5 Security Fundamentals

Access lists are used by routers to control incoming and outgoing traffic by specifying permitted or denied traffic types. They can be basic or extended, and utilize wildcard masks to identify IP address ranges. Proper configuration and application of access lists enhance network security and manage traffic flow effectively.

Uploaded by ronald vlavonou

Access List

Routers use access lists to control incoming or outgoing traffic. You should know the following
characteristics of an access list.

• Access lists describe the traffic type that will be controlled.
• Access list entries describe the traffic characteristics.
• Access list entries identify either permitted or denied traffic.
• Access list entries can describe a specific traffic type, or allow or restrict all traffic.
• When created, an access list contains an implicit deny any entry at the end of the access list.
• Each access list applies only to a specific protocol.
• Each router interface can have up to two access lists for each protocol, one for incoming traffic
and one for outgoing traffic.
• When an access list is applied to an interface, it identifies whether the list restricts incoming or
outgoing traffic.
• Access lists exist globally on the router, but filter traffic only for the interfaces to which they
have been applied.
• Each access list can be applied to more than one interface. However, each interface can only
have one incoming and one outgoing list.
• Access lists can be used to log traffic that matches the list statements.
• Access lists applied to inbound traffic filter packets before the routing decision is made.
Access lists applied to outbound traffic filter packets after the routing decision is made.

When you create an access list, it automatically contains a deny any statement, although this
statement does not appear in the list itself. For a list to allow any traffic, it must have at least one
permit statement, either permitting a specific traffic type or permitting all traffic not specifically
restricted.

There are two general types of access lists: basic and extended.

Use a standard list to filter on...     Use an extended list to filter on...
Source hostname or host IP address      IP protocol (i.e. IP, TCP, UDP, etc.)
                                        Source hostname or host IP address
                                        Source or destination socket number
                                        Destination hostname or host IP address
                                        Precedence or TOS values

Wildcard Mask

The wildcard mask is used with access list statements to identify a range of IP addresses (such as all
addresses on a specific network). When used to identify network addresses in access list statements,
wildcard masks are the exact opposite of a subnet mask. To calculate the wildcard mask:

1. Identify the decimal value of the subnet mask.
2. Subtract each octet in the subnet mask from 255.

For example, suppose you wanted to allow all traffic on network 10.12.16.0/21. To find the wildcard
mask:

1. A mask that covers 21 bits converts to 255.255.248.0
2. The wildcard mask would be:
   o First octet: 255 - 255 = 0
   o Second octet: 255 - 255 = 0
   o Third octet: 255 - 248 = 7
   o Fourth octet: 255 - 0 = 255
   This gives you the mask of: 0.0.7.255

Like subnet masks, wildcard masks operate at the bit level. Any bit in the wildcard mask with a 0 value
means that the bit must match to match the access list statement. A bit with a 1 value means that the
bit does not have to match. For example, let's examine the subnet address, subnet mask, and
wildcard mask in binary form for the preceding example.

Address Type     Decimal Values   Binary Values
Subnet address   10.12.16.0       00001010.00001100.00010000.00000000
Subnet mask      255.255.248.0    11111111.11111111.11111000.00000000
Wildcard mask    0.0.7.255        00000000.00000000.00000111.11111111

Notice how the bits in the wildcard mask are exactly opposite of the bits in the subnet mask. Suppose
an access list were created with a statement as follows:

access-list 12 deny 10.12.16.0 0.0.7.255

Suppose that a packet addressed to 10.12.16.15 was received. The router uses the wildcard mask to
compare the bits in the address to the bits in the subnet address.

Address Type        Decimal Values   Binary Values
Subnet address      10.12.16.0       00001010.00001100.00010000.00000000
Wildcard mask       0.0.7.255        00000000.00000000.00000111.11111111
Target address #1   10.12.16.15      00001010.00001100.00010000.00001111
How the router applies the mask to the address:   mmmmmmmm.mmmmmmmm.mmmmmiii.iiiiiiii
• m=match
• i=ignored
• x=doesn't match

In this example, all bits identified with a 0 in the wildcard mask must match between the address and
the network address. Any bit identified with a 1 is ignored. In this example, 10.12.16.15 matches the
access list statement and the traffic is denied.

Now suppose that a packet addressed to 10.13.17.15 was received. The router uses the wildcard
mask to compare the bits in the address to the bits in the subnet address.

Address Type        Decimal Values   Binary Values
Subnet address      10.12.16.0       00001010.00001100.00010000.00000000
Wildcard mask       0.0.7.255        00000000.00000000.00000111.11111111
Target address #1   10.13.17.15      00001010.00001101.00010001.00001111
How the router applies the mask to the address:   mmmmmmmm.mmmmmmmx.mmmmmiii.iiiiiiii
• m=match
• i=ignored
• x=doesn't match

Notice that this address does not match the access list statement as identified with the wildcard mask.
In this case, traffic would be permitted.

Tip: If you use a table to help you identify subnet masks, be aware that the wildcard mask value is one
less than the magic number, as shown in the following table:

Bits in the mask      /25   /26   /27   /28   /29   /30   /31   /32
Magic number          128    64    32    16     8     4     2     1
Decimal mask value    128   192   224   240   248   252   254   255
Wildcard mask value   127    63    31    15     7     3     1     0
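
As an added example that is not part of the original study guide, the following Python code carries the wildcard mask arithmetic above through in code: it derives the mask from a prefix length by the octet subtraction described, performs the bit-level comparison a router makes for a statement such as access-list 12 deny 10.12.16.0 0.0.7.255, reproduces the m/i/x rows from the tables, and checks the magic-number relationship from the tip. The function names are my own.

```python
# Added example (not from the original study guide): wildcard mask
# arithmetic and the bit-level match test a router performs for a
# standard access list entry such as "access-list 12 deny 10.12.16.0 0.0.7.255".
# The sample addresses are the ones used in the text above.
import ipaddress


def wildcard_from_prefix(prefix_len: int) -> str:
    """Derive the wildcard mask for a /prefix_len network by subtracting
    each subnet-mask octet from 255, as the guide describes."""
    subnet_mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask
    return ".".join(str(255 - octet) for octet in subnet_mask.packed)


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def matches(network: str, wildcard: str, target: str) -> bool:
    """A target matches when every bit that is 0 in the wildcard mask is
    identical in the network address and the target; 1 bits are ignored."""
    care_bits = ~to_int(wildcard) & 0xFFFFFFFF
    return ((to_int(network) ^ to_int(target)) & care_bits) == 0


def match_diagram(network: str, wildcard: str, target: str) -> str:
    """Reproduce the m/i/x row from the guide's tables: m = bit had to match
    and did, i = bit ignored by the wildcard, x = bit had to match but did not."""
    n, w, t = to_int(network), to_int(wildcard), to_int(target)
    chars = []
    for bit in range(31, -1, -1):          # most significant bit first
        if (w >> bit) & 1:
            chars.append("i")
        elif ((n >> bit) & 1) == ((t >> bit) & 1):
            chars.append("m")
        else:
            chars.append("x")
    s = "".join(chars)
    return ".".join(s[i:i + 8] for i in range(0, 32, 8))


def magic_number_row(prefix_len: int) -> tuple:
    """For a prefix that ends in the last octet (/25 to /32) return
    (magic number, decimal mask octet, wildcard octet); the wildcard
    octet is always the magic number minus one, as the tip states."""
    magic = 2 ** (32 - prefix_len)
    return magic, 256 - magic, magic - 1


if __name__ == "__main__":
    print(wildcard_from_prefix(21))        # 0.0.7.255
    for target in ("10.12.16.15", "10.13.17.15"):
        print(target, matches("10.12.16.0", "0.0.7.255", target),
              match_diagram("10.12.16.0", "0.0.7.255", target))
    print(magic_number_row(29))            # (8, 248, 7)
```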

Access List Configuration

Configuring access lists involves two general steps:

1. Create the list and list entries with the access-list command.
2. Apply the list to a specific interface or line.
o Use the ip access-group command to apply the list to an interface.
o Use the access-class command to apply the list to a line.

When constructing access list statements, keep in mind the following:

• The access list statement includes the access list number. The type of list (standard or
extended) is indicated by the access list number. Use the following number ranges to define
the access list:
o 1-99 = Standard IP access lists
o 100-199 = Extended IP access lists
• A single access list can include multiple access list statements. The access list number groups
all statements into the same access list.
• List statements include an action, either permit or deny.
• To identify a host address in the access list statement, use the following formats:
n.n.n.n
n.n.n.n 0.0.0.0
OR host n.n.n.n
Where n.n.n.n is the IP address of the host.
• To identify a network address, use the format:
n.n.n.n w.w.w.w
Where n.n.n.n is the subnet address and w.w.w.w is the wildcard mask.
• Enter access list statements in order, with the most restrictive statements at the top. Traffic is
matched to access list statements in the order they appear in the list. If the traffic matches a
statement high in the list, subsequent statements will not be applied to the traffic.
• Each access list has an implicit deny any statement at the end of the access list. Your access
list must contain at least one allow statement, or no traffic will be allowed.
• When you remove an access list statement, the entire access list is deleted. Use Notepad or
another text editor to construct and modify access lists, then paste the list into the router
console.
• A single access list can be applied to multiple interfaces.
• Extended access lists include a protocol designation (such as IP, TCP, or UDP). Use IP to
match any Internet Protocol (including TCP and UDP). Use other keywords to match specific
protocols.
• Newer routers include an access list command prompt mode.
o Before you can enter access list statements, you must first enter the configuration
mode for access lists. For example, typing ip access-list standard 3 creates the
standard IP address list number 3, and changes the router prompt to:
Router(config-std-nacl)#
o In access list mode, you can use a sequence number to identify the order of access
list statements.
o Removing an access list statement removes only that statement, not the entire access
list.

Examples
The following commands create a standard IP access list that permits all outgoing traffic except the
traffic from network 10.0.0.0, and applies the list to the Ethernet0 interface.

Router(config)#access-list 1 deny 10.0.0.0 0.255.255.255
Router(config)#access-list 1 permit any
Router(config)#int e0
Router(config-if)#ip access-group 1 out

The following commands create a standard IP access list that rejects all traffic except traffic from host
10.12.12.16, and applies the list to the Serial0 interface.

Router(config)#access-list 2 permit 10.12.12.16 0.0.0.0
Router(config)#int s0
Router(config-if)#ip access-group 2 in

The following commands create an extended IP access list that rejects packets from host 10.1.1.1
sent to host 15.1.1.1, and applies the list to the second serial interface.

Router(config)#access-list 101 deny ip 10.1.1.1 0.0.0.0 15.1.1.1 0.0.0.0
Router(config)#access-list 101 permit ip any any
Router(config)#int s1
Router(config-if)#ip access-group 101 in

The following commands create an extended IP access list that does not forward TCP packets from
any host on network 10.0.0.0 to network 11.12.0.0, and applies the list to the first serial interface.

Router(config)#access-list 111 deny tcp 10.0.0.0 0.255.255.255 11.12.0.0 0.0.255.255
Router(config)#access-list 111 permit ip any any
Router(config)#int s0
Router(config-if)#ip access-group 111 in

The following commands create a standard access list that allows VTY lines 0-4 access only from the
internal network of 192.168.1.0/24:

Router(config)#access-list 12 permit 192.168.1.0 0.0.0.255
Router(config)#line vty 0 4
Router(config-line)#access-class 12 in

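The examples above can be checked against a small simulator of the first-match and implicit-deny behaviour of numbered lists. This is an added example, not code from the original study guide; the parser understands only the statement forms shown on this page (standard: any, host n.n.n.n, n.n.n.n w.w.w.w; extended: protocol, source, destination), and the function and class names are my own.

```python
# Added example (not from the original study guide): evaluate the numbered
# access lists shown above the way a router does, top to bottom, first
# matching entry wins, implicit "deny any" at the end of every list.
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"        # ip, tcp or udp


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _parse_address(tokens: list) -> tuple:
    """Consume one address spec from the token list and return
    (network, wildcard) as integers. Accepts "any", "host A",
    "A W" (address plus wildcard mask) or a bare "A" (host)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _to_int(tokens.pop(0)), 0
    net = _to_int(tok)
    if tokens and tokens[0].count(".") == 3:   # a wildcard mask follows
        return net, _to_int(tokens.pop(0))
    return net, 0


def _match(net: int, wildcard: int, addr: int) -> bool:
    # Bits that are 0 in the wildcard must be equal; 1 bits are ignored.
    return ((net ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def parse_acl(lines: list) -> tuple:
    """Parse "access-list <n> <permit|deny> ..." statements into
    (number, entries). Standard lists (1-99) carry only a source;
    extended lists (100-199) carry protocol, source and destination."""
    number, entries = None, []
    for line in lines:
        tokens = line.split()
        assert tokens[0] == "access-list"
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if number <= 99:
            entries.append((action, "ip", _parse_address(rest), (0, 0xFFFFFFFF)))
        else:
            proto = rest.pop(0)
            src = _parse_address(rest)
            dst = _parse_address(rest)
            entries.append((action, proto, src, dst))
    return number, entries


def evaluate(entries: list, pkt: Packet) -> str:
    """Walk the list in order; the first matching entry decides, and a
    packet that matches nothing hits the implicit deny any."""
    s, d = _to_int(pkt.src), _to_int(pkt.dst)
    for action, proto, (snet, swc), (dnet, dwc) in entries:
        if proto != "ip" and proto != pkt.protocol:
            continue                # "ip" matches any IP protocol
        if _match(snet, swc, s) and _match(dnet, dwc, d):
            return action
    return "deny"


# The guide's own lists, reproduced here as constructed input.
ACL_1 = ["access-list 1 deny 10.0.0.0 0.255.255.255",
         "access-list 1 permit any"]
ACL_2 = ["access-list 2 permit 10.12.12.16 0.0.0.0"]
ACL_101 = ["access-list 101 deny ip 10.1.1.1 0.0.0.0 15.1.1.1 0.0.0.0",
           "access-list 101 permit ip any any"]
ACL_111 = ["access-list 111 deny tcp 10.0.0.0 0.255.255.255 11.12.0.0 0.0.255.255",
           "access-list 111 permit ip any any"]

if __name__ == "__main__":
    cases = [
        ("1", ACL_1, Packet("10.4.5.6", "192.0.2.1")),          # deny
        ("2", ACL_2, Packet("10.12.12.17", "192.0.2.1")),       # implicit deny
        ("101", ACL_101, Packet("10.1.1.1", "15.1.1.1")),       # deny
        ("111", ACL_111, Packet("10.9.9.9", "11.12.3.4", "udp")),  # permit
    ]
    for name, acl, pkt in cases:
        print(f"list {name}: {pkt} -> {evaluate(parse_acl(acl)[1], pkt)}")
    # Order matters: with "permit any" first, the deny entry is never reached.
    print("list 1 reversed ->", evaluate(parse_acl(list(reversed(ACL_1)))[1],
                                         Packet("10.4.5.6", "192.0.2.1")))
```

Reversing list 1 shows why the guide says to put the most restrictive statements at the top: once a packet matches permit any, the deny below it is never evaluated.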
Monitoring Access Lists

The following list summarizes the commands to use for viewing specific access list information on the
router.

If you want to view...                      Use...
All access lists that exist on the router   show run
                                            show access-lists
All access lists applied to an interface    show ip int
                                            show run
Rejected traffic information                show log
IP access lists configured on the router    show run
                                            show ip access-lists
A specific access list                      show access-lists <number>

Access List Implementation

A carefully-designed access list provides a measure of security to both the router and any connected
networks. You can use an access list to prevent some forms of Internet attacks, or to restrict the
devices that are allowed to send packets through a router. A router that uses access lists is a form of
firewall because it allows or denies the flow of packets between networks. You can use a Cisco router
with access list statements to protect your private network from the Internet, or to protect Internet
servers from specific attacks.

After you have created an access list, you must apply it to an interface. In many cases, this means you
will need to decide which router, which port, and which direction to apply the access list to. Keep in
mind the following:

• The access list is applied to traffic with a specific direction (either in or out).
• Each interface can only have one inbound and one outbound access list for each protocol.
This means that an interface can have either a standard inbound or an extended inbound IP
access list, but not both.
• You can have two access lists for the same direction applied to an interface if the lists restrict
different networking protocols. For example, you can have one outbound IP access list and
one outbound IPX access list.
• When constructing access lists, place the most restrictive statements at the top. Traffic is
matched to access list statements in the order they appear in the list. If traffic matches a
statement high in the list, subsequent statements will not be applied to the traffic.
• Each access list has an implicit deny any statement at the end of the access list. Your access
list must contain at least one allow statement, or no traffic will be allowed.
• As a general rule, apply extended access lists as close to the source router as possible. This
keeps the packets from being sent throughout the rest of the network.
• As a general rule, apply standard access lists as close to the destination router as possible.
This is because standard access lists can only filter on source address. Placing the list too
close to the source will prevent any traffic from the source from getting to any other parts of
the network.
• When making placement decisions, carefully read all access lists statements and
requirements. Identify blocked and allowed traffic, as well as the direction that traffic will be
traveling. Place the access list on the interface where a single list will block (or allow) all
necessary traffic.

TCP/IP Ports

Network ports are logical connections, provided by the TCP or UDP protocols at the Transport layer,
for use by protocols in the upper layers of the OSI model. The TCP/IP protocol stack uses port
numbers to determine what protocol incoming traffic should be directed to. Some characteristics of
ports are listed below:

• Ports allow a single host with a single IP address to run network services. Each port number
identifies a distinct service.
• Each host can have over 65,000 ports per IP address.
• Port use is regulated by the Internet Corporation for Assigning Names and Numbers (ICANN).

ICANN specifies three categories for ports.

Categories                  Characteristics
Well Known                  • Assigned for specific protocols and services
                            • Port numbers range from 0 to 1023
Registered                  • ICANN can assign a specific port for a newly created network service
                            • Port numbers range from 1024 to 49151
Dynamic (Private or High)   • Assigned when a network service establishes contact and released when the
                              session ends
                            • Allows applications to 'listen' to the assigned port for other incoming requests
                              (traffic for a protocol can be received through a port other than the port which
                              the protocol is assigned, as long as the destination application or service is
                              'listening' for that type of traffic on that port)
                            • Port numbers range from 49,152 to 65,535

The following table lists the well known ports that correspond to common Internet services.

Protocol(s)   Port(s)     Service
TCP           20, 21      File Transfer Protocol (FTP)
TCP, UDP      22          Secure Shell (SSH)
TCP, UDP      23          Telnet
TCP, UDP      25          Simple Mail Transfer Protocol (SMTP)
TCP, UDP      53          Domain Name Server (DNS)
UDP           67, 68      Dynamic Host Configuration Protocol (DHCP)
UDP           69          Trivial File Transfer Protocol (TFTP)
TCP           80          HyperText Transfer Protocol (HTTP)
TCP           110         Post Office Protocol (POP3)
TCP           119         Network News Transport Protocol (NNTP)
UDP           123         NTP
TCP, UDP      143         Internet Message Access Protocol (IMAP4)
TCP, UDP      161, 162    Simple Network Management Protocol (SNMP)
TCP, UDP      389         Lightweight Directory Access Protocol
TCP           443         HTTP with Secure Sockets Layer (SSL)

Note: When creating access lists, allow only the port numbers that correspond to the services running
on the servers.

Security Facts

Consider the following security threats:

• Internal threats are intentional or accidental acts by employees including:
o Accidental exposure to information or assets that happens when employees explore
or experiment.
o Errors and omissions that negatively impact company assets.
o Malicious acts such as theft or fraud.
• External threats are those events originating outside of the organization that typically focus on
compromising the organization's information assets. Examples include hackers, fraud
perpetrators, and viruses.
• Structured threats include attacks where the attacker is knowledgeable of network
vulnerabilities and systematically attempts to exploit the vulnerabilities.
• Unstructured threats are where an unknowledgeable attacker may download a tool or program
from the Internet and attempt to use it.

Be aware of the following types of security threats:

Threat: Reconnaissance
A reconnaissance attack is exploring or probing a system to discover information
about the system. Most malicious attacks are preceded by a reconnaissance
attack. There are two types of reconnaissance attacks:
• Passive reconnaissance is characterized by gathering data. Passive
reconnaissance does not directly affect the target. Examples of this stage
include:
o Eavesdropping on employee conversations.
o Looking over the shoulder of an employee.
o Going through the trash looking for information (dumpster diving).
o Browsing the organization's website.
• Active scanning is coming into contact with the system. Active scanning
can include:
o Scanning for wireless access points within the organization (war
driving).
o Trying to access phone lines that will answer a calling modem
(war dialing).
o Capturing information transmitted by the remote host including the
application type, application version and even operating system
type and version (banner grabbing).
o Probing the corporate network with scanning tools.

Threat: Social engineering
Social engineering is a form of reconnaissance attack that exploits human nature
by convincing someone to reveal information or perform an activity. Examples of
social engineering include:
• Impersonating support staff or management, either in person or over the
phone.
• Asking for someone to hold open a door rather than using a key for
entrance.
• Spoofed e-mails that ask for information or ask for tasks to be performed
(such as delete a file or go to a Web site and enter sensitive information).
This is also known as phishing.
• Looking on desks for usernames and passwords.

Threat: Denial of service
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks impact
system availability by flooding the target system with traffic or requests or by
exploiting a system or software flaw. The main purpose of a DoS attack is to
overwhelm the system to make it unavailable for legitimate use. Examples include:
• A ping flood is where the victim is overwhelmed with ICMP Echo
Request (ping) packets.
• The SYN flood exploits the TCP three-way handshake.
• Spam is sending unwanted e-mail messages.
• A buffer overflow is when software code receives more input than it was
designed to handle and when the programmer of that code failed to
include input validation checks, thus allowing the attacker to perform any
operation on a system.

Threat: Malware
Malicious code (sometimes called malware) is a type of software designed to take
over or damage a computer user's operating system without the user's knowledge
or approval. Common malware examples are listed below:
• A virus is a program that attempts to damage a computer system and
replicate itself to other computer systems.
• A worm is a self-replicating program that can be designed to do any
number of things, such as delete files or send documents via e-mail.
• A Trojan horse is a malicious program that is disguised as legitimate
software.
• Spyware monitors the actions you take on your machine and sends the
information back to its originating source.
• Adware is a software package which automatically plays, displays, or
downloads advertising material to a computer after the software is installed
on it or while the application is being used.

Threat: Access attacks
Access attacks refer to attackers trying to gain unauthorized access to networks or
computer systems. Common access attacks are listed below:
• Spoofing is used to hide the true source of packets or redirect traffic to
another location. The most common form of spoofing on a typical IP
packet is modification of the source address.
• Man-in-the-middle attacks are used to intercept information passing
between two communication partners.
• Password cracking is the process of recovering secret passwords from
data that has been stored in or transmitted by a computer system.
Examples include the following:
o A brute force attack is a method of defeating a password by
exhaustively working through all possibilities in order to find the
password.
o A dictionary attack refers to the technique of trying to guess a
password by running through a list of words from a dictionary.
o A hybrid attack refers to the technique of adding appendages to
known dictionary words. For example, 1password, password07,
p@ssword1.

Security Solution Recommendations

Use the following general measures to improve security:

• Use passwords to protect consoles and ports.
• Restrict physical access to devices.
• Update device firmware and BIOS.
• Use ACLs on routers and firewalls to filter and control traffic.
• Install antivirus software on the network.
• Create a written security policy. The security policy outlines security measures to implement to
protect the network.
• Implement training so that users are aware of security policies and understand the need to
follow established procedures. Training and education are often the most effective solution for
social engineering attacks.
• Periodically review the security policy and security methods to ensure that they are adequate.
• Implement multiple security measures to protect the same asset. Defense in depth or security
in depth is the premise that no single layer is completely effective in securing the organization.

Specific network security methods and devices include the following:

Implementation: Firewall
A firewall is a network device installed on the border of secured networks
to protect a private network from a public network or to separate one
private network from another.
• Most firewalls use an access list to control traffic entering and
leaving the trusted network environment.
• Firewalls that use access lists filter traffic based on source or
destination IP address, port number, service protocol, or
application or service type.
• Firewalls typically examine each packet separately, and make
decisions on a single packet.
Cisco implemented a brand of firewall products called PIX firewalls. PIX
firewalls are being replaced by Cisco's Adaptive Security Appliance (ASA)
line of devices.

Implementation: Demilitarized zone (DMZ)
A demilitarized zone (DMZ), or screened subnet, is a subnet protected by
two firewalls: the outer firewall screens traffic coming from the Internet,
while the inner firewall controls the traffic that is allowed inside the private
network. If the firewall managing traffic into the DMZ fails, only the servers
in the DMZ are subject to compromise.

Implementation: Adaptive Security Appliance (ASA)
Cisco's Adaptive Security Appliance (ASA) is a security appliance that
provides a range of security features including:
• Anti-virus tools prevent the transmission of known viruses (and
other types of malware) based on signatures.
• Anti-spyware tools scan network traffic to prevent the transmission
of spyware programs.
• Anti-spam tools examine and delete or segregate unwanted e-mail
before it reaches the user.
• Anti-phishing tools monitor URLs sent in messages through the
network, looking for the fake URLs inherent in phishing attacks.
• URL filtering prevents users from connecting to inappropriate sites
based on URLs.
• E-mail filtering prevents e-mail containing offensive materials from
reaching the user, potentially protecting the enterprise from
lawsuits.
Because the names of several of the tools start with anti-, Cisco uses the
term anti-x to refer to the whole of the class of security tools.
Note: Cisco's ASA hardware can act as a firewall. So when speaking
about security, the term firewall still refers to the firewall functions, but
today the Cisco product may be an older, still-installed PIX firewall or a
new ASA.

Implementation: Network Admission Control (NAC)
Network Admission Control (NAC), Cisco's version of Network Access
Control, is an access control function that can restrict a device's access to
the network to ensure network security. When a network device (such as a
switch, router, access point, or DHCP server) is configured for NAC, it can
force user or machine authentication prior to granting access to the
network. It can also perform checks to ensure that the connecting device
meets minimum standards for security such as having an installed
antivirus software.

Implementation: Intrusion Detection System (IDS) and Intrusion Prevention Systems (IPS)
An Intrusion Detection System (IDS) is a hardware or software device that
examines the network to identify possible in-progress attacks.
• A passive IDS looks for security breaches but effectively takes no
action. A passive IDS can log suspicious activity and generate
alerts if the attack is deemed to be severe. It is the network
administrator's job to interpret the degree of the threat and to
respond accordingly.
• An active IDS (also called an Intrusion Prevention System or IPS)
can also be configured to take specific actions when security
breaches occur. If it detects a security breach or identifies possible
in-progress attacks (such as a Denial of Service attack), the IPS
will react to the attack and take measures to stop the attack
altogether or prevent further damage from happening.
Both an IDS and an IPS use the following mechanisms for identifying
attacks:
• The anomaly recognition engine monitors normal traffic to define a
standard activity pattern as normal.
• The signature recognition engine looks for patterns in network
traffic and compares it to known attack patterns called signatures.
Network traffic is compared to the signature files for a match. If the traffic
does not match a known signature, it is allowed. If the traffic matches a
signature, the alert or action is triggered. One disadvantage to a signature-
based IDS is the potential for errors:
• A false positive means that the legitimate traffic was identified as
malicious, and was not allowed. False positives result in lost data.
An e-mail from a business associate identified as spam is an
example of a false positive.
• A false negative means that malicious traffic was not properly
identified as malicious and was allowed. Spam that is not caught but is
delivered to your inbox is an example of a false negative.
Be aware of the following:
• Antivirus software is the most common form of a host-based IDS.
• For adequate protection, keep the signature files up to date.
• A false negative is typically worse than a false positive. A false
negative allows malicious traffic that can cause damage, while a
false positive only results in lost data that can be resent if
required.
• Unlike an access list that filters only on individual packets, IDS
and IPS devices can look for patterns that cross multiple packets.
• The actions that the IPS might take in response to an attack could
expose you to legal risk. For example, a wireless IPS could spoof
the attacker and send de-authentication frames to the wireless
victim in response to a perceived threat. In the case of a litigation
suit, you must provide proof that the incident was an attack and
not just the result of a misconfiguration.

Implementation: Virtual Private Network (VPN)
A Virtual Private Network (VPN) is a network that uses encryption to allow
IP traffic to travel securely over the TCP/IP network. A VPN can be used
over a local area network, across a WAN connection, over the Internet,
and even between a client and a server over a dial-up connection through
the Internet. VPNs work by using a tunneling protocol that wraps and
encrypts packets in transit. Only the destination device can unwrap the
packets to read them.

Implementation: Network Operation Center (NOC)
A Network Operation Center (NOC) is one or more locations from which
control is exercised over a computer or telecommunications network.
Large organizations may operate more than one NOC, either to manage
different networks or to provide geographic redundancy in the event of one
site being unavailable or offline.

Implementation: Centralized Authentication
Centralized authentication is where a protocol centrally validates or
authenticates remote clients through user account names and passwords.
Centralized authentication protocols include the following:
• Remote Authentication Dial In User Service (RADIUS)
• Terminal Access Controller Access-Control System (TACACS)
Centralized authentication simplifies administration and reduces errors
caused by needing to configure multiple devices.

Hardening Facts

Hardening is the process of securing devices and software by reducing the security exposure and
tightening security controls. Take the following general actions to secure your devices and network:

Security measure: Physical security
Ensure physical security by keeping network devices in a locked room. If someone
can gain access to the physical Cisco device, they can easily bypass any configured
passwords. Passwords are useless if physical access is not controlled.

Security measure: Secure passwords
Use the following methods to secure Cisco device passwords:
• Set the enable secret password instead of the enable password. Make sure
the two passwords are different.
• Use the service password-encryption command to encrypt other
passwords in the configuration file. This provides a low level of security, but
passwords can be easily broken.

Security measure: Control remote access
Secure remote access through the following actions:
• Configure VTY passwords. Use the login command with a password to
require a password. Use the login command without a password to prevent
access.
• Configure SSH (Secure Shell) as an allowable (default) method for VTY lines.
• Use an access list on VTY lines to prevent access from specific locations.

Security measure: Access lists
Use access lists to control incoming or outgoing traffic with the following criteria:
• IP protocol (i.e. IP, TCP, UDP, etc.)
• Source hostname or host IP address
• Source or destination socket number
• Destination hostname or host IP address
• Precedence or TOS values

Security measure: Banner
Use the banner command to provide a warning banner to users who try to log into
the router. Be aware of the following:
• In some jurisdictions, civil and criminal prosecution of crackers who break
into your systems is made much easier if you provide a banner that informs
unauthorized users that their use is unauthorized.
• In other jurisdictions, you can be forbidden to monitor the activities of even
unauthorized users unless you have taken steps to notify them of your intent.

Security measure: CDP
Use no cdp run on the device or no cdp enable on an interface to avoid sharing
information about the Cisco device with neighboring devices. This helps to reduce
exposure due to reconnaissance attacks.

SSH Configuration

SSH (Secure Shell) is a secure and acceptable alternative to Telnet. SSH uses RSA public key
cryptography for both connection and authentication. Use the following commands to configure SSH
on a VTY line.

Use . . .                                                To . . .

router_name(config)#crypto key generate rsa              Generate a matched public and private key pair, as
                                                         well as a shared encryption key. To generate the key
                                                         pair, the device must have both a hostname (other
                                                         than Router) and an ip domain-name configured.

router_name(config)#aaa new-model                        Enable advanced security features for authentication
router_name(config)#username <value> password <value>    and configure a local username and password that will
                                                         be used for SSH authentication.

router_name(config-line)#transport input ssh             Tell the device which type of connections to allow. Use
router_name(config-line)#transport input telnet          the telnet or ssh keyword to identify the type of
router_name(config-line)#transport input telnet ssh      allowed access. Use both keywords to accept both
                                                         access types.

Example
The following commands configure SSH to accept a username of admin with a password of cisco,
allowing only SSH on lines VTY 0-4:

RouterA#config t
RouterA(config)#ip domain-name westsim.com
RouterA(config)#crypto key generate rsa
RouterA(config)#aaa new-model
RouterA(config)#username admin password cisco
RouterA(config)#line vty 0 4
RouterA(config-line)#transport input ssh

Port Security

Under normal circumstances, there are no restrictions on the devices that can be attached to a switch
port. With switch port security, the devices that can connect to a switch through the port are restricted.

• Port security uses the MAC address to identify allowed and denied devices.
• By default, port security allows only a single device to connect through a switch port. You can,
however, modify the maximum number of allowed devices.
• MAC addresses are stored in RAM in a table, and are identified with the port and by a MAC
address type. Port security uses the following three MAC address types:

Type Description

SecureConfigured
    A SecureConfigured address is a MAC address that has been manually identified as an allowed address. The address is configured in interface mode and stored in the running-config file.

SecureDynamic
    A SecureDynamic address is a MAC address that has been dynamically learned and allowed by the switch.
    1. When a device connects to the switch port, its MAC address is identified.
    2. If the maximum number of allowed devices has not been reached, its MAC address is added to the table, and use of the port is allowed.
    SecureDynamic addresses are only saved in the MAC address table in RAM, and are not added to the configuration file.

SecureSticky
    A SecureSticky address is a MAC address that is manually configured or dynamically learned and saved. With sticky learning enabled:
    1. When a device connects to the switch port, its MAC address is identified.
    2. If the maximum number of allowed devices has not been reached, its MAC address is added to the table, and use of the port is allowed.
    3. The MAC address is automatically entered into the running-config file as a sticky address.
    Be aware of the following:
    o You can manually configure an address and identify it as a sticky address.
    o If you disable the sticky feature, all sticky addresses are converted to SecureDynamic addresses.
    o If you enable the sticky feature, all SecureDynamic addresses are converted to SecureSticky addresses, even if they have been learned before the sticky feature was enabled.

• A port violation occurs when the maximum number of MAC addresses has been seen on the
port, and an unknown MAC address is then seen.
• You can configure the switch to take one of the following actions when a violation occurs:
o Shut down the port. This is the default setting.
o Drop all frames from unauthorized MAC addresses.
o Drop all frames and generate an SNMP trap.

Be aware of the following when using port security:

• You can only enable port security on an access port.


• Port security does not protect against MAC address spoofing (where an attacker changes the
MAC address to match the MAC address of an allowed device).
• If you do not manually configure allowed MAC addresses for a port, the switch will allow the
first MAC addresses it detects to connect, up to the maximum number.
• Once the maximum number of MAC addresses for a port has been reached, either through
manual, dynamic, or sticky learning, no more MAC addresses will be allowed, and a violation
will occur.
• Save the running-config file to the startup-config to make manually-configured and sticky
addresses available when the system restarts. Otherwise, the switch will need to relearn sticky
addresses.
• When using Voice-over-IP phones and workstations on a single port, increase the maximum
allowed number above 1, allowing at least one MAC address for the phone and one for the
workstation. The recommended value is 3.

Port Security Configuration

Each switch port has its own port security settings. To configure port security, take the following
general actions:

• Explicitly configure the port as an access port.
• Enable switch port security.
• (Optional) Configure MAC addresses and other settings. When you enable port security, the
following default settings are used:
o A maximum of 1 device
o Violation mode is shutdown
o Dynamic learning is enabled, but sticky learning is disabled

Use the following commands to manage switch port security:

Command Function

switch(config-if)#switchport mode access
    Identifies the port as an access port.
    Note: You can only configure port security after explicitly making the port an access port.

switch(config-if)#switchport port-security
    Enables port security.
    Note: You can enter port security commands for an interface without port security being enabled. However, port security will not be enforced (enabled) if this entry is missing.

switch(config-if)#switchport port-security maximum <1-8320>
    Configures the maximum number of MAC addresses that can be allowed for a port. The default allows only a single MAC address per port. Use the no form of the command to reset the value to its default.

switch(config-if)#switchport port-security mac-address sticky
    Enables sticky learning of MAC addresses. Without this command, addresses are dynamically learned but not recorded. With this command, learned addresses are added to the running-config file. Using the no form of the command disables sticky learning, removes any sticky entries from the configuration file, and converts the sticky addresses to dynamic addresses.

switch(config-if)#switchport port-security mac-address h.h.h
    Identifies an allowed MAC address (h.h.h is a hexadecimal number).

switch(config-if)#switchport port-security mac-address sticky h.h.h
    Identifies an allowed MAC address, making it a sticky address.

switch(config-if)#switchport port-security violation action
    Identifies the action the switch will take when an unauthorized device attempts to use the port. Action keywords are:
    • protect drops the frames from the unauthorized device
    • restrict does the same as protect and also generates an SNMP trap
    • shutdown disables the port

switch#errdisable recovery cause psecure-violation
    Recovers from a port security violation (enables disabled ports). You can also enable disabled ports by using the shutdown/no shutdown commands for the interface.

Note: You cannot configure more MAC addresses for a port than the maximum allowed number. To
add more MAC addresses to an interface after the limit has been reached, increase the maximum
number first or delete existing MAC addresses. This limitation applies to MAC addresses with or
without the sticky parameter.

Examples
The following commands configure switch port security to allow only host 5ab9.0012.02af to use Fast
Ethernet port 0/12:

switch(config)#interface fast 0/12
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security mac-address 5ab9.0012.02af

The following commands configure Fast Ethernet port 0/15 to accept the first MAC address it
receives as the allowed MAC address for the port:

switch(config)#interface fast 0/15
switch(config-if)#switchport mode access
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security mac-address sticky
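The port security behaviour described above (the maximum, dynamic and sticky learning, the sticky conversions and the three violation actions), modelled as an added Python example; this is not Cisco code, the SecurePort class and its method names are assumptions, and the MAC addresses in the demo are constructed.

```python
"""Model of the switch port security rules described above (added illustration, not Cisco code)."""

CONFIGURED = "SecureConfigured"
DYNAMIC = "SecureDynamic"
STICKY = "SecureSticky"


class SecurePort:
    def __init__(self, maximum=1, violation="shutdown", sticky=False):
        # Defaults applied when port security is enabled: 1 device, shutdown, no sticky learning.
        self.maximum = maximum
        self.violation = violation        # "protect", "restrict" or "shutdown"
        self.sticky = sticky
        self.table = {}                   # MAC -> address type (the table kept in RAM)
        self.running_config = set()       # MACs that would appear in the running-config file
        self.status = "Secure-up"
        self.violation_count = 0
        self.traps = []                   # SNMP traps a "restrict" violation would send
        self.last_source = None

    def configure_mac(self, mac, sticky=False):
        """switchport port-security mac-address [sticky] h.h.h"""
        if mac not in self.table and len(self.table) >= self.maximum:
            raise ValueError("maximum reached: raise it or delete an address first")
        self.table[mac] = STICKY if sticky else CONFIGURED
        self.running_config.add(mac)

    def set_sticky(self, enabled):
        """[no] switchport port-security mac-address sticky, converting existing entries."""
        self.sticky = enabled
        for mac, kind in list(self.table.items()):
            if enabled and kind == DYNAMIC:
                self.table[mac] = STICKY          # converted even if learned earlier
                self.running_config.add(mac)
            elif not enabled and kind == STICKY:
                self.table[mac] = DYNAMIC         # sticky entries leave the config file
                self.running_config.discard(mac)

    def frame_from(self, mac):
        """Handle a frame arriving on the port; return 'forward' or 'drop'."""
        if self.status == "Secure-shutdown":
            return "drop"                         # err-disabled until recovered
        self.last_source = mac
        if mac in self.table:
            return "forward"
        if len(self.table) < self.maximum:        # room left: learn the address
            self.table[mac] = STICKY if self.sticky else DYNAMIC
            if self.sticky:
                self.running_config.add(mac)
            return "forward"
        # Maximum reached and an unknown MAC appeared: a port violation.
        self.violation_count += 1
        if self.violation == "shutdown":
            self.status = "Secure-shutdown"
        elif self.violation == "restrict":
            self.traps.append(f"psecure-violation {mac}")
        return "drop"                             # protect and restrict both drop the frame

    def recover(self):
        """errdisable recovery (or shutdown / no shutdown) re-enables the port."""
        self.status = "Secure-up"

    def show(self):
        """Counters in the style of the show port-security interface output."""
        kinds = list(self.table.values())
        return {"Port Status": self.status,
                "Maximum MAC Addresses": self.maximum,
                "Total MAC Addresses": len(self.table),
                "Configured MAC Addresses": kinds.count(CONFIGURED),
                "Sticky MAC Addresses": kinds.count(STICKY),
                "Security Violation Count": self.violation_count}


if __name__ == "__main__":
    # Constructed demo: a phone and a workstation on one port with sticky learning, max 3.
    port = SecurePort(maximum=3, violation="restrict", sticky=True)
    for mac in ("0011.2233.4455", "0011.2233.4466", "0011.2233.4477", "0011.2233.4488"):
        print(mac, port.frame_from(mac))
    print(port.show())
```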

Port Security Monitoring

Use the following commands to verify port security operations:

Command Description

switch#show port-security
    Shows a summary of port security settings for enabled interfaces. Information includes:
    • An interface that has port security enabled
    • The maximum allowed MAC addresses
    • The current number of MAC addresses allowed on the port
    • The number of security violations
    • The action to take for a violation

switch#show port-security address
    Shows a list of MAC addresses used by port security. Information includes:
    • The MAC address
    • Its type (SecureConfigured, SecureDynamic, SecureSticky)
    • The associated interface

switch#show port-security interface <type and number>
    Shows detailed port security information for a specific interface. Shows all details included with the show port-security command and adds:
    • Enabled or disabled state of port security on the interface
    • The port status
    • The total numbers of configured and sticky addresses
    • The MAC address and VLAN of the last device to use the port

Listed below is a sample output from the show port-security interface command:

switch#show port-security interface fa0/3
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0800.46f5.491c:1
Security Violation Count : 1

Individual entries are explained in the following table:

Entry Description

Port Security
    Shows the enabled or the disabled state of port security.
    • Enabled means that the switchport port-security command has been issued for the interface.
    • Disabled means that the interface is not enforcing port security. It does not mean that the interface is shut down or is not operational.

Port Status
    The port status indicates the operational status of the port as viewed by port security. A status of Secure-down could mean any of the following conditions:
    • The interface has been shut down
    • There is no device connected to the interface
    • Port security is disabled, but the interface is operational and in use by a device
    • The interface has been disabled because of a port security violation
    A status of Secure-up indicates that the line is operational and port security is being enforced.

Violation Mode
    Identifies the configured violation mode for the interface (shutdown, protect, or restrict).

Maximum MAC Addresses
    Identifies the configured maximum number of allowed devices.

Total MAC Addresses
    Identifies the total number of known MAC addresses on this port. This includes all addresses in the running-config file (including sticky addresses) and all dynamic addresses that have been learned.

Configured MAC Addresses
    Identifies the number of addresses configured with the switchport port-security mac-address command (excluding sticky addresses).

Sticky MAC Addresses
    Identifies the number of addresses in the running-config file identified with the switchport port-security mac-address sticky entries.

Security Violation Count
    Identifies the number of violations detected. If this value is anything other than 1, then the port has already taken the action specified by the Violation Mode line.

DHCP Snooping

DHCP Snooping is available on both the Cisco Catalyst and Cisco Nexus platform switches. Both
platforms are classified as enterprise-grade switches and fully support all DHCP Snooping functions.

DHCP Snooping is considered a standard security feature and does not require any additional licensing
for the older Catalyst IOS, the newer Catalyst IOS XE and the Nexus NX-OS operating systems, so the
feature is available and readily configurable on all switches.

Examples of Cisco Catalyst switches that support DHCP Snooping are: Cisco Catalyst 2960S, 2960-
X, 3560, 3750, 3750-X, 3850, 4500, 6500, 9300, 9400 and 9500 series.

Examples of Cisco Nexus switches that support DHCP Snooping are: Nexus 2000, 3000, 5000, 7000
and 9000 series.

DHCP Snooping can be enabled globally and on a per-VLAN basis. This means you can enable it for
all VLANs (globally) or only for specific VLANs, including VLAN ranges, e.g. VLANs 1-20 & VLANs 45-50.

How DHCP Snooping Works – DHCP Snooping Concepts – Trusted, Untrusted Ports/Interfaces

DHCP Snooping is a Layer 2 security switch feature which blocks unauthorized (rogue) DHCP
servers from distributing IP addresses to DHCP clients. In fact Cisco was the first vendor to implement
DHCP Snooping as a security feature in its network switches and other vendors have since then followed
with similar features.

It is important to note that DHCP SNOOPING is an access layer protection service – it does not
belong in the core network.

The way DHCP Snooping works is fairly straight forward. DHCP Snooping categorizes all switchports
into two simple categories:

• Trusted Ports
• Untrusted Ports

A Trusted Port, also known as a Trusted Source or Trusted Interface, is a port or source whose
DHCP server messages are trusted because it is under the organization’s administrative control. For
example, the port to which your organization’s DHCP server connects is considered a Trusted Port.
This is also shown in the diagram below:

Figure: DHCP Snooping Concepts: Trusted and Untrusted Ports

An Untrusted Port, also known as an Untrusted Source or Untrusted Interface, is a port from which
DHCP server messages are not trusted. An example of an untrusted port is one to which hosts or PCs
connect, from which DHCP OFFER, DHCP ACK or DHCPNAK messages should never be seen, as
these are sent only by DHCP servers.

Traffic Dropped by DHCP Snooping, DHCP Snooping Violations - Syslog Messages

When DHCP Snooping is enabled, the switch begins to drop specific types of DHCP traffic in order to
protect the network from rogue DHCP servers. Here is a list of the traffic DHCP Snooping will
drop:

• DHCP Snooping will drop DHCP messages DHCPACK, DHCPNAK, DHCPOFFER originating from a
DHCP server that is not trusted – that is, connected to an untrusted port.
• DHCP Snooping will drop DHCP messages that release or decline an offer if these messages are
not originating from the port where the original DHCP conversation was held. This stops attackers
from trying to terminate or decline a DHCP offer on behalf of the actual DHCP client.
• DHCP Snooping will drop a DHCP packet received on an untrusted port that includes a relay-agent IP
address that is not 0.0.0.0, or that includes Option 82 information (the data a DHCP relay agent adds
when forwarding). For an in-depth analysis please refer to our DHCP Option 82 article.
• DHCP Snooping will drop DHCP messages where the Source MAC address and client MAC address
are not identical (see DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL below).

When DHCP Snooping detects a violation, the DHCP packet(s) triggering the event are dropped and a
message is logged in the switch’s log. The message can contain one of the following entries:

• %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP Snooping has detected
DHCP server messages from an untrusted port. This is a serious violation and usually points to a
rogue DHCP server operating on an untrusted port.
• %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP Snooping has detected that
the Source MAC address of the Ethernet frame and the Client MAC address in the DHCP message
are not identical (see image below).

Figure: Source MAC address of an Ethernet frame and Client MAC address in the DHCP message must always match

The IP DHCP Snooping Binding Database – Dynamic ARP Inspection

When DHCP Snooping is enabled it will begin to build a dynamic database containing an entry for
each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP
Snooping enabled. No entries are created for hosts connected to trusted interfaces.

Each entry in the binding database contains the following information:

• MAC address of the untrusted host
• Leased IP address of the untrusted host
• Lease time
• Binding type
• VLAN number & interface the untrusted host is associated with

As untrusted hosts are assigned IP addresses from the trusted DHCP server, the switch will
automatically create new entries in, update, and clean up the DHCP Snooping Binding Database.

For example, when an IP address lease expires or the switch receives a DHCPRELEASE message
from the untrusted host, it will remove the specific entry from the database. On the other hand an entry
will be created in the database if the switch sees a DHCPACK message from the trusted DHCP server
acknowledging the assignment of an IP address to an untrusted host.
The show ip dhcp snooping binding command displays all entries inside the DHCP Snooping
Binding Database:

Cat3560-Firewall.cx# show ip dhcp snooping binding

MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
D0:76:58:0C:BB:80 192.168.4.50 85228 dhcp-snooping 4 GigabitEthernet0/5

Total number of bindings: 1

The DHCP Snooping Binding Database is also used by other Layer2/3 security features such as
Dynamic ARP Inspection which help protect the network against ARP Poisoning & ARP Spoofing
attacks.
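The drop rules and the binding database described in the two sections above, modelled as an added Python example; this is not Cisco code: the DhcpSnooping class, the dhcp() message builder and the wording of the log strings are assumptions, and the MAC and IP values are constructed samples.

```python
"""Model of the DHCP Snooping drop rules and binding database (added illustration, not Cisco code).

Messages are plain dicts standing in for the Ethernet and DHCP fields the switch
inspects; the log strings are constructed around the two syslog identifiers in the text.
"""

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # only DHCP servers send these
CLIENT_TERMINATIONS = {"DHCPRELEASE", "DHCPDECLINE"}


def dhcp(msg_type, port, vlan, src_mac, client_mac=None, **fields):
    """Build one DHCP message as the switch sees it (constructed sample data).

    src_mac is the Ethernet source address; client_mac is the chaddr field inside
    the DHCP payload and normally equals src_mac. Optional fields: yiaddr, lease,
    giaddr (relay-agent IP address), option82.
    """
    msg = {"type": msg_type, "port": port, "vlan": vlan, "src_mac": src_mac,
           "client_mac": client_mac or src_mac, "giaddr": "0.0.0.0", "option82": None}
    msg.update(fields)
    return msg


class DhcpSnooping:
    def __init__(self, vlans, trusted_ports):
        self.vlans = set(vlans)              # VLANs with DHCP Snooping enabled
        self.trusted = set(trusted_ports)    # ports leading to the organization's DHCP server
        self.bindings = {}        # client MAC -> binding entry (untrusted hosts only)
        self.conversations = {}   # client MAC -> port where its DISCOVER/REQUEST arrived
        self.log = []             # constructed syslog-style messages

    def inspect(self, msg):
        """Return 'forward' or 'drop' for one DHCP message and update the database."""
        if msg["vlan"] not in self.vlans:
            return "forward"                  # snooping not enabled on this VLAN
        if msg["port"] in self.trusted:
            self._learn_from_server(msg)
            return "forward"                  # trusted sources are never filtered
        return self._filter_untrusted(msg)

    def _filter_untrusted(self, msg):
        port, mtype = msg["port"], msg["type"]
        if mtype in SERVER_MESSAGES:          # rule 1: server message on an untrusted port
            self.log.append("%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: "
                            f"{mtype} from {msg['src_mac']} on {port}")
            return "drop"
        if msg["src_mac"] != msg["client_mac"]:   # rule 4: frame source and chaddr differ
            self.log.append("%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: "
                            f"{msg['src_mac']} != {msg['client_mac']} on {port}")
            return "drop"
        if msg["giaddr"] != "0.0.0.0" or msg["option82"]:   # rule 3: relay-agent data
            return "drop"
        if mtype in CLIENT_TERMINATIONS:      # rule 2: release/decline from the wrong port
            if self.conversations.get(msg["client_mac"]) != port:
                return "drop"
            if mtype == "DHCPRELEASE":
                self.bindings.pop(msg["client_mac"], None)
            return "forward"
        self.conversations[msg["client_mac"]] = port   # DISCOVER/REQUEST: remember the port
        return "forward"

    def _learn_from_server(self, msg):
        """A DHCPACK from the trusted server creates a binding for an untrusted host."""
        client = msg["client_mac"]
        client_port = self.conversations.get(client)
        if msg["type"] == "DHCPACK" and client_port and client_port not in self.trusted:
            self.bindings[client] = {"ip": msg["yiaddr"], "lease": msg["lease"],
                                     "type": "dhcp-snooping", "vlan": msg["vlan"],
                                     "interface": client_port}

    def show_binding(self):
        """Rows in the column order of 'show ip dhcp snooping binding'."""
        return [(mac, b["ip"], b["lease"], b["type"], b["vlan"], b["interface"])
                for mac, b in sorted(self.bindings.items())]


if __name__ == "__main__":
    # Constructed demo: client on Gi0/5, real server on Gi0/1, rogue server on Gi0/7.
    snoop = DhcpSnooping(vlans=[4], trusted_ports=["Gi0/1"])
    pc = "d076.580c.bb80"
    print(snoop.inspect(dhcp("DHCPDISCOVER", "Gi0/5", 4, pc)))
    print(snoop.inspect(dhcp("DHCPOFFER", "Gi0/7", 4, "0000.0000.bad1", pc)))
    print(snoop.inspect(dhcp("DHCPACK", "Gi0/1", 4, "0000.0000.0001", pc,
                             yiaddr="192.168.4.50", lease=85228)))
    print(snoop.show_binding(), snoop.log)
```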

IP DHCP Snooping configuration for Cisco Catalyst and Cisco Nexus switching platforms will be
covered extensively in an upcoming technical article.

Dynamic ARP Inspection, ARP Poisoning, ARP Spoofing attacks will be covered in an upcoming
security article.

DHCP Snooping Option 82 – Relay Agent Information

The DHCP Option 82, aka Relay Agent Information Option, was originally created by RFC 3046 to
allow the DHCP relay agent (e.g. switch or router) to identify itself and the DHCP client that sent the
DHCP messages. DHCP Option 82 is used in large metropolitan Ethernet-access deployments where
DHCP is required to centrally manage the IP addresses for a large number of subscribers.

When DHCP Snooping is enabled on a Cisco Catalyst or Nexus switch, it will insert the Option 82 field
into the client’s DHCP message:

Figure: DHCP Snooping enabled switch inserting DHCP Option 82 into a DHCP Request

DHCP Option 82 is not often used within organizations but it does provide an additional layer of
protection if the DHCP server supports it. For example the DHCP Server on Windows Server 2012 or
2016 supports Option 82 allowing administrators to create DHCP Policies that control the assignment
of IP addresses to specific switches within the network.
Analyzing the structure of DHCP Option 82 is out of this article’s scope but will be covered in great
depth in an upcoming article.

Read our article "DHCP Option 82 Message Format, Analysis. DHCP Snooping Option 82 Injection &
Removal Method, Trusted – Untrusted Switch Ports" for in-depth analysis of DHCP Option 82.

Summary

Man-in-the-Middle attacks and network disruptions from rogue DHCP servers are serious network
security threats that organizations have to deal with on a daily basis. In this article we explained how
Man-in-the-Middle attacks allow attackers to gain visibility of your network and can potentially lead to
exposing sensitive data flowing between servers and clients. We explained what DHCP Snooping is,
examined how DHCP Snooping works and how it can effectively protect the network from these
attacks. We looked at the type of traffic dropped by DHCP snooping, violation warnings and also
explained the purpose and operation of the DHCP Snooping Binding Database.

VPN

A Virtual Private Network (VPN) is a network that uses encryption to allow IP traffic to travel securely
over the TCP/IP network.

• A VPN uses encrypted and authenticated links that provide remote access and routed
connections between private networks or computers.
• A VPN can be used over a local area network, across a WAN connection, over the Internet,
and even between a client and a server over a dial-up connection through the Internet.
• VPNs work by using a tunneling protocol that encrypts packet contents and wraps them in an
unencrypted packet.
• Tunnel endpoints are devices that can encrypt and decrypt packets. When you create a VPN,
you establish a security association between the two tunnel endpoints. These endpoints
create a secure, virtual communication channel. Only the destination tunnel endpoint can
unwrap packets and decrypt the packet contents.
• Routers use the unencrypted packet headers to deliver the packet to the destination device.
Intermediate routers along the path cannot (and do not) read the encrypted packet contents.

Benefits provided by VPNs include the following:

• Confidentiality protects information or data from disclosure to unauthorized users.
• Authentication verifies that the sender of the VPN packet is a legitimate device and not a
device used by an attacker.
• Integrity protects data against alteration during transmission.
• Anti-replay is a security service in which the receiver can reject old or duplicate packets in
order to protect itself against replay attacks.
• Non-repudiation is when a third party can prove that a communication between two other
parties took place. Non-repudiation is desirable if you want to be able to trace your
communications and prove that they occurred.

The following table shows some common VPN security technologies:

Protocol Description

Internet Protocol Security (IPSec)
    IPSec is a security mechanism that:
    • Is the most widely deployed VPN technology
    • Is used with IP only and can encrypt any traffic supported by the IP protocol
    • Requires either digital certificates or pre-shared keys.

Secure Sockets Layer (SSL)
    SSL is a communication protocol that:
    • Provides secure Internet-based client/server interactions
    • Authenticates the server to the client using public key cryptography and digital certificates and encrypts the entire communication session
    • Protects Web (HTTP) traffic as well as Telnet, FTP, and e-mail

Transport Layer Security (TLS)
    TLS is a communication protocol based on SSL that:
    • Requires a digital certificate from both the client and server.
    • Provides security for traffic above the Transport layer.
    • Does not provide security for Web traffic at the Transport layer.

Point-to-Point Tunneling Protocol (PPTP)
    PPTP is a Microsoft VPN technology that:
    • Uses standard authentication protocols, such as Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP).
    • Supports TCP/IP only.
    • Encapsulates other LAN protocols and carries the data securely over an IP network.
    • Does not encrypt data. It must be used in conjunction with a Microsoft-supported encryption mechanism.
    • Is supported by most operating systems and servers.

Layer 2 Forwarding (L2F)
    L2F is a VPN technology developed by Cisco that:
    • Offers mutual authentication
    • Does not encrypt data
    • Merged with PPTP to create L2TP

Layer Two Tunneling Protocol (L2TP)
    L2TP is an open standard for secure multi-protocol routing that:
    • Uses IPSec for encryption
    • Supports multiple protocols (not just IP)
    • Is not supported by older operating systems

Cisco VPN

There are two basic types of Cisco VPNs:

Type Description

Site-to-site
    Site-to-site VPNs connect entire networks to each other, for example, connecting a branch office network to a company headquarters network.
    • All traffic between sites is encrypted using IP Security (IPsec).
    • Hosts do not have VPN client software; they send and receive normal TCP/IP traffic through a VPN gateway, such as a Cisco Adaptive Security Appliance (ASA).
    • The VPN gateway is responsible for encapsulating and encrypting outbound traffic, sending it through a VPN tunnel over the Internet, to a peer VPN gateway at the target site.
    • The peer VPN gateway strips the headers of received packets, decrypts the content, and relays the packet towards the target host inside its private network.
    Implementations of site-to-site VPNs include:
    • Intranet VPNs provide secure connections within the same organization.
    • Extranet VPNs provide secure connections between two different organizations. Typically, an extranet VPN is used to connect a company's network to a third-party organization, such as customers, suppliers, partners, and other businesses.

Remote access
    Remote access VPNs connect individual hosts to private networks, for example, travelers and telecommuters who need to access their company's network securely over the Internet.
    • Traffic between the host and target site is encrypted using IPSec or Secure Sockets Layer (SSL) technology.
    • The host is responsible for encapsulating and encrypting outbound traffic, sending it through a VPN tunnel over the Internet, to a peer VPN gateway at the target site.
    • The target VPN gateway behaves the same as in site-to-site VPNs.
    • Hosts using IPSec encryption need VPN client software.
    • Hosts using SSL need a modern Internet browser (that includes built-in SSL support).

Devices used in a VPN connection may include the following:

• An Adaptive Security Appliance (ASA) is Cisco's security appliance that is configured for many
security functions, such as VPNs.
• Routers can provide VPN functions aside from packet forwarding, such as VPN encryption.
• PIX Firewalls are an older product line of Cisco. The firewall performs the VPN functions, as
well as firewall functions. New installations now use an ASA.
• VPN accelerator cards are PCI cards that fit in Cisco devices, such as the PIX Firewall, to
provide encryption, tunneling, and firewall functions.
• VPN concentrators are an older product line of Cisco, and provide a specific endpoint of a
VPN tunnel.
• VPN client-side software is for access VPNs. It is software installed on the individual's client to
perform the VPN functions.
• VPN client-side hardware is used to provide a VPN to multiple clients on the same device.

IPSec VPN

IPSec provides encryption for site-to-site and remote access VPNs. IPSec encrypts any traffic
supported by the IP protocol, such as Internet, e-mail, Telnet, file transfer, as well as countless others.
IPSec includes the following three protocols for authentication, data encryption, and connection
negotiation:

Protocol Description

Authentication Header (AH)
    Authentication Header (AH) provides integrity and authentication.
    • AH provides a message integrity check with the Hashed Keyed Message Authentication Code (HMAC). With HMAC, a symmetric key is embedded into a message before the message is hashed. When the message is received, the recipient's symmetric key is added back into the message before hashing the message. If the hash values match, message integrity is proven.
    • AH uses SHA-1 (Secure Hashing Algorithm 1) or MD5 (Message Digest v5) for integrity validation.
    Note: AH does not encrypt data, so it does not provide confidentiality.

Encapsulating Security Payload (ESP)
    Encapsulating Security Payload (ESP) provides encryption, integrity, anti-replay, and a weak form of authentication. ESP encrypts with the following standards:
    • Data Encryption Standard (DES) uses a 56-bit key and is easily broken.
    • Triple DES (3DES) applies DES three times and uses a 168-bit key. 3DES is IPSec's strongest and slowest method of encryption.
    • Advanced Encryption Standard (AES) uses variable key length (128-, 192-, or 256-bit keys), and is resistant to all known attacks. It is computationally more efficient than 3DES.
    Note: If the VPN uses ESP, then the HMAC is not needed because the attacker would have had to break the ESP encryption key before altering the message.

Internet Key Exchange (IKE)
    The Internet Key Exchange (IKE) negotiates the connection. As two end points are securing an IPSec network, they have to negotiate what is called a Security Association (SA). An inbound and outbound SA is necessary for each connection with a remote endpoint. IKE uses the following functions:
    • Internet Security Association Key Management Protocol (ISAKMP) establishes a framework for the negotiation.
    • The Diffie-Hellman key exchange generates symmetric keys used for the encryption of the negotiation of the SA. The Diffie-Hellman key exchange:
      o Provides for key distribution but does not provide any cryptographic services.
      o Is based on calculating discrete logarithms in a finite field.
      o Is used in many algorithms and standards such as DES.
      o Is subject to man-in-the-middle attacks and requires strong authentication to validate the end points.
      o Provides three key length configurations: DH-1 (768-bit key), DH-2 (1024-bit key), & DH-5 (1536-bit key).

After the parameters of the SA have been established, IPSec functions in a mode of operation based
on the relationship of the communicating devices to each other. The two IPSec modes of operation
are:

Mode Characteristics

Tunnel mode
    Tunnel mode is used for site-to-site communications.
    • Tunnel mode is often referred to as subnet-to-subnet.
    • The entire data packet, including original headers, is encapsulated in a new packet when using IPSec in tunnel mode.
    • The new packet has a new unencrypted layer two and layer three header that contains the endpoint addresses and all necessary AH and ESP information.
    • The VPN server acts as a gateway by providing encryption support for other devices on the LAN.

Transport mode
    Transport mode is used for end-to-end (or host-to-host) data encryption.
    • The end communicating devices are the tunnel endpoints.
    • The packet data is encrypted, but the header is left intact, allowing intermediary devices (such as routers) to examine the packet header and use the information in routing packets.
    • Transport mode operates at layer four, encrypting from level four and up.

SSL VPN Facts

A remote access VPN can use Secure Sockets Layer (SSL) to encrypt VPN traffic. SSL encrypts the
entire communication session between the server and client. Cisco SSL VPN (also known as
WebVPN) is a technology that provides remote-access VPN capability by using the security features
that are already built into a modern Internet browser. An SSL VPN allows users from any Internet-
enabled location to launch an Internet browser to establish remote access VPN connections. There
are three modes of Cisco SSL VPNs:

Mode: Clientless

A clientless SSL VPN (browser-based) allows a user to use any common Web browser to securely access the internal or corporate network. This mode is useful for accessing most content that you would expect to access in a browser, such as Web content, databases, and online tools that employ a Web interface.

• Because SSL is already built into the client Internet browsers, there is no setup required on the client side.
• The client must run the Windows 2000, Windows XP, or Linux operating system.
• Applications that cannot be accessed through a browser are not available.

Use clientless SSL VPNs when the client is a public or private computer or when the user only needs to access Web-enabled applications.

Mode: Thin-Client

Cisco's thin-client SSL VPN (also referred to as port forwarding) downloads a small Java-based applet (plug-in) to the remote client, which is used to secure remote access for Transmission Control Protocol (TCP) applications.

• The remote client must allow the Java applet to download and install through the Internet browser. This typically requires administrative privileges on the system.
• SSL tunnels can also be established using a smart tunnel. A smart tunnel does not require installation and therefore does not require administrative privileges.
• Proxy services are an option with the thin-client mode. A proxy acts as an intermediary between the client and the Internet, intercepting all requests to the Internet to see if it can fulfill the request using its cache to improve performance. If the proxy service is enabled, the Java applet acts as a TCP proxy server through the Internet browser.
• Applications such as FTP, where the ports are negotiated dynamically, cannot be used. You can use TCP port forwarding only with applications that use static ports, such as:
  o Telnet, port 23
  o Secure Shell (SSH), port 22
  o Post Office Protocol 3 (POP3), port 110
  o Internet Message Access Protocol 4 (IMAP4), port 143
  o Simple Mail Transfer Protocol (SMTP), port 25
  o Microsoft Outlook Express
  o Lotus Notes

  Microsoft Outlook using the MAPI protocol is not supported.

• Thin-client access can be used to access shared folders on network servers.
• Local administrator privileges are required to install the Sun Microsystems Java Runtime Environment (JRE) and configure the local system. Note: The port-forwarding proxy works only with JRE version 1.4 or later versions. The Java applet verifies the JRE version and will refuse to run if a compatible JRE version is not detected.

Use the thin-client SSL VPN to provide application access for applications that can be forwarded on a specific port and to provide access to shared folders on network servers. It typically cannot be used on a public computer because administrative privileges are required to download the Java plug-ins.

Mode: Full Tunnel

Full tunnel mode downloads client-side VPN software to the remote workstation and allows secure access to most IP-based applications on an internal or corporate network.

• The client software is called the AnyConnect VPN Client. Previous versions of the client software were called the Cisco SSL VPN Client (SVC).
• The client software can be loaded on the security appliance, where it will download and install on the client automatically as needed. It can also be manually installed on the client prior to making the connection.
• The client software can be uninstalled automatically when the session is closed, or it can be configured to remain on the system.
• Local administrator privileges are required for the initial installation of the Cisco AnyConnect VPN Client.
• AnyConnect uses TLS in addition to SSL to improve performance.
• The client software can run as a standalone application (not running in the browser).
• The client software supports IPv6, Windows Vista, running scripts, password caching, logon using certificates only, and drive mapping.

Use the client software for VPN access to configure a permanent client, or to provide access to resources not allowed by the clientless or thin-client solutions (such as Microsoft Outlook using MAPI).
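The three modes above correspond to a few configuration blocks on the security appliance. The following is an added example, not taken from this guide or from Cisco's own documentation, showing how an ASA could be set up to offer all three at once: the clientless portal is enabled on the outside interface, a port-forwarding list defines the static-port applications reachable through the thin client, and the AnyConnect package is staged on the appliance so full-tunnel clients receive it automatically. The interface name, the list and policy names, the internal server addresses and the package file name are assumed values; the package name in particular is a placeholder that must match the file actually uploaded to flash.

```cisco
! Enable the SSL VPN (clientless portal) on the Internet-facing interface.
webvpn
 enable outside
 ! Full tunnel mode: stage the AnyConnect package on the appliance so that it is
 ! pushed to the client on first connection (placeholder file name, assumed).
 anyconnect image disk0:/anyconnect-win-<version>.pkg 1
 anyconnect enable
 ! Thin-client mode: each entry maps a static local port on the remote PC to an
 ! internal server and port. Only static-port applications belong here; FTP,
 ! which negotiates its data ports dynamically, cannot be forwarded this way.
 ! (List name and 10.0.0.x server addresses are assumed values.)
 port-forward THIN-CLIENT-APPS 2323 10.0.0.10 23  "Telnet to internal host"
 port-forward THIN-CLIENT-APPS 2222 10.0.0.10 22  "SSH to internal host"
 port-forward THIN-CLIENT-APPS 1100 10.0.0.20 110 "POP3 mail retrieval"
 port-forward THIN-CLIENT-APPS 1430 10.0.0.20 143 "IMAP4 mail retrieval"
!
! One group policy that permits both the full-tunnel client (ssl-client) and the
! browser-based modes (ssl-clientless), and attaches the port-forwarding list.
group-policy SSLVPN-POLICY internal
group-policy SSLVPN-POLICY attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 webvpn
  port-forward enable THIN-CLIENT-APPS
  ! Leave the AnyConnect software installed after the session instead of
  ! uninstalling it automatically, i.e. a permanent client.
  anyconnect keep-installer installed
!
! Apply the policy to the default connection profile used by SSL VPN logins.
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy SSLVPN-POLICY
```

With this in place a user who only needs Web-enabled applications simply logs in to the portal; a user who needs Telnet, SSH or mail connects the thin client, which listens on the local ports listed (2323, 2222, 1100, 1430, assumed here) and relays them over the SSL session; and a user who needs MAPI or other non-forwardable applications starts the AnyConnect client, which the appliance installs from the staged package.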

Client requirements for SSL VPNs include:

• An SSL VPN account (username and password).
• An SSL VPN supported browser, such as Internet Explorer 6.0 or 7.0, Firefox 2.0, or Safari 2.0.3.
• Local administrative privileges for the thin-client and full tunnel installation requirements.
