Securing the router


FreeSkills.com
07.15.2004


Any good CCNA technician will be able to configure a router to only allow certain people to access it and only allow certain traffic to pass through from your network to the Internet or vice versa.

FOR THE EXAM: You will not be specifically questioned on security issues on the CCNA exam but you will be expected to be able to carry out some simple measures to make it more difficult for people to access your router.


Passwords


Do you want just anybody to access your router? Perhaps you want only a handful of people to be able to log onto the router and a few others to be able to remotely connect to the router and administer it in cases of emergency. Logical router access needs to be protected from internal staff and external intruders.

Enable Password


Protecting privileged mode (or enable mode) on your router is very important and very straightforward. When any person attempts to enter privileged mode from user exec mode, they will be prompted for a password.

Router>
Router>enable
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable password $%kk12ER
Router(config)#disable
Router>
Password:
Router#

By default, the enable password can be seen when any user looks at the running configuration of the router. You probably do not want this to happen.

Router#sh run
01:34:42: %SYS-5-CONFIG_I: Configured from console by console
Building configuration...

Current configuration : 813 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable password $%kk12ER

You can remove the enable password by entering the same command again with 'no' in front of it.

IN THE REAL WORLD: Most commands on a router can be shortened to save time and effort. In the exam unfortunately, a lot of the shortened commands will not work since you will be working on a router simulator. Practise the long versions for the exam but then in the real world always use the shortened commands to save time.

Enable Secret Password


Router#conf t <- Short for configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#no enable password <- Take off the enable password
Router(config)#
Router(config)#
Router(config)#enable secret l?cCas£%
Router(config)#exit
Router#disable
01:32:39: %SYS-5-CONFIG_I: Configured from console by console
Router>enable
Password:
Router#

You can see that when a 'show running-configuration' command is issued, the enable secret password is encrypted. Only the relevant part of the configuration is shown.

Router#show run <- Short for show running-configuration
Building configuration...

Current configuration : 838 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$F3Dy$w0mwxVmJ79Ug9pK/snpRe/ <- MD5 algorithm

The number 5 after the enable secret stands for level 5 encryption, which uses the MD5 algorithm. This is harder to crack than level 7.

IN THE REAL WORLD: Cisco advise users to use the enable secret method of securing their routers. The 'service password-encryption' method is less secure, and cracker programs that break these passwords are available on the internet.

http://www.cisco.com/warp/public/701/64.html

IN THE REAL WORLD: Never use an obvious word for your passwords. You could be made subject of a dictionary attack which will crack your password in minutes.

You can actually encrypt all of the passwords on the router with the 'service password-encryption' command.

Router(config)#
Router(config)#
Router(config)#enable password @&%ghFR
Router(config)#service pas
Router(config)#service password-encryption
Router(config)#exi
Router#show run
Building configuration...

Current configuration : 819 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable password 7 070724404206 <- Weaker 'reversible' algorithm

Auxiliary Password


In order to protect connections through your aux port you will need to assign a password to it. Note that when you configure a port the router drops into something called 'config-line'.

Router#
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line aux ?
<0-0> First Line number

Router(config)#line aux 0
Router(config-line)#login <- Config-line mode
Router(config-line)#password l#2$mMw23
Router(config-line)#^Z
Router#

The 'login' command is very important: it tells the router to ask the user for a password. The command 'login local' tells the router to check against a username and password you have configured on the router itself. Alternatively, you can put a server on the network which does the job of authenticating all the users.

Telnet Password


In order to connect to your router over the internet or remotely, you may want to telnet to it. To allow telnet sessions you need to have a password set on the telnet port. Telnet ports are not physically there; you will normally telnet via the serial port, and a virtual terminal (known as a vty) will be opened. The number of available ports depends upon your model of router.

RouterA#
RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#line vty ?
<0-4> First Line number

RouterA(config)#line vty 0 4 <- There are 5 vty ports on this router 0-4 inclusive
RouterA(config-line)#login
RouterA(config-line)#password Uu&%p@#
RouterA(config-line)#^Z

Now I can telnet to Router A from Router B:

RouterB#
RouterB#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification

Password:
RouterA>
RouterA>
RouterA>enable
Password:
RouterA# <- I am now connected to Router A from Router B
RouterA#exit

[Connection to 192.168.1.1 closed by foreign host]
RouterB#

Console Password


It is very important to protect your console port on the router. If not, any person who can get physical access to the router will be able to reconfigure it and reboot it.

RouterA#
RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#line console ?
<0-0> First Line number

RouterA(config)#line console 0
RouterA(config-line)#login
RouterA(config-line)#password hello
RouterA(config-line)#
RouterA(config-line)#exit
RouterA(config)#exit
RouterA#
02:15:43: %SYS-5-CONFIG_I: Configured from console by console
RouterA#

Banner Messages


You can configure the router to show a warning message when a user logs in to or telnets to the router. Administrators normally enter some sort of legal notice. You have to enter the command 'banner motd ='. The = could be any character you choose, but typing that character tells the router that you have finished typing the banner, so don't choose a letter from the alphabet.

RouterA(config)#banner motd =
Enter TEXT message. End with the character '='.

Unauthorized access to this network will result in prosecution
=
RouterA(config)#
RouterA(config)#

Now I telnet to Router A from Router B.

RouterB>en
RouterB#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

Unauthorized access to this network will result in prosecution

User Access Verification

Password:
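As an added example (not part of the FreeSkills tutorial), the following Python script audits a saved running-config for the settings covered in the sections above: a missing enable secret, a leftover enable password, 'service password-encryption' turned off, type 7 (reversible) passwords, and console/aux/vty lines where 'password' or 'login' is missing. The sample configuration inside it is constructed to mirror the transcripts above.

```python
# Added example (not from the original tutorial): audit a Cisco IOS
# running-config for the weak settings the page discusses.

# Constructed sample config that mixes the page's good and bad settings.
SAMPLE_CONFIG = """\
no service password-encryption
enable password 7 070724404206
enable secret 5 $1$F3Dy$w0mwxVmJ79Ug9pK/snpRe/
line con 0
 password hello
 login
line aux 0
 password l#2$mMw23
line vty 0 4
 login
"""

def line_blocks(config):
    """Map each 'line ...' section to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    top = [l.strip() for l in config.splitlines() if not l.startswith(" ")]
    if "no service password-encryption" in top:
        findings.append("service password-encryption is off: line passwords are stored in clear text")
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("no enable secret: privileged mode relies on the weaker enable password")
    elif any(l.startswith("enable password ") for l in top):
        findings.append("enable password still set next to enable secret: remove it with 'no enable password'")
    for l in config.splitlines():
        if "password 7 " in l:  # type 7 is reversible, not a real hash
            findings.append(f"type 7 (reversible) password: {l.strip()}")
    for name, cmds in line_blocks(config).items():
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        has_pw = any(c.startswith("password ") for c in cmds)
        if has_login and not has_pw:
            findings.append(f"{name}: 'login' set but no password configured")
        elif has_pw and not has_login:
            findings.append(f"{name}: password set but 'login' missing, so it is never requested")
    return findings
```

Running audit(SAMPLE_CONFIG) flags five issues, while a config with 'service password-encryption', only an 'enable secret' and every line carrying both 'password' and 'login' returns an empty list.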



The people at FreeSkills.com were nice enough to share one of their many free tutorials with us in order to make "Securing the router" available to SearchNetworking.com readers. FreeSkills.com has more than 400 free tutorials and many reasonably-priced courses available for different IT subjects. We recommend you stop by and visit this wonderful resource!


