
Secure access to a router

teancum144 Member Posts: 229
I ran across a question worded similarly to the following:

To ensure network access to a router is allowed for only the network group and from only authorized machines, router hardening includes which two of the following:
a. TACACS+
b. VPN
c. IPSec
d. ACL
e. SSH
f. SNMP

The answer is 'a' and 'd'. Why not 'a' and 'e'?
If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post. :D

Comments

  • mjb2424 Member Posts: 17
    ACLs on the router or at other places in the network could be established to prevent anyone other than those explicitly allowed in the ACL from accessing the router. For example, only a single management station's IP address might be allowed access to a router.

    This is one of those questions where "pick the best answer" comes into play. Although authentication information should be required for SSH, thereby limiting access to authorized entities, the primary purpose of SSH is to provide encrypted communications.
  • Serpente Member Posts: 15
    I think the key here is the use of "authorized machine". SSH will allow authorised users, but it does not filter based on the machine being used, whereas ACLs filter based on IP addresses.
  • RouteMyPacket Member Posts: 1,104
    Don't over think this, it's easy to see the answers.

    To allow access from the "network group" and from "authorized machines"

    How can VPN accomplish that? It can't

    SSH? This is a router right? Then nope

    SNMP? Nope

    IPSec? Nope

    TACACS+? Oh yeah, here we have command level authorization and accounting. Groups can be applied to access policy so this is one of our answers.

    ACL? Oh yeah, this is the entire premise of ACLs. We use them to permit and/or deny traffic, so this is our other correct answer.


    When looking at these questions, start eliminating the options that are absolutely not plausible first.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test: if you were awakened in the middle of the night because of a network problem and had to figure out the traffic flows in your network while you were half asleep, could you do it?
  • teancum144 Member Posts: 229
    Makes sense (thanks!), but how do you access the router without SSH? I've never used TACACS+; does it provide an interface to remotely access the router?
  • RouteMyPacket Member Posts: 1,104
    teancum144 wrote:
    Makes sense (thanks!), but how do you access the router without SSH? I've never used TACACS+; does it provide an interface to remotely access the router?

    Access is a blanket term.

    Do you have "access" to the core switch teancum144? "Yes, I have a username and password"

    Can you "access" it from your machine?

    There are many ways to harden routers. Obviously we have username/password, SSH is the medium in which we will connect, but is that medium allowed from say 192.168.1.24 255.255.255.0 (your machine)? Perhaps it only accepts SSH requests from 192.168.2.0/24?

    Once you get around CCNP Security you will run into command level authorization, perhaps briefly mentioned at CCNA Security. Cisco ACS is the standard bearer for engineers to secure access to their gear. With TACACS+ the router has been configured for AAA (Authentication, Authorization, Accounting), and when we attempt to log in (at the normal router prompt, mind you), based on the AAA configuration the router will forward that logon request to ACS, which will then, based on its configuration, permit or deny the request (and of course log the attempt, pass or fail).

    Again, SSH is the medium in which we use to get to the router/switch/firewall...once connected then we are talking about authentication etc.
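The two halves of the accepted answer, as they appear in a Cisco IOS configuration. This is an added example and not something any poster in the thread supplied: it restricts the VTY lines so that SSH is the only transport and is accepted only from the management subnet (the "authorized machines" half, via an ACL applied with access-class), then hands authentication, command authorization and accounting to a TACACS+ server (the "network group" half). The subnet 192.168.2.0/24 is the one RouteMyPacket mentions; the server name ACS-1, its address 10.0.0.5, the shared key, the domain name and the local fallback account are assumptions chosen for illustration.

```cisco
! ---- Part 1: only authorized machines may reach the router's management plane ----
! Standard ACL naming the management subnet; everything else is dropped and logged.
ip access-list standard MGMT-HOSTS
 permit 192.168.2.0 0.0.0.255
 deny   any log
!
! SSH needs a host key; domain name and key size are assumptions for this example.
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Apply the ACL inbound on the VTY lines and refuse Telnet entirely.
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
!
! ---- Part 2: only members of the network group may log in, and only run what ACS allows ----
aaa new-model
!
! Local fallback account so a dead TACACS+ server does not lock you out (assumed credentials).
username netadmin privilege 15 secret ChangeMeFallback
!
! TACACS+ server definition; address and key are assumptions for this example.
tacacs server ACS-1
 address ipv4 10.0.0.5
 key 0 SharedSecretForACS
!
aaa group server tacacs+ ACS
 server name ACS-1
!
! Authentication: ask ACS first, use the local database only if ACS is unreachable.
aaa authentication login default group ACS local
! Authorization: ACS decides who gets an exec shell and which privileged commands they may run.
aaa authorization exec default group ACS local
aaa authorization commands 15 default group ACS local
! Accounting: every session and every level-15 command is reported to ACS.
aaa accounting exec default start-stop group ACS
aaa accounting commands 15 default start-stop group ACS
```

Two caveats a practitioner would check before pushing this to production. First, the `local` keyword at the end of each AAA method list is only consulted when the TACACS+ server does not answer; if ACS answers with a reject, the login fails and the local account is not tried, which is the behaviour you want. Second, once `aaa new-model` is applied it also governs the console line, so keep a console session open and verify a fresh SSH login from inside 192.168.2.0/24 (and a refused one from outside it, visible via the `deny any log` entry) before closing it.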