Popular Posts

Friday, 3 July 2009

Learn to configure Telnet Security on Cisco Router

This blog is created for network security review, study and understanding about network related issues only! The blog is mainly focus on Network Security Notes about Network, Network Security, Network Technology, Network Labs review related Cisco and Microsoft technology ,Network Threats, Types of Network Threats, Network Alerts, Enterprise Security Policy and Audits, Security Policy and Audits,Logical Security, Physical and Logical Security, Physical Security,Cisco Products Review, Microsoft Products review, Cisco Routers, Routers Security, Console Access, Telnet Access, Network Attack, Network Attack report, Network management, Anti-virus, Network Security with Anti-virus, and All About Network Security... Thanks for your visit!

As you know, directly connecting to the console of a router is generally a relatively easy method for gaining access to the device; however, this method is inconvenient and not abundantly scalable. If console access is the only method available to gain access into the device, an administrator must always walk, drive, or fly to the physical location of the router and plug into the device's console port. Fortunately, there are methods for gaining access into the router from a remote location. The most common method of remote administration for a Cisco router is to use a Telnet session. Unlike with console access, there are four configuration requirements that must be met before you can use this method of access:

1. An enable password must be supplied.
2. The router must have an IP address assigned to a routable interface.
3. The routing table of the router must contain a route for the source of the Telnet packet.
4. Under line configuration mode, a vty password must be supplied.


The steps involved in defining Telnet security are similar to the steps used to configure console security. An example of configuring the fourth requirement (after the first three have been met) can be seen here:


CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#line vty 0 4
CiscoRouter(config−line)#password CisViSa
CiscoRouter(config−line)#login
CiscoRouter(config−line)#end
CiscoRouter#





As mentioned in my previous post about learning to configure Console Security, Cisco routers also maintain a local user authentication database, which can be used to authenticate users who directly connect to the console port of a router. Here is an example of configuring the router to use the local user database for uthentication of users who attempt to access the router via the console:


!
username Visa privilege 15 password 0 Vipsw
username Googla privilege 12 password 0 Goopsw
username Yaha privilege 8 password 0 Yapsw
!
line vty 0 4
login local



The result is that, when a user telnets to the router with this configuration, they will be prompted to enter a username and password before being allowed to gain access into the router.

Routers can also restrict Telnet access to authorized users with the use of an access list. The access list is then applied to the virtual terminal ports of the router with the access−class command. This allows you to restrict Telnet access from a particular IP address or a subnet of IP addresses. Use the following steps to this method of security:
Use the access−list global configuration command to configure an access list that permits the specific hosts that are allowed Telnet access.

1. Use the access−class access−list−number {in|out} command to apply the access list to the virtual terminal ports.
2. In the following example, the router is configured to allow only three hosts Telnet access on each of the available virtual terminal ports:


CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#access−list 20 permit 192.168.0.10
CiscoRouter(config)#access−list 20 permit 192.168.0.11
CiscoRouter(config)#access−list 20 permit 192.168.0.12
CiscoRouter(config)#line vty 0 4
CiscoRouter(config−line)#access−class 20 in
CiscoRouter(config−line)#end
CiscoRouter#



Note: Console and Telnet security is not preconfigured for you by default. One of your first configuration steps when you initially set up your router should be to configure each of these interfaces. To see more access-list commands visit here!

If you like this post, please subscribe below,thanks!

Enter your email address:

Delivered by FeedBurner

To Stay Up to date with Network Security, Please Subscribe!

0 comments:

Post a Comment