Introduction
Many network administrators do only the minimum when it comes to setting up user access to their routers. In many cases this is sufficient: on a lot of networks the routers face no serious threat, and only a handful of people ever want or need to log in to them. Unfortunately, not every administrator can afford to be quite so cavalier.
Most of the recipes in this chapter discuss methods for securing access to routers through measures such as usernames and passwords, controlling access-line parameters, restricting remote-access protocols, and setting the privilege levels of users and commands.
There are several important prerequisite concepts for this discussion. You should understand what VTYs and access lines are, and you need to know a little about user and command privilege levels. Both topics are discussed in some detail in O'Reilly's Cisco IOS in a Nutshell, in Chapters 4 and 13, respectively.
We discuss best practices and provide a number of valuable recommendations in this chapter. In particular, we refer to the National Security Agency (NSA) router security document throughout. The NSA has compiled an extremely useful set of recommendations for many different types of systems, including a guide specific to Cisco routers. You can download a copy of this document from http://www.nsa.gov/snac/.
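To put the prerequisite terms in context, here is a minimal IOS access-line configuration that ties them together. This is an added illustration, not a recipe from the book: the hostnames, usernames, secrets and the 192.0.2.0/24 management subnet are placeholders, and it assumes SSH has already been enabled on the router (a domain name set and an RSA key generated), which is covered by its own recipe.

```cisco
! Added example (not from the book). Placeholders: secrets, usernames,
! and the management subnet 192.0.2.0/24.
service password-encryption
enable secret <enable-secret>
!
! Two local users at different user privilege levels.
username netadmin privilege 15 secret <strong-secret>
username helpdesk privilege 5  secret <strong-secret>
!
! A command privilege level: "clear line" is normally level 15,
! this lets a level-5 helpdesk user reset a stuck access line.
privilege exec level 5 clear line
!
! Only the management subnet may open a VTY session; everything
! else is refused and logged.
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
! The VTYs are the access lines used for remote logins.
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 5 0
!
! The console is an access line too; do not leave it unauthenticated.
line con 0
 login local
 exec-timeout 5 0
```

A quick check after applying this: `show privilege` as the helpdesk user should report level 5, `show line` should list the VTYs with `access-class 10 in`, and a Telnet attempt to the router should be refused because `transport input ssh` limits the VTYs to SSH.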
This chapter also contains three scripts written by the authors of this book. Two of these scripts are written in Perl, and the other in Expect. For more ...