Many organizations use Cisco devices to interconnect, protect, filter, and manage networks so it is important to understand ways to improve the security of these devices as part of your information security program. Within this article three basic access controls you can implement on any Cisco device will be discussed. These access controls are intended for those who are new to Cisco, so if you are a Cisco veteran, please peruse some of our more advanced articles on Cisco and information security.
The three basic access controls you can implement are as follows:
- Set passwords for all methods of access
- Encrypt the enable mode password
- Encrypt passwords stored in the configuration
Set passwords for all methods of access
Cisco devices can be managed in a number of ways. The device can be managed by using the console, auxiliary line, virtual terminal, or asynchronous serial lines. A brief description of each of these lines is necessary. Each of these lines can and should be configured with a password so that none of them will provide unauthenticated access to the network device. You can configure passwords for the devices using the following commands issued from the global configuration mode. This can be accessed by entering enable mode (typing “enable” or “en”) and then typing “configure terminal” or “config t”. Note that the prompt will change from router> to router# when you issue this command.
Enter configuration commands, one per line. End with CNTL/Z.
The console port is a physical RJ45 connector that is located on the device. It is configured for sending serial data. Using a Cisco console cable, you can connect the serial port on a computer to this console port on the Cisco device to perform administrative tasks. You can set a password on this line by issuing the following commands. In this example, I set the password to console password. The first line puts you in line configuration mode so you can configure settings for the console line. The next line sets the password. This is followed by the “login” command which tells the device to prompt for the password. The last line puts you back into global configuration mode.
router(config)#line con 0
The auxiliary line or “aux” is also a physical port on the device and it is a backup to the console port. It can be used in much the same way and therefore must be secured in the same way. Note the example below where I set the password to auxpassword.
router(config)#line aux 0
The virtual terminal or “VTY” lines are virtual lines that allow connecting to the device using telnet or Secure Shell (SSH). Cisco devices can have up to 16 VTY lines. You can determine how many VTY lines you have by issuing “line vty 0 ?” from global configuration mode. This example has 16 lines and it sets the password to vtypassword.
router(config)#line vty 0 15
The last method of managing a device is with asynchronous serial lines. These are enabled by installing an asynchronous serial card into the router. These lines can be used to connect terminals or models to the device. The commands for configuring a password on the asynchronous line are similar to the above commands but the lines are usually assigned a logical group and then this group is configured. For example purposes, we will assign the interface to group 1.
router(config)#interface group=async 1
router(config)#group-range 1 8
router(config)#line 1 8
Encrypt the enable mode password
Enable mode is a privileged made on the firewall that allows you to modify major settings on the device. An important information security step is to ensure that a password is required to enter this mode. This password is called an enable password. Furthermore, the password should be encrypted. Unencrypted passwords can be revealed in plain text to unauthorized users if someone executes a show running-configuration from the device. Note: the show running-configuration command does not need to be executed from enable mode. Set an encrypted enable password with the following command from enable mode:
Router#enable secret insertpasswordhere
Encrypt passwords stored in the configuration
Just like the enable password, other passwords are stored by default as unencrypted and could be viewed by issuing the show running-configuration command. Also, you may be storing Cisco configurations somewhere on your network, and if you do, others might be able to access this and view your passwords if they are not encrypted. It is important to make it a practice to encrypt all passwords on the device. One command can encrypt the rest of the passwords and is as follows:
router(config)#run service password-encryption
However, this command encrypts the passwords using a rather weak algorithm, type 7 that can be reversed to reveal the password. This link provides a Perl script that will decrypt type 7 passwords.
Because of this, an alternative to type 7, called type 5 encryption is available. To encrypt the passwords using type 5, issue the above service password-encryption command and then for each of the methods of access mentioned earlier in the article add “5 encrypted-secret” to the end of the line as follows:
router(config)#password consolepassword 5 encrypted-secret
This article presented you with three basic things you can do to better secure access to your Cisco devices. They are (1) Set passwords for all methods of access, (2) Encrypt the enable mode password, and (3) Encrypt passwords stored in the configuration. Remember that this is only a basic step but an important one. Look for further articles on Cisco information security to better protect your networking equipment.