One possible security risk on any Cisco-based network is the VTY lines of routers and switches. These lines are used for remote access (via telnet, by default) and are prime targets for remote brute force password attacks. There are a few simple steps you can follow to ensure your VTY lines are as secure as possible.
- Enable username / password based authentication. There are many solutions for authentication ranging from the incredibly complicated to the exceptionally simple. I recently detailed the easiest way to enable username / password authentication.
- Restrict VTY line access with an access-list. Once you've defined a list of management addresses, you should apply that list to your VTY lines to prevent unwanted IP addresses connecting.
- Use an SSH-enabled version of IOS. An SSH-enabled version of Cisco IOS might cost a little more, but in the long run, it's well worth it. No matter what measures you take, telnet traffic is unencrypted and represents a major security risk on the network. Even if your Cisco devices are behind a firewall, you are still exposing your telnet and enable passwords to your internal network. Using telnet should be avoided at all costs.
Putting It All Together
Now that you understand the basics of securing VTY lines, let's build a config that takes advantage of our new knowledge.
First, we'll enable username / password authentication. For this example, we'll use the local user database and only create one user, slap.
aaa new-model
aaa authentication login default local
username slap secret Zivgoolut
Next, we'll create our management access-list. This will define which IP addresses are allowed to connect to the VTY lines and attempt login.
access-list 9 remark Management IPs
access-list 9 permit 172.16.9.0 0.0.0.15
access-list 9 permit host 172.16.9.99
access-list 9 deny any
Once an SSH-enabled version of IOS is installed, the SSH server starts automatically when you generate the encryption keys with the crypto key generate rsa configuration command.
Finally, you'll need to apply the access-list to the VTY lines and force users to use SSH.
line vty 0 4
 access-class 9 in
 transport input ssh
That should do it. From now on, you should have access to the router or switch only via SSH.