Manage Router Security


Basic router security consists of configuring passwords. A strong password is the most fundamental element in controlling secure access to a router. For this reason, strong passwords should always be configured.

Good password practices include the following:

Do not write passwords down and leave them in obvious places such as your desk or on your monitor.
Avoid dictionary words, names, phone numbers, and dates. Using dictionary words makes the passwords vulnerable to dictionary attacks.
Combine letters, numbers, and symbols. Include at least one lowercase letter, uppercase letter, digit, and special character.
Deliberately misspell a password. For example, Smith can be spelled as Smyth or can also include numbers such as 5mYth. Another example could be Security spelled as 5ecur1ty.
Make passwords lengthy. The best practice is to have a minimum of eight characters. You can enforce the minimum length using a feature that is available on Cisco IOS routers, discussed later in this topic.
Change passwords as often as possible. You should have a policy defining when and how often the passwords must be changed. Changing passwords frequently provides two advantages. This practice limits the window of opportunity in which a hacker can crack a password and limits the window of exposure after a password has been compromised.
Note: Leading spaces in a password are ignored, but any spaces after the first character are significant and become part of the password.

Passphrases
A recommended method for creating strong complex passwords is to use passphrases. A passphrase is basically a sentence or phrase that serves as a more secure password. Make sure that the phrase is long enough to be hard to guess but easy to remember and type accurately.
Use a sentence, quote from a book, or song lyric that you can easily remember as the basis of your strong password or passphrase. The figure provides examples of passphrases.
By default, Cisco IOS software leaves passwords in plain text when they are entered on a router. This is not secure since anyone walking behind you when you are looking at a router configuration could snoop over your shoulder and see the password.
Using the enable password command or the username username password password command results in these passwords being displayed in clear text when looking at the running configuration.

For example:
R1(config)# username Student password cisco123
R1(config)# do show run | include username
username Student password 0 cisco123
R1(config)#
The 0 displayed in the running configuration indicates that the password is not hidden.
For this reason, all passwords should be encrypted in a configuration file. Cisco IOS provides two password protection schemes:
Simple encryption, called the type 7 scheme. It obscures the password using a simple Cisco-defined algorithm.
Complex encryption, called the type 5 scheme. It stores a more secure MD5 hash of the password instead of the password itself.
The type 7 encryption can be used by the enable password, username, and line password commands including vty, line console, and aux port. It does not offer very much protection as it only hides the password using a simple encryption algorithm. Although not as secure as the type 5 encryption, it is still better than no encryption.
To encrypt passwords using type 7 encryption, use the service password-encryption global configuration command as displayed in the figure. This command prevents passwords that are displayed on the screen from being readable.

For example:
R1(config)# service password-encryption
R1(config)# do show run | include username
username Student password 7 03075218050061
R1(config)#
The 7 displayed in the running configuration indicates that the password is hidden. In the figure, you can see that the line console password is now hidden as well.
Cisco recommends that type 5 be used instead of type 7 whenever possible, because the MD5 hash is a much stronger protection than the type 7 scheme. Type 5 is configured by replacing the keyword password with secret.
Therefore, to protect the privileged EXEC level as much as possible, always configure the enable secret command as shown in the figure. Also make sure that the secret password is unique and does not match any other user password.
A router will always use the secret password over the enable password. For this reason, the enable password command should never be configured as it may give away a system password.
Note: If you forget the privileged EXEC password, then you will have to perform the password recovery procedure. This procedure is covered later in this chapter.

The local database usernames should also be configured using the username username secret password global configuration command. For example:
R1(config)# username Student secret cisco
R1(config)# do show run | include username
username Student secret 5 $1$z245$lVSTJzuYgdQDJiacwP2Tv/
R1(config)#
Note: Some processes may not be able to use type 5 encrypted passwords. For example, PAP and CHAP require clear text passwords and cannot use MD5 encrypted passwords.
Cisco IOS Software Release 12.3(1) and later allow administrators to set the minimum character length for all router passwords using the security passwords min-length global configuration command, as shown in the figure. This command provides enhanced security access to the router by allowing you to specify a minimum password length, eliminating common passwords that are prevalent on most networks, such as "lab" and "cisco."
This command affects any new user passwords, enable passwords and secrets, and line passwords created after the command was executed. The command does not affect existing router passwords.
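The checks described above (clear-text type 0 passwords, reversible type 7 passwords, a configured enable password, reused secrets, and the missing service password-encryption and security passwords min-length commands) can be run automatically over a saved running configuration. The following audit script is an added example, not part of this page or of Cisco IOS; the sample configuration it scans is constructed here, reusing the type 7 string and the type 5 hash shown above.

```python
import re

# Constructed sample running-config, modelled on the commands shown on this
# page (the type 7 string and the $1$ hash are the ones quoted above).
SAMPLE_RUNNING_CONFIG = """\
enable password cisco
enable secret 5 $1$z245$lVSTJzuYgdQDJiacwP2Tv/
username Student password 0 cisco123
username Admin password 7 03075218050061
username Ops secret 5 $1$z245$lVSTJzuYgdQDJiacwP2Tv/
line con 0
 password 7 03075218050061
line vty 0 4
 password cisco
"""

# Matches 'username X password|secret [type] value', 'enable password|secret ...'
# and indented 'password [type] value' lines under line con/aux/vty.
CRED_RE = re.compile(
    r"^(?P<indent>\s*)(?:username\s+(?P<user>\S+)\s+|(?P<enable>enable)\s+)?"
    r"(?P<kw>password|secret)\s+(?:(?P<type>[057])\s+)?(?P<value>\S+)\s*$"
)

def audit_config(config: str) -> list[str]:
    """Return one finding per weak credential setting in an IOS config."""
    findings, secrets, scope = [], {}, "global"
    for line in config.splitlines():
        if not line.startswith(" "):
            scope = line.strip()  # remember e.g. 'line vty 0 4' for indented lines
        m = CRED_RE.match(line)
        if not m:
            continue
        where = f"username {m['user']}" if m["user"] else ("enable" if m["enable"] else scope)
        ptype = m["type"] or "0"  # no type digit means the password is clear text
        if m["enable"] and m["kw"] == "password":
            findings.append("enable password is configured; remove it and rely on enable secret")
        elif m["kw"] == "password" and ptype == "0":
            findings.append(f"{where}: password stored in clear text (type 0)")
        elif m["kw"] == "password" and ptype == "7":
            findings.append(f"{where}: type 7 is reversible; use 'secret' (type 5) instead")
        elif m["kw"] == "secret" and ptype == "5":
            # Identical hash strings (same salt and digest) mean identical passwords.
            if m["value"] in secrets:
                findings.append(f"{where}: secret identical to {secrets[m['value']]}")
            secrets[m["value"]] = where
    if "service password-encryption" not in config:
        findings.append("service password-encryption is not enabled")
    if "security passwords min-length" not in config:
        findings.append("security passwords min-length is not set")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_RUNNING_CONFIG):
        print("WARN", finding)
```

Type 5 secrets with different salts hash differently, so the reuse check only catches literally identical hash strings; it is a cheap sanity check, not proof that all secrets are unique.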
