Interactive Access

Besides those already discussed, there are additional ways to get interactive connections to routers. Cisco IOS Software, depending on the configuration and software version, might support connections via Telnet, rlogin, SSH, and non-IP-based network protocols such as Local Area Transport (LAT), Maintenance Operation Protocol (MOP), X.29, V.120, and possibly others, as well as via local asynchronous connections and modem dial-ins. More protocols for interactive access are always being added. Interactive Telnet access is available not only on the standard Telnet Transmission Control Protocol (TCP) port (port 23) but also on a variety of higher-numbered ports.

All interactive access mechanisms use the Cisco IOS tty abstraction. (In other words, they all involve sessions on "lines" of one sort or another.) Local asynchronous terminals and dialup modems use standard lines, known as ttys. Remote network connections, regardless of the protocol, use virtual ttys, or vtys. The best way to protect a system is to make certain that appropriate controls are applied on all lines, including both TTY lines and vty lines.

Because it is difficult to be certain that all possible modes of access have been blocked, make sure that logins on all lines are controlled using some sort of authentication mechanism, even on machines that are supposed to be inaccessible from untrusted networks. Doing so is especially important for vty lines and for lines connected to modems or other remote-access devices.
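The following configuration is an added example, not part of the original text, that applies the principle from the two paragraphs above: every line on the box (console, auxiliary, and all vtys) gets an authentication requirement and a restricted set of transports, so that no access path, whether Telnet on a high-numbered port, LAT, MOP, or a modem on the AUX port, reaches an EXEC prompt without a login. The hostname, domain name, username, management subnet (192.0.2.0/24) and the assumption that the platform has 16 vty lines (0 through 15) are constructed for the example; check the real line count with `show line` before applying it.

```cisco
! --- Added example: protect ALL lines, not just the ones you expect to be used ---
hostname R1
ip domain-name example.test              ! constructed; needed before RSA key generation
ip ssh version 2                          ! assumes an RSA key pair has been generated
                                          ! (crypto key generate rsa modulus 2048)
!
! Local user database so "login local" has something to authenticate against.
! The secret value below is a placeholder; set a real one.
username admin privilege 15 secret <REPLACE-WITH-STRONG-SECRET>
!
! Only hosts on the constructed management subnet may open a vty session.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! Console: still a "line", still needs a login and an idle timeout.
line con 0
 login local
 exec-timeout 10 0
!
! AUX port (modem / remote-access device): if it is not needed for dial-in,
! disable EXEC and all transports so a connected modem cannot reach a prompt.
line aux 0
 no exec
 transport input none
 exec-timeout 0 1
!
! vtys: restrict the transport to SSH so Telnet (on port 23 or any of the
! higher-numbered ports), rlogin, LAT, MOP, etc. cannot open a session here,
! require a login, and filter source addresses with the ACL above.
! Apply the same block to EVERY vty range the platform has, not only 0-4.
line vty 0 4
 access-class MGMT-HOSTS in
 login local
 transport input ssh
 exec-timeout 10 0
line vty 5 15
 access-class MGMT-HOSTS in
 login local
 transport input ssh
 exec-timeout 10 0
```

Two details matter in practice. First, the vty ranges: hardening `line vty 0 4` while leaving `5 15` at defaults leaves exactly the kind of unblocked access path the text warns about, so enumerate the lines with `show line` and cover all of them. Second, `transport input` is what closes the non-SSH protocols; `login local` alone would still let a LAT or high-port Telnet connection reach the login prompt, so both controls belong on every vty.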
