■■ Cisco routers
■■ Cisco switches
■■ Cisco VPN concentrator
■■ Cisco PIX firewall
■■ Network Appliance storage filers
■■ Secure management
■■ Management stations
■■ Two-factor authentication
■■ SOCKS Management
■■ SSH—User restrictions
■■ SSH—Network access controls
Network Devices
Our discussion of secure network devices will address the installation, setup, and usage of SSH on the specified network devices in terms of secure management and secure networking. Our discussion will range from how to install SSH on network devices to actually enabling and using SSH on a regular basis on these same devices.
ing an IOS version that contains SSH support. Cisco SSH servers require the IPSec (DES or 3DES) encryption software image from IOS 12.1(1)T. For SSH clients, IOS 12.1(3)T is required.
2. Make sure a hostname and host domain have been configured for the router. The following commands are not SSH commands but commands on the router that are required in order to use SSH.
Syntax: Router(config)# hostname <hostname>
Example: Router(config)# hostname Belwa
Syntax: Router(config)# ip domain-name <domainname>
Example: Router(config)# ip domain-name eNapkin
3. Generate an RSA key pair for the router, which will automatically enable SSH:
Router(config)# crypto key generate rsa
This command will enable both local and remote SSH authentication to and from the router. When using the SSH client, be aware that it runs in EXEC mode with no specific configuration on the router. Now that SSH is enabled on the router, configure SSH appropriately.
4. Set the authentication timeout for SSH. The maximum timeout cannot exceed 120 seconds, which is also the default; however, once the session is established, the VTY timeout setting applies, not the SSH timeout setting. The following syntax sets the router’s timeout session for SSH:
Syntax: Router(config)# ip ssh timeout <seconds>
Example: Router(config)# ip ssh timeout 120
5. Set the authentication retries for SSH. The maximum number of retries is five; however, the default is three. The following syntax sets the router’s authentication retries for SSH:
Syntax: Router(config)# ip ssh authentication-retries <integer>
Example: Router(config)# ip ssh authentication-retries 3
Router# show ssh
This command shows any connections that are established, the version, the encryption, the state, and the username.
8. Once SSH is enabled and configured, it may be appropriate to prevent non-SSH connections, such as Telnet, from accessing the router. It is important to disable insecure protocols such as Telnet if a stronger and more secure protocol is in place and provides the same type of access. To require the use of SSH on terminal-line connections, enter the following commands:
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
9. Once SSH has been enabled on the Cisco router, enter the following commands to connect to the SSH service on the router:
Syntax: ssh -l userid -c <des | 3des> -p <port number> IP.Address/hostname
Example: ssh -l <username> -c 3des <router.ip.address>
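An offline check for the router steps above, as an added example that is not part of the original text: it reads a saved configuration and reports where it departs from steps 2, 4, 5, and 8. The sample configuration is constructed, the function names are hypothetical, and the timeout pattern also accepts a hyphenated `time-out` spelling on the assumption that saved configurations may use it.

```python
import re

# Constructed sample configuration (not from the original text).
SAMPLE_CONFIG = """\
hostname Belwa
ip domain-name eNapkin
ip ssh timeout 120
ip ssh authentication-retries 3
line con 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

def vty_blocks(config):
    """Yield (header, [sub-commands]) for each 'line vty' block."""
    header, body = None, []
    for line in config.splitlines():
        if line.startswith(" ") and header:   # indented: part of the current block
            body.append(line.strip())
            continue
        if header:                            # an unindented line closes the block
            yield header, body
        header, body = (line.strip(), []) if line.startswith("line vty") else (None, [])
    if header:
        yield header, body

def audit_ssh_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for keyword in ("hostname", "ip domain-name"):            # step 2
        if not re.search(rf"^{keyword} \S+", config, re.M):
            findings.append(f"{keyword} not configured (required for SSH, step 2)")
    limits = {r"ip ssh time-?out": 120, r"ip ssh authentication-retries": 5}
    for pattern, maximum in limits.items():                   # steps 4 and 5
        m = re.search(rf"^{pattern} (\d+)", config, re.M)
        if m and int(m.group(1)) > maximum:
            findings.append(f"{m.group(0)} exceeds maximum {maximum}")
    for header, body in vty_blocks(config):                   # step 8
        transports = [c.split()[2:] for c in body if c.startswith("transport input")]
        if not transports:
            findings.append(f"{header}: no 'transport input ssh'")
        elif set(transports[-1]) != {"ssh"}:
            extra = sorted(set(transports[-1]) - {"ssh"})
            findings.append(f"{header}: non-SSH transports allowed: {', '.join(extra)}")
    return findings
```
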
In addition to providing SSH access to a router, Cisco IOS provides terminal-line access with SSH, which allows SSH access to non-SSH routers that have a console or serial-port connection to an SSH-enabled router. A simple terminal-line access configuration is illustrated in Figure 5.1.
Figure 5.1 Terminal-line access.
[Figure 5.1 diagram labels: SSH Client, IPv4 Network Connection, SSH-Enabled Router, Serial-Line, non-SSH-Enabled Router]
Example: Router(config)# line 1 200
2. Disable the EXEC process of each line using the following syntax:
Router(config)# no exec
3. Define the login authentication option, which must be username/password, with the following syntax:
Syntax: Router(config)# login authentication <listname>
Example: Router(config)# login authentication default
4. Define a group of lines that will be used when SSH is enabled using the following syntax:
Syntax: Router(config)# rotary <group>
Example: Router(config)# rotary 1
5. Define the use of SSH on the line using the transport input command, as listed:
Router(config)# transport input ssh
6. Configure SSH for the TTY lines, the port number to connect to, and the rotary group using the following syntax:
Syntax: Router(config)# ip ssh port <portnumber> rotary <group>
Example: Router(config)# ip ssh port 2001 rotary 1
7. SSH terminal-line access should now be configured! Any SSH client connection to the SSH-enabled router on port 2001 should be given access to the non-SSH enabled router via the serial-line or console to the SSH-enabled router.
Once SSH has been enabled on the Cisco router, enter the following commands to connect to the remote router via the serial-line:
3550, 4000, 5000, 6000, 8540, and 8510.
To use SSH on Cisco routers, complete the following steps.
1. Download the correct CatOS to the switch. Make sure you are downloading a CatOS version that holds SSH support. Cisco SSH servers require the IPSec (DES or 3DES) encryption software image from CatOS 6.1.
2. Generate the RSA Key with the following command:
Cat6509> (enable) set crypto key rsa 1024
3. Restrict SSH to authorized host/subnets with the following commands:
Cat6509> set ip permit 172.16.1.0 255.255.255.0
4. After the key hash has been made, enable SSH with the following command:
Cat6509> (enable) set ip permit enable ssh
5. Once SSH has been enabled on the Catalyst switch, enter the following command to connect to the SSH services on the switch:
ssh -c 3des -v <switch ip address>