Category: security

You could limit terminal access to a router with an access-class in line configuration command for a very long time (since, at least, IOS release 10.0). However, the access-class command only accepted standard access-lists, allowing you to restrict access solely based on source IP addresses. In the meantime, this feature quietly got upgraded to support extended access lists. In the IOS release 12.4, the command even accepts (undocumented !) named access lists.

These new features give you the ability to implement interesting policies, for example:

• Telnet access is only allowed from the network management station.
• SSH access is allowed from anywhere within internal network

You can also use the extended access list logging functionality, making it possible to log every connection attempt to the router.

Cisco has in IOS release 12.3(4)T (integrated into 12.4) finally introduced features (long available in Unix and Windows) that slow down dictionary attacks on a router. On top of logging of login failures, you can also slow down the login process by delaying the router response after a login failure with the login delay seconds command.

On top of that, the you can configure the router to enter quiet mode after several login failures have been detected in specified timeframe with the login block-for seconds attempts tries within seconds configuration command.

Cisco Press has just released my latest book (and my first digital one): Deploying Zone-Based Firewalls. The book covers a completely new way to configure IOS firewall feature set based on security zones you define on a router and inter-zone policies configured using the familiar class-maps and policy-maps.

You can preview this digital book (they call it Digital Short Cut) using the Safari technology at Cisco Press and buy it at Amazon.