Fundamentals of Lock and Key Security
Figure 7.3 details the steps involved when a host on an outside network wants authorized access to a host behind a router configured with Lock and Key security. Host B wants to reach Host A behind the perimeter router, Router A, but must first authenticate to Router A before the dynamic entry that permits its traffic is created. The steps are as follows:
Figure 7.3: Example of Host B accessing Host A through Router A configured with dynamic access lists.
1. Host B opens a Telnet session to a virtual terminal (vty) port of Router A.
2. Router A receives the Telnet request and opens a Telnet session with Host B.
3. Depending on the authentication method Router A is configured to use, Router A asks Host B to provide the proper credentials (verified against a security access server or the router's local authentication database).
4. After Host B passes the authentication phase, Router A logs Host B out of the Telnet session. At the same time Router A creates a temporary entry in the dynamic access list, using the template entry in the extended access list applied to the interface.
5. Host B now has a dynamic access list entry in Router A that permits its traffic through the interface access list to Host A.
6. Finally, Router A deletes the temporary entry when either the configured idle timeout or the absolute timeout is reached, whichever comes first (an administrator can also remove it manually).
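The following Router A configuration is an added example, not part of the original text, that implements the six steps above. The topology, addresses, list number, user name and timeouts are assumptions: Host B is on the outside of interface Serial0 (198.51.100.1), Host A is 10.1.1.20 on the inside, and the user authenticates against the router's local database rather than a security access server.

```cisco
! Lock and Key (dynamic access list) on Router A. Assumed topology:
! Host B (outside) -> Serial0 198.51.100.1 -> Router A -> Host A 10.1.1.20.
!
! Local credential Host B's user presents in step 3. In production this
! would usually be checked by a TACACS+ or RADIUS server instead.
username hostb-user secret <password>
!
interface Serial0
 ip address 198.51.100.1 255.255.255.252
 ip access-group 101 in
!
! 101 is the extended list applied inbound on the outside interface.
! Entry 1: outside hosts may reach the router's own vty, so step 1 can happen.
access-list 101 permit tcp any host 198.51.100.1 eq telnet
! Entry 2: the dynamic template. It is inactive until a user authenticates.
! "timeout 60" is the ABSOLUTE lifetime of the temporary entry in minutes
! (step 6); it cannot be extended by traffic.
access-list 101 dynamic LOCKKEY timeout 60 permit ip any host 10.1.1.20
! Everything else arriving from the outside is dropped and logged.
access-list 101 deny ip any any log
!
! vty 0-3 are the Lock and Key lines. After a successful login the router
! runs the autocommand and disconnects the session (step 4).
! "host" replaces the "any" source in the template with the address of the
! host that authenticated; without it the temporary entry would permit
! ANY outside host to reach Host A while it exists.
! "timeout 10" is the IDLE timeout in minutes.
line vty 0 3
 login local
 autocommand access-enable host timeout 10
!
! Keep one vty without the autocommand for router administration (reached
! on TCP port 3001 via rotary 1); otherwise every administrative Telnet
! login would also be terminated by access-enable.
line vty 4
 login local
 rotary 1
```

Once Host B has logged in, `show access-lists 101` lists the temporary entry (source 203.0.113.50, for example, instead of `any`) beneath the dynamic template; `clear access-template 101 LOCKKEY` removes such entries before their timers expire. Always set at least one of the two timeouts: a dynamic entry with neither an idle nor an absolute timeout stays open until the router is reloaded or the entry is cleared by hand.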
Additional Access List Features
Prior to Cisco IOS 11.2, IP access list configuration was somewhat limited. Many enhancements have since been added to the IOS; named access lists, time-based access lists, and access list comments are just a few.
Named Access Lists
Numbered access lists are drawn from finite number ranges (for example 1 to 99 for standard and 100 to 199 for extended IP lists), which limits how many can exist on a router. As of Cisco IOS 11.2 you can identify IP access lists with an alphanumeric string rather than a number. With named access lists you can configure more IP access lists in a router than numbered lists allow. Another advantage of named access lists is that descriptive names make a large number of access lists more manageable. If you identify an access list by name rather than number, the configuration mode and command syntax are slightly different: the ip access-list {standard | extended} name command enters an access list subconfiguration mode in which the individual permit, deny and remark statements are entered. Keep a few things in mind when configuring named access lists: not all access lists that accept a number will accept a name, and a standard access list and an extended access list cannot share the same name.
Time−Based Access Lists
Cisco IOS 12.0(1) introduced time-based access lists, whose entries are in effect only during a time range specified in the configuration. Before this feature, an access list entry was in effect indefinitely, until the administrator deleted it. With time-based access lists configured, administrators can control traffic according to service provider rates (which might vary at certain times of the day) and have finer-grained control over when certain traffic is permitted or denied within their network.
Note The time-based access list feature depends on a reliable clock source: an entry keyed to a time range is opened or closed according to the router's notion of the time, so a wrong or tampered clock activates the entry at the wrong moment. It is therefore recommended that the router be configured to synchronize its clock with the Network Time Protocol (NTP), and that NTP authentication be used so that a forged time update cannot shift the router's clock.
Commented Access Lists
Commented access lists give security administrators the ability to place a remark within an access list. Remarks make the purpose of individual entries easy to identify when reading or maintaining the list. The feature is available in both named and numbered access lists. Each remark is limited to 100 characters.
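The following configuration is an added example, not part of the original text, that brings the three features of this section together on Router A: a named extended list with remarks, an entry restricted by a time range, and the authenticated NTP configuration the time range depends on. The interface, addresses, names, dates and key are assumptions.

```cisco
! Named, time-based and commented access lists on Router A (added example).
! Assumed: outside interface Serial0 (198.51.100.1), DMZ web server
! 172.16.1.10, NTP server 192.0.2.10 reachable through Serial0.
!
! 1. Reliable clock first. A time range is only as trustworthy as the
!    clock it is evaluated against, so authenticate NTP: a forged time
!    update must not be able to open the business-hours entry at 03:00.
clock timezone EST -5
ntp authenticate
ntp authentication-key 1 md5 <key>
ntp trusted-key 1
ntp server 192.0.2.10 key 1
!
! 2. The time range that the access list entry refers to: weekday business
!    hours, and only during calendar year 2024 (one absolute range may be
!    combined with one or more periodic ranges).
time-range BUSINESS-HOURS
 absolute start 00:00 1 January 2024 end 23:59 31 December 2024
 periodic weekdays 8:00 to 18:00
!
! 3. Named extended list (a name instead of a 100-199 number). Each remark
!    (at most 100 characters) documents the entry that follows it.
ip access-list extended OUTSIDE-IN
 remark Web to the DMZ server, only during business hours
 permit tcp any host 172.16.1.10 eq www time-range BUSINESS-HOURS
 remark Replies from the NTP server to the router itself
 permit udp host 192.0.2.10 eq ntp host 198.51.100.1 eq ntp
 remark Drop and log everything else arriving from outside
 deny ip any any log
!
! A standard list may not reuse the name of an extended list, so this
! management list gets its own name.
ip access-list standard MGMT-HOSTS
 remark Inside addresses allowed to reach the vty lines
 permit 10.1.1.0 0.0.0.255
!
interface Serial0
 ip access-group OUTSIDE-IN in
!
line vty 0 4
 access-class MGMT-HOSTS in
```

`show time-range` reports whether BUSINESS-HOURS is currently active, and `show access-lists OUTSIDE-IN` marks the time-ranged entry as (active) or (inactive). Note that the NTP permit entry is required because OUTSIDE-IN filters traffic destined to the router itself as well as traffic passing through it; without it the router would never synchronize and the time-based entry would be evaluated against an unsynchronized clock.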