Home > Articles > Cisco > CCNP Security

Securing Cisco Routers

This chapter is from the book

Securing Administrative Access to a Cisco Router

Configuring administrative access on the Cisco router is an important step toward network security. You can access all Cisco routers in various ways:

  • Console

  • VTY

  • Aux

  • SNMP

  • HTTP

Connection Through the Console Port

To protect administrative access to the routers, you must protect the console port via a password policy. You can store passwords locally on the router or use some kind of remote administration using a CiscoSecure Access Control Server authentication, authorization, and accounting (AAA) server. You can store passwords locally on the router or use Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System + (TACACS+) for remote AAA using CSACS.

Password Policy

You should keep the following rules in mind when formulating a password policy:

  • Acceptable password length must be between 1 and 25 characters. Blank passwords are not a part of a good security policy. The passwords should contain alphanumeric, uppercase, and lowercase characters.

  • On Cisco equipment, the first character in the password cannot be a number.

  • Leading spaces in the password are ignored; however. spaces after the first character are not ignored.

  • Passwords must be changed often, and using the same passwords over again should be avoided. Be creative and generate unique passwords every time. Do not use obvious passwords such as your dog's name or your date of birth.

Securing Privilege EXEC Mode Using the enable secret Command

When you first power on the router, assuming that there is no prior configuration stored in the nonvolatile RAM (NVRAM), the router enters the Initial Configuration dialog box. The Initial Configuration dialog box is a menu system that assists you in applying basic configuration on the router. You can use Ctrl+Z to break out of the Initial Configuration dialog box.

To make changes to the router configuration, you have to first enter privilege EXEC mode. By default, you do not need a password to access privilege EXEC mode. You can use the enable command to access the privilege EXEC mode of a router:

Router> enable
Router#

Once you are in privilege EXEC mode, you can then secure privilege EXEC mode on the routers using the enable secret command in global configuration mode. The enable secret command encrypts the password to the privilege EXEC mode using the Message Digest 5 (MD5) hashing algorithm. It is a one-way hash. In other words, once you have a password using MD5, you cannot unhash it:

Router> enable
Router# configure terminal
Router(config)# enable secret Passwordciscorocks
Router(config)#

Figure 3.1 shows how to configure an MD5 password on a router.

Figure 3.1Figure 3.1 Configuring the enable secret password on a router.

In the example, Passwordciscorocks is the password that will be used to access the privilege EXEC mode of this router.

Let us look at another example:

Router> enable
Router# configure terminal
Router(config)# enable secret Password cisco rocks
Router(config)#

In this example, what is the password assigned to the privilege EXEC mode?

  • cisco

  • cisco rocks

  • password cisco rocks

  • Password cisco rocks

  • I have no idea; please explain.

The password assigned to the privilege EXEC mode will be Password cisco rocks because all spaces after the first character are part of the password.

If you do a show running-config on the router, you will note that the enable secret is encrypted and the 5 after enable secret identifies that it is an MD5 hash.

Here is an example to illustrate this concept:

Router# show running-config

! Last configuration change at 14:34:43 MST Wed Jul 16 2003
! NVRAM config last updated at 14:34:44 MST Wed Jul 16 2003
!
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret 5 $1$oeJp$08vrQkQWGgsz5S5h.VqQe/
!

Figure 3.2 shows how the enable secret password appears in a show running-config command.

If you forget your enable secret password, the only way to access the router's privilege EXEC mode would be by doing a password recovery. Different Cisco routers have different ways of doing password recovery. You can get information on password recovery by doing a search on the keywords "password recovery" on http://www.cisco.com. Always use the enable secret command instead of the older enable password command; enable password uses a very week encryption algorithm.

Figure 3.2Figure 3.2 Displaying the enable secret password command output in a show running-config command.

Securing Console Access Using a Console Password

A Cisco router's console port is the most important port on the device. Password recovery on the router can only be done using the console port. This port can be used to access the ROMMON mode on the router as well. The console port allows a hard break signal that interrupts the boot sequence of the router. You can issue the break sequence on a router within 60 seconds of the reboot, and it gives complete access to the user issuing this command.

Cisco routers are vulnerable if you have physical access to the devices. However, if someone is trying to access the console port of the router remotely, you can apply an additional layer of security by prompting the user for a password.

