There is no question the router plays a vital role in networking. If this device were to be controlled by an attacker, then the entire CIA goal can be violated. As such, you can argue about the need to protect the router administratively, physically, and technically. Our focus again is on the technical part. Having said this, discuss the methods that can be used on a standard IOS router that will prevent unauthorized access to the router. Also, discuss how privilege levels and role-based CLI can improve the security on the router.
The Authentication, Authorization, and Accounting (AAA) framework plays an important role in securing network devices. The AAA framework provides authentication of management sessions and can also limit users to specific, administrator-defined commands and log all commands entered by all users. It also provides a highly configurable environment that can be adapted to the different needs of a network.
TACACS+ Authentication
It is an authentication protocol that IOS devices can use for authentication. Management users can access an IOS device via SSH, HTTPS, Telnet, or HTTP. It provides the ability to use individual user accounts for each network administrator. When users do not depend on a single shared password, the security of the network is improved and accountability is strengthened.
Authentication Fallback
If there comes a time when all the TACACS+ servers are unavailable, the IOS devices can rely on a secondary authentication protocol. Typical configurations include the use of local or enable authentication if all configured TACACS+ servers are unavailable.
TACACS+ Command Authorization
Command authorization with TACACS+ and AAA provides a mechanism that permits or denies each command entered by an administrative user. When the user enters EXEC commands, IOS sends each command to the configured AAA server. The AAA server then uses its configured policies to permit or deny the command for that particular user.
Redundant AAA Servers
The AAA servers that are leveraged in an environment should be redundant and deployed in a fault-tolerant manner. This helps ensure that interactive management access, such as SSH, is possible if an AAA server is unavailable.
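The four AAA pieces described above (TACACS+ authentication, fallback, command authorization, redundant servers) are one configuration in practice. The following IOS configuration is an added example written for this page, not the answer's own text or a Cisco reference configuration. The server names, the group name TAC-GROUP, the 192.0.2.x addresses (documentation range) and the local fallback username are constructed; every `<...>` token is a placeholder to be replaced with a real secret.

```cisco
! Added example: AAA on a Cisco IOS router with two TACACS+ servers,
! local fallback, per-command authorization and command accounting.
! Placeholders in <angle brackets> and all addresses/names are constructed.
aaa new-model
!
! Two TACACS+ servers grouped together: IOS tries them in order, so a single
! server outage does not remove management access.
tacacs server TAC1
 address ipv4 192.0.2.10
 key <TACACS-SHARED-SECRET>
tacacs server TAC2
 address ipv4 192.0.2.11
 key <TACACS-SHARED-SECRET>
aaa group server tacacs+ TAC-GROUP
 server name TAC1
 server name TAC2
!
! Local fallback account and enable secret, used only when every server in
! TAC-GROUP is unreachable (the "local"/"enable" methods below).
username admin-fallback privilege 15 secret <LOCAL-FALLBACK-SECRET>
enable secret <ENABLE-SECRET>
!
! Authentication: TACACS+ first, then local database / enable secret.
aaa authentication login default group TAC-GROUP local
aaa authentication enable default group TAC-GROUP enable
!
! Authorization: the EXEC shell itself, then every level-1 and level-15
! command (including configuration commands) is sent to the server for a
! permit/deny decision; "local" keeps the fallback account usable.
aaa authorization exec default group TAC-GROUP local
aaa authorization commands 1 default group TAC-GROUP local
aaa authorization commands 15 default group TAC-GROUP local
aaa authorization config-commands
!
! Accounting: log session start/stop and each command entered.
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 1 default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
!
! Management access over SSH only, with an idle timeout.
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
 exec-timeout 10 0
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting commands 15 default
```

Apply this with a console session already open, because a typo in the method lists locks out every remote administrator until it is corrected. Afterwards, `show tacacs` reports whether each server is reachable, and a second SSH login that is denied a command such as `configure terminal` confirms that authorization is actually being consulted rather than silently falling through to `local`.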
Role-based CLI allows an administrator to create views. A view is a set of operational commands and configuration capabilities that provides selective or partial access. Views restrict user access to the Cisco IOS command-line interface (CLI) and configuration information, which means that a view can define which commands are accepted and which information is visible; in turn, network administrators can exercise better control.

Although users can control CLI access via both privilege levels and enable mode passwords, these functions do not provide network administrators with the necessary level of detail needed when working with Cisco IOS routers and switches. CLI views provide a more detailed access control capability for network administrators, thereby improving overall security and accountability.
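To make the contrast between privilege levels and views concrete, here is an added IOS configuration (written for this page, not taken from the answer or from Cisco documentation) that builds a read-only view, an interface-only view, a superview that combines them, and, for comparison, a custom privilege level that exposes a few of the same commands. View names, usernames and every `<...>` secret are constructed placeholders.

```cisco
! Added example: role-based CLI views versus a custom privilege level.
! Names and secrets are constructed; replace every <placeholder>.
aaa new-model
enable secret <ENABLE-SECRET>
!
! Views are created from the root view, entered in EXEC mode with:
!   Router# enable view
! (prompts for the enable secret), then "configure terminal".
!
! Read-only operations view: only the listed commands are accepted;
! anything not included, such as "configure terminal", is rejected.
parser view NOC-MONITOR
 secret <NOC-VIEW-SECRET>
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show interfaces
 commands exec include show logging
 commands exec include ping
!
! Interface administration view: may enter configuration mode but only
! for interface sub-mode, and inside it only the listed commands.
! "show running-config" from this view displays only what the view permits.
parser view INTERFACE-ADMIN
 secret <IFADMIN-VIEW-SECRET>
 commands exec include show running-config
 commands exec include configure terminal
 commands configure include interface
 commands interface include description
 commands interface include ip address
 commands interface include shutdown
!
! Superview: union of the two views above, handy for a shift lead.
parser view SHIFT-LEAD superview
 secret <SHIFT-LEAD-VIEW-SECRET>
 view NOC-MONITOR
 view INTERFACE-ADMIN
!
! Bind local accounts to views (with TACACS+, the server returns the
! view name in the authorization reply instead).
username noc view NOC-MONITOR secret <NOC-USER-SECRET>
username ifadmin view INTERFACE-ADMIN secret <IFADMIN-USER-SECRET>
username lead view SHIFT-LEAD secret <LEAD-USER-SECRET>
!
! Privilege-level alternative: move a handful of commands down to level 5.
! Coarser than a view: level 5 also inherits everything at levels 1-4, and
! any command moved to level 5 becomes available to every level-5 user.
privilege exec level 5 show running-config
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 shutdown
privilege interface level 5 no shutdown
username l5admin privilege 5 secret <L5-SECRET>
```

`show parser view` reports the view the current session is in, and `show parser view all` (from the root view) lists every configured view, which is the quickest way to audit what each role can do. Logging in as `noc` and attempting `configure terminal` should be refused, while `ifadmin` should reach interface sub-mode but be unable to change, for example, routing configuration; checking both cases is a cheap way to confirm that the views, not just the enable secret, are what gate access.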