Lock-and-Key Security

Lock-and-Key Security, also known as dynamic access lists, is a feature that allows IP traffic which would normally be blocked to pass dynamically. Lock-and-Key is configured on a dynamic extended ACL. It lets users open temporary entries in an existing ACL to gain time-limited access to a resource they normally cannot reach. Lock-and-Key reconfigures the ACL when it is triggered by a successful telnet login to the blocking router, allowing the user to reach those resources.

When should we use Lock-and-Key?

The following list describes two possible scenarios where Lock-and-Key could be used:

  • A specified remote user (or a group of users) needs access to a host or subnet that is normally not reachable.
  • One or more hosts on a local network need access to resources in a remote network that is blocked by a firewall.

How Lock-and-Key works

The following process describes the function of Lock-and-Key:

  1. The user starts a telnet session to the router on which the feature is configured. Cisco IOS receives the telnet packet, opens the telnet session and asks for a username and password to authenticate the user. The user authentication can be done against the local user database or against TACACS+ and RADIUS servers.
  2. The telnet session is automatically closed after a successful authentication, and the router creates the configured dynamic opening in the existing ACL.
  3. The router deletes all created temporary entries once the timeout has been reached or the entries have been deleted manually. The timeout can be either an idle timer or an absolute timeout. It is important to know that the entries are not deleted automatically when the user ends the session; they are only deleted after the timeout.

Spoofing risk with Lock-and-Key

As soon as a dynamic opening has been created by Lock-and-Key, an unauthorized user could spoof the permitted address to gain access to the resource, but this is a generic problem of all ACLs and not specific to Lock-and-Key. Spoofing can be prevented over a secured connection where the user traffic is encrypted on a secure router and is not decrypted until it reaches the interface of the local router on which Lock-and-Key is configured.

Lock-and-Key and its consequences on the router performance

The router performance can be affected with the use of Lock-and-Key as follows:

  • As soon as Lock-and-Key is triggered, the dynamic ACL forces an ACL rebuild within the Silicon Switching Engine (SSE). This leads to a temporary slowdown of the SSE switching path.
  • Dynamic ACLs use the idle timeout facility (even when the timeout is left at its default) and are therefore not switchable via SSE. The entries have to be handled by the protocol fast-switching path.
  • As soon as a user triggers Lock-and-Key, new ACL entries are installed on the interface, so the ACLs grow and shrink dynamically on that interface. Large ACLs can therefore disturb packet switching performance.

Configuration guidelines

The following rules should be considered during the configuration of Lock-and-Key:

  • There can only be one dynamic ACL for each ACL.
  • A dynamic ACL can only be assigned to one ACL.
  • Attributes can be assigned to a dynamic ACL the same way as it is done to a static ACL. The temporary entries inherit the attributes of the ACL.
  • Telnet has to be configured before the user can gain access to the resource.
  • An idle timeout has to be configured either with the timeout keyword of the access-enable command, within the autocommand command, or via an absolute timeout on the access-list command. If no timeout is configured, the temporary entries will never be deleted.
  • The configured idle timeout should be the same as the WAN idle timeout.
  • If both timeouts, the idle and the absolute timeout, are configured, the idle timeout has to be smaller than the absolute timeout.
  • It is possible to extend the absolute timeout by 6 minutes with the command access-list dynamic-extend if a session lasts longer than the absolute timeout. With this command it is possible to open another telnet session to the router and extend the timer.
  • The only attributes that get changed within a temporary ACL entry are the source or destination address, depending on whether the ACL is inbound or outbound. All other attributes, like the port, stay the same.
  • Every addition to a dynamic ACL is placed at the beginning of the ACL.
  • Temporary ACL entries will never be saved in the NVRAM.

Commands

Command / Description

  • router(config)# access-list access-list-number {dynamic dynamic-name {timeout minutes}} {deny | permit} telnet source source-wildcard destination destination-wildcard {precedence precedence} {tos tos} {established} {log}
    Defines a dynamic ACL as template and placeholder for the temporary entries.
  • router(config)# access-list dynamic-extend
    (Optional) Extends the absolute timeout by 6 minutes if another telnet session has been opened and successfully authenticated.
  • router(config)# autocommand access-enable {host} {timeout minutes}
    Allows the creation of temporary ACL entries. All hosts are allowed to use the temporary entry if the optional keyword host is not used.
  • router(config)# username name autocommand access-enable {host} {timeout minutes}
    Configures the user who is allowed to telnet to the router and open the temporary access. All hosts are allowed to use the temporary entry if the optional keyword host is not used.
  • router(config-line)# autocommand access-enable {host} {timeout minutes}
    Allows the creation of temporary ACL entries at the vty level. All hosts are allowed to use the temporary entry if the optional keyword host is not used.
  • router# clear access-template {access-list-number | name} {dynamic-name} {source} {destination}
    Deletes a temporary ACE.

Configuration example

This example shows the basic configuration for Lock-and-Key on R3 based on the local user database.

username test password 0 cisco
username test autocommand access-enable host timeout 1
!
interface FastEthernet0/0
 ip address 116.1.123.3 255.255.255.0
 ip access-group 100 in
 duplex auto
 speed auto
!
access-list 100 permit ospf any any
access-list 100 permit tcp any host 116.1.123.3 eq telnet
access-list 100 dynamic ACCESS permit ip any any
access-list 100 deny   ip any any log
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login local

R1 and R2 have their access to R3 and R4 blocked (except OSPF and telnet), apart from the dynamic ACL entry which allows temporary access after a successful authentication. login local is configured at the VTY level so that telnet access uses the local user database for authentication, while autocommand is configured at the user level. If we start a telnet session from R1 and authenticate with the configured username and password, R3 creates the temporary entry and allows everything from R1 to R3 and R4. Since we use the host keyword, R2 is still not allowed to access R3 and R4.

R1#telnet 116.1.123.3
Trying 116.1.123.3 ... Open

User Access Verification

Username: test
Password:
[Connection to 116.1.123.3 closed by foreign host]
R1#ping 116.1.34.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 116.1.34.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/51/96 ms

R2#ping 116.1.34.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 116.1.34.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R3#sh ip access-lists
Extended IP access list 100
    10 permit ospf any any (563 matches)
    20 permit tcp any host 116.1.123.3 eq telnet (186 matches)
    30 Dynamic ACCESS permit ip any any
       permit ip host 116.1.123.1 any (15 matches) (time left 58 )
    40 deny ip any any log

The time left information corresponds to the configured timeout value of 1 minute.

Even though we could use a named ACL, it is better to use a numbered ACL, since the temporary entry can only be deleted manually if the ACL is numbered (IOS 12.4(17)):

R3#clear access-template 100 ACCESS host 116.1.123.1 any
R3#sh ip access-lists
Extended IP access list 100
    10 permit ospf any any (605 matches)
    20 permit tcp any host 116.1.123.3 eq telnet (252 matches)
    30 Dynamic ACCESS permit ip any any
    40 deny ip any any log (5 matches)

As a last example, I’ve left out the host keyword in this configuration. As the temporary ACL entry shows, every host is now allowed to access R3 and R4, not only R1, from which we opened the telnet session.

R3#sh ip access-lists
Extended IP access list 100
    10 permit ospf any any (637 matches)
    20 permit tcp any host 116.1.123.3 eq telnet (402 matches)
    30 Dynamic ACCESS permit ip any any
       permit ip any any
    40 deny ip any any log (5 matches)
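The guidelines above state that a temporary entry differs from its template only in the rewritten source (or destination) address and that it is never removed unless a timeout is configured, and the last listing shows what the entry looks like when the host keyword is left out. As an added illustration, not part of the original article and not Cisco tooling, here is a small Python audit that parses "show ip access-lists" output and a running-config excerpt and flags the two weak states: a temporary entry whose source is "any", and an access-enable autocommand missing host or timeout. The sample output is constructed from the article's own listings; the "guest" user in the config sample is hypothetical, and the audit assumes the dynamic ACL is applied inbound as in the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of "show ip access-lists" output. The first copy follows the
# article's output after a login with "access-enable host timeout 1" (source pinned
# to 116.1.123.1); the second follows the output after the host keyword was left out.
SHOW_WITH_HOST = """\
Extended IP access list 100
    10 permit ospf any any (563 matches)
    20 permit tcp any host 116.1.123.3 eq telnet (186 matches)
    30 Dynamic ACCESS permit ip any any
       permit ip host 116.1.123.1 any (15 matches) (time left 58 )
    40 deny ip any any log
"""

SHOW_WITHOUT_HOST = """\
Extended IP access list 100
    10 permit ospf any any (637 matches)
    20 permit tcp any host 116.1.123.3 eq telnet (402 matches)
    30 Dynamic ACCESS permit ip any any
       permit ip any any
    40 deny ip any any log (5 matches)
"""

# Constructed running-config excerpt: the article's user plus a hypothetical
# "guest" user whose autocommand carries neither "host" nor "timeout".
SAMPLE_CONFIG = """\
username test password 0 cisco
username test autocommand access-enable host timeout 1
username guest password 0 guest
username guest autocommand access-enable
"""


@dataclass
class TempEntry:
    acl: str
    dynamic_name: str
    source: str
    destination: str
    time_left: Optional[int]  # seconds, or None when IOS prints no "(time left N)"


ACL_RE = re.compile(r"^Extended IP access list (\S+)")
DYNAMIC_RE = re.compile(r"^\s*\d+\s+Dynamic\s+(\S+)\s+permit\b")
NUMBERED_RE = re.compile(r"^\s*\d+\s")
# Temporary entries carry no sequence number and sit under the Dynamic line.
TEMP_RE = re.compile(
    r"^\s+permit\s+(\S+)\s+(host \S+|any|\S+ \S+)\s+(host \S+|any|\S+ \S+)"
    r"(?:\s+\(\d+ matches\))?(?:\s+\(time left (\d+)\s*\))?"
)


def parse_temp_entries(show_output: str) -> List[TempEntry]:
    """Return the temporary entries currently installed under each dynamic ACL."""
    entries: List[TempEntry] = []
    acl, dynamic_name = "", None
    for line in show_output.splitlines():
        m = ACL_RE.match(line)
        if m:
            acl, dynamic_name = m.group(1), None
            continue
        m = DYNAMIC_RE.match(line)
        if m:
            dynamic_name = m.group(1)  # following unnumbered lines belong to it
            continue
        if NUMBERED_RE.match(line):
            dynamic_name = None        # the next numbered ACE ends the dynamic block
            continue
        m = TEMP_RE.match(line)
        if m and dynamic_name:
            left = int(m.group(4)) if m.group(4) else None
            entries.append(TempEntry(acl, dynamic_name, m.group(2), m.group(3), left))
    return entries


def audit_temp_entries(show_output: str) -> List[str]:
    """Flag temporary entries open to any source or showing no expiry (inbound ACL assumed)."""
    findings = []
    for e in parse_temp_entries(show_output):
        where = f"ACL {e.acl}/{e.dynamic_name}: permit {e.source} -> {e.destination}"
        if e.source == "any":
            findings.append(f"{where}: source is 'any' (access-enable without 'host'), "
                            "so every host behind the interface can use the opening")
        if e.time_left is None:
            findings.append(f"{where}: no '(time left N)' shown; verify a timeout is "
                            "configured, otherwise the entry is never removed")
    return findings


AUTOCMD_RE = re.compile(r"autocommand\s+access-enable(?P<args>.*)$")


def audit_autocommand(config: str) -> List[str]:
    """Flag access-enable autocommands that lack the host or timeout keyword."""
    findings = []
    for line in config.splitlines():
        m = AUTOCMD_RE.search(line)
        if not m:
            continue
        args = m.group("args").split()
        if "host" not in args:
            findings.append(f"{line.strip()}: missing 'host', the temporary entry will permit any source")
        if "timeout" not in args:
            findings.append(f"{line.strip()}: missing 'timeout', needs an absolute timeout or the entry never expires")
    return findings


if __name__ == "__main__":
    for label, out in (("with host", SHOW_WITH_HOST), ("without host", SHOW_WITHOUT_HOST)):
        print(label, audit_temp_entries(out) or ["ok"])
    print(audit_autocommand(SAMPLE_CONFIG))
```

Run against the two listings, the first reports nothing and the second reports the open source address, which is exactly the difference the host keyword makes; the config check catches the problem before anyone logs in, which is the cheaper place to find it.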

2 comments

  1. Roy

    Hi Pashtuk

    This is a very good tutorial on lock&key.
    As a side note you can also create the dynamic ACL entry as:

    ip access-list extended 100
    dynamic ACCESS permit…

    Plus the access-enable [host] feature can be done manually when R1 or R2 telnets to R3 if autocommand is not being used.

    i.e.
    R1 or R2: telnet to R3
    type: access-enable or access-enable host

    R1 or R2: exit telnet connection to R3

  2. Roy

    Additionally you can just have eg.

    line vty 0 4
    password cisco
    login

    And just have all users enter the password to gain telnet access to R3.

    Thanks again for the article!
