10.2 Basic Security
10.2.5 Restricting VTY and HTTP access
Restricting VTY access

By default, there are five virtual terminal (vty) lines on each Cisco device, but you can usually create as many as you need. The vty line that you "get" is determined by the number of vty sessions currently in use. Because you can never know exactly which vty line you are using, you should set identical restrictions on all lines. The line vty first-vty-number last-vty-number command takes you into the configuration mode for the selected virtual terminal lines. The most common use of this command is line vty 0 4, which indicates that you are modifying the first five virtual terminal lines. The access-class command applies the access list to the selected lines. The access list is a standard access list that indicates the source addresses that are either permitted or denied. The in|out keyword at the end of the access-class statement indicates whether the source address should be allowed to establish a Telnet session into this device or out of this device.

Configuring the HTTP Server

Cisco IOS Software allows you to use a Web browser to issue Cisco IOS commands to your network device. The Hypertext Transfer Protocol (HTTP) server software required to do this is found in Releases 11.0(6) and later. This makes configuring network devices easier, but opens some security holes at the same time. By default, HTTP access is disabled. To enable HTTP access on a Cisco IOS command-based switch or router, enter the following command:

An access list can then be used to filter access to the HTTP management of the network device. To configure the HTTP server, perform the tasks shown in Figure

Recently, some set command-based switches have implemented a Web interface as well. The Catalyst® Web Interface (CWI) is a browser-based tool that you can use to configure the Catalyst 6000, 5000, and 4000 Family Switches. It consists of a graphical user interface (GUI) that runs on the client, Catalyst CV 5.0 (the Catalyst version of CiscoView 5.0), and an HTTP server that runs on the switch. A GUI alternative to the CLI and Simple Network Management Protocol (SNMP) interfaces, the CWI provides a real-time graphical representation of the switch and detailed information such as port status, module status, type of chassis, and modules. The CWI uses HTTP to download Catalyst CV from the server to the client. HTTP is the TCP/IP protocol that the World Wide Web uses to exchange HTML documents. Communication between the client and server occurs on a TCP/IP connection; the TCP port number for HTTP is 80. In this client/server mode, the client opens a connection to the server and sends a request. The server receives the request, sends a response back to the client, and closes the connection. To enable HTTP access to the actual switch itself, issue the commands shown in Figure
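As an added example, not taken from the page or its figures, the configuration below ties the two procedures together: one standard access list applied to all vty lines with access-class and to the HTTP server. The list number and management subnet are constructed for illustration; ip http server and ip http access-class are the IOS commands assumed for the steps the page leaves to its figures.

```cisco
! Added example: restrict vty (Telnet) and HTTP management access to a
! single management subnet. Addresses and list number are constructed.
!
! Standard numbered access list: only hosts in 10.1.1.0/24 are permitted.
! Every access list ends with an implicit "deny any", so all other
! sources are rejected without an explicit deny line.
access-list 10 permit 10.1.1.0 0.0.0.255
!
! Apply the same restriction to every vty line, so it does not matter
! which line an administrator is assigned. "in" filters sessions coming
! INTO this device. A local username is assumed to already exist.
line vty 0 4
 access-class 10 in
 login local
!
! Enable the HTTP server (disabled by default) and filter it with the
! same standard access list, so browser management is limited to the
! same subnet as Telnet management.
ip http server
ip http access-class 10
!
! Verification (privileged EXEC): confirm the list is applied and watch
! the match counters rise when a source outside the subnet is refused.
! show access-lists 10
! show running-config | section line vty
! show running-config | include ip http
```

Because HTTP on TCP port 80 carries credentials in cleartext, the same access-class filtering should be applied to the secure server (ip http secure-server) on images that support it.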