ACLs for Telnet... what's the point?

The Prize Is Lobster (Member, Posts: 71)
Maybe I am missing something on this, but from my understanding, restricting access to a telnet connection via ACL seems a bit unnecessary. If you only wanted administrative telnet access to a router, it's assumed the router would be password protected initially anyway, and it requires including all administrators' IPs in the Access List, which would require static IPs on all admin workstations, etc. Bleh... am I overlooking something here?

Comments

  • dtlokee (Member, Posts: 2,378)
    The point is multiple lines of defense. If you simply rely on passwords they can be broken; if you add an access list to restrict what IP addresses can even create a connection, you have added an additional layer of security. In many cases (in our NOC for example) all the admin workstations are on the same VLAN, so restricting access is easily accomplished. Sometimes the NOC workstations are all translated using NAT to provide additional security, so you would simply use an access-list to allow the dynamic NAT pool.
    The only easy day was yesterday!
  • Webmaster (Admin, Posts: 10,292)
    Security, when properly implemented, is implemented in layers. Just because it already has a password doesn't mean you shouldn't use additional means to secure administrative access (and use ACLs, and SSH instead of Telnet, for example).
    The Prize Is Lobster wrote:
    It requires including all administrators' IPs in the Access List which would require static IPs on all admin workstations.
    True in smaller organizations, but in larger networks the IT department is often assigned a separate IP subnet and you could allow that subnet or a portion of it. On the other hand, it's quite common to give a network management station a static IP address.
  • Webmaster (Admin, Posts: 10,292)
    Ah, I see dtlokee already posted something similar; that's why I normally press the Preview button before submitting a reply... well, it's a point worth stressing.
  • Paul#4 (Inactive Imported Users, Posts: 57)
    More security is usually better if implemented properly.

    Restricting telnet access with ACLs provides extra security for various reasons.

    What if you want site admins to telnet only from work?
    What if your company uses the same password for all routers, but wants to restrict other admins from accessing this particular router?
    What happens if a hacker (an ex-employee, for example) gets the password, but he cannot telnet to the router because of an ACL?

    These things seem marginal but are very important when securing a Cisco router.


    Just think...more security is usually better.
    Gimme gimme gimme
  • The Prize Is Lobster (Member, Posts: 71)
    That makes sense.

    Actually, after posting this I remembered that when I worked net support some years back, all of our workstations were on static IPs.
  • Webmaster (Admin, Posts: 10,292)
    Paul#4 wrote:
    more security is usually better.
    Indeed, until it interferes with accessibility/availability. Implementing security, especially access controls, is a trade-off between security and accessibility. For example, if you own a gun and want to store it in a secure manner, you could put it in a small safe, put that one in a larger safe, wrap a bunch of chromium chains around it and bury it 500 feet below the ground. That should keep it pretty safe, but it also makes it useless to you because you cannot access it quickly and need to perform too many tasks.
  • Rearden (Member, Posts: 222)
    For example, we keep all of our switches in a VLAN that also uses 10.x.x.x addresses. This way, only the machines in that VLAN can access them. We STILL use ACLs to prevent someone from plugging a machine into a port that someone accidentally left in the management VLAN and being able to try and telnet to our switches.
    More systems have been wiped out by admins than any cracker could do in a lifetime.
  • sprkymrk (Member, Posts: 4,884)
    Restricting telnet via ACL also forces admins to use a secure protocol (SSH for instance) to manage the device, so as to avoid sending passwords in clear text across the network.

    This may have already been mentioned above, but most of the posts emphasize "layered security" as the primary reason (which is not incorrect), so I just wanted to point out another reason in case it wasn't obvious.
    All things are possible, only believe.
  • Paul#4 (Inactive Imported Users, Posts: 57)
    Webmaster wrote:
    Paul#4 wrote:
    more security is usually better.
    Indeed, until it interferes with accessibility/availability. Implementing security, especially access controls, is a trade-off between security and accessibility. For example, if you own a gun and want to store it in a secure manner, you could put it in a small safe, put that one in a larger safe, wrap a bunch of chromium chains around it and bury it 500 feet below the ground. That should keep it pretty safe, but it also makes it useless to you because you cannot access it quickly and need to perform too many tasks.

    That's true, there are some unreasonable security demands.
    Implementing an ACL on telnet is standard and worth it.

    If you just follow Cisco's recommended methods, 9 out of 10 times you will be right.
    There is a right way and wrong way to do most things in networking.
    Finding the right way is sometimes difficult.
    Gimme gimme gimme
  • Webmaster (Admin, Posts: 10,292)
    Paul#4 wrote:
    Implementing an ACL on telnet is standard and worth it.
    Yep, exactly my point. If a static IP is really needed it's still worth it, and any inconvenience because of a static address doesn't outweigh the advantage of the additional layer of security the ACL provides.
    sprkymrk wrote:
    Restricting telnet via ACL also forces admins to use a secure protocol (SSH for instance) to manage the device, so as to avoid sending passwords in clear text across the network.
    That's more appropriate for ACLs on regular network interfaces than the access list on the vty lines, i.e. if you want to deny telnet entirely for a certain network behind a router. If you enable SSH on the lines it won't accept Telnet anymore, so it will effectively be disabled.
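As an added example (not configuration from anyone in this thread), the two controls discussed above on a Cisco IOS router: dtlokee's and Webmaster's vty access-class restricted to a management subnet plus a NAT pool address, and the SSH-only transport from sprkymrk's and Webmaster's posts. The subnet 10.10.50.0/24, the host 203.0.113.10, the hostname, the domain and the username are assumed values.

```ios
! Constructed example: only the management VLAN and the NOC's NAT pool address
! may open a session to the vty lines. The explicit "deny any log" matches what
! the implicit deny would drop anyway, but writes a syslog line per rejected
! source so repeated login attempts from an unexpected address are visible.
ip access-list standard MGMT-VTY
 permit 10.10.50.0 0.0.0.255
 permit host 203.0.113.10
 deny   any log
!
! Create the admin account before switching the lines to "login local".
username netadmin privilege 15 secret <REPLACE-WITH-STRONG-SECRET>
!
! Hostname and domain name must exist before the RSA key can be generated;
! the key is what lets the lines offer SSH at all.
hostname edge-rtr
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Apply the ACL inbound on every vty line and accept SSH only: Telnet is now
! refused even from a permitted address, so passwords never cross the wire
! in clear text. The idle timeout closes sessions left open on a workstation.
line vty 0 4
 access-class MGMT-VTY in
 transport input ssh
 login local
 exec-timeout 10 0
```

Enter this from the console rather than over an existing remote session: an access-class that omits the address you are connecting from drops your own management access along with everyone else's.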
  • erikd65 (Member, Posts: 18)
    We have one router in the field that some bozo kept trying (and still keeps trying) to break the login on, so I applied access lists to all the vty lines... problem solved. It's just another line of defense.

    I also run AAA via TACACS+ on an ACS server as well.
  • Paul Boz (Member, Posts: 2,620)
    Well, my reasoning is that hey, it's a valid feature put there, so why not? I like playing with IOS and configuring things just for the sake of doing it. The added level of security is worth it, but make sure you can remote to a device (home or work PC) that has an allowed IP address, because if you're on the road and want to manage your router or network and try to log in via a non-allowed IP address, you're SOL.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • Chivalry1 (Member, Posts: 569)
    DEFENSE IN-DEPTH!!

    BTW, if your Cisco IOS supports it please use SSH to avoid Man-In-the-Middle attacks.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and content with your knowledge." Elbert Hubbard (1856 - 1915)