Here is how you protect the console port on the router:

Router> enable
Router# configure terminal
Router(config)# line console 0
Router(config-line)# password Ciscorocks123
Router(config-line)# login
Router(config-line)# end
Router#

Figure 3.3 shows how to configure password protection on the console port of a router.

Figure 3.3Figure 3.3 Configuring a password on the console port of a router.

Remember, to assign a password to the console port of the router, you first have to access the global configuration mode of the router. Once in the global configuration mode, you access the console port by issuing the line console 0 command. Remember, the console port is always 0 because there is only one console port on every Cisco device, and Cisco starts its numbering of the ports with 0:

Router> enable
Router# configure terminal
Router(config)# line console 0

Once in the line configuration mode, you issue the password command followed by the password. This password by default is not encrypted:

Router(config-line)# password Ciscorocks123

Once you issue the password command, you issue the login command. The login command tells the router to ask for the password when someone is typing to access the router using the console port:

Router(config-line)# login

When you do a show running-config on the router, you note that the password is not encrypted. This output is truncated to fit the page; however, you must note that the line console information is always at the bottom of the configuration:

Router# show running-config
!
line con 0
 login
 password Cisco123
line aux 0
line vty 0 4
!
end

Securing VTY Access Using a Telnet Password

By default, all Cisco routers support up to five simultaneous Telnet sessions, and by default, no passwords are assigned to these Telnet or VTY lines. There is built-in security on the VTY lines that mandates the use of passwords to access the router via a Telnet session. If a Telnet session is initiated to a router that does not have a password assigned to the VTY lines, the following message appears on the screen:

telnet 172.31.100.11

Trying...
Connected to 172.31.100.11
Escape character is '^]'.
Password required, but not set
Connection closed by remote host

Figure 3.4 shows how Telnet behaves when there is no password and login assigned to the VTY lines.

Figure 3.4Figure 3.4 Displaying the Telnet behavior when no password is assigned to the VTY lines.

Essentially, no Telnet sessions are allowed to the router. This measure is good security, but it disallows everyone to access the router, even the legitimate user. To remotely manage the routers using Telnet, it is imperative that you assign a password to the VTY lines.

Here is how you protect the Telnet lines on the router:

Router> enable
Router# configure terminal
Router(config)# line vty 0 4
Router(config-line)# password VtyLines123
Router(config-line)# login
Router(config-line)# end
Router#

In this example, the configuration logic is the same as that for the console port. The only difference is the following line:

Router(config)# line vty 0 4

This line can be interpreted as follows: As we said earlier, by default, Cisco routers allow up to five simultaneous Telnet sessions, and in the Cisco world, all counting begins with 0. Hence, 0 4 would give you five Telnet lines.

In the example, the password VtyLines123 is assigned to all five VTY lines. You can assign separate passwords to each and every line. However, managing the passwords becomes an administrative nightmare.

You should consider a few guidelines when configuring VTY access to the router:

  • If there is no password set on the router to access the privilege EXEC mode, you will not be able to access the privilege EXEC mode of the router via the Telnet session.

  • Telnet transmits and receives all data in cleartext, even the passwords. To provide additional security in this aspect, you can use Secured Shell (SSH) or administer the router via an IPSec tunnel. You can provide additional security by using access lists to manage administrative access to the routers from specific IP addresses. Remember, Cisco routers work with SSH1 only.

  • Make sure you have a password assigned to the VTY lines of the router; otherwise, no one will be able to access the router via Telnet.

Our recommendation: Do not use Telnet, use SSH instead. SSH encrypts all data flowing between you and the router, thus providing high-level security.

CAUTION

Cisco supports SSH1 only.

The aux port on the router is another way you can gain access to the router. You can protect the aux port on the router by assigning a password to it. Here is how you accomplish the task:

Router> enable
Router# configure terminal
Router(config)# line aux 0
Router(config-line)# password ProtectAux0
Router(config-line)# login
Router(config-line)# end
Router#

In this example, every time a user accesses the router via the aux port, he or she will be prompted for a password.

If you are not using the aux port on the router, you can disable it by issuing the following command:

Router(config)# line aux 0
Router(config-line)# no exec

Figure 3.5 shows how to disable the aux port if it is not being used.

Figure 3.5Figure 3.5 Disabling the aux port.

