Lock and Key - PowerPoint PPT Presentation

About This Presentation
Title:

Lock and Key

Description:

Lock & Key is a Cisco IOS traffic filtering security feature that dynamically filters ... Lock & Key creates dynamic user access through a firewall, ...

Slides: 10
Provided by: valen97
Tags: cisco | firewall | key | lock


Transcript and Presenter's Notes

Title: Lock and Key


1
Lock and Key
  • by Linda Wier

2
Lock and Key
  • Lock & Key is a Cisco IOS traffic filtering
    security feature that dynamically filters IP
    protocol traffic. It temporarily opens a hole
    in the firewall without compromising other
    configured security restrictions. Lock & Key is
    configured using IP dynamic extended access
    lists and can be used in conjunction with other
    standard access lists and static extended access
    lists.

3
Lock & Key
  • Dynamic Access List
  • For Lock & Key to work
  • When to use Lock & Key
  • Configuring Lock & Key

4
Dynamic Access List
  • Dynamic access lists enable designated users
    to gain temporary access to protected resources,
    no matter what IP address they come in on. When
    configured, Lock & Key modifies the existing IP
    access list of the interface so that it permits
    the IP addresses of designated users to reach
    specific destinations. After the user
    disconnects, Lock & Key returns the access list
    to its original state.
  • You should always define either an idle timeout
    (with the timeout keyword in this command) or an
    absolute timeout (with the timeout keyword in the
    access-list command). Otherwise, the dynamic
    access list will remain, even after the user has
    terminated the session.

5
For Lock & Key to work
  • The user must first telnet to the router.
    Telnetting gives the user a chance to tell the
    router who he or she is (by authenticating with a
    username and password), and what IP address he
    or she is currently sending from. Once the user
    has authenticated to the router successfully, the
    user's IP address can be granted temporary access
    through the router. The dynamic access list
    configuration determines the length of the access
    granted.

6
When to use Lock & Key
  • To permit a user or a group of users to securely
    access a host within a protected network via the
    internet. Lock & Key authenticates the user and
    then permits limited access through your firewall
    router, only for that individual host or subnet
    for a certain period of time.
  • To allow certain users on a local network to
    access a host on a remote network protected by a
    firewall. Lock & Key requires users to
    authenticate before allowing their hosts to
    access the remote hosts.

7
Configuring Lock & Key
  • Start by defining a dynamic access list.
  • Configure the router to authenticate VTY users
    using a local database.
  • Enable the router to create a temporary access list
    entry in the dynamic access list.

8
Lock & Key Config Through Router
  • LabA>en
  • Password:
  • LabA#config t
  • LabA(config)#username project password cisco
  • LabA(config)#line vty 0 4
  • LabA(config-line)#login local
  • LabA(config-line)#^Z
  • LabA#config t
  • LabA(config)#access-list 101 permit tcp any any
    eq telnet
  • LabA(config)#access-list 101 dynamic unlock
    timeout 120 permit ip any any
  • LabA(config)#int s0/0
  • LabA(config-if)#ip access-group 101 in
  • LabA(config-if)#^Z
  • LabA#show access-lists
  • Result: Extended IP access list 101
  •     permit tcp any any eq telnet
  •     Dynamic unlock permit ip any any
    (time left 2061)
  • Note: This config example was intended to
    demonstrate class purpose. Check group, int
    accordingly.
  • Lock & Key is usually configured using a TACACS
    server for the authentication query process.
  • For more information about Lock and Key go to
    Cisco's search engine.
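
A fuller version of the slide 8 configuration, as an added example that is not from the original slides: it includes the access-enable step listed on slide 7, sets the idle timeout slide 4 recommends, and narrows the dynamic entry to one destination. The addresses 192.0.2.1 and 198.51.100.10, the 5-minute idle timeout, and the reserved vty 4 line are assumptions made for illustration.

```cisco
! Added example, not from the slides. Addresses are constructed
! (documentation ranges); timeout values are assumptions.
!
username project password cisco
!
! Static entry: users must be able to reach the router by Telnet
! in order to authenticate. 192.0.2.1 = router's outside address.
access-list 101 permit tcp any host 192.0.2.1 eq telnet
!
! Static entry for the administrative line (port 3000 + rotary 1).
access-list 101 permit tcp any host 192.0.2.1 eq 3001
!
! Dynamic template. "timeout 120" is the absolute timeout in minutes.
! The destination is one protected host (198.51.100.10) rather than
! "permit ip any any", so an authenticated user reaches only that host.
access-list 101 dynamic unlock timeout 120 permit ip any host 198.51.100.10
!
interface Serial0/0
 ip access-group 101 in
!
! Lines 0-3: after a successful local login the router runs
! access-enable, which creates the temporary entry from the template.
!   host      - open the entry only for the authenticated source address
!   timeout 5 - idle timeout in minutes; must be lower than the
!               absolute timeout (120) set in the access list
line vty 0 3
 login local
 autocommand access-enable host timeout 5
!
! Line 4: no autocommand. The autocommand closes the Telnet session
! once it has run, so one line is kept for router administration and
! is reached on port 3001.
line vty 4
 login local
 rotary 1
```

After a user authenticates on vty 0-3, show access-lists displays a temporary permit entry for that user's source address beneath the Dynamic unlock line.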

9
Benefits of Lock & Key
  • Lock & Key uses a challenge mechanism to
    authenticate individual users.
  • Lock & Key provides simpler management in large
    internetworks.
  • In many cases, Lock & Key reduces the amount of
    router processing required for access lists.
  • Lock & Key reduces the opportunity for network
    break-ins by network hackers.
  • With Lock & Key, you can specify which users
    are permitted access to which source/destination
    hosts. These users must pass a user
    authentication process before they are permitted
    access to their designated host(s). Lock & Key
    creates dynamic user access through a firewall,
    without compromising other configured security
    restrictions.