Lock & Key

September 5, 2008 at 1:04 pm | Posted in Security

Configuration

R4#
ip access-list extended INBOUND
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit tcp any host 150.1.4.4 eq telnet
 dynamic ACCESS timeout 10 permit ip any any
 deny   ip any any log

interface Serial0/0.1 point-to-point
 ip access-group INBOUND in 
!
interface Serial0/1
 ip access-group INBOUND in

username DYNACL password 0 CISCO
username DYNACL autocommand access-enable host timeout 5

line vty 0 4
 login local

The first three access-list entries allow routing traffic to pass through; that traffic is not subject to lock & key. The fourth entry permits only Telnet to the router itself, which is the session used to trigger lock & key. The fifth, dynamic, access-list entry is ignored until lock-and-key is triggered.

In the access-list command, the timeout is the absolute timeout. In this example, the lifetime of the ACCESS ACL is 10 minutes; that is, when a user logs in and the access-enable command runs, a dynamic ACL entry is created for 10 minutes (the maximum absolute time). The entry is removed after 10 minutes, whether or not anyone is using it.

In the autocommand command, the timeout is the idle timeout. In this example, each time the user logs in and authenticates there is a 5-minute session. If there is no activity, the session closes after 5 minutes and the user has to reauthenticate. If the user keeps using the connection, the absolute timeout takes effect and the session closes after 10 minutes.

After a user opens a Telnet session to the router, the router attempts to authenticate the user. If authentication is successful, the autocommand executes and the Telnet session terminates. The autocommand creates a temporary inbound access-list entry on the S0/0.1 and S0/1 interfaces, based on the fifth access-list entry (ACCESS). Because of the host keyword, the temporary entry is created for the source address of the Telnet session only. This temporary entry expires after 5 minutes of inactivity, as specified by the autocommand timeout, or after the 10-minute absolute timeout.
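To make the interaction of the two timers and the host scoping concrete, here is an added Python model of the INBOUND list above. It is example code written for this post, not Cisco IOS code; the class and function names are my own, and the way `time_left` is computed (the smaller of the two remaining timers) is an assumption about what show access-lists reports, not something the page states. It walks the list in sequence-number order, creates a temporary entry for the authenticated source host only, and removes it on whichever timer fires first.

```python
"""Model of the lock-and-key access list above (added example, not IOS code).
Times are seconds; packets are described by their header fields."""
from dataclasses import dataclass, field
from typing import Dict, List

ROUTER_IP = "150.1.4.4"
ABSOLUTE_TIMEOUT = 10 * 60   # 'dynamic ACCESS timeout 10' (minutes)
IDLE_TIMEOUT = 5 * 60        # 'autocommand access-enable host timeout 5' (minutes)
LOCAL_USERS = {"DYNACL": "CISCO"}   # 'username DYNACL password 0 CISCO'


@dataclass
class DynamicEntry:
    """The temporary 'permit ip host <src> any' created by access-enable host."""
    src_host: str
    created: float
    last_hit: float

    def expired(self, now: float) -> bool:
        # Absolute timer runs from creation, idle timer from the last matching packet.
        return (now - self.created >= ABSOLUTE_TIMEOUT
                or now - self.last_hit >= IDLE_TIMEOUT)

    def time_left(self, now: float) -> int:
        # Assumption: the smaller of the two remaining timers, in seconds.
        return int(min(ABSOLUTE_TIMEOUT - (now - self.created),
                       IDLE_TIMEOUT - (now - self.last_hit)))


@dataclass
class LockAndKeyRouter:
    dynamic: Dict[str, DynamicEntry] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def telnet_login(self, src: str, username: str, password: str, now: float) -> bool:
        """'login local' on the vty: on success the autocommand runs, the Telnet
        session is dropped, and a dynamic entry exists for this source host only."""
        if LOCAL_USERS.get(username) != password:
            return False
        self.dynamic[src] = DynamicEntry(src, created=now, last_hit=now)
        return True

    def evaluate(self, src: str, dst: str, proto: str, sport: int, dport: int,
                 now: float) -> str:
        """Walk INBOUND top-down and return the sequence number that matched."""
        if proto == "ospf":
            return "10 permit"
        if proto == "tcp" and dport == 179:
            return "20 permit"
        if proto == "tcp" and sport == 179:
            return "30 permit"
        if proto == "tcp" and dst == ROUTER_IP and dport == 23:
            return "35 permit"
        # 40: the dynamic template itself matches nothing; only the temporary
        # host entries created under it are consulted.
        entry = self.dynamic.get(src)
        if entry is not None:
            if entry.expired(now):
                del self.dynamic[src]
            else:
                entry.last_hit = now
                return "40 permit (dynamic)"
        self.log.append(f"list INBOUND denied {proto} {src}({sport}) -> {dst}({dport})")
        return "50 deny"
```

Running a source through the model reproduces what the verification below shows: before authentication only Telnet to 150.1.4.4 gets through, after it the same source host is permitted to anything, a different source address on the same router is still denied until it authenticates itself, and steady traffic keeps the entry alive only until the absolute timer expires.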

Verification

R5#telnet 150.1.4.1
Trying 150.1.4.1 ...
% Destination unreachable; gateway or host down

R5#telnet 150.1.4.6
Trying 150.1.4.6 ...
% Destination unreachable; gateway or host down

R4#
Sep  5 11:47:07.695: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 155.1.45.5(55291) -> 150.1.4.1(23), 1 packet
Sep  5 11:47:09.091: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 155.1.45.5(59072) -> 150.1.4.6(23), 1 packet 
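The deny entry's log keyword is what makes the unauthenticated attempts visible above. As an added example (not part of the original post), here is a small Python parser for those %SEC-6-IPACCESSLOGP lines that tallies denied packets per source, so a log collector can see who is hitting the list without having triggered lock & key. The first two sample lines are the ones from the post; the third is constructed.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Two lines from the post plus one constructed line in the same format.
SAMPLE_LOG = """\
Sep  5 11:47:07.695: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 155.1.45.5(55291) -> 150.1.4.1(23), 1 packet
Sep  5 11:47:09.091: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 155.1.45.5(59072) -> 150.1.4.6(23), 1 packet
Sep  5 11:52:41.210: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 155.1.45.5(61002) -> 150.1.4.6(23), 2 packets
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one IPACCESSLOGP line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def denied_by_source(log_text: str, acl: str = "INBOUND") -> Dict[str, int]:
    """Total packets the named list denied, keyed by source address."""
    tally: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["acl"] == acl and rec["action"] == "denied":
            tally[rec["src"]] += rec["count"]
    return dict(tally)


if __name__ == "__main__":
    for src, n in denied_by_source(SAMPLE_LOG).items():
        print(f"{src}: {n} packet(s) denied by INBOUND")
```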

R5#telnet 150.1.4.4
Trying 150.1.4.4 ... Open

User Access Verification

Username: DYNACL
Password:
[Connection to 150.1.4.4 closed by foreign host]
R5#telnet 150.1.4.1
Trying 150.1.4.1 ... Open

R1#exit

[Connection to 150.1.4.1 closed by foreign host]
R5#telnet 150.1.4.6
Trying 150.1.4.6 ... Open

R4#sh access-lists
Extended IP access list INBOUND
    10 permit ospf any any (92 matches)
    20 permit tcp any any eq bgp
    30 permit tcp any eq bgp any (21 matches)
    35 permit tcp any host 150.1.4.4 eq telnet (297 matches)
    40 Dynamic ACCESS permit ip any any
       permit ip host 155.1.45.5 any (36 matches) (time left 287)
    50 deny ip any any log (8 matches)

R5#telnet 150.1.4.6 /source-interface Serial0/0.1
Trying 150.1.4.6 ...
% Destination unreachable; gateway or host down

R5#telnet 150.1.4.4 /source-interface Serial0/0.1
Trying 150.1.4.4 ... Open

User Access Verification

Username: DYNACL
Password:
[Connection to 150.1.4.4 closed by foreign host]
R5#telnet 150.1.4.6 /source-interface Serial0/0.1
Trying 150.1.4.6 ... Open

R6#exit

[Connection to 150.1.4.6 closed by foreign host]

Doc CD Navigation

  • Cisco IOS Security Configuration Guide, Release 12.4
  • Traffic Filtering, Firewalls, and Virus Detection
  • Configuring Lock-and-Key Security (Dynamic Access Lists)
  • Lock-and-Key Configuration Examples
  • Lock-and-Key with Local Authentication Example