The no exec command disables all EXEC sessions to the router via that port. Do not issue this command on the console port of the router because it will disallow all exec sessions to the router's console port.

Encrypting All Passwords on the Router

By default, only the enable secret password is encrypted. To encrypt all other passwords configured on the router, issue the following command in global configuration mode:

Router(config)# service password-encryption

In Figure 3.6, the administrator is encrypting all the passwords except the enable secret password.

Figure 3.6Figure 3.6 Configuring the service password-encryption command.

The service password-encryption command uses a Cisco proprietary Vigenere cipher to encrypt all other passwords on the router except the enable secret password (which uses MD5). The Vigenere cipher is easy to break, and if you do a show running-config on the router, it appears as follows:

line con 0
 password 7 110A1016141D
 logging synchronous
 login
 transport input none

Figure 3.7 shows the password parameters after configuring the service password-encryption command.

The number 7 after the keyword password indicates that the password has been encrypted using the Vigenere cipher. This command does not change the fact that the Vigenere cipher can be cracked. In fact, you can download the GETPASS utility, which will decrypt the Vigenere cipher for you.

Figure 3.7Figure 3.7 Output of the service password-encryption command.

Configuring Session Activity Timeouts

You can also control access to the router by configuring activity timeouts. You can use the exec-timeout command to accomplish this task. Here is an example of the configuration:

line console 0
 exec-timeout 5 0
 end

In Figure 3.8, the administrator is configuring the exec timeout value for the console port on a router.

Figure 3.8Figure 3.8 Configuring the enable timeout value for the console port on a router.

This command sets the no activity timeout to 5 minutes. Setting a lower activity timeout automatically locks up the console once the timeout expires.

CAUTION

You can use the exec-timeout command to configure an activity timeout on the routers.

Configuring Access Levels on the Router

You can configure access levels on the routers so the junior administrators do not have complete access to the router. Cisco routers have 16 different privilege levels that you can configure. The 16 levels range from 0 to 15, where 15 is equal to full access. You can customize levels 2 to 15 to provide monitoring abilities to the secondary administrators. Here is a sample configuration for privilege levels on the router:

Central(config)#username junioradmin privilege 3 password 0 s3cUr!tY 
.
.
. 
Central(config)#privilege exec level 3 ping
Central(config)#privilege exec level 3 traceroute
Central(config)#privilege exec level 3 show ip route

Central(config-line)#line vty 0 4
Central(config-line)#password CisC0r0cK5
Central(config-line)#login local 

Figure 3.9 displays the configuration of a privilege level for specific commands and applying local authentication to the VTY lines. Notice that in addition to the login local command a password is configured on the VTY lines. However, users will need to use the local router database to log in to the VTY lines because the login local command takes precedence over the password command.

Looking at this config, whenever junioradmin logs into the router, he or she is allowed only three commands: ping, traceroute, and show ip route. Using the privilege command, you can provide another layer of security to your network backbone.

Figure 3.9Figure 3.9 Configuring Privilege Level and Local Authentication.

Configuring Routers with a Statutory Warning

It is imperative that you configure a statutory warning on all your networking devices that clearly states the repercussions of attempting to log on to an unauthorized system. You can achieve this by using various banner messages:

  • banner exec—You can use this command to specify a message that appears when an EXEC process is initiated.

  • banner motd—You can use this command to enable a message of the day for your admins and team.

  • banner login—You can use this command to enable messages that appear before username and password prompts.

You can configure a few more banner messages on routers to ensure that you get the word out that unauthorized users will be prosecuted.

Just an FYI: Do not use such phrases as "Welcome to the ABC Network" because they can create a loophole that a hacker can use to avoid legal action. We highly recommend that you consult your legal department to come up with the correct verbiage.

Securing SNMP

SNMP is one of the most exploited protocols and can be used to gain administrative access to Cisco routers by establishing communication between a router's internal SNMP agent and management information base (MIB). SNMP uses community strings that act as the passwords to access the routers. Whenever you are setting up SNMP community strings, make sure you know which strings will have read-only access; which ones will have read-write access; and, most of all, which systems will be allowed SNMP access via ACLs.

CAUTION

SNMP version 3 supports MD5 and Secure Hash Algorithm 1 (SHA-1) authentication.

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020