisco support engineers to gain remote access to your network will be logged in an internal-only section of the case notes. Only Cisco employees will have access to this information. To counter the possibility of someone sniffing or inadvertently exposing passwords, Cisco encourages the use of one-time passwords (OTPs). If a hardware token is necessary to generate the OTP, it is important for you to document ownership and procedures for locating and using that token.
Because Telnet uses a simple ASCII character data stream and does not implement a Layer 3 packet transport, there is virtually no possibility of introducing viruses, worms, or other malicious code. Disruption of your network can still occur due to software glitches or human error, but these disruptions are usually limited to the nodes that are being accessed.
Cisco Live is an online collaboration tool used by Cisco support personnel to share Web browser data. Included in Cisco Live is a Telnet application that bridges data between Telnet sessions. The use of this Telnet bridge allows Telnet access to be attained without requiring a change in the firewall configuration and without a trusted host on the DMZ. This is possible because both Telnet sessions are originated from the inside (from inside your network and from inside the Cisco network) and go to the Cisco Live Telnet bridge application that resides on the outside of Cisco's protected network. Cisco Live is based on Telnet for transport of all data, so all information is carried in plaintext.
Secure Shell (SSH) is a standard protocol for securing connections over untrusted networks. Hosts are authenticated and all traffic is encrypted with various cipher algorithms. SSH encompasses a large suite of capabilities, but its most important feature is the ability (similar to that of Telnet) to tunnel interactive character data streams. In recent versions of Cisco IOS Software, an SSH server is available in all encryption feature sets. This allows Cisco personnel to access your Cisco devices securely without the possibility of exposing sensitive information. However, it is still a good idea to implement source address control even though the protocol itself provides a means to authenticate the host.
Because SSH uses TCP (port 22) as its transport, SSH faces the same set of issues as Telnet when firewalls are present in the network. Direct SSH sessions require opening a hole in your firewall, or preparing a trusted host on the DMZ. Because SSH encrypts all the data traveling over the untrusted path of the Internet, your Cisco support engineer can use either SSH or Telnet to access your Cisco devices through the trusted DMZ host. By combining both protocols, you enable access to any Cisco device while mitigating the security risk of information exposure, even without the encryption feature sets deployed.
SSH can also tunnel TCP ports through the secure connection. Unsecure remote-access protocols, such as Virtual Network Computing (VNC), can actually take advantage of this SSH feature to secure data. However, this feature also creates the potential for introducing malicious code into your network. To minimize the risks associated with this, port forwarding should be turned off (not accepted) on the SSH server unless necessary. Cisco IOS Software-based SSH servers do not support port forwarding, so it should not be a concern when terminating sessions on a router or switch. Secure Copy (SCP) and Secure FTP (SFTP) are file transfer protocols that are usually bundled with SSH clients and servers. These features enable the transport of malicious code onto the server, so they should be turned off; Cisco does not require their use.
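A checker for the server-side settings just described, as an added example written for this page rather than taken from the original document. It uses OpenSSH's sshd_config syntax and compares two constructed fragments for a trusted DMZ host: one that leaves OpenSSH's forwarding default in place and one hardened as the paragraph recommends, reporting when port forwarding, tunnelling or the SFTP subsystem is still on.

```python
import re

# Two constructed sshd_config fragments for a trusted DMZ host (OpenSSH syntax).
# The first keeps OpenSSH's forwarding default, the second turns it off.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
AllowTcpForwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
# No 'Subsystem sftp' line, so SFTP requests are refused.
"""

# Values OpenSSH applies when the keyword is absent; AllowTcpForwarding defaults
# to yes, which is why an absent keyword is reported as a finding.
DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no",
            "permittunnel": "no", "x11forwarding": "no"}


def parse_sshd_config(text):
    """Global-section keywords (lowercased, first occurrence wins) and Subsystem names.

    Parsing stops at the first Match block: its directives are conditional on the
    connecting user or host and cannot be judged from the file alone.
    """
    settings, subsystems = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "subsystem" and value:
            subsystems.append(value.split()[0].lower())
        elif key not in settings:
            settings[key] = value.lower()
    return settings, subsystems


def audit(text):
    """Report settings that let a session carry more than an interactive terminal."""
    settings, subsystems = parse_sshd_config(text)
    effective = lambda key: settings.get(key, DEFAULTS[key])
    findings = []
    if effective("allowtcpforwarding") != "no":
        findings.append("AllowTcpForwarding is not 'no': SSH port forwarding is available")
    if effective("gatewayports") != "no":
        findings.append("GatewayPorts is not 'no': forwarded ports are reachable by other hosts")
    if effective("permittunnel") != "no":
        findings.append("PermitTunnel is not 'no': layer-2/3 tun(4) tunnelling is available")
    if effective("x11forwarding") != "no":
        findings.append("X11Forwarding is not 'no': X11 sessions can be forwarded")
    if "sftp" in subsystems:
        findings.append("Subsystem sftp is configured: files can be transferred onto this host")
    return findings
```

Turning AllowTcpForwarding off also removes the SSH tunnel that the VNC discussion later in this document relies on, so leave it on only for the host and account that carry that tunnel. scp uses the exec channel rather than a subsystem, so removing the sftp line does not disable it; that needs a restricted shell or ForceCommand.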
Modems provide a means of transmitting data through the telephone network. Dialup connectivity using a modem is possible wherever a functioning analog line exists. This can often be a life saver for disaster recovery and troubleshooting remote sites. Security is usually implemented by configuring a local username and password. Although it is much more difficult for outsiders to sniff a modem session than a session on the Internet, it is still possible to tap telephone lines and decode modem tones, so the use of an OTP is recommended. Disabling remote access when it is not required is as easy as turning off the modem or unplugging the telephone line.
Because many factors can limit the maximum transmission speed of modems, modems are generally much slower than other types of dedicated Internet connections. In addition, modem connections are notoriously unstable; this decreases their usefulness when collecting voluminous output or when collecting data over extended periods of time.
Modems can be used for pure interactive character stream transport or for packet-mode transmission. For the purposes of accessing a CLI, character data stream transport will likely provide the best performance because it has the least overhead. This mode of transport also eliminates the possibility of introducing malicious code into your network.
Remote Windowing Protocols
Remote windowing protocols enable the projection of arbitrary contents of a GUI across a network connection. This is useful for remotely observing and controlling a device with Microsoft Windows or other GUIs. Some Cisco devices such as the Cisco Call Manager and Cisco Unity servers have limited CLI interfaces or none at all. Remote windowing protocols enable you to export the entire graphical environment to a Cisco support engineer to perform problem analysis and troubleshooting.
Because remote windowing protocols export the graphical display of the interface, they are not bandwidth-efficient for collecting logs or other character-based output. In addition, any logs that are collected exist on the server, not on the viewer/client, so an additional step of transferring the data file back to Cisco is required. Depending on the specific protocol, there might or might not be provisions for doing this transfer.
MeetingPlace is a multimedia conferencing product that includes a data conferencing tool called MeetingPlace Web. A dedicated MeetingPlace Web server exists outside the Cisco firewall and acts as a bridge between attendees. This allows Cisco engineers and customers to participate in MeetingPlace conferences with no configuration changes required to firewalls. All signaling and data is transmitted through TCP port 80. (Port 443 can be used if an SSL connection is required.)
First-time users of the MeetingPlace Web application automatically download a Java-based application called MeetingPlace Webshare, which allows them to participate in a data conference.
MeetingPlace data conferences have no password protection. Participants must know the specific Meeting ID to join. The client is written as a Java applet and supports only Windows platforms running either Internet Explorer or Netscape. (Other platforms such as Mac and Unix do not have the same range of data conferencing functionality as the Windows platform.) Future MeetingPlace releases may allow for full support of a wider range of platforms. There should be minimal risk of malicious code being introduced when using the MeetingPlace Web application.
Virtual Network Computing
Virtual Network Computing (VNC) is one of several remote windowing protocols, but it is the only one that is freely available. A VNC viewer can access the virtual desktop of any UNIX server or any Microsoft Windows PC running a VNC server. No state is stored on the viewer, so an engineer can access the desktop from different or multiple machines (for collaboration purposes). The viewer is very small, available on a variety of platforms, and a platform-independent Java version is available for use from any Java-capable Web browser. A VNC viewer is standard in the Cisco UNIX computing environment. It is also available for download on any Windows platform.
VNC uses a challenge-response authentication mechanism to prevent sending the plaintext version of the shared password (which must be defined) across the network. After authentication is complete, however, all display traffic is sent in plaintext, and it is theoretically possible for an outsider to sniff the stream and reconstruct the session. All data is sent on TCP port 5900 by default; however, the port number can range up to 5999 depending on the display number that is set up. TCP ports 5800-5899 are also used when using a Web browser to access the Java VNC viewer client.
Although the VNC protocol does not provide encryption of data traffic, other tunneling protocols such as VPN or SSH can be used as a secure transport. Because VNC exports the full GUI interface of the server, there are very few restrictions on what you can do. There is no file transfer integration, however. Thus, if logs are gathered, there is the additional step of transferring the data back to Cisco after data collection is complete. Because there is no file transfer integration and VNC is merely a remote windowing technology that does not provide network layer connectivity, there should be no possibility of introducing malicious code into your network.
As with most TCP-based remote-access tools, firewalls will prevent Cisco support engineers from directly accessing protected VNC servers. Opening a hole in the firewall is the only way to allow VNC into your network. To minimize security risks, you should allow access only from the IP address your Cisco support engineer is using to access your network.
Windows Terminal Services
Windows Terminal Services (WTS) is a Microsoft remote display technology that is a standard feature of Windows 2000 Server and Windows XP Professional. WTS is available for Windows NT 4.0 servers as well. The WTS client (also called Remote Desktop Connection in Windows XP) is available at no charge from the Microsoft Website. Unlike VNC, WTS remote sessions cannot be shared or viewed by other users.
Data is transferred using Remote Desktop Protocol (RDP), which uses TCP port 3389 by default. The default port can be changed in the Windows registry. RDP has the capability to redirect (or export) much more than just the display of the desktop. Audio, network drives, printers, serial ports, etc. can all be redirected through RDP. Authentication is integrated with the Windows login authentication mechanism, and there is the option to securely encrypt (128-bit) all traffic.
For troubleshooting Microsoft Windows-based applications and products, WTS is likely to be the default choice because it is a standard feature of the Microsoft Windows operating systems on which Cisco applications run.
Because WTS can export local drives to the remote client, the danger of malicious code being introduced is greater. This feature does, however, make it easier to copy log files which have been collected on the server.
Citrix is the other major vendor for remote display technology on Microsoft platforms. Its capabilities and features are very much the same as WTS, but it uses TCP port 1494. Citrix clients are not freely available and are available only on Microsoft platforms. As such, client availability and familiarity can be a stumbling block if Citrix is required to access your network. The client is available on the Cisco Windows computing platforms, but it is not preinstalled. Citrix has the same properties and restrictions as WTS with regard to firewalls and malicious code.
WebEx provides Web-based multimedia conferencing services. The WebEx Meeting Center is built on a multimedia switching platform, a distributed system of T.120 data conferencing servers. T.120 is a suite of networking protocol standards for real-time multipoint data communications. It enables the sharing of select applications or the entire desktop, so it is also a type of remote windowing protocol. The Meeting Center acts as a bridge for two legs of a T.120 call that are initiated by each WebEx client (similar to the Telnet bridge in Cisco Live). This allows the system to function in a network with no configuration changes to the firewalls.
WebEx meetings are protected by passwords and all attendees are visible to the presenter. Unknown participants can be expelled and meetings can be locked down when all invited parties are present. Data traffic is normally sent over TCP port 1270, although data transmission will fall back to TCP port 80 (HTTP) if 1270 is blocked. Subscribers can purchase the option to have all traffic encrypted in a Secure Sockets Layer connection (TCP port 443).
WebEx clients for attendees are available at no charge from the WebEx Web site. Anyone can join a meeting, but attendees must register. The client is written as a Java applet and supports Windows, Mac OS, Solaris, and Linux operating systems. Like MeetingPlace, there should be minimal risk of malicious code being introduced when using the WebEx service.
Remote Network Connection Protocols
The ultimate goal of remote access is to provide network layer connectivity. This allows any protocol or application to be used for monitoring and collecting data from any Cisco device. Such flexibility, however, comes with the increased risk and possibility of malicious code being introduced. The installation and regular updating of virus scanning software and virus definitions is mandatory on any Microsoft Windows platform at Cisco. This greatly reduces the risk of transmitting malicious code; however, the risk is not completely eliminated.
Through the use of protocols such as Point-to-Point Protocol (PPP) and Serial Line Internet Protocol (SLIP), modems provided the earliest forms of remote network connectivity. The prevalence of modems makes them a widely deployed and popular form of remote access. To secure such access, PPP defines protocols such as Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) to authenticate users. Because PAP sends user and password information in plaintext, for maximum security Cisco advises using CHAP whenever possible. If PAP is necessary, Cisco recommends the use of OTPs to mitigate the risk of passwords being tapped or sniffed.
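The difference between the two PPP authentication methods, worked as an added example (not from the original document) of the RFC 1994 MD5-CHAP exchange: the authenticator issues a random challenge, the peer answers with MD5(Identifier || secret || Challenge), and the secret itself never crosses the link, whereas a PAP Authenticate-Request carries the password as plain octets. The peer name, the secret and the authenticator name are constructed demo values.

```python
import hashlib
import hmac
import os

# Constructed demo values: the access server holds one dial-in peer's secret.
SECRETS = {b"branch-rtr": b"constructed-demo-secret"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 MD5-CHAP: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_packet(code, identifier, value, name):
    """CHAP packet layout: Code, Identifier, Length(2), Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return bytes([code, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


class Authenticator:
    """Access-server side: issues a fresh random challenge and verifies the response."""
    def __init__(self, secrets):
        self.secrets, self.identifier, self.pending = secrets, 0, None

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF    # 8-bit Identifier field
        self.pending = os.urandom(16)                     # unpredictable Challenge Value
        return chap_packet(1, self.identifier, self.pending, b"nas")   # Code 1 = Challenge

    def verify(self, response_packet):
        code, identifier, size = response_packet[0], response_packet[1], response_packet[4]
        value, name = response_packet[5:5 + size], response_packet[5 + size:]
        secret = self.secrets.get(name)
        if code != 2 or identifier != self.identifier or secret is None or self.pending is None:
            return False                                  # Code 2 = Response
        ok = hmac.compare_digest(chap_response(identifier, secret, self.pending), value)
        self.pending = None                               # one response per challenge
        return ok


class Peer:
    """Dial-in side: proves knowledge of the secret without ever sending it."""
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, challenge_packet):
        identifier, size = challenge_packet[1], challenge_packet[4]
        challenge = challenge_packet[5:5 + size]
        return chap_packet(2, identifier, chap_response(identifier, self.secret, challenge), self.name)


def run_handshake(auth, peer):
    """Return (authenticated, bytes the link carried) so the wire can be inspected."""
    chal = auth.challenge()
    resp = peer.respond(chal)
    return auth.verify(resp), chal + resp


def pap_authenticate_request(identifier, peer_id, password):
    """PAP Authenticate-Request (RFC 1334): Peer-ID and Password travel as plain octets."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return bytes([1, identifier]) + (4 + len(body)).to_bytes(2, "big") + body
```

Both ends must hold the CHAP secret in recoverable form, so protecting that store matters as much as choosing CHAP over PAP.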
The disadvantages of modems, as discussed earlier, include slow speeds and unstable connections. For monitoring and CLI-based troubleshooting, the modem speeds are usually sufficient. However, the limitations of modems are a factor if extensive logging and debugging is necessary.
Virtual Private Networks
Virtual Private Networks (VPNs) implement network-layer connectivity using protocols such as IP Security (IPSec) and Point-to-Point Tunneling Protocol (PPTP). Both IPSec and PPTP have defined encryption protocols to protect all data that travels through the tunnel. Encryption should be considered mandatory in the server-side configuration. Multiple authentication protocols are available for each protocol, but the principal mechanisms in use still rely on the creation of an account with an associated username and password.
The Cisco VPN IPSec client is available for Microsoft Windows, Mac OS, Linux, and Solaris operating systems. It allows a remote PC to set up a secure IPSec connection to the following devices:
For more information about configuring these devices for Cisco VPN clients, see:
All versions of Microsoft Windows OS come with a PPTP client that can connect to most Cisco routers running Cisco IOS Software Release 12.1 or later or to a Windows NT/2000 server configured as a PPTP server.
Cisco Information Security (InfoSec) policies prohibit the establishment of an outbound VPN connection from inside the Cisco network. This policy is designed to prevent an inadvertent or intentional misconfiguration that could cause packets to be leaked into or out of the VPN tunnel. This could potentially lead to the transmitting of sensitive information or malicious code.
To enable our use of IPSec and PPTP VPNs for remote access while still complying with internal InfoSec policies, the TAC has constructed a dedicated setup for outbound VPN access. Clients such as the Cisco IPSec VPN client and Microsoft's PPTP client are installed on nonpersistent virtual machines which are accessible for TAC engineers to use. The risk of introducing malicious code is mitigated because the virtual machine reverts to the original installation image after every use. Other VPN clients such as Nortel's VPN client for Connectivity are also available. New clients can be added to cater to your network deployment.
Regarding remote access, the security and protection of your data and of your network is of utmost importance to Cisco. Remote access procedures are sensitive information, and you can be assured that Cisco personnel will treat this information with the highest degree of care and security.
It is crucial for you to prepare, document, and test every detail of your remote access procedure. This includes listing who and which groups need to be involved in the process, what and how configuration changes need to be made, how to create or enable accounts used for Cisco TAC remote access, and where associated hardware such as OTP token cards are kept. This preparation is necessary so that when the need arises, follow-through will be swift and problem-free.
Depending on the range of Cisco products deployed in your network, the requirements for Cisco remote access will vary.
For troubleshooting Cisco platforms with a CLI, remote terminal protocols have the least complexity, the most familiarity, the best performance, and are the most convenient for gathering information interactively or using a script. When configured correctly, they have the added benefit of virtually eliminating the possibility of malicious code being transmitted. As the only remote terminal protocol to support encryption, SSH should be considered as the ideal remote-access tool for Cisco TAC access to routers and switches.
For Cisco products based on Windows platforms, such as Cisco CallManager or Cisco Unity Unified Messaging, the GUI component of these products calls for the use of remote windowing protocols. Because WTS is pre-installed on these platforms and the protocol supports encryption, this is your likeliest choice. However, because of its cross-platform compatibility, general availability, and targeted feature set, VNC might provide the best performance with the least risk. It is necessary, however, to secure VNC sessions with SSH to alleviate data-security concerns.
The protocols described in this document are only some of the protocols available, and the choices and possibilities are constantly changing. Cisco is committed to working with the remote access policies, procedures, and protocols you choose. Your carefully planned and documented formal process for TAC remote access to your network will help Cisco to assist you on a moment's notice with resolving problems you may have with Cisco products.