Полезная информация


Table of Contents

Configuring  Lock-and-Key  Security (Dynamic  Access  Lists)

Configuring  Lock-and-Key  Security (Dynamic  Access  Lists)

This chapter describes how to configure lock-and-key security at your router. Lock-and-key is a traffic filtering security feature available for the IP protocol.

For a complete description of lock-and-key commands, refer to the "Lock-and-Key Commands" chapter of the Security Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.

In This Chapter

This chapter has the following sections:

About Lock-and-Key

Lock-and-key is a traffic filtering security feature that dynamically filters IP protocol traffic. Lock-and-key is configured using IP dynamic extended access lists. Lock-and-key can be used in conjunction with other standard access lists and static extended access lists.

When lock-and-key is configured, designated users whose IP traffic is normally blocked at a router can gain temporary access through the router. When triggered, lock-and-key reconfigures the interface's existing IP access list to permit designated users to reach their designated host(s). Afterwards, lock-and-key reconfigures the interface back to its original state.

For a user to gain access to a host through a router with lock-and-key configured, the user must first Telnet to the router. When a user initiates a standard Telnet session to the router, lock-and-key automatically attempts to authenticate the user. If the user is authenticated, they will then gain temporary access through the router and be able to reach their destination host.

Benefits of Lock-and-Key

Lock-and-key provides the same benefits as standard and static extended access lists (these benefits are discussed in the chapter, "Access Control Lists: Overview and Guidelines"). However, lock-and-key also has the following security benefits over standard and static extended access lists:

With lock-and-key, you can specify which users are permitted access to which source/destination hosts. These users must pass a user authentication process before they are permitted access to their designated host(s). Lock-and-key creates dynamic user access through a firewall, without compromising other configured security restrictions.

When To Use Lock-and-Key

Two examples of when you might use lock-and-key are as follows:

How Lock-and-Key Works

The following process describes the lock-and-key access operation:

    1. A user opens a Telnet session to a border (firewall) router configured for lock-and-key. The user connects via the virtual terminal port on the router.

    2. The Cisco  IOS software receives the Telnet packet, opens a Telnet session, prompts for a password, and performs a user authentication process. The user must pass authentication before access through the router is allowed. The authentication process can be done by the router or by a central access security server such as a TACACS+ or RADIUS server.

    3. When the user passes authentication, they are logged out of the Telnet session, and the software creates a temporary entry in the dynamic access list. (Per your configuration, this temporary entry can limit the range of networks to which the user is given temporary access.)

    4. The user exchanges data through the firewall.

    5. The software deletes the temporary access list entry when a configured timeout is reached, or when the system administrator manually clears it. The configured timeout can either be an idle timeout or an absolute timeout.

Note The temporary access list entry is not automatically deleted when the user terminates a session. The temporary access list entry remains until a configured timeout is reached or until it is cleared by the system administrator.

Compatibility with Releases Prior to Cisco  IOS Release 11.1

Enhancements to the access-list command are used for lock-and-key. These enhancements are backward compatible---if you migrate from a release prior to Cisco  IOS Release  11.1 to a newer release, your access lists will be automatically converted to reflect the enhancements. However, if you try to use lock-and-key with a release prior to Cisco  IOS Release  11.1, you might encounter problems as described in the following caution paragraph:

Caution Cisco  IOS releases prior to Release 11.1 are not upwardly compatible with the lock-and-key access list enhancements. Therefore, if you save an access list with software older than Release  11.1, and then use this software, the resulting access list will not be interpreted correctly. This could cause you severe security problems. You must save your old configuration files with Cisco  IOS Release  11.1 or later software before booting an image with these files.

Risk of Spoofing with Lock-and-Key

Caution Lock-and-key access allows an external event (a Telnet session) to place an opening in the firewall. While this opening exists, the router is susceptible to source address spoofing.

When lock-and-key is triggered, it creates a dynamic opening in the firewall by temporarily reconfiguring an interface to allow user access. While this opening exists, another host might spoof the authenticated user's address to gain access behind the firewall. Lock-and-key does not cause the address spoofing problem; the problem is only identified here as a concern to the user. Spoofing is a problem inherent to all access lists, and lock-and-key does not specifically address this problem.

