Lock and Key by Linda Wier 2/23/2019

Lock and Key Lock & key is a Cisco IOS traffic filtering security feature that dynamically filters IP protocol traffic.It temporarily provides a hole in the firewall without compromising other configured security restrictions.Lock & Key may be configured using IP dynamic extended access lists and can be used in conjunction with other standard access lists and static extended access lists. 2/23/2019

Lock & Key Dynamic Access List For Lock & Key to work When to use lock & key Configuring lock & key 2/23/2019

Dynamic Access List Dynamic access lists enable designated users to gain temporary access to protected resources, no matter what IP address they come in on. When configured, lock & key modifies the existing IP access list of the interface so that it permits the IP addresses of designated users to reach specific destinations. After the user disconnects, lock & key returns the access list back to its original state. You should always define either an idle timeout (with the timeout keyword in this command) or an absolute timeout (with the timeout keyword in the access-list command). Otherwise, the dynamic access list will remain, even after the user has terminated the session. 2/23/2019

For lock & key to work The user must first telnet to the router. Telnetting gives the user a chance to tell the router who he or she is (by authenticating with a username & password), and and what IP address he or she is currently sending from. When authenticated to the router successfully, the users IP address can be granted temporary access through the router. Dynamic access list configuration determines the length of the access granted. TACACS- Terminal Access Controller Access Control System: TACACS is an access control protocol that a switch to authenticate all login attempts through a central authentication server. TACACS consists of 3 services: Authentication, authorization and accounting. Authentication action of determining who the user is & whether or not allowed access to the server. Authorization is the action of determining what the user is allowed to do on the system. Accounting is the action of collecting data related to resource usage. 2/23/2019

When to use lock & key To permit a user or a group of users to securely access a host within a protected network via the internet. Lock & key authenticates the user and than permits limited access through your firewall router, only for that individual host or subnet for a certain period of time. To allow certain users on a local network to access a host on a remote network protected by a firewall. Lock & key requires users to authenticate before allowing their hosts to access the remote hosts. 2/23/2019

Configuring lock & key Start by defining a dynamic access list. Configure a router to authenticate VTY users using a local database. Enable router to create a temporary access list entry in a dynamic access list. Defining a dynamic access list Router (config)#access-list access-list-number dynamic dynamic-name[timeout minutes][deny – permit] protocol source address source wild card destination- address destination wildcard Configuring a dynamic access list 2/23/2019

Lock & Key Config Through Router LabA>en Password: *Note: This config example LabA>config t was intended to LabA(Config)#username (project) password (cisco) demonstrate class LabA(ocnfig)#line vty 0 4 purpose. Check LabA(config-line)#login local group #, int accordingly. LabA(config-line)#^z LabA(config)#access-list 101 permit tcp any any eq telnet LabA(config)#access-list 101 dynamic unlock timeout 120 permit ip any any LabA(config)#int s0/0 LabA(config-if)#ip access-group 101 in LabA(config-if)#^z LabA#show access-lists Result: Extended IP access list 101 Permit tcp any any eq telnet Dynamic unlock permit ip any any (time left 2061) *Lock & Key is usually configured using a TACACS server for authentication query process. For more information about Lock and Key go to Cisco’s search engine. 2/23/2019

Benefits of Lock & Key Lock & Key uses a challenge mechanism to authenticate individual users. Lock & Key provides simpler management in large internetworks. In many cases, Lock & Key reduces the amount of router processing required for access lists. Lock & Key reduces the opportunity for network break-ins by network hackers. With Lock & Key, you can specify which users are permitted access to which source/destination hosts. These users must pass a user authentication process before they are permitted access to their designated host(s). Lock & Key creates dynamis user access through a firewall, without compromising other configured security restrictions. 2/23/2019