Basic Security on Cisco Routers

You can access a Cisco router in a number of ways. You can physically access a router through the console port, or you can access a router remotely through a modem attached to the auxiliary port. You can also access a router over the network through its virtual terminal ports (vty lines), which allow remote Telnet access.

If you do not have physical access to a router, either through a console port or through an auxiliary port via dialup, you can access it through the software interface called the virtual terminal (also referred to as a vty port). When you telnet to a router, you might be required to enter the vty password set by the network administrator. For example, on Router R1, the administrator types R2's remote address and telnets to one of R2's vty lines.

Example 3-24 provides the session dialog when a user telnets to the router with the IP address

Example 3-24 Using a Vty Port to Establish a Telnet Connection

R1#telnet
Trying ... Open

User Access Verification

Password: xxxxx
R2>

Cisco routers can have passwords set on all operation modes, including the console port, privilege mode, and virtual terminal access. To set a console password to prevent unauthorized console access to the router, issue the commands shown in Example 3-25. The login command tells IOS to actually prompt for the line password; on the console and auxiliary lines the default is no login, so a password set without login is never checked.

NOTE All passwords are case sensitive.

Example 3-25 Setting a Console Password

R1(config)#line con 0
R1(config-line)#password cisco
R1(config-line)#login

!You can also set a password on the auxiliary port
R1(config)#line aux 0
R1(config-line)#password cisco
R1(config-line)#login

To set the privilege mode password, you have two options: the enable password and the secret password. To set these passwords, use the respective commands listed in Example 3-26.

Example 3-26 Setting the Enable Password and Secret Password

R1(config)#enable password cisco
R1(config)#enable secret ccie

The command to set an enable password is enable password password. You can also set a more secure password, called a secret password, with the enable secret password command; the secret is stored as a salted MD5 hash rather than as clear text, so it is not readable when the configuration is viewed.

When both are configured, the enable secret password overrides the enable password password: IOS checks only the secret. Cisco IOS does permit you to configure the same string for both commands but warns you that you should use different passwords. It is good security practice to configure only the secret password and leave the plain enable password unset.

In Example 3-26, the secret password will always be used. Example 3-27 displays the output of the show running-config IOS command after the enable and secret passwords from Example 3-26 have been entered.

Example 3-27 show running-config Command on R1

R1#show running-config
Building configuration...

Current configuration:
!
version 12.2
!
hostname R1
!
enable secret 5 $1$Aiy2$GGSCYdG57PdRiNg/.D.XI.
enable password cisco

Example 3-27 shows that the secret password is stored as a type 5 hash (salted MD5, the same $1$ format used by Unix crypt), while the enable password is readable in clear text. Hashing hides the secret from anyone who views or copies the configuration.

If you want, you can also hide the enable password by issuing the service password-encryption command, as displayed in Example 3-28. Cisco uses a salted, iterated MD5 hash for the secret password. The hash itself cannot be reversed, but it can be attacked offline: a number of open-source tools can brute-force or apply dictionary attacks to a secret hash such as $1$Aiy2$GGSCYdG57PdRiNg/.D.XI. and recover the password if it is weak, so the protection the hash gives depends entirely on the strength of the password you choose. Against a casual intruder, though, MD5 might be just enough to stop access and force a move on to the next router.

Example 3-28 service password-encryption Command

R1(config)#service password-encryption

The service password-encryption command obscures all clear-text passwords in the configuration (line, enable, and username passwords) by using a simple Vigenere cipher with a fixed, publicly known key. This type 7 encoding can be reversed instantly by anyone who obtains the configuration; it protects only against a glance at the screen. It does not change the enable secret, which is already stored as a hash. Example 3-29 shows how these passwords appear when the configuration is viewed after the command has been entered.

Example 3-29 show running-config Command on R1 After Encrypting All Passwords

R1#show running-config
Building configuration...

Current configuration:
!
service password-encryption
version 12.2
!
hostname R1
!
enable secret 5 $1$Aiy2$GGSCYdG57PdRiNg/.D.XI.
enable password 7 0822455D0A16

NOTE Note the digits, 5 and 7, before the stored passwords. The number 5 signifies a salted MD5 hash (not reversible; it can only be attacked by guessing), whereas the number 7 signifies the weak, reversible Vigenere encoding applied by service password-encryption. You are not expected to know this for the written exam, but it is valuable knowledge for troubleshooting complex networks. In fact, a great network engineer is measured by his well-defined troubleshooting techniques, and not by how many CCIE lab exams he has passed.

Notice in Example 3-29 that both the secret and enable passwords are now obscured. If you enable the service password-encryption command in global configuration mode, all clear-text passwords are encoded and are no longer readable at a glance when the configuration is displayed on the Cisco router. Keep in mind that the type 7 encoding is trivially decodable, so anyone who can read or download the configuration still recovers those passwords; only the type 5 secret resists that.
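The following Python script is an added example, not code from the page or from Cisco. It shows concretely why the two storage types differ: it decodes type 7 strings with the fixed, publicly known key that IOS uses for service password-encryption, encodes a value the other way to show the scheme is symmetric, and audits a running-config for password lines, reporting which ones an attacker who reads the configuration gets for free. The configuration text is constructed from Examples 3-27 and 3-29; the vty line's type 7 value is an assumption computed with the same cipher at offset 2, and the type 5 hash is left alone because it can only be guessed, not reversed.

```python
"""Audit IOS password lines and undo type 7 "encryption".

Added example, not code from the page or from Cisco. It assumes only the
fixed, publicly known key IOS uses for service password-encryption. The sample
configuration text is constructed from the page's Examples 3-27 and 3-29.
"""
import re
from typing import Optional

# Fixed Vigenere key IOS uses for type 7 strings (public knowledge). The first
# two decimal digits of a type 7 string are an offset into this key; each
# following hex byte is the plaintext byte XORed with key[(offset + i) % 40].
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Recover the plaintext behind a `password 7 <hex>` string."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    offset = int(encoded[:2], 10)
    if offset >= len(TYPE7_KEY):
        raise ValueError(f"type 7 offset out of range: {offset}")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def encode_type7(plain: str, offset: int = 8) -> str:
    """Forward direction: the same XOR, so the scheme is trivially symmetric."""
    if not 0 <= offset < len(TYPE7_KEY):
        raise ValueError(f"type 7 offset out of range: {offset}")
    out = bytes(c ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                for i, c in enumerate(plain.encode("ascii")))
    return f"{offset:02d}{out.hex().upper()}"


# Matches enable/line/username password lines: optional leading whitespace,
# the command, an optional one-digit storage type, then the stored value.
PASSWORD_LINE = re.compile(
    r"^\s*(?P<cmd>enable secret|enable password|(?:username\s+\S+\s+)?password)"
    r"\s+(?:(?P<ptype>\d)\s+)?(?P<value>\S+)\s*$"
)


def classify(line: str) -> Optional[dict]:
    """Return what kind of secret a config line stores and, if recoverable, its plaintext."""
    m = PASSWORD_LINE.match(line)
    if not m:
        return None
    cmd, ptype, value = m.group("cmd", "ptype", "value")
    if ptype == "5":
        # Salted MD5 hash: not reversible, only attackable by guessing offline.
        return {"cmd": cmd, "kind": "type5-md5-hash", "plaintext": None}
    if ptype == "7":
        try:
            return {"cmd": cmd, "kind": "type7-reversible", "plaintext": decode_type7(value)}
        except ValueError:
            return {"cmd": cmd, "kind": "type7-malformed", "plaintext": None}
    if ptype in (None, "0"):
        # No type digit (or type 0) means the password is stored in clear text.
        return {"cmd": cmd, "kind": "plaintext", "plaintext": value}
    return {"cmd": cmd, "kind": f"type{ptype}", "plaintext": None}


def audit(config: str) -> list:
    """Classify every password-bearing line of a running-config, with line numbers."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        finding = classify(line)
        if finding:
            finding["line"] = lineno
            findings.append(finding)
    return findings


def recovered_secrets(config: str) -> dict:
    """Every credential someone who can read the configuration obtains for free."""
    return {f"{f['cmd']}@{f['line']}": f["plaintext"]
            for f in audit(config) if f["plaintext"]}


# Constructed from the page's Example 3-27 (before service password-encryption).
CONFIG_BEFORE = """\
version 12.2
hostname R1
!
enable secret 5 $1$Aiy2$GGSCYdG57PdRiNg/.D.XI.
enable password cisco
!
line vty 0 4
 password ccie
 login
"""

# Constructed from Example 3-29. The vty line's type 7 value is an assumption,
# computed as encode_type7("ccie", 2) and written out literally here.
CONFIG_AFTER = """\
service password-encryption
version 12.2
hostname R1
!
enable secret 5 $1$Aiy2$GGSCYdG57PdRiNg/.D.XI.
enable password 7 0822455D0A16
!
line vty 0 4
 password 7 020507520E
 login
"""

if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(name, recovered_secrets(cfg))
```

Running it against both configurations yields the same two recovered credentials (the enable password and the vty password), which is the practical point: service password-encryption changes what the screen shows, not what an attacker with the file can learn. Only the enable secret survives, and it survives only as long as the chosen password resists a dictionary attack.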

The final Cisco password you can set is the virtual terminal password. This password is checked on remote Telnet sessions to the router. Example 3-30 displays the commands necessary to set the virtual terminal password on a Cisco router; login is the default on vty lines, but it is shown explicitly so that the contrast with no login below is clear.

Example 3-30 password Command to Set a Virtual Terminal Password to ccie

R4(config)#line vty 0 4
R4(config-line)#password ccie
R4(config-line)#login

If you issue the no login command under the virtual terminal configuration (line vty 0 4), remote Telnet users are not asked to supply a password and enter user EXEC mode automatically. Example 3-31 displays the Telnet session dialog when the no login command is in effect.

Example 3-31 Dialog Display When no Login Is Enabled

Keep in mind that the preceding setup is not a secure access method for a router network: anyone who can reach the vty lines over the network gets a session without any credential.
