router’s configuration file. Figure lists password creation rules. When creating passwords for Cisco routers, always keep these rules in mind:

- Make passwords lengthy. The best practice is a minimum of ten characters. You can enforce the minimum length with a Cisco IOS feature that is discussed later in this topic. Passwords may include the following:
  - Any alphanumeric character
  - A mix of uppercase and lowercase characters
  - Symbols and spaces
- Combine letters, numbers, and symbols. Passwords should not use dictionary words; a dictionary word makes the password vulnerable to a dictionary attack.
- Leading spaces in a password are ignored, but every space after the first character is part of the password.
- Change passwords as often as possible. You should have a policy defining when and how often passwords must be changed. Changing passwords frequently provides two advantages: it limits the window of opportunity in which an attacker can crack a password, and it limits the window of exposure after a password has been compromised.
You may want to add your own rules to this list to make your passwords even safer. One method of creating strong passwords is to use passphrases. A passphrase is a sentence or phrase that serves as the basis of a more secure password. Use a sentence, a quote from a book, or a song lyric that you can easily remember, and take the first letter of each word (keeping any numbers whole). For example:

- “My favorite spy is James Bond 007.” would translate into MfsiJB007.
- “It was the best of times, it was the worst of times.” = Iwtbotiwtwot.
- “Fly me to the moon. And let me play among the stars.” = FmttmAlmpats.

Treat these acronyms as a base rather than a finished password: MfsiJB007 is only nine characters, and the other two contain no digits or symbols. Append digits and a symbol so that the final password meets the rules above.
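The rules above, as a checker you can run over a candidate before typing it into a router, together with the passphrase-to-acronym step used by the three examples. This is an added example, not part of the course text: the word list is a constructed stand-in for a real cracking dictionary, and the names check_password, passphrase_to_password, normalize and MIN_LENGTH are chosen here.

```python
"""Check a candidate Cisco IOS password against the rules listed above and
derive the passphrase-style acronym used in the examples.  Added example,
not course material; DICTIONARY is a constructed stand-in for a real list."""
import re
import string

MIN_LENGTH = 10  # the ten-character minimum recommended above
DICTIONARY = {"cisco", "password", "router", "boston", "secret", "admin"}


def normalize(candidate: str) -> str:
    """IOS ignores leading spaces but keeps every later space, so the
    password that is actually stored and checked is the lstripped one."""
    return candidate.lstrip(" ")


def passphrase_to_password(phrase: str) -> str:
    """First character of each word, numbers kept whole, punctuation dropped:
    'My favorite spy is James Bond 007.' -> 'MfsiJB007'."""
    tokens = re.findall(r"[A-Za-z0-9]+", phrase)
    return "".join(t if t.isdigit() else t[0] for t in tokens)


def check_password(candidate: str) -> list:
    """Return the rule violations for a candidate; an empty list means it passes."""
    pw = normalize(candidate)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters ({len(pw)})")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation or c == " " for c in pw):
        problems.append("no symbols or spaces")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not a mix of uppercase and lowercase")
    # Dictionary-attack resistance: the bare word and the word with trailing
    # digits are the first candidates every cracking rule set tries.
    if pw.lower() in DICTIONARY or re.sub(r"\d+$", "", pw.lower()) in DICTIONARY:
        problems.append("based on a dictionary word")
    if "?" in pw:
        problems.append("'?' invokes IOS help; press Ctrl-V before it to type it literally")
    return problems


if __name__ == "__main__":
    for phrase in ("My favorite spy is James Bond 007.",
                   "It was the best of times, it was the worst of times."):
        base = passphrase_to_password(phrase)
        print(f"{base!r}: {check_password(base) or 'ok'}")
    strong = "Iwtbotiwtwot#12"
    print(f"{strong!r}: {check_password(strong) or 'ok'}")
```

Run it on the page's own acronyms and the checker reports why each one needs digits or a symbol appended before it is used; the leading-space rule is applied first, so a password pasted with leading blanks is judged as the router will actually store it.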
5.5 Securing Cisco Router Administrative Access
5.5.2 Initial Password Configuration

One way to perform initial router configuration tasks, including configuring a password, is to access the router console port as shown in Figure . A console is a terminal connected to a router console port; the terminal can be a dumb terminal or a PC running terminal-emulation software. The console is only one of the ways to obtain administrative access to configure and manage routers. Other ways to gain administrative access include:

- Telnet
- SSH
- SNMP
- Cisco SDM access using HTTP or HTTPS
Initial Configuration Dialog

If you are working on a new router or an existing router that has been reset (possibly using the Cisco password recovery procedure), the Cisco IOS CLI asks whether you want to enter the initial configuration dialog. Figure [2] shows a sample router configuration with this initial prompt. The first few questions in the initial configuration dialog pertain to these passwords:

- The router enable secret password
- The router enable password
- The password used to access the router through the vty lines
The enable secret password allows you to enter enable mode (also called privileged mode or privileged-EXEC mode). You can set it by entering a password during the initial configuration dialog, as shown in Figure , or with the enable secret command in global configuration mode. The enable secret overrides the enable password configured with the enable password command: once an enable secret is configured, the password set with enable password can no longer be used to enter privileged mode. The enable secret command stores the password as a salted one-way hash based on Message Digest 5 (MD5), shown as type 5 in the configuration. The hash cannot be reversed, but it can still be attacked offline by brute force or dictionary guessing, which is why the password rules above matter. Newer IOS releases also offer type 8 (PBKDF2 with SHA-256) and type 9 (scrypt) through the enable algorithm-type command; prefer those where available. If you forget the enable secret password, you have no alternative but to replace it using the Cisco router password recovery procedure.

The enable password command is a holdover from older versions of Cisco IOS software. By default, the enable password is stored in cleartext in the router configuration, and the service password-encryption feature only obfuscates it with the reversible type 7 scheme. Cisco kept the older enable password command in later versions of Cisco IOS software, even though enable secret is the safer way to store the privileged-EXEC password, in case the router is downgraded to a version of Cisco IOS software that does not support enable secret. If you configure both, use different values: an enable password that equals the enable secret gives the secret away in cleartext.

The virtual terminal password is the line-level password that you enter when connecting to the router using Telnet or SSH. You can set it during the initial configuration dialog or with the password command in vty line configuration mode. The virtual terminal password is not encrypted: it is stored in cleartext (or, with service password-encryption, as reversible type 7), and over Telnet it also crosses the network in cleartext.
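A configuration audit that applies this subsection's points, and also the line-level controls described under 5.5.3 below (console, auxiliary and vty passwords, login, and the access-class on the vty lines): it classifies every stored credential by its IOS storage type, decodes any type 7 value to show that service password-encryption is reversible, and flags lines that never check a password or accept Telnet from any host. This is an added example, not course material or Cisco code. WEAK_CONFIG and HARDENED_CONFIG are constructed, the type 9 hash in the hardened one is a placeholder rather than a real hash, and the function names are chosen here; the type 7 key is the publicly known one.

```python
"""Audit an IOS running-config for the controls in 5.5.2 and 5.5.3: how the
privileged-EXEC password is stored, whether con/aux/vty lines check a password,
and whether vty lines carry an access-class.  Added example; configs are constructed."""
import re

# Public XOR key behind Cisco type 7 obfuscation (service password-encryption).
KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(blob: str) -> str:
    """A 'password 7' value is a two-digit key offset plus hex pairs: reversible."""
    seed, data = int(blob[:2]), bytes.fromhex(blob[2:])
    return bytes(b ^ KEY[(seed + i) % len(KEY)] for i, b in enumerate(data)).decode()

def encode_type7(clear: str, seed: int = 9) -> str:
    """Inverse of decode_type7; used here only to build the sample configs."""
    data = bytes(ord(c) ^ KEY[(seed + i) % len(KEY)] for i, c in enumerate(clear))
    return f"{seed:02d}{data.hex().upper()}"

def describe_secret(label: str, value: str) -> str:
    """Classify the argument of 'password' / 'secret' by its IOS storage type."""
    m = re.fullmatch(r"([0-9]) (\S+)", value)
    if not m or m.group(1) == "0":
        return f"{label}: cleartext (type 0)"
    typ, blob = m.groups()
    if typ == "7":
        return f"{label}: reversible type 7, decodes to '{decode_type7(blob)}'"
    algo = {"5": "salted MD5", "8": "PBKDF2-SHA-256", "9": "scrypt"}.get(typ, "unknown")
    return f"{label}: one-way hash, type {typ} ({algo})"

def line_sections(config: str) -> dict:
    """{'con 0': [subcommands], 'vty 0 4': [...]} from the indented line blocks."""
    sections, cur = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            cur = raw[5:].strip()
            sections[cur] = []
        elif raw.startswith(" ") and cur:
            sections[cur].append(raw.strip())
        else:
            cur = None
    return sections

def audit(config: str) -> list:
    """Return human-readable findings for the controls discussed in the text."""
    top = [l for l in config.splitlines() if not l.startswith(" ")]
    enable = [l for l in top if l.startswith(("enable secret ", "enable password "))]
    found = []
    if not any(l.startswith("enable secret ") for l in enable):
        found.append("no enable secret: privileged EXEC relies on "
                     + ("the legacy enable password only" if enable else "nothing"))
    for l in enable:
        kind, value = l.split(" ", 2)[1:]
        found.append(describe_secret(f"enable {kind}", value))
    for name, cmds in line_sections(config).items():
        pws = [c[9:] for c in cmds if c.startswith("password ")]
        if not any(c.split()[:1] == ["login"] for c in cmds):
            found.append(f"line {name}: no login, the line password is never checked")
        elif "login" in cmds and not pws:
            found.append(f"line {name}: login without a password, IOS refuses the "
                         "session ('Password required, but none set')")
        found += [describe_secret(f"line {name} password", p) for p in pws]
        if name.startswith("vty"):
            if not any(c.startswith("access-class ") for c in cmds):
                found.append(f"line {name}: no access-class, any host may try to log in")
            if any(c.startswith("transport input") and "telnet" in c for c in cmds):
                found.append(f"line {name}: Telnet allowed, password crosses the wire in cleartext")
    return found

# Constructed 'before': legacy enable password only, aux line open, Telnet from anywhere.
WEAK_CONFIG = f"""\
service password-encryption
enable password 7 {encode_type7('cisco')}
line con 0
 password 7 {encode_type7('cisco')}
 login
line aux 0
line vty 0 4
 password 7 {encode_type7('cisco')}
 login
 transport input telnet
"""

# Constructed 'after': enable secret (type 9 value is a placeholder, not a real hash),
# passphrase-derived line passwords, login on each line, access-class on vty, SSH only.
HARDENED_CONFIG = f"""\
security passwords min-length 10
service password-encryption
enable secret 9 $9$constructedsalt$constructedhashvalue
access-list 30 permit 10.0.1.1
line con 0
 password 7 {encode_type7('Iwtbotiwtwot#12')}
 login
line vty 0 4
 access-class 30 in
 password 7 {encode_type7('FmttmAlmpats!42', 2)}
 login
 transport input ssh
"""
```

The hardened output still reports the line passwords as "reversible type 7", because IOS can store a line password only as type 0 or type 7: their protection comes from the access-class, the login command and SSH, plus the enable secret standing between a line login and privileged EXEC, not from how they are stored. Anyone who can read the configuration can recover them, which is the practical meaning of "not encrypted" above.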
5.5 Securing Cisco Router Administrative Access
5.5.3 Protecting Line Access

To secure the router, you must protect access through the console, auxiliary, and vty lines. Figure shows the command syntax for creating a password to secure this access.

Console Port

By default, Cisco router console ports allow a hard BREAK signal (sent within 60 seconds of a reboot) to interrupt the normal boot sequence and give the console user complete control of the router. This interruption is intended for maintenance, such as running the Cisco router password recovery procedure. Even though the hard BREAK sequence is available by default to anyone with physical access to the console port, it is still important to set a line-level password, because console ports are frequently reachable remotely (for example through a terminal server). The hard BREAK sequence can be disabled with the no service password-recovery command.

Note
If a router is configured with the no service password-recovery command, all access to the ROM Monitor (ROMMON) is disabled. Recovering from a lost password then means wiping the startup configuration, so keep an out-of-band copy of the configuration and its secrets before enabling it.

By default, the console port does not require a password for administrative access, so you should always configure a console line-level password. There are two ways to do so: enter the password during the initial configuration dialog, or use the password command in console line configuration mode (together with the login command, without which the line password is never checked).

vty Lines
Cisco routers support multiple Telnet sessions (five simultaneous sessions by default, vty 0 through 4; more can be added), each serviced by a logical vty line. By default, Cisco routers have no line-level passwords configured for the vty lines. If password checking is enabled on a line (the login command is present), you must also configure a vty password before attempting to access the router using Telnet. If password checking is enabled for the vty lines but no password is set, the router closes the connection with an error similar to the following:

    telnet 10.0.1.2
    Trying 10.0.1.2 ... Open
    Password required, but none set
    [Connection to 10.0.1.2 closed by foreign host]

There are two ways to configure a vty password: enter the password during the initial configuration dialog, or use the password command in line vty configuration mode.

The following are more things to consider when securing Telnet connections to a Cisco router:

- If you fail to set an enable password for the router, you will not be able to access privileged-EXEC mode over Telnet: IOS rejects the enable command on a vty session rather than letting the session in unauthenticated. Use either the enable password command or, preferably, the enable secret command to set the enable password on your routers.
- Telnet access should be limited to specified systems by building a simple access control list (ACL) that does the following:
  - Allows Telnet access from specific hosts only
  - Implicitly or explicitly blocks access from untrusted hosts
  - Is tied to the vty lines with the access-class command
- This example shows ACL 30 restricting Telnet access to host 10.0.1.1 only, implicitly denying all other hosts, for vty 0 through 4:
Boston(config)#access-list 30 permit 10.0.1.1