To prevent spoofing, you could configure network data encryption as described in the chapter "Configuring Cisco Encryption Technology." Configure encryption so that traffic from the remote host is encrypted at a secured remote router, and decrypted locally at the router interface providing lock-and-key. You want to ensure that all traffic using lock-and-key will be encrypted when entering the router; this way no hackers can spoof the source address, because they will be unable to duplicate the encryption or to be authenticated as is a required part of the encryption setup process.

Router Performance Impacts with Lock-and-Key

When lock-and-key is configured, router performance can be affected in the following ways:

Prerequisites to Configuring Lock-and-Key

Lock-and-key uses IP extended access lists. You must have a solid understanding of how access lists are used to filter traffic, before you attempt to configure lock-and-key. Access lists are described in the previous chapter, "Access Control Lists: Overview and Guidelines."

Lock-and-key employs user authentication and authorization as implemented in Cisco's Authentication, Authorization, and Accounting (AAA) paradigm. You must understand how to configure AAA user authentication and authorization before you configure lock-and-key. User authentication and authorization is explained in the "Authentication, Authorization, and Accounting (AAA)" part of this document.

Lock-and-key uses the autocommand command, which you should understand. This command is described in the "Modem Support and Asynchronous Device Commands" chapter of the Dial Solutions Command Reference.

Configure Lock-and-Key

To configure lock-and-key, use the following commands beginning in global configuration mode. While completing these steps, be sure to follow the guidelines listed in the section, "Lock-and-Key Configuration Tips."
Step Command Purpose

1 . 

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} telnet source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log]

Configure a dynamic access list, which serves as a template and place holder for temporary access list entries.

2 . 

interface type number

Configure an interface.

3 . 

ip access-group access-list-number

In interface configuration mode, apply the access list to the interface.

4 . 

line VTY line-number [ending-line-number]

In global configuration mode, define one or more virtual terminal (VTY) ports. If you specify multiple VTY ports, they must all be configured identically because the software hunts for available VTY ports on a round-robin basis. If you do not want to configure all your VTY ports for lock-and-key access, you can specify a group of VTY ports for lock-and-key support only.

5 . 

login tacacs


username name password secret


password password

Configure user authentication.

6 . 

autocommand access-enable [host] [timeout minutes]

Enable the creation of temporary access list entries. If the host argument is not specified, all hosts on the entire network are allowed to set up a temporary access list entry. The dynamic access list contains the network mask to enable the new network connection.

For an example of a lock-and-key configuration, see the section "Lock-and-Key Configuration Examples" later in this chapter.

Lock-and-Key Configuration Tips

You should understand the tips in this section before you configure lock-and-key.

Dynamic Access Lists

Use the following tips for configuring dynamic access lists:

Lock-and-Key Authentication

There are three possible methods to configure an authentication query process. These three methods are described in this section.

Note Cisco recommends that you use the TACACS+ server for your authentication query process. TACACS+ provides authentication, authorization, and accounting services. It also provides protocol support, protocol specification, and a centralized security database. Using a TACACS+ server is described in the next section, "Method 1Configure a Security Server."
Method 1---Configure a Security Server

Use a network access security server such as TACACS+ server. This method requires additional configuration steps on the TACACS+ server but allows for stricter authentication queries and more sophisticated tracking capabilities.

Router# login tacacs
Method 2---Configure the username Command

Use the username command. This method is more effective because authentication is determined on a user basis.

Router# username name password password
Method 3---Configure the password and login Commands

Use the password and login commands. This method is less effective because the password is configured for the port, not for the user. Therefore, any user who knows the password can authenticate successfully.

Router# password password
Router# login local

The autocommand Command

Use the following tips for configuring the autocommand command:

Verify Lock-and-Key Configuration

You can verify that lock-and-key is successfully configured on the router by asking a user to test the connection. The user should be at a host that is permitted in the dynamic access list, and the user should have AAA authentication and authorization configured.

