24-23
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
Chapter24 Security Audit
Fix It Page
addresses. Without CBAC, advanced application traffic is permitted only by
writing Access Control Lists (ACLs). This approach leaves firewall doors open,
so most administrators tend to deny all such application traffic. With CBAC
enabled, however, you can securely permit multimedia and other application
traffic by opening the firewall as needed and closing it all other times.
To enable CBAC, Security Audit will use Cisco SDM’s Create Firewall screens to
generate a firewall configuration.
Set Access Class on HTTP Server Service
Security Audit enables the HTTP service on the router with an access class
whenever possible. The HTTP service permits remote configuration and
monitoring using a web browser, but is limited in its security because it sends a
clear-text password over the network during the authentication process. Security
Audit therefore limits access to the HTTP service by configuring an access class
that permits access only from directly connected network nodes.
The configuration that will be delivered to the router to enable the HTTP service
with an access class is as follows:
ip http server
ip http access-class <std-acl-num>
!
!HTTP Access-class:Allow initial access to direct connected subnets !
!only
access-list <std-acl-num> permit <inside-network>
access-list <std-acl-num> deny any
Set Access Class on VTY Lines
Security Audit configures an access class for vty lines whenever possible.
Because vty connections permit remote access to your router, they should be
limited only to known network nodes.
The configuration that will be delivered to the router to configur e an access class
for vty lines is as follows:
access-list <std-acl-num> permit <inside-network>
access-list <std-acl-num> deny any
In addition, the following configuration will be applied to each vty line: