Hypertext Transfer Protocol (HTTP) Configuration Services

Many Cisco devices allow the use of a Web browser for configuration and monitoring. Although this method of configuration might be convenient, especially for the new administrator, it exposes a management interface on the router, and special considerations are required to ensure its security. HTTP services are also used on the Cisco 1003, 1004, and 1005 routers for use with the Cisco IOS ClickStart software.

Access lists must be used on perimeter routers to limit who can access a router from outside of the local network. If HTTP services are used, the access lists must also be adjusted so that only specific management IP addresses can reach the router through its WWW service.

HTTP services are turned on with the ip http server command; use the no form of the command to disable the service. HTTP services listen by default on TCP port 80, and the ip http port command can move them to virtually any other port. It is recommended that you change the default port, but understand what this buys you: an attacker who does not know the port must first find it, and a port scan of the router will do so in seconds. Moving the port hides the service only from casual scanning; the access list and authentication described next are the real controls.

Control over who can reach the HTTP services is managed by a standard access list, which defines the permitted source addresses, applied with the ip http access-class command. Note that unlike the access-class command used on vty lines, the ip http access-class command is entered in the global configuration mode rather than under a line. Additional security can be achieved through AAA authentication, which is covered in Chapter 10. If AAA authentication is not configured, the enable password is used for logging onto the router through the Web interface.

The following is an example of setting HTTP services on a router, creating and applying an access list, and adding AAA authentication. Note that all commands are entered in the global configuration mode. Also note that the use of an exclamation mark (!) at the beginning of a line indicates that the line is a comment.

ip http server
!Starts HTTP services on the router.
!Services can be stopped with the no ip http server command.

ip http port 10120
!This changes the port used for management from port 80 to port 10120.
!Port 10120 was an arbitrary number chosen because it is not commonly used.
!To change the port back to 80, use the no ip http port command.

access-list 91 permit host 10.1.1.50
!Allow host 10.1.1.50 access.
access-list 91 permit host 10.1.1.52
!Allow host 10.1.1.52 access.
access-list 91 deny any
!Deny all others. This line is included for clarity.
!All access lists have an implied deny all at the end.
!(A standard access list takes a single source, so "deny any" rather than
!the "deny any any" form used by extended access lists.)

ip http access-class 91
!Apply access list 91 to HTTP services.

ip http authentication aaa
!Authenticate Web logins through the AAA login method list (see Chapter 10)
!rather than the enable password. The command takes exactly one keyword:
!enable, local, tacacs, or aaa. The tacacs keyword authenticates directly
!against a TACACS server without an AAA method list.
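To make the checks in this section mechanical, here is an added example (Python, not from the original page or from Cisco) that audits a saved IOS configuration for the points just made: the HTTP server is on, ip http access-class is applied, the standard access list it names permits only specific hosts, and authentication is not left at the enable-password default. The three sample configurations, the function names, and the finding text are constructed for the demonstration.

```python
import re

# Constructed sample (not from the page): HTTP server switched on and
# nothing else, the state a router is in right after "ip http server".
WEAK_CONFIG = """\
hostname edge-rtr
ip http server
"""

# Constructed sample: the page's hardened configuration, with the
# standard-ACL and authentication syntax as IOS accepts it.
HARDENED_CONFIG = """\
hostname edge-rtr
aaa new-model
ip http server
ip http port 10120
ip http access-class 91
ip http authentication aaa
access-list 91 permit host 10.1.1.50
access-list 91 permit host 10.1.1.52
access-list 91 deny any
"""

# Constructed sample: access-class applied, but the ACL it names permits
# any source, so the restriction is a no-op.
PERMISSIVE_CONFIG = """\
hostname edge-rtr
ip http server
ip http port 10120
ip http access-class 5
ip http authentication local
access-list 5 permit any
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+?)\s*$")


def parse_std_acls(config):
    """Return {acl_number: [(action, source), ...]} for numbered ACL lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(int(m.group(1)), []).append((m.group(2), m.group(3)))
    return acls


def is_single_host(source):
    """True for 'host A.B.C.D' or a bare address with no wildcard mask."""
    parts = source.split()
    if parts[0] == "host":
        return True
    return len(parts) == 1 and parts[0] != "any"


def audit_http(config):
    """Return findings (strings) for the HTTP management service; [] is clean."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if "ip http server" not in lines:
        return findings  # Web management is off; nothing to restrict.

    # 1. Source restriction: access-class must name an ACL that exists and
    #    only permits specific management hosts.
    ac = next((l for l in lines if l.startswith("ip http access-class ")), None)
    if ac is None:
        findings.append("no ip http access-class: any source can reach the Web service")
    else:
        num = int(ac.split()[-1])
        entries = parse_std_acls(config).get(num, [])
        if not entries:
            findings.append(f"ip http access-class {num} names an ACL not defined in this config")
        for action, src in entries:
            if action == "permit" and not is_single_host(src):
                findings.append(f"access-list {num} permits {src}: limit to specific management hosts")

    # 2. Authentication: absent, or explicitly 'enable', means the enable
    #    password alone guards the Web interface.
    auth = next((l for l in lines if l.startswith("ip http authentication ")), None)
    if auth is None or auth.split()[-1] == "enable":
        findings.append("ip http authentication relies on the enable password; use aaa, local, or tacacs")

    # 3. Port: advisory only. A non-default port is hidden from casual scans,
    #    but a port scan finds it, so this never substitutes for 1 and 2.
    if not any(l.startswith("ip http port ") for l in lines):
        findings.append("advisory: ip http port left at the default of 80")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("permissive", PERMISSIVE_CONFIG)):
        print(f"{name}: {audit_http(cfg) or ['no findings']}")
```

Feed it the text of show running-config saved from the router. The weak sample produces three findings, the permissive sample one (its access list permits any, which is the mistake the ACL comments above warn about), and the hardened sample none. The port check is deliberately reported as advisory so that a non-default port is never counted as a substitute for the access list and authentication.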
