Set Access Class On Http Server Service; Set Access Class On Vty Lines - Cisco OL-4015-08 User Manual

Cisco router and security device manager user's guide

Chapter 16
Security Audit

destination addresses. Without CBAC, advanced application traffic is permitted only by writing Access Control Lists (ACLs). This approach leaves firewall doors open, so most administrators tend to deny all such application traffic. With CBAC enabled, however, you can securely permit multimedia and other application traffic by opening the firewall as needed and closing it at all other times.

To enable CBAC, Security Audit will use SDM's Create Firewall screens to generate a firewall configuration.

Set Access Class on HTTP Server Service

Security Audit enables the HTTP/HTTPS service on the router with an access class whenever possible. The HTTP service permits remote configuration and monitoring using a web browser, but is limited in its security because it sends a clear-text password over the network during the authentication process. Security Audit therefore limits access to the HTTP service by configuring an access class that permits access only from directly connected network nodes.

The configuration that will be delivered to the router to enable the HTTP service with an access class is as follows:

ip http server
ip http access-class <std-acl-num>
!
! HTTP Access-class: Allow initial access to directly connected subnets only
access-list <std-acl-num> permit <inside-network>
access-list <std-acl-num> deny any

Set Access Class on VTY Lines

Security Audit configures an access class for vty lines whenever possible. Because vty connections permit remote access to your router, they should be limited only to known network nodes.

The configuration that will be delivered to the router to configure an access class for vty lines is as follows:

access-list <std-acl-num> permit <inside-network>
access-list <std-acl-num> deny any

In addition, the following configuration will be applied to each vty line:

Cisco Router and Security Device Manager Version 2.2 User's Guide
16-23
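The two checks above (an HTTP service without an access class, and vty lines without one) are exactly the kind of thing an auditor wants to verify in a running-config before and after the fix. The following is an added example, not Cisco's or SDM's own code: a small Python audit that parses an IOS running-config for these two items and builds the remediation from the page's configuration templates. It assumes (not from the page) that the per-vty-line command SDM applies is the standard IOS `access-class <std-acl-num> in`, that the standard ACL entry takes a wildcard mask after the inside network, and that the vty range is `0 4`; the sample running-config, ACL number and addresses are constructed for the demonstration.

```python
"""Added example (not Cisco's or SDM's own code): audit an IOS running-config
for the two Security Audit items on this page and build the remediation.

Assumptions not taken from the page: the per-vty-line fix is the standard
IOS command `access-class <acl> in`; the standard ACL entry carries a
wildcard mask; the vty range is '0 4'. Sample config/addresses are constructed.
"""
import re

# Constructed sample running-config: HTTP server on with no access class,
# vty lines with no access class, no standard ACL defined.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
ip http server
!
line con 0
line vty 0 4
 login
 transport input telnet ssh
!
end
"""


def parse_line_blocks(config):
    """Return {'line ...': [child commands]} for every 'line' stanza.

    Repeated stanzas for the same range are merged, as IOS itself does.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_access_classes(config):
    """Mirror the two Security Audit checks; True means the item passes."""
    lines = [l.rstrip() for l in config.splitlines()]
    http_enabled = "ip http server" in lines or "ip http secure-server" in lines
    http_acl = any(re.match(r"ip http access-class \d+", l) for l in lines)
    findings = {
        # Only a finding when the HTTP service is actually enabled.
        "http_access_class": (not http_enabled) or http_acl,
    }
    vty_blocks = {h: body for h, body in parse_line_blocks(config).items()
                  if h.startswith("line vty")}
    findings["vty_access_class"] = bool(vty_blocks) and all(
        any(re.match(r"access-class \d+ in", l) for l in body)
        for body in vty_blocks.values())
    return findings


def remediation(inside_network, wildcard, acl_num, vty_ranges=("0 4",)):
    """Build the fix from the page's templates (vty ranges are assumed)."""
    cfg = [
        "ip http server",
        f"ip http access-class {acl_num}",
        "!",
        "! HTTP Access-class: Allow initial access to directly connected subnets only",
        f"access-list {acl_num} permit {inside_network} {wildcard}",
        f"access-list {acl_num} deny any",
    ]
    for rng in vty_ranges:
        # Assumed per-line command; the page elides what SDM applies here.
        cfg += [f"line vty {rng}", f" access-class {acl_num} in"]
    return "\n".join(cfg)


def acl_is_restrictive(config, acl_num):
    """True if the standard ACL starts with a permit and ends with 'deny any'.

    IOS adds an implicit deny anyway; the explicit one makes intent visible.
    """
    entries = [l.strip() for l in config.splitlines()
               if l.strip().startswith(f"access-list {acl_num} ")]
    return (len(entries) >= 2 and entries[0].split()[2] == "permit"
            and entries[-1].endswith(" deny any"))


if __name__ == "__main__":
    print("before:", audit_access_classes(SAMPLE_CONFIG))
    fix = remediation("10.1.1.0", "0.0.0.255", 23)
    print(fix)
    print("after:", audit_access_classes(SAMPLE_CONFIG + fix + "\n"))
```

Run against the constructed sample, both findings fail before the fix and pass once the remediation lines are appended; `acl_is_restrictive` confirms the ACL permits the inside network and then denies everything else, which is the property the page's template relies on.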