One possible security risk on any Cisco-based network is the VTY lines of routers and switches. These lines are used for remote access (via telnet, by default) and are prime targets for remote brute force password attacks. There are a few simple steps you can follow to ensure your VTY lines are as secure as possible.
- Enable username / password based authentication. There are many solutions for authentication ranging from the incredibly complicated to the exceptionally simple. I recently detailed the easiest way to enable username / password authentication.
- Restrict VTY line access with an access-list. Once you’ve defined a list of management addresses, you should apply that list to your VTY lines to prevent unwanted IP addresses connecting.
- Use an SSH-enabled version of IOS. An SSH-enabled version of Cisco IOS might cost a little more, but in the long run, it’s well worth it. No matter what other measures you take, telnet traffic is unencrypted and represents a major security risk on the network. Even if your Cisco devices are behind a firewall, you are still exposing your telnet and enable passwords to your internal network. Using telnet should be avoided at all costs.
Putting It All Together
Now that you understand the basics of securing VTY lines, let’s build a config that takes advantage of our new knowledge.
First, we’ll enable username / password authentication. For this example, we’ll use the local user database and only create one user, slap.
aaa new-model
aaa authentication login default local
username slap secret Zivgoolut
Next, we’ll create our management access-list. This will define which IP addresses are allowed to connect to the VTY lines and attempt login.
access-list 9 remark Management IPs
access-list 9 permit 172.16.9.0 0.0.0.15
access-list 9 permit host 172.16.9.99
access-list 9 deny any
Once you’ve installed an SSH-enabled version of IOS, the SSH server starts automatically as soon as you generate the encryption keys with the crypto key generate rsa configuration command. Note that the device needs a hostname and an ip domain-name configured before the keys can be generated, since the key pair is named after the device’s fully qualified domain name.
Finally, you’ll need to apply the access-list to the VTY lines and force users to use SSH.
line vty 0 4
access-class 9 in
transport input ssh
That should do it. From now on, you should have access to the router or switch only via SSH.
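As an added example (not part of the original post), here is a small Python audit that parses a saved running-config and reports VTY lines that stray from the guidance above: no aaa new-model, no inbound access-class, a transport that still allows telnet, or the no login line that Catalyst switches insert by default. Both sample configs are constructed for the example.

```python
# Constructed sample configs (not from the original post): one hardened as
# described above, one still carrying the insecure defaults.
HARDENED = """\
aaa new-model
aaa authentication login default local
username slap secret Zivgoolut
access-list 9 remark Management IPs
access-list 9 permit 172.16.9.0 0.0.0.15
access-list 9 permit host 172.16.9.99
access-list 9 deny any
line vty 0 4
 access-class 9 in
 transport input ssh
"""

WEAK = """\
hostname sw1
line vty 0 4
 no login
 transport input telnet ssh
"""

def vty_sections(config):
    """Yield (header, [sub-commands]) for every 'line vty' block in an IOS config."""
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            header, body = lines[i], []
            i += 1
            # IOS indents a line's sub-commands by one space until the next top-level command.
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield header, body
        else:
            i += 1

def audit_vty(config):
    """Return a list of findings; an empty list means the VTY lines follow the post's guidance."""
    findings = []
    if "aaa new-model" not in config.splitlines():
        findings.append("aaa new-model missing: username/password authentication is not enabled")
    for header, body in vty_sections(config):
        if "no login" in body:
            findings.append(f"{header}: 'no login' disables authentication entirely")
        if not any(l.startswith("access-class") and l.endswith(" in") for l in body):
            findings.append(f"{header}: no inbound access-class restricting management IPs")
        transport = next((l for l in body if l.startswith("transport input")), None)
        if transport is None or transport.split()[2:] != ["ssh"]:
            findings.append(f"{header}: transport input is not ssh-only ({transport or 'default, telnet allowed'})")
    return findings
```

Run it against the output of show running-config saved to a file; the hardened sample yields no findings, the weak one yields four.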

September 18th, 2007 at 4:32 pm
[...] Cisco VPN Client Version 5.0.01.0600 Non MSI Installer Pulled From CCO (CCO Login Required) This update revises a previously announced update regarding vulnerabilities in the Cisco VPN Client for Microsoft Windows. Cisco has removed ‘vpnclient-win-is-5.0.01.0600-k9.exe’ from their site. Additionally, they will no longer release any non-MSI (InstallShield) versions of the Windows client. XSS and SQL Injection in Cisco CallManager/Unified Communications Manager Logon Page Several XSS and SQL injection vulnerabilities have been discovered in Cisco CallManager. There are currently no workarounds for these vulnerabilities, but Cisco will make fixed software available to affected customers. VTY Authentication Bypass Vulnerability This is actually an old issue re-surfaced. If you are configuring a Cisco Catalyst switch and enter anything in the VTY line configuration, the switch will insert the no login configuration command there by default. This shouldn’t be a problem for readers that secure their VTY lines. [...]