Understanding Cisco Router Security
After you secure physical access to your network, you must ensure that access to the Cisco router through the console and vty ports is secure. In addition, you must ensure that unused router ports do not become a security risk. The following sections describe router security.
Physical and Environmental Threats
Improper and incomplete network device installation is an often-overlooked security threat. Software-based security measures alone cannot prevent network damage caused by poor installation. This topic describes how to mitigate hardware, environmental, electrical, and maintenance-related security threats to Cisco routers.
There are four classes of insecure installations or physical access threats, as follows:
- Hardware threats: Threats of physical damage to the router or router hardware
- Environmental threats: Threats such as temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
- Electrical threats: Threats such as voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
- Maintenance threats: Threats such as poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, poor labeling, and so on
Configuring Password Security
You can use the command-line interface (CLI) to configure the password and other console commands.
CAUTION The passwords used here are for instructional purposes only. Passwords used in an actual implementation should meet the requirements of a "strong" password.
You can secure a router by using a password to restrict access. Using a password and assigning privilege levels are simple ways to provide terminal access control in a network. A password can be established on individual lines, such as the console, and to the privileged EXEC mode. Passwords are case sensitive.
Each Telnet port on the router is known as a vty terminal. By default, there are five vty ports on the router, allowing five concurrent Telnet sessions. On the router, the vty ports are numbered from 0 through 4.
You can use the line console 0 command followed by the login and password subcommands to require login and establish a login password on a console terminal or a vty port. By default, login is not enabled on a console port.
You can use the line vty 0 4 command followed by the login and password subcommands to require login and establish a login password on incoming Telnet sessions.
You can use the login local command to enable password checking on a per-user basis using the username and password specified with the username global configuration command. The username command establishes username authentication with passwords.
The enable password global command restricts access to the privileged EXEC mode. You can assign an encrypted form of the enable password command, called the enable secret password, by entering the enable secret command with the desired password at the global configuration mode prompt. If the enable secret password is configured, it is used rather than the enable password command, not in addition to it.
You can also add a further layer of security, which is particularly useful for passwords that cross the network or are stored on a TFTP server. Cisco provides a feature that allows the use of encrypted passwords. To set password encryption, enter the service password-encryption command in global configuration mode.
Passwords that are displayed or set after you configure the service password-encryption command will be encrypted.
To disable a command, enter no before the command. For example, use the no service password-encryption command to disable password encryption.
Configuring the Login Banner
You can use the CLI to configure the message-of-the-day and other console commands. This topic describes some essential configuration tasks to enable the login banner. To define a customized banner to be displayed before the username and password login prompts, you can use the banner login command in global configuration mode. To disable the login banner, you can use the no banner login command.
When you enter the banner login command, follow the command with one or more blank spaces and a delimiting character. After the banner text has been added, terminate the message with the same delimiting character.
WARNING Be careful when selecting the words that are used in the login banner. Words like welcome can imply that access is not restricted and allow a hacker to defend his actions.
Telnet and SSH Access
Telnet is the most common method of accessing a network device. However, Telnet is an insecure way of accessing a network. SSH is a secure replacement for Telnet that gives the same type of access. Communication between the client and server is encrypted in both SSH version 1 and SSH version 2. Implement SSH version 2, if possible, because its encryption algorithm is more secure. When encryption is enabled, a Rivest, Shamir, and Adleman (RSA) encryption key must be generated on the router. In addition, an IP domain must be assigned to the router.
When implementing SSH, first test the authentication without SSH to make sure that authentication works with the router before you add SSH. Example 4-16 shows local authentication, which allows you to telnet into the router with the username cisco and password cisco.
Example 4-16 Local Authentication
!--- The username command creates the username and password for the SSH session.
username cisco password 0 cisco
ip domain-name mydomain.com
crypto key generate rsa
ip ssh version 2
line vty 0 4
 login local
To test authentication with SSH, add the statements that enable SSH to the previous configuration.
Then test SSH from the PC and UNIX stations.
To prevent non-SSH connections, add the transport input ssh command to limit the router to SSH connections only. Straight (non-SSH) Telnets are refused.
line vty 0 4
!--- Prevent non-SSH Telnets.
 transport input ssh
Test to ensure that non-SSH users cannot telnet to the router.
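As an added example (not part of the chapter or Cisco's documentation), the following Python script checks a saved IOS configuration for the settings covered in the password and SSH sections above: an enable secret, service password-encryption, ip ssh version 2, login required on console and vty lines, and transport input ssh on the vty lines. Both configurations and their hash values are constructed placeholders.

```python
# Added example, not from the chapter: audit an IOS config for the weak settings above (constructed samples).
WEAK_CONFIG = """\
enable password cisco
username cisco password 0 cisco
line con 0
 password cisco
line vty 0 4
 login local
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$placeholder$constructedhash
ip ssh version 2
line con 0
 password 7 placeholderencrypted
 login
line vty 0 4
 login local
 transport input ssh
"""

def parse(config):  # -> (global lines, {section line: [indented sub-lines]})
    globals_, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and IOS comments
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            globals_.append(current)
            sections.setdefault(current, [])
    return globals_, sections

def audit(config):  # -> list of findings; empty list means every check passed
    globals_, sections = parse(config)
    checks = [
        (any(g.startswith("enable secret") for g in globals_), "no enable secret for privileged EXEC"),
        ("service password-encryption" in globals_, "service password-encryption not set"),
        ("ip ssh version 2" in globals_, "ip ssh version 2 not set"),
    ]
    findings = [msg for ok, msg in checks if not ok]
    for name, sub in sections.items():
        if name.startswith("line ") and not any(s.split()[0] == "login" for s in sub):
            findings.append(f"{name}: login not required")
        if name.startswith("line vty") and "transport input ssh" not in sub:
            findings.append(f"{name}: transport input not restricted to ssh")
    return findings
```

Running audit(WEAK_CONFIG) reports five findings, one per weakness the chapter describes, while audit(HARDENED_CONFIG) returns an empty list.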