Router Security: Restrict Access To virtual terminals

Source: Internet
Author: User

For network administrators, there are many things that can be done about router security, such as blocking known security vulnerabilities, preventing identity spoofing, and limiting logical access. We may also configure a user name and password prompt for the console and the virtual terminal connections. These measures are important. However, we should also pay attention to implementing other security functions.

Basic knowledge

An important security measure we can take is implementing an access control list (ACL), which provides basic security. There are two types of access control lists: numbered and named. Each of these two types can be further classified as standard or extended.

Numbered access list: in the operating system, the numbers 1 to 99 and 1300 to 1999 are reserved for standard access lists, and the numbers 100 to 199 and 2000 to 2699 are reserved for extended access lists. In this article, we only use a basic access control list to protect our virtual terminal connection port, that is, the VTY port. In short, we only allow some IP addresses or some network addresses to remotely log on (telnet) to our router.

Named access list: a named access control list allows us to reference it by a name made up of letters and numbers. This means that no number is used, and our access list can have a meaningful name, such as "manage_telnet". Such a name makes its meaning and purpose very clear.

Standard access list: with the help of standard access list, we can specify the source address of the data packet. Therefore, we can check where the data packet comes from and, based on the source IP address of the data packet, we can either allow or reject this communication.

Extended access list: with an extended access list, we can control traffic more precisely. In addition to the source IP address, we can also check the destination IP address, the source and destination port numbers, and many other parameters, for example the protocol (TCP, UDP, or ICMP).

Example

In this example, we will use a numbered standard access list. We will use access list number 1, although any number from the standard access list range can be chosen. A standard access list means that we check the source IP address of the packet.

Here, I only want to allow one person to log on to the router (do you really want many people to log on to your router?). We only need to write out the access list and apply it to our VTY port (used for remote logon). Wildcard bits ("*" bits that are not checked) let us match specific bit patterns and allow particular networks or subnets in almost any combination.

In addition, there are some free white papers that discuss these issues. You can adapt the configuration according to your router and network.

The following is an example:


Bbone_OK> enable
Bbone_OK# config t
Bbone_OK(config)# access-list 1 permit 130.107.12.114

In these lines, we enter global configuration mode, create access list number 1, and permit only packets originating from 130.107.12.114. So how do we know that this is a source address, not a destination address? This is simple: it is a standard access list (1 is the first number in the standard access list range), and the only thing a standard access list can do is check the source IP address.

So far, this access list has not done anything, because we have not applied it anywhere. For ease of understanding, we can regard this access list as a security guard. We have already hired the guard, but we have not assigned him a task: which door should we ask him to guard? You can run the show startup-config command to view the configuration of this "door". The list must be applied to whatever interface we want to control. Because we want to control the VTY port, we first enter the VTY line configuration:


Bbone_OK(config)# line vty 0 4
Bbone_OK(config-line)# access-class 1 in

Once we enter line configuration mode, we can use the "access-class" command to apply the previously created access list 1. The "access-class" command applies the access list to the lines selected in line configuration mode (here the VTY lines).

In this way, only users with an IP address of 130.107.12.114 can log on to our device, and other workstations are prohibited.
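To make the matching rule concrete, the following is an added example (not from the original article) that models how a standard numbered ACL applied with "access-class 1 in" decides a VTY login: first matching entry wins, wildcard bits set to 1 are ignored, and an unmatched source falls through to the implicit deny at the end of every list. The parser, the function names and the second list (number 10) are constructed for this example.

```python
"""Model of Cisco IOS standard ACL evaluation for VTY access (added example)."""
import ipaddress
import re

# Accepts: access-list N permit|deny host A.B.C.D | any | A.B.C.D [wildcard]
ACL_LINE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+"
    r"(?:host\s+(\S+)|any|(\S+)(?:\s+(\S+))?)\s*$"
)

def parse_acl(text):
    """Parse IOS access-list lines into (action, address, wildcard) tuples.
    Only standard ACL numbers (1-99, 1300-1999) are accepted, since only
    those check the source address alone, as the article explains."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_LINE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        number = int(m.group(1))
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is not a standard ACL number")
        action, host, addr, wild = m.group(2), m.group(3), m.group(4), m.group(5)
        if host:                      # 'host A.B.C.D' == A.B.C.D 0.0.0.0
            net, wildcard = host, "0.0.0.0"
        elif addr:                    # bare address: IOS assumes wildcard 0.0.0.0
            net, wildcard = addr, wild or "0.0.0.0"
        else:                         # 'any' == 0.0.0.0 255.255.255.255
            net, wildcard = "0.0.0.0", "255.255.255.255"
        entries.append((action,
                        int(ipaddress.IPv4Address(net)),
                        int(ipaddress.IPv4Address(wildcard))))
    return entries

def acl_permits(entries, src_ip):
    """First-match evaluation; an IOS ACL ends with an implicit 'deny any'."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, net, wild in entries:
        care = ~wild & 0xFFFFFFFF     # wildcard bit 0 = must match, 1 = ignored
        if src & care == net & care:
            return action == "permit"
    return False                      # implicit deny

ACL_1 = "access-list 1 permit 130.107.12.114"   # the article's list

ACL_10 = """
! constructed: one admin host plus a management subnet via a wildcard mask
access-list 10 permit host 130.107.12.114
access-list 10 permit 10.20.30.0 0.0.0.255
"""
```

Feeding a source address into acl_permits shows why the article's single-entry list blocks every other workstation: nothing matches, so the implicit deny applies.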

This simple example shows the access control list function, which may be helpful to you.
