When is it appropriate to use lock-and-key? Two
general scenarios warrant a dynamic access list configuration:
- You want to permit a user, or group of users, to securely access a host
within your protected network via the Internet. Lock-and-key authenticates
the user and then permits limited access through your firewall router, but
only for that individual's host or subnet, and only for a finite period of
time.
- You want certain users on a remote network to access a host on the
corporate network protected by a firewall (as shown in the figure). Lock-and-key
requires users to authenticate before allowing their hosts to access the
protected hosts.
The following steps summarize lock-and-key operation:
- A user opens a Telnet session to a firewall router configured for
lock-and-key. The user connects via one of the VTYs on the router.
- Cisco IOS receives the Telnet packet, opens a Telnet session, prompts
the user for a username and password, and performs the authentication
process. The authentication can be done by the router itself or by a security
server (such as a TACACS+ or RADIUS host). When the user passes authentication,
the Telnet session is closed and the software creates a temporary entry in the
dynamic access list for the source address of that session. Depending on the
configuration, this temporary entry can limit the range of networks to which
the user is given temporary access.
- The user exchanges data through the "hole" in the firewall.
- Cisco IOS deletes the temporary access list entry when a configured timeout
is reached, or when the system administrator clears it manually. The
configured timeout can be either an idle timeout or an absolute timeout.
Terminating the data session does not remove the entry; it remains until the
timeout is reached or until the system administrator clears it.
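The procedure above, as an added Cisco IOS configuration example (this is not configuration from the original page; the interface, addresses, list number, list name, username, and timer values are all assumed):

```cisco
! Added example; all names, addresses and timers are assumed values.
!
! Local authentication for the lock-and-key user. A TACACS+ or RADIUS
! server could be used instead through AAA login authentication.
username lockkey password 0 ChangeMe
!
! Static entry so that outside users can reach the router's Telnet
! service in order to authenticate.
access-list 101 permit tcp any host 172.18.23.9 eq telnet
!
! Dynamic entry. It is inactive until a user authenticates; the
! "timeout 120" here is the ABSOLUTE timeout (minutes) for the
! temporary entries created from it. The temporary entry only opens
! the single protected host 172.18.21.2, not the whole subnet.
access-list 101 dynamic lockkey-list timeout 120 permit ip any host 172.18.21.2
!
! Apply the list inbound on the outside (Internet-facing) interface.
interface Ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
!
! VTY lines: after a successful login, "access-enable host" creates the
! temporary entry for the connecting host only, with a 5-minute IDLE
! timeout, and the Telnet session is then closed automatically.
line vty 0 4
 login local
 autocommand access-enable host timeout 5
```

With this configuration, `show access-lists` shows the temporary entry while it exists, and `clear access-template` removes it before either timeout fires. Two practical checks: first, the `autocommand` applies to every VTY it is configured on, so keep at least one VTY without it (Cisco uses the `rotary` line command for this) or you will lock administrators out of interactive access. Second, the temporary entry is keyed only to the source address of the Telnet session; any traffic that carries that source address, spoofed or from another process on the same host, passes through the hole until it times out, so choose the idle and absolute timeouts to keep that window short.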
Cisco IOS releases prior to Release 11.1 do not support dynamic access lists
(lock-and-key). If a configuration file that includes a dynamic access list is
loaded on IOS software older than Release 11.1, the resulting access list will
not be interpreted correctly, which can leave you with severe security problems.