CCIE Security v4.0 Quick Reference: Application and Infrastructure Security

HTTP

HTTP is a request/response protocol between clients (user agents) and servers (origin servers) that is used to access web-related services and pages. An HTTP client initiates a request by establishing a TCP connection to a particular port on a remote host (port 80 by default). Resources to be accessed by HTTP are identified using uniform resource identifiers (URI or URL) using the http: or https: URI schemes.

HTTP supports authentication between clients and servers, which involves sending a clear-text password (not secure). HTTP is disabled by default on Cisco routers, but can be enabled for remote monitoring and configuration.

Configuring HTTP

Use the ip http access-class command to restrict access to specific IP addresses, and employ the ip http authentication command to enable only certain users to access the Cisco router via HTTP.

If you choose to use HTTP for management, issue the ip http access-class access-list-number command to restrict access to specific IP addresses. As with interactive logins, the best choice for HTTP authentication is a TACACS+ or RADIUS server. Avoid using the enable password as an HTTP password.

The ip http-server command supports the HTTP server. If a secure HTTP connection is required, ip http secure-server must be configured on the router. The default HTTP port 80 can be changed by using the command ip http port port-number . Varying forms of authentication for login can be set using the ip http authentication [ enable | local | tacacs | aaa ] command. However, to initiate the default login method you must enter the hostname as the username and the enable or secret password as the password. If local authentication is specified by using username username privilege [ 0 - 15 ] password password, the access level on the Cisco router is determined by the privilege level assigned to that user.