Lock Down Source IP Addresses or Subnets

There may be times when someone needs to remotely connect to a router, switch, ASA/PIX Firewall, or any other network device that is part of a private network over some network (private or public), including the Internet. Typically the person connects using either telnet or ssh.

When the person connects from a previously known or static IP address, one secure way to provide the connection is to lock down the source IP address or subnet within the router, switch, or firewall. Following is an illustration.

Let's say the person always connects from the Outside (the Internet) using the IP address 4.1.53.4 and from the Inside (LAN) using the IP address 192.168.100.1. To lock down the source IP address within a router, switch, or any IOS-based device, the configuration looks like the following.

access-list 10 remark Permitted Subnet for Remote Access
access-list 10 permit 4.1.53.4
access-list 10 permit 192.168.100.1
!
line vty 0 4
access-class 10 in
transport input ssh telnet
!
 

Now let's visit a different situation. When the person is unsure of the source IP address but knows the source IP subnet, which is 4.1.53.0/24 as the Outside (the Internet) IP subnet and 192.168.100.0/24 as the Inside (LAN) IP subnet, then the configuration looks like the following to lock down the source IP subnet within an IOS-based device.

access-list 10 remark Permitted Subnet for Remote Access
access-list 10 permit 4.1.53.0 0.0.0.255
access-list 10 permit 192.168.100.0 0.0.0.255
!
line vty 0 4
access-class 10 in
transport input ssh telnet
!
 

Some discussions
»[HELP] ACL Please help
»blocking telnet and http-server access to a port

Following is the list of equivalent configurations on the ASA/PIX Firewall.

IP Address
ssh 4.1.53.4 255.255.255.255 outside
ssh 192.168.100.1 255.255.255.255 inside
telnet 192.168.100.1 255.255.255.255 inside
 

IP Subnet
ssh 4.1.53.0 255.255.255.0 outside
ssh 192.168.100.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 inside
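Both the IOS access-list/access-class configuration above and the ASA ssh/telnet statements restrict who may reach the management plane, but they express the source in different notations: IOS standard ACLs use a wildcard mask (0.0.0.255), while the ASA commands take an ordinary subnet mask (255.255.255.0), and an IOS ACL ends with an implicit deny. The following checker is an added example, not code from the FAQ or from Cisco; it parses both forms from constructed sample configs built from the FAQ's own addresses and reports whether a given source address would be admitted. The function names and the sample configs are this example's own assumptions. It also shows what happens when a subnet mask is typed where IOS expects a wildcard, a slip that quietly opens the line to many unintended sources.

```python
# Added example, not part of the original FAQ: a small checker that tells you
# which source addresses an IOS standard ACL (access-list N permit <base> <wildcard>)
# and ASA "ssh/telnet <ip> <mask> <interface>" statements would actually admit,
# including the implicit deny at the end of an IOS ACL.
# The addresses come from the FAQ; the function names and the sample configs
# embedded below are this example's own (constructed) assumptions.
import ipaddress

# Constructed sample: the FAQ's IOS subnet ACL.
IOS_ACL = """\
access-list 10 remark Permitted Subnet for Remote Access
access-list 10 permit 4.1.53.0 0.0.0.255
access-list 10 permit 192.168.100.0 0.0.0.255
"""

# Constructed sample: the FAQ's ASA per-host ssh/telnet statements.
ASA_MGMT = """\
ssh 4.1.53.4 255.255.255.255 outside
ssh 192.168.100.1 255.255.255.255 inside
telnet 192.168.100.1 255.255.255.255 inside
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def ios_wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    (A subnet mask typed by mistake, e.g. 255.255.255.0, inverts the meaning.)"""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)


def parse_ios_acl(config):
    """Return {acl_number: [(action, base, wildcard), ...]} in configured order.
    Remarks are ignored; 'host X' and 'any' are expanded to base/wildcard."""
    acls = {}
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        number, action = parts[1], parts[2]
        if parts[3] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            base, wildcard = parts[4], "0.0.0.0"
        else:
            base = parts[3]
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        acls.setdefault(number, []).append((action, base, wildcard))
    return acls


def ios_acl_permits(entries, source):
    """First matching entry decides; no match means the implicit deny at the end."""
    for action, base, wildcard in entries:
        if ios_wildcard_match(source, base, wildcard):
            return action == "permit"
    return False


def parse_asa_mgmt(config):
    """Return [(protocol, network, interface), ...] from ASA ssh/telnet lines.
    ASA uses ordinary subnet masks here, not wildcards."""
    rules = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) == 4 and parts[0] in ("ssh", "telnet"):
            network = ipaddress.IPv4Network((parts[1], parts[2]), strict=False)
            rules.append((parts[0], network, parts[3]))
    return rules


def asa_permits(rules, protocol, source, interface):
    """True when some statement for that protocol on that interface covers the source."""
    src = ipaddress.IPv4Address(source)
    return any(p == protocol and i == interface and src in n for p, n, i in rules)


if __name__ == "__main__":
    entries = parse_ios_acl(IOS_ACL)["10"]
    for probe in ("4.1.53.200", "4.1.54.4", "192.168.100.77", "10.0.0.1"):
        verdict = "permit" if ios_acl_permits(entries, probe) else "deny"
        print(f"IOS acl 10, source {probe}: {verdict}")
    # Typing a subnet mask where IOS expects a wildcard flips the match.
    mistaken = parse_ios_acl("access-list 30 permit 4.1.53.0 255.255.255.0")["30"]
    print("mistaken mask admits 4.1.53.7:", ios_acl_permits(mistaken, "4.1.53.7"))
    print("mistaken mask admits 10.9.8.0:", ios_acl_permits(mistaken, "10.9.8.0"))
    rules = parse_asa_mgmt(ASA_MGMT)
    print("ASA ssh from 4.1.53.5 on outside:", asa_permits(rules, "ssh", "4.1.53.5", "outside"))
    print("ASA telnet from 192.168.100.1 on inside:", asa_permits(rules, "telnet", "192.168.100.1", "inside"))
```

Running the script against the FAQ's ACL confirms that 4.1.54.4 and 10.0.0.1 fall through to the implicit deny, while the mistaken-mask case shows the trap in the other direction: with 255.255.255.0 as the wildcard, 4.1.53.7 is refused but any address ending in .0 from anywhere is admitted. The ASA half shows that the telnet statement is bound to the inside interface only, so the same host arriving on outside gets no telnet access.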
 

Between Telnet and SSH

In general, accessing a router, firewall, or any network device by SSH is considered more secure than by telnet. In theory, hackers could tap into a telnet session more easily than an SSH session, since telnet sends everything in clear text while SSH uses encryption.

Note that in order for those hackers to be able to tap in, they must know a few things beforehand, such as the source and destination IP addresses (the IP address you use to connect via either telnet or ssh and the IP address of the network device you connect to), when and how you connect, etc. In reality, it is impractical for hackers to just target random connections from anybody.

Therefore, it is arguable that using ssh might not be more secure than telnet in the real world. By locking down the source IP address as shown previously, using telnet for remote access to network devices should be secure enough at some point.

RSA key availability and Enabling SSH access

SSH, as an encryption protocol, must use an available RSA key in order to connect to any SSH server. When you ssh into a router, firewall, switch, or any network device, that device is considered the SSH server, while the machine you ssh from is the SSH client. The RSA key used by the SSH client to connect to the SSH server must be reachable by and available for the SSH server to use.

The RSA key can be either stored locally on the SSH server or available remotely from some RSA/certificate server. Common practice is to store the key locally.

Should you decide to keep the RSA key locally, you must generate the key and save it. In Cisco IOS and ASA OS, a quick way to generate an RSA key is to issue the crypto key generate rsa command. When you generate the RSA key, it is suggested to use a modulus of 1024 or larger in order to enable SSH version 2, which is more secure than SSH version 1. Note that by default the crypto key generate rsa command only generates a 512-bit-modulus RSA key and hence only enables SSH version 1.

Remote Access Using IPSec VPN

The previous illustrations showed sample configurations for when the source IP address or subnet is known. When neither is known, a different approach is needed.

A common way to securely connect remotely to a router or firewall via the Internet is by IPSec VPN. Using specific IPSec VPN Client software, the person connects to an IPSec VPN Concentrator. Once the connection is established, the person can then connect to pretty much any network device within the private network, including routers and the ASA/PIX Firewall, via telnet or ssh.

You can use either a router or an ASA/PIX Firewall as the IPSec VPN Concentrator. Following is the list of sample configurations to configure a router or an ASA/PIX Firewall as the IPSec VPN Concentrator.

»Cisco Forum FAQ »Configure router as both Internet router and VPN Concentrator
»Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator

Is Setting Up IPSec VPN Concentrator Secure Enough?

Keep in mind that since you are dealing with the real world, there is nothing that is "secure enough". There are always ways to go around the perimeter and hack into something.

The analogy is like securing your house. You can lock and chain the doors (and even set up an automatic security system) in addition to the standard lock and key. Is it secure enough? Maybe. Is it still possible for a burglar to enter the house? Yes. But is it then harder to break in? Yes.

The above analogy shows pretty much how network security should be viewed and implemented. The whole idea is to make it harder to be hacked by setting up multiple security layers. In the world of AAA (Authentication, Authorization, and Accounting), such as accessing a router or ASA/PIX Firewall remotely from the Internet, following is the list of technologies that can be implemented to provide such multiple security layers.

* IPSec VPN instead of Windows VPN technology since IPSec VPN is based on more secure specialized protocols
* VPN Group Authentication (as shown in above sample configurations)
* External AAA server such as TACACS+ and RADIUS (as shown in above sample configurations)
* Certificate-based and/or RSA-token-authentication-based VPN credentials for remote access VPN users in addition to the AAA server

Following is the list of sample configurations

Configuring IPSec Between Cisco IOS Routers and Cisco VPN Client Using Entrust Certificates
IPSec Between PIX and Cisco VPN Client Using Smartcard Certificates
»Cisco Forum FAQ »Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level


by Phraxos, edited by aryoba
last modified: 2013-01-16 11:22:12