Physical Security

Physical security should always come first in the mind of the security administrator. If you cannot guarantee physical security, you cannot guarantee any security. This is especially true where the console and auxiliary ports of a router are concerned. Anyone with physical access to a Cisco router and who possessed a PC, the proper cable, and the required knowledge can break into your router. Using the password recovery techniques that are widely published by Cisco will allow someone to gain total control of the router. If you set all of your router passwords to be the same or used a logically based scheme for router passwords, your entire network is now open to the will of the intruder.

Physical security deals with restricting physical access to equipment. Locking equipment-room doors, requiring employee badges, and moving routers to their own secure room is the basis for physical security.

Although you cannot prevent people who are authorized to enter the room with the router from rebooting and changing the password, you can limit what they are able to accomplish by merely connecting into the console port or by using Telnet to access the router.

One good method of preventing casual hackers from gaining access to the console port is to physically disconnect the console port from the router's motherboard. This requires the router case to be opened. This is really the equivalent of hiding a door key under the doormat; it will not stop any but the most casual hacker. Anyone opening the case to the router will quickly see that the console port is disconnected. However, this method is better than not securing the console port in any way. Chapter 9, “Cisco Secure Access Control Server (ACS),” deals with how to use AAA to ensure that console port access is truly secure.

Another method is to change the connection properties to an unusual value. This will require someone who is casually trying to connect to the console port to set something other than the defaults. At this point, it becomes a guessing game for the hacker.

Although neither of these methods is foolproof, they do provide some additional security. The only true method of preventing someone from accessing the router through the console port is to physically lock the router in a room where no unauthorized personnel have access.

Controlling Line Access

Line access can easily be controlled on a Cisco router. Lines—consisting of console ports, auxiliary ports, and Telnet ports—all have the ability to limit the users who can gain access.

Adding an access list to the vty (Telnet) ports is relatively easy. First, a standard access list (numbered 1–99) is defined as follows:

access-list 8 permit 172.30.1.45
access-list 8 permit 10.1.1.53
access-list 8 deny any

This access list allows only hosts with one of two IP addresses to Telnet into the router. After creating the access list above, you still need to apply it to the lines. Applying an access list to a line uses the access-class command instead of the access-group command that is commonly used at the interface level. When applying the access list to the Telnet ports, use the following commands:

line vty 0 4
access-class 8 in

An access list can also be applied to one of the lines to limit where a connected user can Telnet. Using a standard access list and applying it to the line in the outbound direction will limit outgoing Telnet sessions from that line. An example follows:

access-list 9 permit 172.30.1.45
access-list 9 permit 10.1.1.53
access-list 9 deny any

line vty 0 4
access-class 9 out

In this case, the user can Telnet to only one of the two listed IP addresses. This might seem like a useless command set at first, because an administrator can simply remove this access list. However, depending on which level of authentication the administrator logged on with, he or she might not have the ability to configure the router. In the earlier section regarding the enable secret command, you learned that a privilege level could have an associated password. Every secret level can have its own password, and the administrator has the ability to limit functionality of each level. The privilege exec command is used to do this. Assume that you want to limit a new junior administrator to be able to use only the show commands. This can be accomplished with the following lines:

enable secret level 6 110%gdfsfej
privilege exec level 6 show

In the preceding example, logging on with the level 6 password allows the user to access only the show commands. Limiting which administrators know passwords allows you to control how much access the administrators have.

Unfortunately, because the console and auxiliary ports are directly connected to the router, it is impossible to add an access list to these interfaces. Other configuration options are available, such as TACACS+ and RADIUS authentication. Both of these techniques are covered in Chapter 9. However, limiting the ability to administer the router through the use of enable levels, as shown in this section, helps to control the amount of damage an inexperienced administrator can cause.

On all of the line interfaces, you should specifically set a timeout parameter. If there is no activity on the line for a period of time, which is specified in minutes and seconds, the connection will automatically disconnect. This makes it harder for a terminal that has been left unlocked to become a security breach. You can set a timeout parameter for 5 minutes and 0 seconds with the following command:

exec-timeout 5 0
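The controls described in this section (an inbound access-class on the vty lines, a defined access list behind it, and an explicit exec-timeout on every line) are easy to verify by reading a saved running-config. The following Python script is an added example, not code from the book or from Cisco, that audits a config for exactly those points. The sample configuration it contains is constructed for illustration and deliberately includes two weaknesses; the parser is simplified and understands only numbered standard access lists and line stanzas with their indented commands.

```python
import re
from dataclasses import dataclass, field

# Constructed sample running-config (not from a real device). It mixes the
# controls shown above with two deliberate weaknesses so the audit has
# something to report: the console has its timeout disabled, and the second
# vty range uses a list that permits everyone and sets no timeout.
SAMPLE_CONFIG = """\
access-list 8 permit 172.30.1.45
access-list 8 permit 10.1.1.53
access-list 8 deny any
access-list 20 permit any
!
line con 0
 exec-timeout 0 0
line aux 0
 exec-timeout 5 0
line vty 0 4
 access-class 8 in
 exec-timeout 5 0
line vty 5 15
 access-class 20 in
!
"""


@dataclass
class LineBlock:
    """One 'line ...' stanza and the indented commands beneath it."""
    name: str
    commands: list = field(default_factory=list)


def parse_config(text):
    """Split a config into numbered standard access lists and line stanzas.

    Returns (acls, lines): acls maps list number -> list of entries such as
    'permit 10.1.1.53'; lines is the ordered list of LineBlock objects.
    """
    acls = {}
    lines = []
    current = None
    for raw in text.splitlines():
        if raw.startswith("access-list "):
            parts = raw.split()
            acls.setdefault(parts[1], []).append(" ".join(parts[2:]))
            current = None
        elif raw.startswith("line "):
            current = LineBlock(raw[len("line "):].strip())
            lines.append(current)
        elif raw.startswith(" ") and current is not None:
            current.commands.append(raw.strip())
        else:
            current = None  # '!' or any other top-level command ends a stanza
    return acls, lines


def audit(text):
    """Return a list of (line name, issue) tuples for the weaknesses found."""
    acls, lines = parse_config(text)
    findings = []
    for line in lines:
        # Every line (console, auxiliary and vty) should carry an explicit
        # exec-timeout; 'exec-timeout 0 0' (or 'exec-timeout 0') turns the
        # idle timeout off entirely.
        timeouts = [c for c in line.commands if c.startswith("exec-timeout ")]
        if not timeouts:
            findings.append((line.name, "timeout-not-set"))
        else:
            parts = timeouts[-1].split()
            minutes = int(parts[1])
            seconds = int(parts[2]) if len(parts) > 2 else 0
            if minutes == 0 and seconds == 0:
                findings.append((line.name, "timeout-disabled"))

        if not line.name.startswith("vty"):
            continue  # con/aux lines cannot take an access-class
        inbound = [c for c in line.commands
                   if re.fullmatch(r"access-class \d+ in", c)]
        if not inbound:
            findings.append((line.name, "no-inbound-access-class"))
            continue
        acl_num = inbound[-1].split()[1]
        entries = acls.get(acl_num)
        if entries is None:
            # An access-class that names an undefined list does not restrict
            # logins, so the vty lines are effectively open.
            findings.append((line.name, "acl-missing"))
        elif "permit any" in entries:
            findings.append((line.name, "acl-permits-any"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(SAMPLE_CONFIG):
        print(f"line {name}: {issue}")
```

Run against the sample, the audit reports the disabled timeout on con 0 and both problems on vty 5 15, while vty 0 4 (configured as shown in this section) passes cleanly. Feeding it the output of show running-config from your own routers gives a quick way to spot line ranges, such as the higher vty numbers, that were never given the same access-class and exec-timeout as vty 0 4.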