To test the connection, the user should Telnet to the router, allow the Telnet session to close, and then attempt to access a host on the other side of the router. This host must be one that is permitted by the dynamic access list. The user should access the host with an application that uses the IP protocol.

The following sample display illustrates what end-users might see if they are successfully authenticated. Notice that the Telnet connection is closed immediately after the password is entered and authenticated. The temporary access list entry is then created, and the host that initiated the Telnet session now has access inside the firewall.

Router% telnet corporate
Trying ...
Connected to corporate.domain.com.
Escape character is `^]'.
User Access Verification
Password:Connection closed by foreign host.

You can then use the show access-lists command at the router to view the dynamic access lists, which should include an additional entry permitting the user access through the router.

Lock-and-Key Maintenance

When lock-and-key is in use, dynamic access lists will dynamically grow and shrink as entries are added and deleted. You need to make sure that entries are being deleted in a timely way, because while entries exist, the risk of a spoofing attack is present. Also, the more entries there are, the bigger the router performance impact will be.

If you do not have an idle or absolute timeout configured, entries will remain in the dynamic access list until you manually remove them. If this is the case, make sure that you are extremely vigilant about removing entries.

Display Dynamic Access List Entries

You can display temporary access list entries when they are in use. After a temporary access list entry is cleared by you or by the absolute or idle timeout parameter, it can no longer be displayed. The number of matches displayed indicates the number of times the access list entry was hit.

To view dynamic access lists and any temporary access list entries that are currently established, use the following command in privileged EXEC mode:
Command Purpose

show access-lists [access-list-number]

Display dynamic access lists and temporary access list entries.

Manually Delete Dynamic Access List Entries

To manually delete a temporary access list entry, use the following command in privileged EXEC mode:
Command Purpose

clear access-template [access-list-number | name] [dynamic-name] [source] [destination]

Delete a dynamic access list.

Lock-and-Key Configuration Examples

There are two examples in this section:

Cisco recommends that you use a TACACS+ server for authentication, as shown in the second example.

Example of Lock-and-Key with Local Authentication

This example shows how to configure lock-and-key access, with authentication occurring locally at the router. Lock-and-key is configured on the Ethernet 0 interface.

interface ethernet0
  ip address
  ip access-group 101 in
access-list 101 permit tcp any host eq telnet
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line vty 0
login local
autocommand access-enable timeout 5

The first access-list entry allows only Telnet into the router. The second access-list entry is always ignored until lock-and-key is triggered.

After a user Telnets into the router, the router will attempt to authenticate the user. If authentication is successful, the autocommand executes and the Telnet session terminates. The autocommand creates a temporary inbound access list entry at the Ethernet 0 interface, based on the second access-list entry (mytestlist). This temporary entry will expire after 5 minutes, as specified by the timeout.

Example of Lock-and-Key with TACACS+ Authentication

The following example shows how to configure lock-and-key access, with authentication on a TACACS+ server. Lock-and-key access is configured on the BRI0 interface. Four VTY ports are defined with the password "cisco."

aaa authentication login default tacacs+ enable
aaa accounting exec stop-only tacacs+
aaa accounting network stop-only tacacs+
enable password ciscotac
isdn switch-type basic-dms100
interface ethernet0
ip address
interface BRI0
  ip address
  encapsulation ppp
  dialer idle-timeout 3600
  dialer wait-for-carrier-time 100
  dialer map ip name diana
  dialer-group 1
  isdn spid1 2036333715291
  isdn spid2 2036339371566
  ppp authentication chap
  ip access-group 102 in
access-list 102 permit tcp any host eq telnet
access-list 102 dynamic testlist timeout 5 permit ip any any
ip route
priority-list 1 interface BRI0 high
tacacs-server host
tacacs-server host
tacacs-server key test1
tftp-server rom alias all
dialer-list 1 protocol ip permit
line con 0
  password cisco
line aux 0
line VTY 0 4
autocommand access-enable timeout 5
password cisco

Copyright 1989-1998 © Cisco Systems Inc.