Lock-and-key is a traffic filtering security feature that can automatically create access lists on the router to allow incoming traffic from an authenticated source. These access lists are also referred to as dynamic access lists. Lock-and-key can be used in conjunction with other standard and extended access lists. Traditional standard and extended access lists cannot create lock-and-key access list entries. Once an entry is added to a traditional access list, it remains there until it is removed manually. With lock-and-key you can create a temporary opening in an access list by utilizing a response to a user authentication procedure. The idea here is to give temporary access, after proper authentication, to designated users who normally have their IP traffic blocked at the router. Lock-and-key reconfigures the interface’s existing IP access list to permit designated users to reach their destination.
When the connection is terminated, the interface is configured back to its original state.
Let’s say, for example, that a user in Figure 2.7 is working at a branch office and needs to log into the corporate office. The user will attempt to log in from a PC that is connected to a router (typically via LAN). A Telnet session will be opened to the router to provide authentication. The router at the corporate site (which is configured for lock-and-key) receives the Telnet packet and opens a Telnet session. Next, the router will prompt for a password and then perform authentication by using a test that is configured by the administrator, such as a name and password. The authentication process can be done locally by the router using local username/password configuration, or through an external AAA server such as TACACS+ or RADIUS. When the user successfully authenticates, the Telnet session closes and a temporary entry is created in the dynamic access list. This dynamic entry typically permits traffic from the user’s source IP address to some predetermined destination. The entry is deleted when a timeout is reached or when the administrator clears it. A timeout can be configured as an idle-timeout or as a maximum-timeout period.
A user may not have a static IP address where DHCP is in use in a LAN environment or where the user connects through a dial-up link to an Internet Service Provider. In both cases, the user will typically receive a different IP address each time. Lock-and-key access lists can be used to implement a higher level of security without creating large holes in your network. The format of a lock-and-key access list is as follows:
access-list access-list-number [dynamic dynamic-name [timeout minutes]]
{deny | permit} protocol source source-wildcard destination
destination-wildcard [precedence precedence] [tos tos] [established] [log]
Table 2.13 describes lock-and-key access lists.
Figure 2.7 Using lock-and-key. (Diagram: a user at the branch site logs in across the link to the corporate site router, which performs a challenge/response exchange with the authentication server; the router interfaces shown are E1 and S0.)
Table 2.13 Lock-and-Key Access List Configuration

Command / Description

access-list list number
    Defines the number of the access list. The standard access list numbers range from 100–199.

dynamic dynamic-name
    Designates the name of the dynamic access list.

timeout minutes
    The timeout is optional and designates an absolute timeout for dynamic entries.

permit
    If conditions are met, traffic will be allowed.

deny
    If conditions are met, traffic will be denied.

protocol
    Defines the protocol for filtering. Available options here are keywords such as TCP or UDP.

source-address
    Identifies the host or network from which the packet is being sent. The source can be specified by an IP address or by using the keyword any.

source wildcard-mask
    This defines the number of wildcard bits assigned to the source address. The source wildcard-mask can be specified by an IP address or by using the keyword any.

destination-address
    Identifies the host or network to which the packet is being sent. The destination can be specified by an IP address or by using the keyword any.

destination wildcard-mask
    This defines the number of wildcard bits assigned to the destination address. The destination wildcard-mask can be specified by an IP address or by using the keyword any.

precedence / precedence number
    Used for filtering by the precedence level name or number.

TOS
    Defines filtering by service level specified by a name or number (0–15).

Established
    When using TCP, filtering will occur if RST or ACK bits are set.

Log
    This keyword results in the logging of packets that match the permit or deny statement.
■ The access-list number has the same format as an extended access list using the number 100–199.
■ The dynamic-name parameter is used to name your access list.
■ The timeout parameter here is optional. This is where a maximum timeout for your dynamic access list is configured. If no timeout is specified, the temporary access list entry will remain configured indefinitely on the interface. The entry would have to be removed manually.
■ The permit or deny field tells the router the action to perform.
■ The protocol field can be any TCP/IP protocol field; TCP will be used in most cases. When using UDP, remember that it is a connectionless protocol and contains no SYN-ACK bits for negotiation. UDP also contains no bits in the header for us to determine if it is part of an existing conversation.
■ The source IP address is always replaced with the IP address of the authenticating host, so the keyword any is typically used here.
■ The destination address and destination wildcard mask will specify the destination that will be allowed by the dynamic access list.

Previously, when defining standard and extended access lists, we had two steps: build the access list and then apply it to an interface. When using lock-and-key access lists, there are a few more steps we must follow. After creating the access list and applying the access list to an interface, we must configure our virtual terminal (VTY) ports.
By default, the router has 5 VTY ports available for Telnet sessions. They are numbered 0 through 5. When a user connects to a router, the connection will reserve a VTY port for the duration of that session, so five different Telnet sessions can be established on the router simultaneously. If you specify multiple VTY ports, they must all be configured identically because the software hunts for available VTY ports on a round-robin basis. If you do not want to configure all your VTY ports for lock-and-key access, you can specify a group of VTY ports for lock-and-key support only.
We have chosen to use three VTY ports in the following configuration:
line vty 0 2
 login local
 autocommand access-enable host timeout 10
You must use the autocommand here. When using the autocommand, the host parameter is also important. Without the host parameter the dynamic entries would not replace the source IP address of the authenticating host; therefore, any host would be allowed. The timeout parameter is optional here and specifies the idle-timeout. If no maximum-timeout or idle-timeout is specified, the entry will not be removed until the router is rebooted. If you use both timers, the idle-timeout should be set to a lower number than the maximum-timeout.
Another issue to consider when using a lock-and-key access list is that if no additional steps are taken, every Telnet session incoming to the router will be treated as an attempt to open a dynamic entry. Remember here that after authentication the Telnet session is closed, so we would never be able to Telnet to our router for management purposes. We have to specify another command in our router to alleviate this problem. Beneath our remaining VTY ports, the rotary 1 command is needed. The rotary 1 command will enable normal Telnet access to our router on port 3001. You will need to specify the use of port 3001 when attempting to access the
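The following configuration ties the steps above together: the extended access list with its dynamic entry, the interface it is applied to, the three lock-and-key VTY ports, and the rotary 1 command on the remaining VTY ports. It is an added example rather than the book's own configuration; the addresses, username, list number and dynamic-name are placeholders chosen for illustration, and the access list is assumed to be applied inbound on the corporate router's Serial0 interface.

```cisco
! Added example, not from the book. All addresses and names are placeholders.
!
! Local account used by "login local" on the lock-and-key VTY ports.
username branchuser secret <replace-with-a-strong-secret>
!
! Extended access list 101, applied inbound on the corporate serial interface.
! The first entry lets branch users reach the router's own Telnet service so
! the authentication session can be established; without it the dynamic entry
! could never be created, because the inbound list would drop the login itself.
access-list 101 permit tcp any host 192.0.2.1 eq telnet
!
! The dynamic entry: absolute (maximum) timeout of 120 minutes. Until someone
! authenticates this line matches nothing; afterwards the router inserts a
! temporary permit with the authenticating host's address in place of "any".
access-list 101 dynamic branch-users timeout 120 permit ip any 10.10.0.0 0.0.255.255
!
! Everything else arriving from the branch is denied and logged.
access-list 101 deny ip any any log
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
!
! Three VTY ports reserved for lock-and-key: local authentication, then
! access-enable with "host" (only the authenticating address is opened) and a
! 10-minute idle timeout, kept lower than the 120-minute maximum timeout above.
line vty 0 2
 login local
 autocommand access-enable host timeout 10
!
! Remaining VTY ports keep normal management Telnet access through rotary 1,
! which the router services on TCP port 3001 instead of port 23.
line vty 3 4
 login local
 rotary 1
```

The "deny ip any any log" entry is what lets you see, in the router's log, branch hosts attempting to reach the corporate network before (or without) authenticating.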