Set Access Class On Http Server Service; Set Access Class On Vty Lines - Cisco ROUTER-SDM-CD User Manual

Chapter 24
Security Audit
Fix It Page

addresses. Without CBAC, advanced application traffic is permitted only by writing Access Control Lists (ACLs). This approach leaves firewall doors open, so most administrators tend to deny all such application traffic. With CBAC enabled, however, you can securely permit multimedia and other application traffic by opening the firewall as needed and closing it at all other times.

To enable CBAC, Security Audit will use Cisco SDM's Create Firewall screens to generate a firewall configuration.

Set Access Class on HTTP Server Service

Security Audit enables the HTTP service on the router with an access class whenever possible. The HTTP service permits remote configuration and monitoring using a web browser, but is limited in its security because it sends a clear-text password over the network during the authentication process. Security Audit therefore limits access to the HTTP service by configuring an access class that permits access only from directly connected network nodes.

The configuration that will be delivered to the router to enable the HTTP service with an access class is as follows:

    ip http server
    ip http access-class <std-acl-num>
    !
    ! HTTP Access-class: Allow initial access to direct connected subnets
    ! only
    !
    access-list <std-acl-num> permit <inside-network>
    access-list <std-acl-num> deny any

Set Access Class on VTY Lines

Security Audit configures an access class for vty lines whenever possible. Because vty connections permit remote access to your router, they should be limited only to known network nodes.

The configuration that will be delivered to the router to configure an access class for vty lines is as follows:

    access-list <std-acl-num> permit <inside-network>
    access-list <std-acl-num> deny any

In addition, the following configuration will be applied to each vty line:

Cisco Router and Security Device Manager 2.5 User's Guide
OL-4015-12
24-23
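The two checks above (an access class on the HTTP server service, and an access class on every vty line, each backed by an ACL that permits only the inside network and ends with an explicit deny) can be verified offline against a saved running-config. The script below is an added example and is not Cisco SDM code or text from the manual. It assumes standard IOS syntax for the vty stanza (`line vty 0 4` with `access-class <std-acl-num> in`), which the page itself does not show, and uses constructed values (ACL number 23, inside network 10.1.1.0/24, hostname edge-router) in place of the manual's `<std-acl-num>` and `<inside-network>` placeholders.

```python
"""Audit a saved IOS running-config for the Security Audit access-class checks.

Added example, not Cisco SDM's own code. The sample config and all numbers in
it are constructed; 'access-class N in' under 'line vty' is standard IOS
syntax assumed here because the manual page cuts off before showing it.
"""
import re
from typing import Dict, List

# Constructed sample running-config. One vty range is deliberately left
# without an access-class so the audit has something to report.
SAMPLE_CONFIG = """\
hostname edge-router
!
ip http server
ip http access-class 23
!
! HTTP Access-class: Allow initial access to direct connected subnets
! only
!
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 23 deny any
!
line vty 0 4
 access-class 23 in
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Collect standard numbered ACL entries as {acl_number: ["permit ...", "deny any"]}."""
    acls: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny) (.+)", line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
    return acls


def parse_vty_blocks(config: str) -> Dict[str, List[str]]:
    """Return {"0 4": [sub-commands...], ...} for each 'line vty' stanza.

    Sub-commands are the indented lines that follow; any unindented line
    (another 'line' stanza, '!', 'end') closes the current stanza.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty "):
            current = raw[len("line vty "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = None
    return blocks


def acl_is_restrictive(entries: List[str]) -> bool:
    """True only if the ACL exists, ends with 'deny any', and never permits 'any'."""
    if not entries or entries[-1] != "deny any":
        return False
    return all(not e.startswith("permit any") for e in entries[:-1])


def audit(config: str) -> List[str]:
    """Return a list of findings; an empty list means both checks pass."""
    findings: List[str] = []
    acls = parse_acls(config)

    # Check 1: HTTP server service must carry an access-class backed by a restrictive ACL.
    if re.search(r"^ip http server$", config, re.M):
        m = re.search(r"^ip http access-class (\d+)$", config, re.M)
        if not m:
            findings.append("HTTP server enabled without an access-class")
        elif not acl_is_restrictive(acls.get(m.group(1), [])):
            findings.append(f"HTTP access-class ACL {m.group(1)} is missing or too permissive")

    # Check 2: every vty range must have an inbound access-class backed by a restrictive ACL.
    for rng, cmds in parse_vty_blocks(config).items():
        ac = [c for c in cmds if c.startswith("access-class ")]
        if not ac:
            findings.append(f"line vty {rng} has no access-class")
            continue
        num = ac[0].split()[1]
        if not acl_is_restrictive(acls.get(num, [])):
            findings.append(f"line vty {rng} access-class ACL {num} is missing or too permissive")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the constructed sample, the HTTP check passes and the only finding is that `line vty 5 15` has no access-class, which is exactly the gap Security Audit's vty fix is meant to close. Feeding the script `show running-config` output from a router makes the same two checks repeatable outside SDM.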
