Lock and Key is a traffic filtering
security feature that dynamically filters IP protocol traffic. Lock
and Key is configured using IP dynamic extended access lists. This
feature can be used in conjunction with other standard access lists
and static extended access lists. When configured, designated users
whose IP traffic is normally blocked at a router can gain temporary
access through the router. When triggered, Lock and Key reconfigures
the existing IP access list of the interface to permit designated
users to reach their designated host(s). Afterwards, Lock and Key
reconfigures the interface back to its original state.
For a user to gain access to a host through a router with Lock
and Key configured, the user must first Telnet to the router. When a
user initiates a standard Telnet session to the router, Lock and Key
automatically attempts to authenticate the user. If the user is
authenticated, the user will then gain temporary access through the
router and be able to reach the destination host.
Benefits of Lock and Key
Lock and Key provides the same benefits as standard and static
extended access lists. However, Lock and Key also has the following
security benefits over standard and static extended access lists:
- Lock and Key uses a challenge mechanism to authenticate
individual users.
- Lock and Key provides simpler management in large networks.
- In many cases, Lock and Key reduces the amount of router
processing required for access lists.
- Lock and Key reduces the opportunity for network break-ins by
network hackers.
With Lock and Key, you can specify which users are permitted
access to which source/destination hosts. These users must pass a
user authentication process before they are permitted access to
their designated host(s). Lock and Key creates dynamic user access
through a firewall, without compromising other configured security
restrictions.
When to Use Lock and Key
Two examples of when you might use Lock and Key follow:
- When you want a specific remote user (or group of remote
users) to be able to access a host within your network,
connecting from their remote host(s) via the Internet. Lock and
Key authenticates the user, then permits limited access through
your firewall router for the individual's host or subnet, for a
finite period of time.
- When you want a subset of hosts on a local network to access a
host on a remote network protected by a firewall. With Lock and
Key, you can enable access to the remote host only for the
desired set of local users' hosts. Lock and Key requires users
to authenticate through a security server (such as a TACACS+ or
RADIUS server) before allowing their hosts to access the remote
hosts.
How Lock and Key Works
The following process describes the Lock and Key access
operation:
- A user opens a Telnet session to a border (firewall) router
configured for Lock and Key. The user connects via the VTY port
on the router.
- The Cisco IOS software receives the Telnet packet, opens
a Telnet session, prompts for a password, and performs a user
authentication process. The user must pass authentication before
access through the router is allowed. The authentication process
can be done by the router or by a central access security server
such as a TACACS+ or Remote Authentication Dial-In User Service
(RADIUS) server. When the user passes authentication, they are
logged out of the Telnet session, and the software creates a
temporary entry in the dynamic access list. (Per your
configuration, this temporary entry can limit the range of
networks to which the user is given temporary access.)
- The user exchanges data through the firewall.
- The software deletes the temporary access list entry when a
configured timeout is reached, or when the system administrator
manually clears it. The configured timeout can either be an idle
timeout or an absolute timeout.
Note: The temporary access-list entry is not
automatically deleted when the user terminates a session. The
temporary access-list entry remains until a configured timeout is
reached or until it is cleared by the system administrator.
Compatibility with Releases Prior to Cisco IOS Release 11.1
Enhancements to the access-list command are used for Lock
and Key. These enhancements are backward compatible: if you migrate
from a release prior to Cisco IOS Release 11.1 to a newer
release, your access lists will be automatically converted to
reflect the enhancements. However, if you try to use Lock and Key
with a release prior to Cisco IOS Release 11.1, you might
encounter problems as described in the following caution paragraph:
Caution Cisco IOS releases prior to Release 11.1 are
not upwardly compatible with the Lock and Key access-list
enhancements. Therefore, if you save an access list with software
older than Release 11.1, and then use this software, the
resulting access list will not be interpreted correctly. This
could cause you severe security problems. You must save your old
configuration files with Cisco IOS Release 11.1 or later
software before booting an image with these files.
Risk of Spoofing with Lock and Key
Caution Lock and Key access allows an external event (a
Telnet session) to place an opening in the firewall. While this
opening exists, the router is susceptible to source address
spoofing.
When Lock and Key is triggered, it creates a dynamic opening in
the firewall by temporarily reconfiguring an interface to allow user
access. While this opening exists, another host might spoof the
authenticated user's address to gain access behind the firewall.
Lock and Key does not cause the address spoofing problem; the
problem is identified here only as a concern to the user. Spoofing
is a problem inherent to all access lists, and Lock and Key does not
specifically address this problem.
To prevent spoofing, you could configure network data encryption
as described in the chapter "Configuring Network Data
Encryption." Configure encryption so that traffic from the
remote host is encrypted at a secured remote router, and decrypted
locally at the router interface providing Lock and Key. You want to
ensure that all traffic using Lock and Key will be encrypted when
entering the router; this way an attacker cannot usefully spoof the
source address, because they are unable to reproduce the encryption
or to authenticate, which is a required part of the encryption
setup process.
Router Performance Impacts with Lock and Key
When Lock and Key is configured, router performance can be
affected in the following ways:
- When Lock and Key is triggered, the dynamic access list forces
an access list rebuild on the silicon switching engine (SSE),
causing the SSE switching path to slow down momentarily.
- Dynamic access lists require the idle timeout facility (even
if the timeout is left to default) and, therefore, cannot be SSE
switched. These entries must be handled in the protocol
fast-switching path.
- When remote users trigger Lock and Key at a border router,
additional access-list entries are created on the border router
interface. The interface access list will grow and shrink
dynamically. Entries are dynamically removed from the list after
either the idle-timeout or max-timeout period expires. Large
access lists can degrade packet-switching performance, so if you
notice performance problems, you should look at the border
router configuration to see if you should remove temporary
access-list entries generated by Lock and Key.
Prerequisites to Configuring Lock and Key
Lock and Key uses IP extended access lists. You must have a solid
understanding of how access lists are used to filter traffic before
you attempt to configure Lock and Key. Lock and Key employs user
authentication and authorization as implemented in the Cisco
authentication, authorization, and accounting (AAA) paradigm. You
must understand how to configure AAA user authentication and
authorization before you configure Lock and Key.
Configure Lock and Key
To configure Lock and Key, perform the tasks shown in the main
figure, beginning in global configuration mode.
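The following configuration is an added example that ties together the process described under "How Lock and Key Works" and the configuration tasks above; it is not part of the original page. It assumes a border router whose Internet-facing interface is Ethernet0 with address 192.0.2.1, a protected network 10.1.1.0/24 behind it, an administrative host 203.0.113.10, and local usernames and passwords; all of these values are assumptions chosen for illustration.

```cisco
! Added example (not from the original page). Addresses, names and
! passwords are assumptions.

! Prerequisite: AAA login authentication. The local database is used here;
! a TACACS+ or RADIUS method can be substituted in the method list.
aaa new-model
aaa authentication login default local
username alice password 0 alice-secret
username admin password 0 admin-secret

! Inbound filter on the Internet-facing interface. Order matters:
!  1. anyone may reach the router's Telnet port, so Lock and Key can be
!     triggered;
!  2. the admin host may reach the rotary port 3001 used by the admin VTY;
!  3. the dynamic entry stays inactive until access-enable runs;
!  4. the implicit deny at the end blocks everything else.
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
access-list 101 permit tcp any host 192.0.2.1 eq telnet
access-list 101 permit tcp host 203.0.113.10 host 192.0.2.1 eq 3001
! "timeout 60" is the absolute timeout in minutes: a temporary entry is
! removed 60 minutes after creation even if traffic is still flowing.
access-list 101 dynamic REMOTE-USERS timeout 60 permit ip any 10.1.1.0 0.0.0.255

! VTY lines 0-3: a user Telnets in, authenticates, and the autocommand
! creates the temporary entry and then closes the session. "host" limits
! the entry to the authenticating source address instead of "any";
! "timeout 5" is the idle timeout in minutes. The entry is NOT removed
! when the Telnet session ends, only by a timeout or by an administrator.
line vty 0 3
 login local
 autocommand access-enable host timeout 5
! VTY line 4: reserved for administration. "rotary 1" makes it reachable
! on TCP port 3001, so an admin login does not fire the autocommand and
! does not open the firewall.
line vty 4
 login local
 rotary 1
```

With this in place, "show access-lists 101" lists the temporary entries that authenticated users have created, and "clear access-template 101 REMOTE-USERS any 10.1.1.0 0.0.0.255" removes them manually before a timeout expires. Note that "host" in the autocommand narrows each opening to one source address but, as the spoofing caution above states, does not prevent another host from spoofing that address while the entry exists.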