If you talk about basic router security, you discuss how to protect the router itself from being accessed by unauthorized persons. For example, a router could be configured to protect the network behind it, but an intruder could access the router easily because of the weak passwords that were used or some services the administrator forgot to turn off. In this case, the network behind that router is no longer safe because the intruder can easily change the router's configuration to gain access to the network behind it.
This section describes how to configure secure administrative access to Cisco routers. Configuring this access is an extremely important security task. Otherwise, an unauthorized person could alter the routing parameters, change access lists, and gain access to other systems in the network. To perform basic router configuration tasks, access via a console is required. A console is a terminal that is connected to the router console port and can be either a dumb terminal or a PC running terminal emulation software. Consoles are just one way administrators obtain access to routers. Access can also be gained by Telnet, Hypertext Transfer Protocol (HTTP), and Simple Network Management Protocol (SNMP) if these services are turned on (see Chapter 11, "Remote Access"). Keep in mind that Telnet and HTTP send the password across the network in clear text, so anyone who can capture the traffic learns it.

Passwords should be as strong as possible. Never use dictionary words, birthdays, or names that are easy to guess. Most companies have creation rules for passwords in their security policies, such as how often a password must change and which characters have to be used in passwords.
There are two commands available to configure a privileged-mode password on a Cisco router:

enable password password
enable secret secret
If both commands are configured, the enable password is ignored and only the enable secret is used. Using enable secret is more secure than using enable password because enable secret stores only a hash of the password in the router configuration file, whereas enable password stores the password itself in clear text (or in the reversible type 7 form described later in this section). The hash is produced by a salted hashing algorithm based on MD5 and is marked with the number 5 in the configuration. When looking at the configuration file after using the enable secret command, you see only the hash and not the password anymore, as shown in Example 8-1. Note that an MD5 hash can still be attacked offline by anyone who obtains a copy of the configuration, so the secret must be long and not guessable; newer Cisco IOS releases also offer the stronger type 8 (PBKDF2-SHA-256) and type 9 (scrypt) hashes through the enable algorithm-type command, and those should be preferred where the software supports them.
Tokyo#show running-config
Building configuration...

Current configuration : 2394 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Tokyo
!
no logging console
enable secret 5 $1$Y82T$u.8TyPS9Ne9kFs3hhABF..
...
NOTE
If you forget the enable secret or the enable password, you can no longer enter privileged mode and therefore cannot configure the router. The only solution is the password-recovery procedure, which requires physical access to the console port and a reload of the router. This is also why physical access to routers must be controlled: anyone with console access can use the same procedure to reset the passwords. More information on password recovery can be found at the following URL:
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a00801746e6.l
By default, the console port does not have a password configured. An administrator should always configure a console password by using the following commands in configuration mode (the password cisco is used here only for illustration; never use it on a real router):

Tokyo#conf t
Tokyo(config)#line console 0
Tokyo(config-line)#password cisco
Tokyo(config-line)#login
Cisco routers also support multiple Telnet sessions, five simultaneous sessions by default (more can be configured). Each session is serviced by a logical virtual type terminal (VTY) line. By default, Cisco routers do not have any user-level password configured for these VTY lines. If an administrator does not configure a password on the VTY lines, no access to the router is available via Telnet, and you encounter an error message similar to the one in Example 8-2.
Brussels#telnet 10.10.10.1
Trying 10.10.10.1 ... Open

Password required, but none set
[Connection to 10.10.10.1 closed by foreign host]
Brussels#
To configure a VTY password, the following commands can be used (again, cisco is only a placeholder):

Tokyo#configure terminal
Tokyo(config)#line vty 0 4
Tokyo(config-line)#password cisco
Tokyo(config-line)#login
Notice that in the sample configuration, the password is configured for all five VTY lines at once (line vty 0 4). The lines can also be configured one by one, but that is not recommended: there is always a chance that you forget one line and thereby open a security hole, because an incoming Telnet connection is assigned to the first free VTY line, whichever that is. Some platforms and IOS images have more than five VTY lines (for example, vty 5 15); use show line to see how many exist and make sure every one of them has a password and login configured.
Some routers also have an auxiliary port that is sometimes used by administrators to remotely configure and monitor the router using a dialup modem connection. Setting a password on this port is one of several steps that have to occur when configuring this port for remote dialup. This process is beyond the scope of this book. For more information on this topic, check this URL:
http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080094bbc.l
Example 8-3 shows the configuration of a router where the enable and all the user-level passwords are configured.
Brussels#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Brussels(config)#enable secret YsnktFp
Brussels(config)#line con 0
Brussels(config-line)# exec-timeout 0 0
Brussels(config-line)# password c0npa55
Brussels(config-line)# login
Brussels(config-line)#line aux 0
Brussels(config-line)# exec-timeout 3 30
Brussels(config-line)# password au6pa55
Brussels(config-line)# login
Brussels(config-line)#line vty 0 4
Brussels(config-line)# exec-timeout 5 0
Brussels(config-line)# password vt1pa55
Brussels(config-line)# login
Brussels(config-line)#!
Brussels(config-line)#end
Brussels#
By default, an administrative session stays active for 10 minutes after the last activity. After that, the line times out and the session is logged out. It is recommended that you fine-tune these timers with the exec-timeout command in line configuration mode for each of the line types used. You specify how long a user may be inactive as minutes and seconds after the exec-timeout keyword, as you can see in Example 8-4, which displays the configuration file of a router with passwords assigned to the console, AUX, and VTY lines and an enable secret.
Brussels#show running-config
Building configuration...

Current configuration : 701 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Brussels
!
enable secret YsnktFp
!
interface Ethernet0/0
 ip address 10.10.10.2 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface TokenRing0/0
 no ip address
 shutdown
!
interface Serial0/1
 no ip address
 shutdown
!
ip classless
ip http server
!
line con 0
 exec-timeout 0 0
 password c0npa55
 login
line aux 0
 exec-timeout 3 30
 password au6pa55
 login
line vty 0 4
 exec-timeout 5 0
 password vt1pa55
 login
!
end
The console port has an exec-timeout of 0 0, which means that it never times out. Be careful with this setting: whoever reaches an unattended console session inherits the administrator's access. All router passwords are stored in clear-text form by default, as you can see in Example 8-4, with the exception of the enable secret. (The listing reproduces the secret as it was typed; on a real router, show running-config prints it as enable secret 5 followed by the MD5 hash, as in Example 8-1.) These passwords can also be seen by a network monitor if your configuration file traverses the network, for example during a TFTP backup or when the configuration is displayed over a Telnet session. By using the service password-encryption command, all line passwords are obfuscated with a proprietary Cisco algorithm, indicated by the number 7 in front of the password when viewing the configuration file, as seen in Example 8-5. Type 7 is far weaker than the MD5 hash used for the enable secret: it is a reversible encoding with a fixed key, and freely available tools turn a type 7 string back into the clear-text password instantly. It protects only against someone reading a password over your shoulder; treat a configuration file that contains type 7 passwords as if it contained the clear-text passwords.
line con 0
 exec-timeout 0 0
 password 7 121A5519020A5951
 login
line aux 0
 exec-timeout 3 30
 password 7 094D5B5F09044247
 login
line vty 0 4
 exec-timeout 5 0
 password 7 0210100A1B075A74
 login
!
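The reversibility of type 7 can be shown directly. The following Python script is an added example, not code from the book or from Cisco: it implements the publicly known type 7 algorithm and runs it over the three password lines of Example 8-5, recovering the passwords that were configured in Example 8-3. The key string is the constant built into IOS; the encode_type7 helper, its seed range, and the recover_type7_passwords scanner are conveniences of this example, not an IOS interface.

```python
"""Decode and encode Cisco IOS "type 7" passwords.

Added example for this chapter, not code from the book or from Cisco.
Type 7 is not encryption in any useful sense: every IOS image uses the
same fixed key, which has been public for decades, so anyone who reads a
configuration (from a TFTP backup, a Telnet capture, or show running-config)
recovers the line passwords immediately. The sample lines below are the
ones printed in Example 8-5.
"""
import re

# Fixed XOR key built into IOS for type 7 (public knowledge, not a secret).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Two decimal seed digits followed by one hex byte per password character.
TYPE7_FORMAT = re.compile(r"^(?P<seed>[0-9]{2})(?P<body>(?:[0-9A-Fa-f]{2})+)$")

# Configuration commands whose argument after the "7" is a type 7 password.
TYPE7_LINE = re.compile(
    r"^\s*(?P<cmd>password|enable password|username\s+\S+\s+password)"
    r"\s+7\s+(?P<enc>[0-9A-Fa-f]+)\s*$"
)


def decode_type7(encoded: str) -> str:
    """Return the clear-text password stored as a type 7 string.

    The first two digits are a starting offset (seed) into TYPE7_KEY; each
    following hex byte is the password character XORed with the key byte at
    (seed + position) modulo the key length.
    """
    m = TYPE7_FORMAT.match(encoded)
    if m is None:
        raise ValueError("not a well-formed type 7 string: %r" % encoded)
    seed = int(m.group("seed"))
    body = bytes.fromhex(m.group("body"))
    plain = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 0) -> str:
    """Produce the type 7 string IOS would store for `plain` with the given seed.

    XOR is its own inverse, so this is decode_type7 run in the other direction.
    The seed range 0..15 is the one seen in IOS-generated strings (assumption
    of this example; the decoder accepts any two-digit seed).
    """
    if not 0 <= seed <= 15:
        raise ValueError("seed must be between 0 and 15")
    data = plain.encode("ascii")
    return "%02d" % seed + "".join(
        "%02X" % (p ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, p in enumerate(data)
    )


def recover_type7_passwords(config_text: str) -> list:
    """Return (section, command, clear-text) for every type 7 password in a config.

    The section is the enclosing "line ..." command, or "global" for
    enable/username passwords, so the output maps directly to Example 8-5.
    """
    found, section = [], "global"
    for line in config_text.splitlines():
        if line and not line.startswith(" ") and line.strip() != "!":
            section = line.strip() if line.startswith("line ") else "global"
        m = TYPE7_LINE.match(line)
        if m:
            found.append((section, m.group("cmd").split()[0], decode_type7(m.group("enc"))))
    return found


# Constructed from the lines shown in Example 8-5, indented as IOS prints them.
EXAMPLE_8_5 = """\
line con 0
 exec-timeout 0 0
 password 7 121A5519020A5951
 login
line aux 0
 exec-timeout 3 30
 password 7 094D5B5F09044247
 login
line vty 0 4
 exec-timeout 5 0
 password 7 0210100A1B075A74
 login
!
"""

if __name__ == "__main__":
    for section, cmd, clear in recover_type7_passwords(EXAMPLE_8_5):
        print("%-12s %-9s %s" % (section, cmd, clear))
```

Running the script prints c0npa55, au6pa55, and vt1pa55 for the console, AUX, and VTY lines, exactly the passwords entered in Example 8-3, which is the whole argument for treating type 7 as clear text.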
Another useful feature is the banner. A banner does not protect the router from intruders, but it warns anyone who connects that the device is for authorized users only.

To enter a banner in configuration mode, use the following command:
banner {exec | incoming | login | motd | slip-ppp} d message d
Table 8-1 describes the keywords and arguments you can use when configuring a banner.
Command | Description |
---|---|
banner exec | Specifies a message to be displayed when an EXEC process is created (a line is activated or an incoming connection is made to a VTY line). |
banner incoming | Specifies a message used when you have an incoming connection to a line from a host on the network. |
banner login | Specifies a message to be displayed before the username and password login prompts. |
banner motd | Specifies and enables a message-of-the-day (MOTD) banner. |
banner slip-ppp | Specifies and enables a banner to be displayed when a Serial Line Interface Protocol (SLIP) or PPP connection is made. |
d | Represents a delimiting character of your choice (for example, a pound sign #). You cannot use the delimiting character in the banner message. |
message | Represents message text. A few tokens can be used in the message text and are expanded when the banner is displayed: $(hostname) for the router host name, $(domain) for its domain name, $(line) for the VTY or TTY line number, and $(line-desc) for the description attached to the line. |
Example 8-6 provides the commands needed to configure the banner and what is displayed when someone uses Telnet to access the router.

Brussels#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Brussels(config)#banner exec #
Enter TEXT message. End with the character '#'.
WARNING: You are connected to $(hostname) on the XYZ, Incorporated network
#
Brussels(config)#banner motd #
Enter TEXT message. End with the character '#'.
This is just a sample message...
#
Brussels(config)#exit
Brussels#

Tokyo#telnet 10.10.10.2
Trying 10.10.10.2 ... Open

This is just a sample message...

User Access Verification

Password:
WARNING: You are connected to Brussels on the XYZ, Incorporated network
Brussels>

Note the order in the Telnet session: the MOTD banner (like a login banner) is shown before the password prompt, so whatever it contains is visible to anyone who can reach the port, authenticated or not. The EXEC banner, with $(hostname) expanded to Brussels, appears only after a successful login. Keep pre-login banners to the authorized-use warning and avoid identifying the device, its software, or its owner there.
Cisco routers run several services that may or may not be required in a given network. Network security can be greatly improved by turning them off or at least restricting access to them. One of the most basic rules of router security is to run only the services that are really necessary and no more. Leaving unused network services enabled increases the possibility of those services being used maliciously. The services in the list that follows were enabled by default on the router used for these examples.
NOTE
By default, the services that are enabled on a router differ based on the Cisco IOS version that router is running. For this example, Cisco IOS version 12.2 was used.
BOOTP server This service allows a router to act as a BOOTP server for other routers. This is rarely required and should be disabled. Use the following command to disable this service:
Brussels(config)#no ip bootp server
Cisco Discovery Protocol (CDP) This is primarily used to obtain protocol addresses of neighboring devices and the platforms on which they run. CDP is media- and protocol-independent and runs on all Cisco equipment, including routers, switches, and access servers. Because CDP periodically advertises the device's platform, software version, and addresses to everything on the adjacent segment, it hands useful reconnaissance data to anyone who can listen there, so disable it wherever it is not needed. Use the following commands to disable CDP:

Brussels(config)#no cdp run
Brussels(config-if)#no cdp enable

The first command disables CDP globally, and the second disables it on a per-interface basis.
DNS lookup By default, Cisco routers broadcast name requests to 255.255.255.255 for any name they need to resolve. If name resolution is needed, make sure that the proper DNS server address is configured with ip name-server so that requests go to a known server. Otherwise, use the following command to turn off DNS lookups:
Brussels(config)#no ip domain-lookup
HTTP server The default setting for this service depends on the platform; the router in Example 8-4 has ip http server enabled. This service enables a network administrator to view and modify the configuration using a web browser, with the credentials sent across the network in clear text. You should disable this service if it is not in use by using the following command:
Brussels(config)#no ip http server
ICMP redirect This feature makes the router send an ICMP redirect packet when it is forced to resend a packet through the same interface on which it was received. Redirects reveal routing details that can be used to map the network and should be turned off on interfaces to untrusted networks. This can be disabled per interface using the following command:
Brussels(config-if)#no ip redirects
This is only a selection of the many services that run on a router. Make sure that you use only what you need to run a network and that everything else is turned off.
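To tie the line-password and exec-timeout settings of Examples 8-3 and 8-4 together with the service checklist above, the following Python script is an added example, not the book's or Cisco's code. It parses the text of show running-config, reports the weak settings in an abridged copy of Example 8-4, and reports nothing for a constructed hardened configuration that applies this section's recommendations. The check names and finding messages are this example's own; the hash in the hardened sample is copied from Example 8-1 only to show the stored form.

```python
"""Audit a Cisco IOS running-config against this chapter's recommendations.
Added example, not the book's or Cisco's code. WEAK_CONFIG is abridged from
Example 8-4 (its enable secret is shown as typed; a real router prints a type 5
hash); HARDENED_CONFIG is a constructed configuration applying every
recommendation above. Service defaults vary by IOS version, so a missing
"no ..." command is reported as "not explicitly disabled", not as "running"."""

WEAK_CONFIG = """\
no service password-encryption
hostname Brussels
enable secret YsnktFp
!
interface Ethernet0/0
 ip address 10.10.10.2 255.255.255.0
 half-duplex
!
ip http server
!
line con 0
 exec-timeout 0 0
 password c0npa55
 login
line vty 0 4
 exec-timeout 5 0
 password vt1pa55
 login
!
end
"""

HARDENED_CONFIG = """\
service password-encryption
no ip bootp server
no ip domain-lookup
no cdp run
hostname Brussels
enable secret 5 $1$Y82T$u.8TyPS9Ne9kFs3hhABF..
!
interface Ethernet0/0
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
!
no ip http server
!
line con 0
 exec-timeout 5 0
 password 7 121A5519020A5951
 login
line vty 0 4
 exec-timeout 5 0
 password 7 0210100A1B075A74
 login
!
end
"""

# Services from this chapter that should be explicitly turned off.
SERVICE_OFF = ("no ip bootp server", "no cdp run", "no ip domain-lookup")


def parse_config(text):
    """Return (global_cmds, sections): the unindented commands in order, and for
    each of them the subcommands IOS prints indented beneath it ("!" ends one)."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            current = None
        elif raw.startswith(" ") and current is not None:
            sections[current].append(cmd)
        else:
            current = cmd
            global_cmds.append(cmd)
            sections[cmd] = []
    return global_cmds, sections


def audit(text):
    """Return one finding string per problem; an empty list means nothing was found."""
    global_cmds, sections = parse_config(text)
    present, findings = set(global_cmds), []
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append("global: no enable secret configured")
    if any(c.startswith("enable password ") for c in global_cmds):
        findings.append("global: enable password set; stored clear-text or type 7, ignored when a secret exists")
    if "service password-encryption" not in present:
        findings.append("global: service password-encryption not set; line passwords stored in clear text")
    if "ip http server" in present:
        findings.append("global: ip http server enabled")
    findings += ["global: '%s' not set; service may be running (default depends on IOS version)" % c
                 for c in SERVICE_OFF if c not in present]
    for header, sub in sections.items():
        if header.startswith("line "):
            if not any(s == "login" or s.startswith("login ") for s in sub):
                findings.append("%s: no login command; the line password is never checked" % header)
            elif "login" in sub and not any(s.startswith("password ") for s in sub):
                findings.append("%s: login set but no password; access is refused (Example 8-2)" % header)
            timeout = [s.split()[1:] for s in sub if s.startswith("exec-timeout ")]
            if not timeout:
                findings.append("%s: no exec-timeout; the 10-minute default applies" % header)
            elif all(v == "0" for v in timeout[0][:2]):
                findings.append("%s: exec-timeout 0 0; the session never times out" % header)
        elif header.startswith("interface ") and "shutdown" not in sub and "no ip redirects" not in sub:
            findings.append("%s: ICMP redirects enabled (default); disable on untrusted interfaces" % header)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEAK_CONFIG)) or "no findings")
```

Run against WEAK_CONFIG the script reports seven findings (clear-text line passwords, the HTTP server, the three services that were never disabled, ICMP redirects on the active Ethernet interface, and the never-expiring console session); HARDENED_CONFIG yields none. Feed it the output of show running-config saved from a real router to get the same report, keeping in mind that an absent "no ..." command only means the service was not explicitly disabled.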
NOTE
More information on improving security on a Cisco router can be found at the following URL: http://www.cisco.com/warp/public/707/21.pdf.