Secure access to a router
teancum144
Member Posts: 229 ■■■□□□□□□□
in Security+
I ran across a question worded similarly to the following:
To ensure network access to a router is allowed for only the network group and from only authorized machines, router hardening includes which two of the following:
a. TACACS+
b. VPN
c. IPSec
d. ACL
e. SSH
f. SNMP
The answer is 'a' and 'd'. Why not 'a' and 'e'?
To ensure network access to a router is allowed for only the network group and from only authorized machines, router hardening includes which two of the following:
a. TACACS+
b. VPN
c. IPSec
d. ACL
e. SSH
f. SNMP
The answer is 'a' and 'd'. Why not 'a' and 'e'?
If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post.
Comments
-
mjb2424 Member Posts: 17 ■□□□□□□□□□ACL's on the router or at other places in the network could be established to prevent anyone other than those explicitly allowed in the ACL from accessing the router. For example, only a single management station's IP address might be allowed access to a router.
This is one of those questions where pick the "best" answer comes into play. Although identifying authentication information should be required for SSH, therefore limiting access to authorized entities, the primary purpose of SSH is to provide encrypted communications. -
Serpente Member Posts: 15 ■□□□□□□□□□I think the key here is the use of "authorized machine". SSH will allow authorised users, but it does not filter based on the machine being used, whereas ACLs filter based on IP addresses.
-
RouteMyPacket Member Posts: 1,104Don't over think this, it's easy to see the answers.
To allow access from the "network group" and from "authorized machines"
How can VPN accomplish that? It can't
SSH? This is a router right? Then nope
SNMP? Nope
IPSec? Nope
TACACS+? Oh yeah, here we have command level authorization and accounting. Groups can be applied to access policy so this is one of our answers.
ACL? Oh yeah, this is the entire premise of ACL's..we use them to permit and or deny traffic so this is out other correct answer.
When looking at these questions, start eliminating the options that are absolutely not plausible first.Modularity and Design Simplicity:
Think of the 2:00 a.m. test—if you were awakened in the
middle of the night because of a network problem and had to figure out the
traffic flows in your network while you were half asleep, could you do it? -
teancum144 Member Posts: 229 ■■■□□□□□□□Makes sense (thanks!), but how do you access the router without SSH? I've never used TACACS+; does it provide an interface to remotely access the router?If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post.
-
RouteMyPacket Member Posts: 1,104teancum144 wrote: »Makes sense (thanks!), but how do you access the router without SSH? I've never used TACACS+; does it provide an interface to remotely access the router?
Access is a blanket term.
Do you have "access" to the core switch teancum144? "Yes, I have a username and password"
Can you "access" it from your machine?
There are many ways to harden routers. Obviously we have username/password, SSH is the medium in which we will connect, but is that medium allowed from say 192.168.1.24 255.255.255.0 (your machine)? Perhaps it only accepts SSH requests from 192.168.2.0/24?
Once you get around CCNP Security you will run into command level authorization, perhaps briefly mentioned at CCNA Security. Cisco ACS is the standard bearer for engineers to secure access to their gear. With TACACS+ the router has been configured for AAA (Authentication, Authorization, Accounting) and when we attempt to login (normal router prompt mind you), based on the AAA configuration the router will forward that logon request to ACS which will then based on its configuration permit or deny the request (and of course log the attempt pass or fail)
Again, SSH is the medium in which we use to get to the router/switch/firewall...once connected then we are talking about authentication etc.Modularity and Design Simplicity:
Think of the 2:00 a.m. test—if you were awakened in the
middle of the night because of a network problem and had to figure out the
traffic flows in your network while you were half asleep, could you do it?