Sometimes people overestimate the benefits of configuring authentication banners. Banners with detailed warnings often make it easier to prosecute attackers who break into your systems. In some cases, you may be forbidden to monitor the activities of unauthorized users unless you have taken steps to notify them of your intent to do so.
Typically, authentication banners include the following information:
• A warning that the system you are trying to access should be used only by authorized personnel
• A detailed explanation that the unauthorized use of such a device is illegal, and individuals who attempt to break in are subject to prosecution
• A notice that the use of such a device may be monitored
• Specific notices required by certain local authorities
Interactive Access Control
You have already learned that you can access network devices via several interactive methods such as Telnet, rlogin, SSH, and local asynchronous or even modem connections for out-of-band access. On Cisco IOS devices, these interactive access methods use two basic types of lines (or sessions). The first type is the standard line used by console and dial-up modem connections; these connections are known as TTYs. TTY stands for “Text Telephone.” The “Y” is a historical reference to the first text telephones. Today the term TTY refers to a serial connection to a computerized device. The second type of line is the virtual TTY (VTY). VTYs are used by remote connections such as Telnet and SSH. This section shows the best way to protect interactive access.
One of the most common practices on Cisco IOS devices is to disable interactive logins on lines that will not need them. You can use the login and no password commands at the line configuration level. Another good practice is to restrict access to only the specific protocols you need (that is, SSH). On Cisco IOS devices, you can do this with the transport input command (for example, transport input ssh).
Always restrict the IP addresses or networks from which access to network devices will be granted. In Cisco IOS, you can achieve this by using the access-class command in conjunction with an ACL. In the following example, an access list is configured to allow only devices on the 10.10.10.0/24 network to access the router via SSH.
myrouter#configure terminal
myrouter(config)#access-list 10 permit 10.10.10.0 0.0.0.255
myrouter(config)#line vty 0 4
myrouter(config-line)#access-class 10 in
On the Cisco ASA and PIX, you can restrict administrative access in a similar fashion by using the ssh, telnet, http, and asdm location commands. The ssh command restricts SSH connections to the security appliance. The telnet command restricts Telnet connections. The http and asdm location commands restrict HTTPS access via the Adaptive Security Device Manager (ASDM). In the following example, the only host allowed to access and manage the Cisco ASA via SSH and ASDM is 172.18.85.123.
ciscoasa# configure terminal
ciscoasa(config)# ssh 172.18.85.123 255.255.255.255 inside
ciscoasa(config)# http 172.18.85.123 255.255.255.255 inside
ciscoasa(config)# asdm location 172.18.85.123 255.255.255.255 inside
As with the Cisco ASA/PIX, in Cisco IOS you can enable HTTP authentication with the ip http authentication command. The following example shows a configuration listing for HTTP authentication using RADIUS.
myrouter(config)#aaa new-model
myrouter(config)#aaa authentication login default group radius
myrouter(config)#aaa authorization exec default group radius
myrouter(config)#ip http server
myrouter(config)#ip http authentication aaa
myrouter(config)#radius-server host 172.18.85.181
myrouter(config)#radius-server key cisco123
You can also restrict who can administer the IOS device via HTTP by using the ip http access-class command. The following example shows how 10.10.10.123 becomes the only host allowed to connect to the router via HTTP.
myrouter(config)# access-list 9 permit host 10.10.10.123
myrouter(config)# ip http access-class 9
myrouter(config)# ip http max-connections 3
In this example, the router is configured to limit the maximum number of concurrent connections to three with the ip http max-connections command.
You can also configure timeouts to prevent idle sessions from consuming an administrative session indefinitely. In Cisco IOS, you can modify the idle timeout with the exec-timeout command, as shown in the following example. In this example, the exec-timeout is configured for 5 minutes.
myrouter(config)#line vty 0 4
myrouter(config-line)#exec-timeout 5
On the Cisco ASA, you can do the same by configuring the ssh timeout or telnet timeout commands as follows.
ciscoasa(config)# ssh timeout 5
ciscoasa(config)# telnet timeout 5
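The controls covered so far (SSH-only transport, an inbound access-class on the VTY lines, an explicit exec-timeout, and an access-class plus connection cap on the HTTP server) are easy to forget on one router among many. The following script is an added example, not code from the book or from Cisco: it parses an IOS running-config into global commands and line sections and reports which of those controls are missing. The two sample configs are constructed; the "weak" one reflects the defaults the text warns about, the "hardened" one applies the commands shown above.

```python
"""Audit a Cisco IOS running-config for the interactive-access controls
described above. Added example, not from the book; sample configs are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: Telnet still allowed, no ACL, no explicit timeout, open HTTP.
WEAK_CONFIG = """\
hostname myrouter
ip http server
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Constructed sample: the same router after the hardening commands shown in the chapter.
HARDENED_CONFIG = """\
hostname myrouter
access-list 9 permit host 10.10.10.123
access-list 10 permit 10.10.10.0 0.0.0.255
ip http server
ip http access-class 9
ip http max-connections 3
line con 0
 exec-timeout 5 0
 login
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login
 transport input ssh
"""


def parse_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global commands and 'line ...' sections; IOS indents
    the commands that belong to a section with one leading space."""
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            sections[current] = []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def defined_acls(global_cmds: List[str]) -> set:
    """Numbers/names of ACLs the config defines, so references can be verified."""
    acls = set()
    for cmd in global_cmds:
        m = re.match(r"access-list (\S+) ", cmd) or re.match(r"ip access-list (?:standard|extended) (\S+)", cmd)
        if m:
            acls.add(m.group(1))
    return acls


def exec_timeout_minutes(cmds: List[str]) -> Optional[float]:
    """Configured idle timeout in minutes; None if absent (IOS default applies);
    0 means 'exec-timeout 0 0', which disables the idle timeout entirely."""
    for cmd in cmds:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            return int(m.group(1)) + int(m.group(2) or 0) / 60
    return None


def audit(config: str) -> List[str]:
    """Return one finding per missing or weak control; an empty list means clean."""
    findings: List[str] = []
    global_cmds, sections = parse_config(config)
    acls = defined_acls(global_cmds)

    for name, cmds in sections.items():
        if not name.startswith("line vty"):
            continue
        transports = [c.split()[2:] for c in cmds if c.startswith("transport input ")]
        if not transports:
            findings.append(f"{name}: no 'transport input' command, all protocols accepted")
        elif transports[0] not in (["ssh"], ["none"]):
            findings.append(f"{name}: transport input allows {' '.join(transports[0])}, expected ssh only")
        access = [c for c in cmds if re.match(r"access-class \S+ in$", c)]
        if not access:
            findings.append(f"{name}: no inbound access-class, any source may connect")
        elif access[0].split()[1] not in acls:
            findings.append(f"{name}: access-class references undefined ACL {access[0].split()[1]}")
        timeout = exec_timeout_minutes(cmds)
        if timeout is None:
            findings.append(f"{name}: exec-timeout not set explicitly")
        elif timeout == 0:
            findings.append(f"{name}: exec-timeout 0 disables the idle timeout")

    if any(c in ("ip http server", "ip http secure-server") for c in global_cmds):
        http_acl = [c for c in global_cmds if c.startswith("ip http access-class ")]
        if not http_acl:
            findings.append("ip http: server enabled without ip http access-class")
        elif http_acl[0].split()[3] not in acls:
            findings.append(f"ip http: access-class references undefined ACL {http_acl[0].split()[3]}")
        if not any(c.startswith("ip http max-connections ") for c in global_cmds):
            findings.append("ip http: no ip http max-connections limit")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Run it against `show running-config` output saved to a file and feed the text to audit(). The ACL-existence check matters in practice: an access-class that names an ACL which was never defined permits everything on IOS, so a typo in the ACL number silently undoes the restriction.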
Another trick on Cisco IOS devices is to enable TCP keepalives on incoming sessions with the service tcp-keepalives-in command. The use of this command protects against malicious orphan connections.
Several IOS login enhancements have been introduced since Cisco IOS Software Release 12.3(4)T. The login delay command was introduced to enforce a delay between successive login attempts, which slows down dictionary attacks.
NOTE Dictionary attacks were defined earlier in this chapter.
The login block-for command allows you to limit the frequency of failed login attempts on Cisco IOS routers. The frequency is limited by defining a maximum number of failed attempts within a specified period. When this number is reached, the Cisco IOS router does not accept additional connections for a “quiet period.” You can also create an ACL to include trusted systems and networks from which legitimate connections are expected. This is called an exception ACL, and it is configured in conjunction with the login quiet-mode access-class global command.
In the example that follows, the Cisco IOS router enters a 60-second quiet period if 15 failed login attempts occur within 60 seconds. The access list included next makes an exception for the authorized system with IP address 10.10.10.123. In addition, logging messages are generated for every 10th failed login and every 15th successful login.
myrouter(config)# access-list 99 permit host 10.10.10.123
myrouter(config)# login block-for 60 attempts 15 within 60
myrouter(config)# login quiet-mode access-class 99
myrouter(config)# login on-failure log every 10
myrouter(config)# login on-success log every 15
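To make the semantics of the configuration above concrete (the sliding "within" window, the quiet period, the exception ACL, and the every-Nth logging), here is an added model of the login block-for behaviour written for this page; it is not Cisco code and does not claim to reproduce IOS internals. The host addresses, timestamps and the scenario() walk-through are constructed, using the same numbers as the chapter's example.

```python
"""Model of 'login block-for <secs> attempts <n> within <secs>' with a quiet-mode
exception ACL and on-failure/on-success logging. Added example, not Cisco code;
hosts and timings are constructed."""
from collections import deque
from typing import Deque, List, Optional


class LoginThrottle:
    def __init__(self, block_for: int, attempts: int, within: int,
                 exception_hosts=(), log_failure_every: int = 1, log_success_every: int = 1):
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.exceptions = set(exception_hosts)        # hosts matched by the quiet-mode ACL
        self.failures: Deque[float] = deque()         # failure timestamps inside the watch window
        self.quiet_until: Optional[float] = None
        self.log_failure_every, self.log_success_every = log_failure_every, log_success_every
        self.failure_count = self.success_count = 0
        self.log: List[str] = []

    def in_quiet_period(self, now: float) -> bool:
        return self.quiet_until is not None and now < self.quiet_until

    def accepts(self, src: str, now: float) -> bool:
        """Is a new connection from src accepted at time now? Hosts on the
        exception ACL are admitted even during the quiet period."""
        return src in self.exceptions or not self.in_quiet_period(now)

    def attempt(self, src: str, now: float, success: bool) -> bool:
        """Record a login outcome; returns True if this attempt started quiet mode."""
        if success:
            self.success_count += 1
            if self.success_count % self.log_success_every == 0:   # 'on-success log every N'
                self.log.append(f"{now}: LOGIN_SUCCESS from {src} (count {self.success_count})")
            return False
        self.failure_count += 1
        if self.failure_count % self.log_failure_every == 0:       # 'on-failure log every N'
            self.log.append(f"{now}: LOGIN_FAILED from {src} (count {self.failure_count})")
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.within:  # slide the 'within' window
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for                  # 'block-for' seconds
            self.failures.clear()
            self.log.append(f"{now}: entering quiet mode until {self.quiet_until}")
            return True
        return False


def scenario() -> dict:
    """Constructed run with the chapter's numbers: block-for 60 attempts 15 within 60,
    exception for 10.10.10.123, log every 10th failure and every 15th success."""
    t = LoginThrottle(60, 15, 60, {"10.10.10.123"}, log_failure_every=10, log_success_every=15)
    triggered_at = None
    for i in range(15):                     # 15 failures in 15 seconds from one source
        if t.attempt("198.51.100.7", float(i), False):
            triggered_at = i
    return {
        "triggered_at": triggered_at,
        "blocked_during_quiet": not t.accepts("198.51.100.7", 20.0),
        "exception_allowed": t.accepts("10.10.10.123", 20.0),
        "allowed_after_quiet": t.accepts("198.51.100.7", 75.0),
        "failure_logs": sum("LOGIN_FAILED" in m for m in t.log),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Two points the model makes visible: failures spread more thinly than 15 per 60 seconds never trigger the quiet period, because the window slides, and with "log every 10" a burst of 15 failures produces a single syslog line, so the log cadence should be chosen with the block-for threshold in mind if you want the SIEM to see the burst before quiet mode starts.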