Security
-
Zone Based Firewall
ACLs control access based on protocol, source IP address, destination IP address and ports. These ACLs are stateless and do not inspect the traffic actually passing through the router. Stateful firewalls can look at Layers 4 to 7 of packets to verify the state of the transmission, and detect whether a port is being piggybacked…
-
Configuring AAA for Network Device Access Control
Create a local user with full privilege for fallback:
username fallback_admin privilege 15 algorithm-type scrypt secret Bananas123
Enable AAA functions with the command:
aaa new-model
Next add a TACACS server and group:
tacacs server authentication_server
address 192.168.1.50
key tacacskey
aaa group server tacacs+ authentication_group
server name authentication_server
Finally enable AAA login authentication with the following…
-
Comparison of RADIUS and TACACS+
Protocol and Ports
RADIUS: Cisco: UDP port 1645 (authentication/authorisation), UDP port 1646 (accounting). Industry standard: UDP port 1812 (authentication/authorisation), UDP port 1813 (accounting)
TACACS+: TCP port 49
Encryption
RADIUS: Encrypts the password field only. Supports EAP for 802.1X authentication
TACACS+: Encrypts the entire payload. Does not support EAP
Authentication and Authorisation
RADIUS: Combines authentication and authorisation. Cannot be used to authorise individual CLI commands
TACACS+: Separates authentication and authorisation. Can be…
-
RADIUS
RADIUS is an Internet Engineering Task Force (IETF) AAA protocol. It follows a client-server model where the client initiates a request to the server. RADIUS is the AAA protocol of choice for network access. The main reason is that RADIUS is the AAA transport protocol for the Extensible Authentication Protocol (EAP), whilst TACACS+ does not support any EAP…
-
TACACS+
TACACS+ was developed by Cisco and released as an open standard in the early 1990s. TACACS+ is mainly used for AAA device access control, but it can also be used for network access. TACACS+ uses TCP port 49 to communicate between TACACS+ clients and the TACACS+ server. TACACS+ can provide authentication, authorisation…
-
Authentication, Authorisation, and Accounting (AAA)
AAA is a framework for enabling a set of three independent security functions:
Authentication: enables a user to be identified and verified prior to being granted access.
Authorisation: defines the privileges and restrictions to be enforced on an authenticated user.
Accounting: provides the ability to track and log user access, including user identities,…
-
Absolute Timeout
The command absolute-timeout <minutes> under line configuration mode terminates an EXEC session after the specified period has expired, even if the connection is still in use (not idle). It is recommended to use it together with the command logout-warning <notice-in-seconds>, which displays a warning to users about a connection timeout that is about to occur.
-
EXEC Timeout
By default an idle EXEC session is terminated after 10 minutes of inactivity. The command exec-timeout <minutes> <seconds> under line configuration mode can be used to tweak this value. Using the command exec-timeout 0 0 or no exec-timeout disables the EXEC timeout, but this is not recommended.
-
Auxiliary (AUX) Port
Some Cisco devices have an auxiliary port available for remote administration through a dial-up modem connection. In most cases this is not required, and the AUX port should be disabled with the command no exec under line aux 0.
-
Establishing VTY Access via SSH
Telnet is a popular but insecure method of accessing IOS devices. Telnet sessions are sent in plain text, which makes it easy to sniff and capture confidential session information. SSH provides encryption and strong authentication as an alternative. It is available in two versions: SSH Version 1, an improvement over Telnet in its handling…