Although you may focus on using the Cisco IOS to secure network resources, you should not forget that the router itself is a vital resource that must also be protected. An obvious vulnerability is a router's virtual terminals, which should rarely, if ever, be open to public Internet connections.

Although an extended access list can be used to block the Telnet port (TCP 23), such a list is applied per IP interface and may have to be configured on every IP interface of the router. A more efficient and precise approach is to apply a standard access list to the virtual terminal lines themselves. The figure illustrates these virtual terminal (VTY) lines, which are numbered 0 to 4.

You can apply an access list directly to one of the five VTYs, but because you cannot always predict which VTY a user will connect to, you should apply the same access list to all five lines, as shown:
RTA(config)#access-list 5 permit 200.100.50.0 0.0.0.255
RTA(config)#access-list 5 permit host 192.168.1.1
RTA(config)#line vty 0 4
RTA(config-line)#access-class 5 in
In this example, access list 5 defines which hosts will be allowed to connect to the virtual terminals. The line vty 0 4 command specifies all five VTYs. Finally, the access-class command, not ip access-group, is used to apply the list to the VTYs. Note that the in keyword is almost always used with this command. The out keyword would actually restrict the router's capability to Telnet to outside destinations.
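To verify which sources such a list admits before applying it with access-class, the following Python script (an added example, not code from the page or from Cisco) parses standard access-list lines in IOS syntax, applies the wildcard-mask matching rule and the implicit deny at the end of every IOS access list, and reports whether a given source address would be permitted to reach the VTYs. The entries are the two from the example above; the function names are assumptions.

```python
import ipaddress

# Constructed input: the two entries of access list 5 from the example above.
ACL_5 = [
    "access-list 5 permit 200.100.50.0 0.0.0.255",
    "access-list 5 permit host 192.168.1.1",
]


def parse_standard_acl(lines):
    """Parse IOS standard ACL lines into (action, network, wildcard) tuples.

    A wildcard mask is the inverse of a subnet mask: a 0 bit must match the
    network, a 1 bit is "don't care". "host X" means X 0.0.0.0 and "any"
    means 0.0.0.0 255.255.255.255; a bare address is treated as a host.
    """
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL line: {line!r}")
        action, rest = parts[2], parts[3:]
        if rest[0] == "any":
            net, wild = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            net, wild = rest[1], "0.0.0.0"
        elif len(rest) == 1:
            net, wild = rest[0], "0.0.0.0"
        else:
            net, wild = rest[0], rest[1]
        entries.append((action, int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))))
    return entries


def acl_permits(entries, src):
    """Evaluate the entries top-down the way IOS does; first match wins."""
    src_int = int(ipaddress.IPv4Address(src))
    for action, net, wild in entries:
        care = ~wild & 0xFFFFFFFF  # bits that must match the network
        if src_int & care == net & care:
            return action == "permit"
    return False  # implicit deny at the end of every IOS access list


def vty_allowed(src, acl_lines=ACL_5):
    """Would a Telnet connection from src be accepted by access-class on the VTYs?"""
    return acl_permits(parse_standard_acl(acl_lines), src)


if __name__ == "__main__":
    for host in ("200.100.50.7", "192.168.1.1", "192.168.1.2", "200.100.51.1"):
        print(host, "permit" if vty_allowed(host) else "deny")
```

Hosts that match no entry fall through to the implicit deny, which is why a management-station address missing from the list locks that station out of the VTYs.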