Allowing Access to the Router
Problem
You just installed your router and can log in to it only through the console port. You want to allow administrators to securely log in to it over the network.
Solution
You should use SSH to provide secure encrypted sessions to the router:
aviva@router1# set system services ssh
Discussion
With SSH, both the password you type and the session itself are encrypted using a well-tested, industry-standard protocol. The systems from which you connect to the router must have SSH client software. For greater security, you should use SSH keys on the client. You can find information about obtaining SSH software at http://www.ssh.com and http://www.openssh.com.
When you log in to the router with SSH, you are prompted for your password:
aviva-server1% 122: ssh router1
The authenticity of host 'router1-mycompany.com (192.168.71.246)' can't be established.
DSA key fingerprint is 2c:a9:35:c5:2a:db:12:5b:b6:6e:0b:17:ae:ec:d4:55.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'router1-mycompany.com' (DSA) to the list of known hosts.
aviva@router1-mycompany.com's password:
--- JUNOS 7.4R1.7 built 2005-10-24 08:10:28 UTC
aviva@router1>
You can also allow users to connect to the router with Telnet, but if security is your highest priority, you should not use Telnet. Telnet sessions and passwords are sent in cleartext, so they can be intercepted. However, if your network itself is well protected with firewalls, you can enable Telnet to let users access the router:
aviva@router1# set system services telnet
The only user who can never log in using Telnet is root. To log in as root, you must use SSH or the console.
SSH and Telnet provide terminal sessions to the router so you can log in to the router. The commands in the JUNOS software that copy files to and from the router use SSH, but they can also use FTP. Because FTP is not secure in and of itself, if you want to use it to copy files, the best thing to do is to enable FTP just before you need to copy the files:
aviva@router1# set system services ftp
aviva@router1# commit
You need to enable FTP only if you want to FTP something to the router, that is, when the router is the FTP server. If the router is the FTP client and you are fetching a file from an FTP server, you do not need to enable FTP on the router. The FTP client on the router is always present and running.
Then disable FTP after you have copied the files:
aviva@router1# delete system services ftp
aviva@router1# commit
One way to secure FTP is to create a firewall filter that uses source address filters to limit access to the FTP port, particularly if the source addresses are forced to come through an encrypted tunnel. Recipe 9.8 discusses how to create firewall filters.
If you are using a router that supports the J-Web browser for configuring and monitoring the router, you can enable secure HTTP on the router:
[edit system]
aviva@router1# set services web-management https
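The services and FTP advice above, brought together in one configuration view as an added example that is not from the book: only SSH and HTTPS are enabled, FTP stays off until the moment a file must be copied in, and a filter on the loopback interface limits the FTP port to a management prefix, as the discussion suggests. The filter name protect-re, the term names and the 192.168.71.0/24 management prefix are assumed values, not from the page.

```junos
/* Added example: not from the JUNOS Cookbook; names and prefix are assumed. */
system {
    services {
        ssh;                          /* encrypted terminal access */
        web-management {
            https;                    /* J-Web over TLS only */
        }
        /* telnet and ftp deliberately absent; add ftp only for the
           duration of a copy with "set system services ftp" and
           remove it again with "delete system services ftp". */
    }
}
firewall {
    family inet {
        filter protect-re {
            /* constructed management prefix; FTP control and data */
            term allow-ftp-from-mgmt {
                from {
                    source-address {
                        192.168.71.0/24;
                    }
                    protocol tcp;
                    destination-port [ ftp ftp-data ];
                }
                then accept;
            }
            /* FTP from anywhere else is dropped and logged */
            term deny-other-ftp {
                from {
                    protocol tcp;
                    destination-port [ ftp ftp-data ];
                }
                then {
                    log;
                    discard;
                }
            }
            /* everything else (SSH, HTTPS, routing protocols) is left alone */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;   /* applies to traffic to the router itself */
                }
            }
        }
    }
}
```

Even with the filter in place, FTP logins are still cleartext on the wire, so the filter only narrows who can reach the port; enabling FTP briefly and removing it afterwards is still the safer habit.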
See Also
Recipes 2.14 and 9.8