Securing Remote Access
Since you will not always be physically close to your network devices to access them through the console port, you can enable them for remote access. A remote session can be established using either Telnet or SSH.
Although both protocols allow you to access a device remotely, they are opposites where security is concerned. Telnet exchanges everything in cleartext, including the password, whereas SSH encrypts the session, much like a VPN, and protects the exchanged data. Therefore, you should always use SSH when communicating over untrusted networks.
When someone makes a remote connection to your Cisco device, it assigns a virtual terminal (VTY) line to the remote session. The number of virtual terminal lines supported depends on the device and IOS version. To protect the virtual terminal lines, you use the same concept as for protecting the console line.
You can either define a password in line configuration mode for the virtual lines or define a local account in the device database to authenticate the remote user. Although you can use both methods for Telnet, you can only use the local database for SSH, since this protocol requires a username and password to be provided during authentication.
The configuration process for protecting the virtual lines is the same as with the console port. The following commands provide example configuration for each authentication approach on the VTY:
Just like the inactivity timeout configuration for console access, the exec-timeout period can also be set to a different value than the default of 10 minutes.
Enabling SSH
Only Telnet is allowed by default on Cisco devices, so you need to configure SSH and enable the device to support it. Although the configuration steps are the same on different Cisco devices, we will focus on configuring SSH on a router.
First, change the device's default hostname and define a domain name. You can define the domain name using the “ip domain-name domain-name” command.
These two parameters are needed so that the device can generate its private and public key pair. The key pair is generated using the “crypto key generate rsa” command. According to today's standards, using at least 2048 bits for the keys is recommended.
Once the keys are generated, create an account in the local database, which SSH authentication requires. Based on your requirements, you can also allow only SSH access on the device and deny any Telnet requests by using the “transport input ssh” command in VTY line configuration mode. Additionally, you can permit only SSH version 2 by configuring “ip ssh version 2” in global configuration mode.
The commands below show the full SSH configuration on R1:
Limiting Remote Access
Additionally, you can filter out devices that will be allowed to establish remote connections to a Cisco device. The easiest way to achieve this is by configuring an ACL that only permits certain devices and denies everything else.
As you can see in the figure above, PC1 should be allowed to make a Telnet session to router R1, while PC2 should be denied. You can do this by configuring an ACL on R1 and applying it to the virtual terminal lines in the inbound direction. The following commands on R1 achieve the goal:
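The following is an added example that combines the SSH configuration from the previous section with a VTY access list; it is not the page's own command listing. The hostname R1 comes from the page, while the domain name example.com, the username admin, and the addresses 192.168.1.10 for PC1 and 192.168.1.20 for PC2 are assumed values.

```cisco
! Added example (not the page's own configuration). Assumed values:
! domain example.com, user admin, PC1 = 192.168.1.10, PC2 = 192.168.1.20.
Router> enable
Router# configure terminal
! Hostname and domain name are required before RSA key generation
Router(config)# hostname R1
R1(config)# ip domain-name example.com
! Generate a 2048-bit RSA key pair for the SSH server
R1(config)# crypto key generate rsa modulus 2048
! Accept only SSH version 2 and limit the login negotiation window
R1(config)# ip ssh version 2
R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 3
! Local account that SSH will authenticate against (secret is hashed)
R1(config)# username admin privilege 15 secret ChangeMe-Str0ng!
! Standard ACL: permit only PC1; the explicit deny logs every other
! attempt (PC2 included) so refused connections show up in the logs
R1(config)# ip access-list standard VTY-ACCESS
R1(config-std-nacl)# permit host 192.168.1.10
R1(config-std-nacl)# deny any log
R1(config-std-nacl)# exit
! Apply local authentication, SSH-only transport, a 5-minute
! inactivity timeout and the ACL to all five virtual terminal lines
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exec-timeout 5 0
R1(config-line)# access-class VTY-ACCESS in
R1(config-line)# end
! Verify the SSH server state and the ACL hit counters
R1# show ip ssh
R1# show access-lists VTY-ACCESS
R1# show users
```

If Telnet must remain available for PC1 instead, replace “login local” with a line password plus “login” and use “transport input telnet ssh”; the access-class filter applies to both protocols either way.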