Securing the router

A good CCNA technician configures a router to only allow certain people to access it and only allow certain traffic to pass through from your network to the Internet or vice versa.

This Content Component encountered an error

Any good CCNA technician will be able to configure a router to only allow certain people to access it and only allow certain traffic to pass through from your network to the Internet or vice versa.

FOR THE EXAM: You will not be specifically questioned on security issues on the CCNA exam but you will be expected to be able to carry out some simple measures to make it more difficult for people to access your router.


Passwords




Do you want just anybody to access your router? Perhaps you want only a handful of people to be able to log onto the router and a few others to be able to remotely connect to the router and administer it in cases of emergency. Logical router access needs to be protected from internal staff and external intruders.

Enable Password





























enable password $%kk12ER





Protecting privileged mode (or enable mode) on your router is a very important thing to do and very straight forward. When any person attempts to enter privileged mode from user exec mode they will be prompted for a password. Router> Router>enable Router#config t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#enable password $%kk12ER Router(config)#disable Router> Password: Router# By default, the enable password can be seen when any user looks at the running configuration of the router. You probably do not want this to happen. Router#sh run 01:34:42: %SYS-5-CONFIG_I: Configured from console by console Building configuration... Current configuration : 813 bytes ! version 12.2 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Router ! You can take off the enable password by entering a 'no' in front of the command again. IN THE REAL WORLD: Most commands on a router can be shortened to save time and effort. In the exam unfortunately, a lot of the shortened commands will not work since you will be working on a router simulator. Practise the long versions for the exam but then in the real world always use the shortened commands to save time.

Enable Secret Password


<- Short for configure terminal

<- Take off the enable password












<- Short for show running-configuration











<- MD5 algorithm





























<-Weaker 'reversible' algorithm

Router#conf t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#no enable password Router(config)# Router(config)# Router(config)#enable secret l?cCas£% Router(config)#exit Router#disable 01:32:39: %SYS-5-CONFIG_I: Configured from console by console Router>enable Password: Router# You can see that when a 'show running-configuration' command is issued the enable secret password is encrypted. Only the relevant part of the configuration is shown. Router#show run Building configuration... Current configuration : 838 bytes ! version 12.2 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Router ! enable secret 5 $1$F3Dy$w0mwxVmJ79Ug9pK/snpRe/ The number 5 after the enable secret stands for level 5 encryption which uses something called the MD5 algorithm. This is harder to crack than level 7. IN THE REAL WORLD: Cisco advise users to use the enable secret method of securing their routers. The 'service password-encryption' method is less secure and cracker programs are available on the internet to break these. http://www.cisco.com/warp/public/701/64.html IN THE REAL WORLD: Never use an obvious word for your passwords. You could be made subject of a dictionary attack which will crack your password in minutes. You can actually encrypt all of the passwords on the router with the 'service password-encryption' command. Router(config)# Router(config)# Router(config)#enable password @&%ghFR Router(config)#service pas Router(config)#service password-encryption Router(config)#exi Router#show run Building configuration... Current configuration : 819 bytes ! version 12.2 service timestamps debug uptime service timestamps log uptime service password-encryption ! hostname Router ! enable password 7 070724404206

Auxiliary Password











<- Config-line mode






In order to protect connections through your aux port you will need to assign a password to it. Note that when you configure a port the router drops into something called 'config-line'. Router# Router#config t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#line aux ? <0-0> First Line number Router(config)#line aux 0 Router(config-line)#login Router(config-line)#password l#2$mMw23 Router(config-line)#^Z Router# The 'login' command is very important, it tells the router to ask the user for a password. The command 'login local' tells the router to check a username and password you have configured on the router itself. You can put a server on the network which does the job of authenticating all the users.

Telnet Password










<- There are 5 vty ports on this router 0-4 inclusive
















<- I am now connected to Router A from Router B





In order to connect to your router over the internet or remotely you may want to telnet to it. In order to allow telnet sessions you need to have a password set on the telnet port. Telnet ports are not physically there, you will normally telnet via the serial port and a virtual terminal (known as vty) will be opened. The number of available ports depends upon your model of router. RouterA# RouterA#config t Enter configuration commands, one per line. End with CNTL/Z. RouterA(config)#line vty ? <0-4> First Line number RouterA(config)#line vty 0 4 RouterA(config-line)#login RouterA(config-line)#password Uu&%p@# RouterA(config-line)#^Z Now I can telnet to Router A from Router B: RouterB# RouterB#telnet 192.168.1.1 Trying 192.168.1.1 ... Open User Access Verification Password: RouterA> RouterA> RouterA>enable Password: RouterA# RouterA#exit [Connection to 192.168.1.1 closed by foreign host] RouterB#

Console Password




















It is very important to protect your console port on the router. If not, any person who can get physical access to the router will be able to reconfigure it and reboot it. RouterA# RouterA#config t Enter configuration commands, one per line. End with CNTL/Z. RouterA(config)#line console ? <0-0> First Line number RouterA(config)#line console 0 RouterA(config-line)#login RouterA(config-line)#password hello RouterA(config-line)# RouterA(config-line)#exit RouterA(config)#exit RouterA# 02:15:43: %SYS-5-CONFIG_I: Configured from console by console RouterA#

Banner Messages







Unauthorized access to this network will result in prosecution










Unauthorized access to this network will result in prosecution







The people at FreeSkills.com were nice enough to share one of their many free tutorials with us in order to make "Securing the router" available to SearchNetworking.com readers. FreeSkills.com has more than 400 free tutorials and many reasonably-priced courses available for different IT subjects. We recommend you stop by and visit this wonderful resource!


You can configure the router to show a warning message when a user logs or telnets into the router. Administrators normally enter some sort of legal notice. You have to enter the command 'banner motd ='. The = could be any character you choose but when you type that character it tells the router that you have finished typing the banner so don't choose a letter from the alphabet. RouterA(config)#banner motd = Enter TEXT message. End with the character '='. = RouterA(config)# RouterA(config)# Now I telnet to Router A from Router B. RouterB>en RouterB#telnet 192.168.1.1 Trying 192.168.1.1 ... Open User Access Verification Password:
This was first published in July 2004

Dig deeper on Network Security Best Practices and Products

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSDN

SearchEnterpriseWAN

SearchUnifiedCommunications

SearchMobileComputing

SearchDataCenter

SearchITChannel

Close