
An irritating Networking question

danyzuko Member Posts: 40
I just wanted to run this question by you guys. I went with Extended, but they put in so much verbiage that I can't tell if that's right or not:

Let's say you work at an enterprise that has no centralized authentication system. You are asked to configure an ACL on all of the routers on your network in such a way as to prevent unauthenticated Telnet access, while still giving the network team access. You have no way of knowing the IP address that you and your co-workers might have when logging into the routers at any given time.

What kind of ACL do you use to achieve the goal outlined above?

a. Extended
b. Time-based
c. Predictive
d. Reflexive
e. Dynamic

Comments

  • YFZblu Member Posts: 1,462
    I'll take a stab; I don't work in networking, however...

    A - Can't be right because you don't know what IPs you and your co-workers will be using
    B - Time-based makes no sense, because attackers operate during business hours too
    C - Predictive - I have no idea what this is, or if it's even a thing
    D - Reflexive is the old way Cisco used to attempt to achieve stateful connection tracking, right? I'll say no to that.

    Which leaves us with 'E' - This is my choice. Perform authentication on the router itself. Here is what I found on Dynamic ACLs:
    This process describes the lock-and-key access operation.
    1. A user opens a Telnet session to a border router configured for lock-and-key access.
    2. The Cisco IOS software receives the Telnet packet. It performs a user authentication process. The user must pass authentication before access is allowed. The authentication process is done by the router or a central access server such as a TACACS+ or RADIUS server.
    Lock-and-Key: Dynamic Access Lists - Cisco Systems


    -EDIT- The more I think about this, the more I think I'm shaky about my answer. I don't think I'd pick any of the others though, so...E is my educated guess.
  • crypticgeek Member Posts: 66
    This is a tough question. The key points here, I believe, are "no centralized authentication system", "prevent unauthenticated Telnet access", and "no way of knowing the [source] IP address".

    Preventing unauthenticated Telnet makes me immediately think of a dynamic access list. You could place a dynamic access list on a border router and use that to prevent any unauthenticated user from telnetting to any routers behind the border router. Having no centralized authentication system is okay, as you can use the local AAA database on the border router for this access list. It requires no additional configuration on the other routers pertaining to an ACL.

    I would say this is the "best" answer given only the information in and constraints of the question. Using a process of elimination, the other answers are not really a better fit. An extended ACL, for instance, does you no good, as the question specifically denotes you can't filter on source address.
  • danyzuko Member Posts: 40
    Good job, guys. I looked it up on the almighty YouTube (lol) and found the application of a Dynamic ACL (Lock and Key). I probably saw only a hint of Dynamic ACL mentioned in CCNA class. But here is an example config:
    ! password 0 = the password that follows is given in clear text (type 0)
    BorderRouter(config)# username test123 password 0 test123 (I forgot what the 0 is for)
    ! access-enable timeout 15 = idle timeout in minutes for the dynamic entry this user creates
    BorderRouter(config)# username test123 autocommand access-enable host timeout 15
    (I've never heard of autocommand before, but it seems like it's a triggered command on login, and access-enable is the corresponding timer for host access?)
    ! login local is a line command: it must be applied to the vty lines, not in global config
    BorderRouter(config)# line vty 0 4
    BorderRouter(config-line)# login local
    BorderRouter(config-line)# exit
    BorderRouter(config)# access-list 100 permit tcp 172.16.0.0 0.0.0.255 host 172.16.0.250 eq telnet
    ! dynamic ... timeout 10 = absolute timeout in minutes, independent of the idle timeout above
    BorderRouter(config)# access-list 100 dynamic MyACL timeout 10 permit icmp 172.16.0.0 0.0.0.255 172.31.0.0 0.0.0.255
    ! interface name assumed here; apply the list inbound on the interface facing the 172.16.0.0/24 hosts
    BorderRouter(config)# interface FastEthernet0/0
    BorderRouter(config-if)# ip access-group 100 in

    Now you can't ping the targeted host, but after telnetting in, YOU CAN!
    Host1>telnet 172.16.0.250
    Trying 172.16.0.250 ... Open
    Username: test123
    Password: ____

    I take it that the 1st statement says: if you get in through the Telnet route, go ahead.

    But is the 2nd line where the ACL is given a name, and the binding of the autocommand at the same time?
    I guess an ICMP rule is sufficient to control the Telnet connection?

    It just looks kind of weird... Dynamic Access List - YouTube

    Any comments appreciated.
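The behaviour the two replies above describe (authenticate on the border router, then a per-host dynamic entry opens up, and it closes again on a timeout) is easier to reason about with a small model you can step through. The following Python is an added example written for this thread; it is not IOS code and not the poster's configuration. The class and function names (Ace, LockAndKeyAcl, build_example, demo) and the sample hosts (172.16.0.10 and 172.16.0.11 as inside hosts, 172.31.0.5 as the protected target) are assumptions chosen to mirror the access-list 100 posted above, with the two timeouts kept separate the way the config separates them: `dynamic MyACL timeout 10` is absolute, `access-enable host timeout 15` is idle.

```python
"""Toy evaluator for the lock-and-key (dynamic ACL) behaviour discussed above.

Added example for this thread, not IOS code and not the poster's config.
The class/function names and the sample addresses (172.16.0.0/24 inside,
172.16.0.250 as the border router, 172.31.0.0/24 as the protected network)
are assumptions chosen to mirror the access-list 100 posted above.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class Ace:
    """One access-control entry, in the order it appears in the list."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None
    dynamic: bool = False       # the 'access-list 100 dynamic NAME ...' template

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto)
                and src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


class LockAndKeyAcl:
    def __init__(self, aces, users, absolute_timeout_min, idle_timeout_min):
        self.aces = aces
        self.users = users                          # local database ('login local')
        self.absolute = absolute_timeout_min * 60   # 'dynamic NAME timeout 10'
        self.idle = idle_timeout_min * 60           # 'access-enable host timeout 15'
        self.sessions = {}                          # authenticated host -> [created, last_hit]

    def telnet_login(self, host, user, password, now):
        """Telnet login on the border router followed by the autocommand
        'access-enable host': success creates a per-host dynamic entry,
        failure changes nothing (so unauthenticated hosts never get one)."""
        if self.users.get(user) != password:
            return False
        self.sessions[ip_address(host)] = [now, now]
        return True

    def _expire(self, now):
        for host, (created, last_hit) in list(self.sessions.items()):
            if now - created >= self.absolute or now - last_hit >= self.idle:
                del self.sessions[host]

    def evaluate(self, proto, src, dst, dport, now):
        """Walk the list top-down. The dynamic template matches only for a
        source with an unexpired session, and then only that one /32 (the
        'host' keyword), not the whole source range written in the template."""
        self._expire(now)
        src, dst = ip_address(src), ip_address(dst)
        for ace in self.aces:
            if ace.dynamic:
                sess = self.sessions.get(src)
                if sess and ace.matches(proto, src, dst, dport):
                    sess[1] = now           # a hit resets the idle timer
                    return ace.action
                continue
            if ace.matches(proto, src, dst, dport):
                return ace.action
        return "deny"                       # implicit deny at the end of every ACL


def build_example():
    """access-list 100 from the thread, as this toy model represents it."""
    inside = ip_network("172.16.0.0/24")
    border = ip_network("172.16.0.250/32")
    protected = ip_network("172.31.0.0/24")
    aces = [
        Ace("permit", "tcp", inside, border, dport=23),           # Telnet to the router itself
        Ace("permit", "icmp", inside, protected, dynamic=True),   # 'dynamic MyACL timeout 10'
    ]
    return LockAndKeyAcl(aces, {"test123": "test123"},
                         absolute_timeout_min=10, idle_timeout_min=15)


def demo():
    """Ping from 172.16.0.10 to 172.31.0.5 before and after authenticating."""
    acl = build_example()

    def ping(src, t):
        return acl.evaluate("icmp", src, "172.31.0.5", None, t)

    result = {"before": ping("172.16.0.10", 0)}
    acl.telnet_login("172.16.0.10", "test123", "wrong", 0)        # bad password
    result["after_bad_login"] = ping("172.16.0.10", 1)
    acl.telnet_login("172.16.0.10", "test123", "test123", 2)      # good password
    result["after_login"] = ping("172.16.0.10", 3)
    result["other_host"] = ping("172.16.0.11", 3)                 # never authenticated
    result["after_absolute_timeout"] = ping("172.16.0.10", 2 + 10 * 60)
    return result


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two things the model makes visible that the config alone does not: the Telnet permit on line 1 is what lets the login reach the router at all (without it nothing could ever trigger the autocommand), and the dynamic entry is opened for the authenticated source address only, so a second host on the same subnet stays denied until it logs in itself.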