10.6 Configuration Lock-and-Key Security (Dynamic Access Lists)
10.6.1 What is Lock-and-Key
Lock and key is a traffic filtering security feature that dynamically filters IP protocol traffic. Lock and key is configured using IP dynamic extended access lists. This feature can be used in conjunction with other standard access lists and static extended access lists. When configured, designated users whose IP traffic is normally blocked at a router can gain temporary access through the router. When triggered, Lock and Key reconfigures the existing IP access list of the interface to permit designated users to reach their designated host(s). Afterwards, Lock and Key reconfigures the interface back to its original state.

For a user to gain access to a host through a router with Lock and Key configured, the user must first Telnet to the router. When a user initiates a standard Telnet session to the router, Lock and Key automatically attempts to authenticate the user. If the user is authenticated, the user will then gain temporary access through the router and be able to reach the destination host.

Benefits of Lock and Key

Lock and Key provides the same benefits as standard and static extended access lists. However, Lock and Key also has the following security benefits over standard and static extended access lists:

  • Lock and Key uses a challenge mechanism to authenticate individual users.
  • Lock and Key provides simpler management in large networks.
  • In many cases, Lock and Key reduces the amount of router processing required for access lists.
  • Lock and Key reduces the opportunity for network break-ins by network hackers.

With Lock and Key, you can specify which users are permitted access to which source/destination hosts. These users must pass a user authentication process before they are permitted access to their designated host(s). Lock and Key creates dynamic user access through a firewall, without compromising other configured security restrictions.

When to Use Lock and Key

Two examples of when you might use Lock and Key follow:

  • When you want a specific remote user (or group of remote users) to be able to access a host within your network, connecting from their remote host(s) via the Internet. Lock and Key authenticates the user, then permits limited access through your firewall router for the individual's host or subnet, for a finite period of time.
  • When you want a subset of hosts on a local network to access a host on a remote network protected by a firewall. With Lock and Key, you can enable access to the remote host only for the desired set of local users' hosts. Lock and Key requires users to authenticate through a security server before allowing their hosts to access the remote hosts.

How Lock and Key Works

The following process describes the Lock and Key access operation:

  1. A user opens a Telnet session to a border (firewall) router configured for Lock and Key. The user connects via the VTY port on the router.
  2. The Cisco IOS software receives the Telnet packet, opens a Telnet session, prompts for a password, and performs a user authentication process. The user must pass authentication before access through the router is allowed. The authentication process can be done by the router or by a central access security server such as a TACACS+ or Remote Authentication Dial-In User Service (RADIUS) server. When the user passes authentication, they are logged out of the Telnet session, and the software creates a temporary entry in the dynamic access list. (Per your configuration, this temporary entry can limit the range of networks to which the user is given temporary access.)
  3. The user exchanges data through the firewall.
  4. The software deletes the temporary access list entry when a configured timeout is reached, or when the system administrator manually clears it. The configured timeout can either be an idle timeout or an absolute timeout.

Note: The temporary access-list entry is not automatically deleted when the user terminates a session. The temporary access-list entry remains until a configured timeout is reached or until it is cleared by the system administrator.

Compatibility with Releases Prior to Cisco IOS Release 11.1

Enhancements to the access-list command are used for Lock and Key. These enhancements are backward compatible --- if you migrate from a release prior to Cisco IOS Release 11.1 to a newer release, your access lists will be automatically converted to reflect the enhancements. However, if you try to use Lock and Key with a release prior to Cisco IOS Release 11.1, you might encounter problems as described in the following caution paragraph:

Caution: Cisco IOS releases prior to Release 11.1 are not upwardly compatible with the Lock and Key access-list enhancements. Therefore, if you save an access list with software older than Release 11.1 and then boot Release 11.1 or later software with that saved configuration, the resulting access list will not be interpreted correctly. This could cause you severe security problems. You must save your old configuration files with Cisco IOS Release 11.1 or later software before booting an image with these files.

Risk of Spoofing with Lock and Key

Caution: Lock and Key access allows an external event (a Telnet session) to place an opening in the firewall. While this opening exists, the router is susceptible to source address spoofing.

When Lock and Key is triggered, it creates a dynamic opening in the firewall by temporarily reconfiguring an interface to allow user access. While this opening exists, another host might spoof the authenticated user's address to gain access behind the firewall. Lock and Key does not cause the address spoofing problem; the problem is identified here only as a concern to the user. Spoofing is a problem inherent to all access lists, and Lock and Key does not specifically address this problem.

To prevent spoofing, you could configure network data encryption as described in the chapter "Configuring Network Data Encryption." Configure encryption so that traffic from the remote host is encrypted at a secured remote router, and decrypted locally at the router interface providing Lock and Key. You want to ensure that all traffic using Lock and Key will be encrypted when entering the router; this way no attacker can spoof the source address, because they will be unable to duplicate the encryption or to pass the authentication that is a required part of the encryption setup process.

Router Performance Impacts with Lock and Key

When Lock and Key is configured, router performance can be affected in the following ways:

  • When Lock and Key is triggered, the dynamic access list forces an access list rebuild on the silicon switching engine (SSE), causing the SSE switching path to slow down momentarily.
  • Dynamic access lists require the idle timeout facility (even if the timeout is left to default) and, therefore, cannot be SSE switched. These entries must be handled in the protocol fast-switching path.
  • When remote users trigger Lock and Key at a border router, additional access-list entries are created on the border router interface. The interface access list will grow and shrink dynamically. Entries are dynamically removed from the list after either the idle-timeout or max-timeout period expires. Large access lists can degrade packet-switching performance, so if you notice performance problems, you should look at the border router configuration to see if you should remove temporary access-list entries generated by Lock and Key.

Prerequisites to Configuring Lock and Key

Lock and Key uses IP extended access lists. You must have a solid understanding of how access lists are used to filter traffic before you attempt to configure Lock and Key. Lock and Key employs user authentication and authorization as implemented in the Cisco authentication, authorization, and accounting (AAA) paradigm. You must understand how to configure AAA user authentication and authorization before you configure Lock and Key. 

Configure Lock and Key

To configure Lock and Key, perform the tasks shown in the main figure, beginning in global configuration mode.
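A minimal working configuration that implements the process described under "How Lock and Key Works" and the tasks this section refers to, added here as an example rather than taken from the figure or from Cisco's own documentation. The interface names, addresses, username, list number 101 and dynamic list name are constructed for illustration.

```cisco
! Constructed addressing for this example: Serial0 (10.1.1.1/24) faces the
! Internet and carries the inbound access list; the protected host is 172.16.1.10.
!
! Local user database used for the Telnet authentication step.
! A central TACACS+ or RADIUS server via AAA can be used instead.
username remoteuser password 0 REPLACE-WITH-REAL-PASSWORD
!
interface Serial0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
!
! Static entry: outside users may reach only the router's Telnet port,
! which is what allows them to authenticate in the first place.
access-list 101 permit tcp any host 10.1.1.1 eq telnet
!
! Dynamic entry template. "timeout 120" is the absolute timeout (minutes)
! after which a temporary entry is removed even if traffic is still flowing.
! The destination is restricted to the designated host so that, while the
! opening exists, a spoofed source address reaches only that host.
access-list 101 dynamic remoteusers timeout 120 permit ip any host 172.16.1.10
!
line vty 0 4
 login local
 autocommand access-enable host timeout 5
! After a successful login the autocommand creates the temporary entry and
! logs the user out of Telnet. The "host" keyword limits the entry to the
! source address that opened the Telnet session; without it, the entry keeps
! the template's "any" source and every host on the outside network gets in.
! "timeout 5" is the idle timeout (minutes); the entry is not removed when
! the user's session ends, only by a timeout or an administrator.
```

`show access-lists` lists the temporary entries created under the dynamic line, and `clear access-template` removes them before a timeout expires.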