Tutorial

Securing the router

Any good CCNA technician will be able to configure a router to only allow certain people to access it and only allow certain traffic to pass through from your network to the Internet or vice versa.

FOR THE EXAM: You will not be specifically questioned on security issues on the CCNA exam but you will be expected to be able to carry out some simple measures to make it more difficult for people to access your router.


Passwords


Do you want just anybody to access your router? Perhaps you want only a handful of people to be able to log onto the router and a few others to be able to remotely connect to the router and administer it in cases of emergency. Logical router access needs to be protected from internal staff and external intruders.

Enable Password


Protecting privileged mode (or enable mode) on your router is a very important thing to do and very straight forward. When any person attempts to enter privileged mode from user exec mode they will be prompted for a password.

Router>
Router>enable
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable password $%kk12ER
Router(config)#disable
Router>
Password:
Router#

By default, the enable password can be seen when any user looks at the running configuration of the router. You probably do not want this to happen.

Router#sh run
01:34:42: %SYS-5-CONFIG_I:

    Requires Free Membership to View

    Login

Configured from console by console
Building configuration...

Current configuration : 813 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable password $%kk12ER

You can take off the enable password by entering a 'no' in front of the command again.

IN THE REAL WORLD: Most commands on a router can be shortened to save time and effort. In the exam unfortunately, a lot of the shortened commands will not work since you will be working on a router simulator. Practise the long versions for the exam but then in the real world always use the shortened commands to save time.

Enable Secret Password


Router#conf t <- Short for configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#no enable password <- Take off the enable password
Router(config)#
Router(config)#
Router(config)#enable secret l?cCas£%
Router(config)#exit
Router#disable
01:32:39: %SYS-5-CONFIG_I: Configured from console by console
Router>enable
Password:
Router#

You can see that when a 'show running-configuration' command is issued the enable secret password is encrypted. Only the relevant part of the configuration is shown.

Router#show run <- Short for show running-configuration
Building configuration...

Current configuration : 838 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$F3Dy$w0mwxVmJ79Ug9pK/snpRe/ <- MD5 algorithm

The number 5 after the enable secret stands for level 5 encryption which uses something called the MD5 algorithm. This is harder to crack than level 7.

IN THE REAL WORLD: Cisco advise users to use the enable secret method of securing their routers. The 'service password-encryption' method is less secure and cracker programs are available on the internet to break these.

http://www.cisco.com/warp/public/701/64.html

IN THE REAL WORLD: Never use an obvious word for your passwords. You could be made subject of a dictionary attack which will crack your password in minutes.

You can actually encrypt all of the passwords on the router with the 'service password-encryption' command.

Router(config)#
Router(config)#
Router(config)#enable password @&%ghFR
Router(config)#service pas
Router(config)#service password-encryption
Router(config)#exi
Router#show run
Building configuration...

Current configuration : 819 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable password 7 070724404206 <-Weaker 'reversible' algorithm

Auxiliary Password


In order to protect connections through your aux port you will need to assign a password to it. Note that when you configure a port the router drops into something called 'config-line'.

Router#
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line aux ?
<0-0> First Line number

Router(config)#line aux 0
Router(config-line)#login <- Config-line mode
Router(config-line)#password l#2$mMw23
Router(config-line)#^Z
Router#

The 'login' command is very important, it tells the router to ask the user for a password. The command 'login local' tells the router to check a username and password you have configured on the router itself. You can put a server on the network which does the job of authenticating all the users.

Telnet Password


In order to connect to your router over the internet or remotely you may want to telnet to it. In order to allow telnet sessions you need to have a password set on the telnet port. Telnet ports are not physically there, you will normally telnet via the serial port and a virtual terminal (known as vty) will be opened. The number of available ports depends upon your model of router.

RouterA#
RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#line vty ?
<0-4> First Line number

RouterA(config)#line vty 0 4 <- There are 5 vty ports on this router 0-4 inclusive
RouterA(config-line)#login
RouterA(config-line)#password Uu&%p@#
RouterA(config-line)#^Z

Now I can telnet to Router A from Router B:

RouterB#
RouterB#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification

Password:
RouterA>
RouterA>
RouterA>enable
Password:
RouterA# <- I am now connected to Router A from Router B
RouterA#exit

[Connection to 192.168.1.1 closed by foreign host]
RouterB#

Console Password


It is very important to protect your console port on the router. If not, any person who can get physical access to the router will be able to reconfigure it and reboot it.

RouterA#
RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#line console ?
<0-0> First Line number

RouterA(config)#line console 0
RouterA(config-line)#login
RouterA(config-line)#password hello
RouterA(config-line)#
RouterA(config-line)#exit
RouterA(config)#exit
RouterA#
02:15:43: %SYS-5-CONFIG_I: Configured from console by console
RouterA#

Banner Messages


You can configure the router to show a warning message when a user logs or telnets into the router. Administrators normally enter some sort of legal notice. You have to enter the command 'banner motd ='. The = could be any character you choose but when you type that character it tells the router that you have finished typing the banner so don't choose a letter from the alphabet.

RouterA(config)#banner motd =
Enter TEXT message. End with the character '='.

Unauthorized access to this network will result in prosecution
=
RouterA(config)#
RouterA(config)#

Now I telnet to Router A from Router B.

RouterB>en
RouterB#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

Unauthorized access to this network will result in prosecution

User Access Verification

Password:


The people at FreeSkills.com were nice enough to share one of their many free tutorials with us in order to make "Securing the router" available to SearchNetworking.com readers. FreeSkills.com has more than 400 free tutorials and many reasonably-priced courses available for different IT subjects. We recommend you stop by and visit this wonderful resource!


This was first published in July 2004

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top