HOME  |    TRAINING  |   FREE TUTORIALS   |   JOBS
Find out more about our new RSS feed.
FREE Tutorial
SECURING THE ROUTER

CATEGORY
SEARCH OUR OTHER TUTORIALS

DESCRIPTION

Network security has never been so important than it is now. There are literally thousands of hackers operating all over the world constantly scanning IP addresses and ports trying to gain access to your PC or network equipment.


TUTORIAL TAKEN FROM COURSE : CCNA MODULE 7 - SECURITY AND ACCESS LISTS

FULL COURSE DETAILS

At the end of all the modules within this course you will be able to – understand LAN and WAN networking concepts. You will understand TCP/IP and IP addressing and subnetting. You will understand the routing process and be able to configure a Cisco router and switch for use in a live network environment.

TO ACCESS THE FULL COURSE AND HUNDREDS OF OTHERS, CLICK HERE.


"Pass your IT exams by learning with our world class consultant trainers. Your hands on course comes with a 100% satisfaction money back guarantee and lifetime e-mail support to give you the very best chances of passing." This tutorial has been written and prepared by http://www.networksinc.co.uk

FOR THE EXAM: You will not be specifically questioned on security issues on the CCNA exam but you will be expected to be able to carry out some simple measures to make it more difficult for people to access your router.

Any good CCNA technician will be able to configure a router to only allow certain people to access it and only allow certain traffic to pass through from your network to the internet or vice versa.

Passwords

Do you want just anybody to access your router? Perhaps you want only a handful of people to be able to log onto the router and a few others to be able to remotely connect to the router and administer it in cases of emergency. Logical router access needs to be protected from internal staff and external intruders.

Enable Password

Protecting privileged mode (or enable mode) on your router is a very important thing to do and very straight forward. When any person attempts to enter privileged mode from user exec mode they will be prompted for a password.

Router>
Router>enable
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable password $%kk12ER
Router(config)#disable
Router>
Password:
Router#

By default, the enable password can be seen when any user looks at the running configuration of the router. You probably do not want this to happen.

Router#sh run
01:34:42: %SYS-5-CONFIG_I: Configured from console by console
Building configuration...

Current configuration : 813 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable password $%kk12ER

You can take off the enable password by entering a ‘no’ in front of the command again.

IN THE REAL WORLD: Most commands on a router can be shortened to save time and effort. In the exam unfortunately, a lot of the shortened commands will not work since you will be working on a router simulator. Practise the long versions for the exam but then in the real world always use the shortened commands to save time.

Enable Secret Password

Router#conf t <- Short for configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#no enable password <- Take off the enable password
Router(config)#
Router(config)#
Router(config)#enable secret l?cCas£%
Router(config)#exit
Router#disable
01:32:39: %SYS-5-CONFIG_I: Configured from console by console
Router>enable
Password:
Router#

You can see that when a ‘show running-configuration’ command is issued the enable secret password is encrypted. Only the relevant part of the configuration is shown.

Router#show run <- Short for show running-configuration
Building configuration...

Current configuration : 838 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$F3Dy$w0mwxVmJ79Ug9pK/snpRe/ <- MD5 algorithm

The number 5 after the enable secret stands for level 5 encryption which uses something called the MD5 algorithm. This is harder to crack than level 7.

IN THE REAL WORLD: Cisco advise users to use the enable secret method of securing their routers. The ‘service password-encryption’ method is less secure and cracker programs are available on the internet to break these.

http://www.cisco.com/warp/public/701/64.html

IN THE REAL WORLD: Never use an obvious word for your passwords. You could be made subject of a dictionary attack which will crack your password in minutes.

You can actually encrypt all of the passwords on the router with the ‘service password-encryption’ command.

Router(config)#
Router(config)#
Router(config)#enable password @&%ghFR
Router(config)#service pas
Router(config)#service password-encryption
Router(config)#exi
Router#show run
Building configuration...

Current configuration : 819 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable password 7 070724404206 <-Weaker ‘reversible’ algorithm

Auxiliary Password

In order to protect connections through your aux port you will need to assign a password to it. Note that when you configure a port the router drops into something called ‘config-line’.

Router#
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line aux ?
<0-0> First Line number

Router(config)#line aux 0
Router(config-line)#login <- Config-line mode
Router(config-line)#password l#2$mMw23
Router(config-line)#^Z
Router#

The ‘login’ command is very important, it tells the router to ask the user for a password. The command ‘login local’ tells the router to check a username and password you have configured on the router itself. You can put a server on the network which does the job of authenticating all the users.

Telnet Password

In order to connect to your router over the internet or remotely you may want to telnet to it. In order to allow telnet sessions you need to have a password set on the telnet port. Telnet ports are not physically there, you will normally telnet via the serial port and a virtual terminal (known as vty) will be opened. The number of available ports depends upon your model of router.

RouterA#
RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#line vty ?
<0-4> First Line number

RouterA(config)#line vty 0 4 <- There are 5 vty ports on this router 0-4 inclusive
RouterA(config-line)#login
RouterA(config-line)#password Uu&%p@#
RouterA(config-line)#^Z

Now I can telnet to Router A from Router B:

RouterB#
RouterB#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification

Password:
RouterA>
RouterA>
RouterA>enable
Password:
RouterA# <- I am now connected to Router A from Router B
RouterA#exit

[Connection to 192.168.1.1 closed by foreign host]
RouterB#

Console Password

It is very important to protect your console port on the router. If not, any person who can get physical access to the router will be able to reconfigure it and reboot it.

RouterA#
RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#line console ?
<0-0> First Line number

RouterA(config)#line console 0
RouterA(config-line)#login
RouterA(config-line)#password hello
RouterA(config-line)#
RouterA(config-line)#exit
RouterA(config)#exit
RouterA#
02:15:43: %SYS-5-CONFIG_I: Configured from console by console
RouterA#

Banner Messages

You can configure the router to show a warning message when a user logs or telnets into the router. Administrators normally enter some sort of legal notice. You have to enter the command ‘banner motd =’. The = could be any character you choose but when you type that character it tells the router that you have finished typing the banner so don’t choose a letter from the alphabet.

RouterA(config)#banner motd =
Enter TEXT message. End with the character '='.

Unauthorised access to this network will result in prosecution
=
RouterA(config)#
RouterA(config)#

Now I telnet to Router A from Router B.

RouterB>en
RouterB#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

Unauthorised access to this network will result in prosecution

User Access Verification

Password:


8 RELATED COURSES AVAILABLE
CCNA MODULE 1 - INTRODUCTION TO INTERNETWORKING
At the end of all the modules within this course you will be able to – understand LAN and WAN networking concepts....
CCNA MODULE 2 - CONNECTING AND CONFIGURING CISCO DEVICES
At the end of all the modules within this course you will be able to – understand LAN and WAN networking concepts....
CCNA MODULE 3 - LAN SWITCHING
At the end of all the modules within this course you will be able to – understand LAN and WAN networking concepts....
CCNA MODULE 4 - IP ADDRESSING
At the end of all the modules within this course you will be able to – understand LAN and WAN networking concepts....
CCNA MODULE 5 - ROUTING PROTOCOLS
At the end of all the modules within this course you will be able to – understand LAN and WAN networking concepts....
 
1 RELATED JOBS AVAILABLE
SUPPORT SERVICES ENGINEER
<P>Support services Engineer</P><P>My client is looking for an experienced IT Maintenance....
CONTACT US TERMS & PRIVACY SHOP (UK)
Wednesday 3rd December 2008  © COPYRIGHT 2008 - VISUALSOFT