Many network administrators do only the minimum when it comes to setting up user access to their routers. This is sufficient in networks where there are no serious security issues, and only a small number of people ever want or need to access the router. But, unfortunately, not every administrator can be quite so cavalier.
Most of the recipes in this chapter discuss methods for securing access to routers through important measures such as assigning usernames and passwords, controlling access-line parameters, handling remote access protocols, and affecting privileges of users and commands.
There are several important prerequisites for this discussion. You should understand what VTYs and access lines are. You should also have knowledge of user and command privilege levels. These topics are discussed in Chapters 4 and 13 of Cisco IOS In A Nutshell (O'Reilly).
We discuss best practices and provide a number of valuable recommendations in this chapter. We recommend referring to the National Security Agency (NSA) router security documents for more information. This extremely useful set of recommendations covers many different types of systems, including Cisco routers. You can download the Cisco section of this document from http://www.nsa.gov/snac/cisco.
Many examples in this chapter make limited use of Cisco's advanced authentication methodology called Authentication, Authorization, and Accounting (AAA). In this chapter, we will focus on purely local AAA implementations. We discuss AAA in more detail in Chapter 4, where we describe how to centralize these servers with TACACS+.
This chapter also contains three scripts written by the authors of this book. Two of these scripts are written in Perl, and the other is in Expect. For more information on these languages, refer to Programming Perl and Exploring Expect (both from O'Reilly). Appendix A includes information on obtaining copies of these packages and finding documentation for them.
Top |