Basic Router Security
Remote configuration using SSH

Having remote access to network devices is critical for effectively managing a network. Traditionally, Cisco IOS supports Telnet, which allows users to connect to a remote router over TCP port 23. However, Telnet provides no security: all Telnet traffic, including usernames and passwords, crosses the network in clear text, so anyone who can capture packets on the path can read it. Secure Shell (SSH) replaces Telnet to provide remote router administration with connections that support strong privacy and session integrity. An SSH connection provides functionality similar to that of an outbound Telnet connection, except that the session is encrypted. With authentication and encryption, SSH allows for secure communications over an insecure network. The components that make up SSH are shown in the figure.

There are currently two versions of SSH available, SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2). SSHv1 has known protocol weaknesses and SSHv2 should be used wherever the IOS image supports it. SSH was introduced into IOS platforms/images in the following sequence:

  • SSHv1 server was introduced in some IOS platforms/images starting in 12.1(1)T.
  • SSHv1 client was introduced in some IOS platforms/images starting in 12.1(3)T.
  • SSHv1 terminal-line access, also known as reverse-Telnet, was introduced in some IOS platforms/images starting in 12.2(2)T.
  • SSHv2 was introduced in 12.3(4)T.

The SSH terminal-line access feature enables users to configure their router with secure access and perform the following tasks:

  • Connect to a router that has multiple terminal lines connected to consoles or serial ports of other routers, switches, or devices
  • Simplify connectivity to a router from anywhere by securely connecting to the terminal server on a specific line
  • Allow modems attached to routers to be used for dial-out securely
  • Require authentication to each of the lines through a locally defined username and password, TACACS+, or RADIUS

Cisco routers are capable of acting as the SSH client and server. By default, both of these functions are enabled on the router when SSH is enabled. These two functions are detailed in the following sections.

SSH Client
The SSHv1 Integrated Client feature is an application running over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco router to make a secure, encrypted connection to another Cisco router or to any other device running an SSHv1 server.

The SSH client in Cisco IOS software works with publicly and commercially available SSH servers. The SSH client supports the Data Encryption Standard (DES) and Triple DES (3DES) ciphers and password authentication. Both ciphers are weak by current standards; later IOS releases add AES and it should be preferred when available. User authentication is performed in the same way as for a Telnet session to the router. The user authentication mechanisms supported for SSH are RADIUS, TACACS+, and locally stored usernames and passwords.

SSH Server
When the SSH server function is enabled on a Cisco router or other device, an SSH client is able to make a secure, encrypted connection to that router or device. The SSH server in Cisco IOS will work with publicly and commercially available SSH clients as well as other Cisco routers that have SSH enabled.

When SSH is enabled on a Cisco router, it acts as both a client and a server by default. The Secure Copy Protocol (SCP) feature that is provided with SSH also allows for the secure transfer of configuration and image files; the SCP server must be enabled separately and requires AAA authorization to be configured.
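The following IOS configuration is an added example, not part of the course text, showing the server, client and terminal-line pieces described above together with the commands used to verify them. The hostname R1, the domain example.net, the admin account, the line numbers and the 192.0.2.0/24 addresses are assumptions; the reverse-SSH rotary commands require an image that includes that feature.

```ios
! Added example (not from the course text): SSH server on a Cisco IOS router.
! Hostname, domain name, admin account and addresses are assumptions.
hostname R1
ip domain-name example.net
!
! The RSA key pair identifies the router to SSH clients. The old default of a
! 512-bit modulus is too small; SSHv2 needs at least 768 bits and 2048 is the
! sensible minimum today.
crypto key generate rsa modulus 2048
!
! Refuse SSHv1 entirely (available from 12.3(4)T); limit the login window and
! the number of password attempts per connection.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local account for login. 'secret' stores a hashed password; 'password'
! would store it reversibly in the configuration.
username admin privilege 15 secret Str0ng-Passphrase-Here
!
! Only SSH is accepted inbound on the vty lines. The default
! 'transport input all' (or 'telnet') would leave Telnet listening.
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
!
! --- Verification ---
! show ip ssh   -> e.g. "SSH Enabled - version 2.0", timeout and retry values
! show ssh      -> active sessions with negotiated version and cipher
! debug ip ssh  -> key exchange and authentication trace while testing
!
! --- Router as SSH client (outbound to a peer at 192.0.2.2, assumed) ---
! ssh -v 2 -l admin 192.0.2.2
!
! --- Terminal-line (reverse SSH) access to async lines 1-16 ---
! A connection to TCP port 2001 is mapped to rotary group 1, so a client
! reaches the attached console with: ssh -l admin -p 2001 192.0.2.1
ip ssh port 2001 rotary 1
line 1 16
 no exec
 login local
 rotary 1
 transport input ssh
```

After applying this, a Telnet attempt to the vty lines is refused at the TCP level, and show ip ssh should report version 2.0 only; if it still shows 1.99, the router is still accepting SSHv1 clients.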


Lab Activity

Lab Exercise: Configure SSH

In this lab, students will configure a router as a Secure Shell (SSH) Version 1 server. Students will install and configure an SSH client on a student PC. Students will then use show and debug commands to troubleshoot SSH. Finally, the students will strengthen SSH by configuring SSH Version 2.

Lab Activity

Lab Exercise: Controlling TCP/IP Services

In this lab, students will begin the process of implementing a secure perimeter router. Students will explicitly deny common TCP/IP services, and then verify that these services have been disabled.
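As an added example, not part of the lab itself, the following configuration disables the TCP/IP services a perimeter router normally does not need and lists the commands that verify the result. The interface name GigabitEthernet0/0 is an assumption; which services are safe to disable depends on what the router is actually used for.

```ios
! Added example (not from the lab): disabling unneeded TCP/IP services on a
! perimeter router. The interface name is an assumption.
!
! Diagnostic and legacy services that listen on the router itself
no service tcp-small-servers
no service udp-small-servers
no service finger
no service pad
no ip bootp server
!
! Web management: disable both HTTP and HTTPS unless they are really used
no ip http server
no ip http secure-server
!
! Source-routed packets and CDP give an attacker topology and path control
no ip source-route
no cdp run
!
! Per-interface settings on the outside interface
interface GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
!
! --- Verification ---
! show control-plane host open-ports   (12.3(4)T and later) lists every TCP and
!                                       UDP port the router is still listening on
! show ip sockets                       UDP sockets on the router
! show tcp brief all                    TCP listeners and connections
! show running-config | include ^no service
```

The open-ports listing is the useful check: after the changes only the SSH port (and any routing-protocol or management ports intentionally left open) should remain.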

Interactive Media Activity

Demonstration Activity: Configuring SSH Access

In this activity, students will learn how to configure Cisco routers to act as SSH clients and servers.

Interactive Media Activity

Demonstration Activity: Setting up an IOS Router as an SSH Client and Adding Terminal Line Access

In this activity, students will learn how to configure a router as an SSH client and add SSH terminal-line access.