In today’s tutorial, we will see how to securely access a Cisco device. When we work with a Cisco router or switch, we have to log in to that device and work. This login or access can be of two types.
1. Local Access: Almost all types of network devices can be accessed locally. In the case of local access, the device is usually accessed directly through the Console port, using terminal emulation software on the connected computer.
2. Remote Access: In addition to local access, network devices can be logged in to remotely from another device through Telnet, SSH, HTTP, HTTPS or SNMP. In the case of remote access, some protocols such as Telnet transmit all the data (including the username and password) in plaintext. If an attacker can capture this traffic, it is a big threat to the security of the network. Therefore, accessing network devices locally is more secure. However, remote access is often required for convenience, so some precautionary measures should be taken whenever remote access to a device is enabled. For example:
- Use SSH and HTTPS instead of Telnet and HTTP respectively so that the exchanged data (including username and password) is transmitted encrypted.
- Create a dedicated management network in which only authorized hosts/devices will be present.
- Take the necessary measures so that network devices can only be accessed from a few specific computers and not from any other computer.
Secure Administrative Access
One of the main and most important steps in securing any device is to use strong passwords. When selecting passwords for routers and switches, the following rules should be followed. They make the password stronger and the device more secure by reducing the effectiveness of password cracking tools.
- The password should have a minimum length, such as 8 characters or more. The longer the password, the harder it is to crack.
- The password should be reasonably complex. It is better to choose a password that combines uppercase letters, lowercase letters, numbers and special characters.
- When setting a password, common names, dictionary words, place names, dates of birth, etc. should be avoided.
- No password should be written on paper and left lying around. Apart from that, it is a good habit to change passwords every few days.
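As an added illustration (not part of the tutorial), the following Python function applies the first three rules above to a candidate password: minimum length, all four character classes, and no common words or date-like digit runs. The word list is a small constructed sample; a real check would load a full dictionary. The fourth rule (not writing passwords down, rotating them) is a process rule and cannot be checked in code.

```python
import re

# Constructed sample of words the tutorial says to avoid (common names,
# dictionary words, place names); a real deployment would load a full wordlist.
FORBIDDEN_WORDS = {"password", "cisco", "admin", "router", "switch", "london", "john"}

MIN_LENGTH = 8  # the tutorial's example minimum


def check_password(password, min_length=MIN_LENGTH, forbidden=FORBIDDEN_WORDS):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []

    # Rule 1: minimum length
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Rule 2: complexity, all four character classes must be present
    classes = {
        "uppercase": r"[A-Z]",
        "lowercase": r"[a-z]",
        "digit": r"[0-9]",
        "special": r"[^A-Za-z0-9]",
    }
    missing = [name for name, pattern in classes.items() if not re.search(pattern, password)]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))

    # Rule 3: no names, dictionary words (case-insensitive substring match)
    # or date-like runs of 6 to 8 digits such as 19900101
    lowered = password.lower()
    for word in sorted(forbidden):
        if word in lowered:
            problems.append(f"contains forbidden word '{word}'")
    if re.search(r"\d{6,8}", password):
        problems.append("contains a 6-8 digit run that looks like a date")

    return problems


def is_acceptable(password):
    """True when the password satisfies every rule."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("c!$C0", "cisco12345678", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The tutorial's own line password c!$C0 fails only the length rule, which is exactly why the later "Minimum Password Length" section matters: the device can enforce rule 1 itself, while rules 2 and 3 have to be enforced by the people choosing the passwords.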
Passwords must be configured on each of the access lines of a Cisco device: the Console port, the Auxiliary port, the Virtual Terminal (VTY) lines, etc. Now we will see how these passwords are configured.
Console Line Password
Router#configure terminal
Router(config)#line console 0
Router(config-line)#password c!$C0
Router(config-line)#login
Auxiliary Line Password
Router#configure terminal
Router(config)#line aux 0
Router(config-line)#password c!$C0
Router(config-line)#login
VTY Password
Router#configure terminal
Router(config)#line vty 0 4
Router(config-line)#password c!$C0
Router(config-line)#login
Enable Secret Password
Router#configure terminal
Router(config)#enable secret p@ssW09d
By default, every password other than the Enable Secret is stored in plaintext in the configuration file; the Enable Secret is stored as an MD5-based (type 5) hash.
Router#show running-config
Building configuration...
Current configuration : 584 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
enable secret 5 $1$mERr$nExXm0cPh02z1MS4uURis0
!
line con 0
password c!$C0
login
!
line aux 0
password c!$C0
login
!
line vty 0 4
password c!$C0
login
!
end
If an unauthorized person obtains this configuration file or sees its contents, the passwords are exposed. To prevent this, the following command should be used.
Router#configure terminal
Router(config)#service password-encryption
This command encrypts all passwords currently configured on the device and any passwords configured in the future. If the no service password-encryption command is given later, passwords configured from then on are stored unencrypted, but the passwords that were already encrypted remain encrypted. Now if we look at the configuration file, we will see that the passwords are no longer displayed in plaintext.
Router#show running-config
Building configuration...
Current configuration : 584 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname Router
!
enable secret 5 $1$mERr$nExXm0cPh02z1MS4uURis0
!
line con 0
password 7 08220D0A2A49
login
!
line aux 0
password 7 08220D0A2A49
login
!
line vty 0 4
password 7 08220D0A2A49
login
!
end
The service password-encryption command encrypts passwords using the Cisco Type 7 (S7) algorithm. This is a weak, reversible encoding, and there are password cracking tools that recover the original password from it. Here is an example of an online tool:
http://www.ifm.net.nz/cookbooks/passwordcracker.html
If we enter the encrypted password 08220D0A2A49 in the text box of the webpage and click the Crack Password button, the original password c!$C0 is displayed. By contrast, it is very difficult to crack the Enable Secret password, which is hashed with the MD5 algorithm. That is why we should always use the Enable Secret password, which restricts unauthorized people from entering Privileged EXEC mode.
Disable Unattended Connection
Sometimes we walk away from a device while the console session is still open. In this case, someone else can view our configuration or enter a wrong command, intentionally or unintentionally. By default, an idle terminal session stays active for 10 minutes. If we want, we can reduce this time.
Router#configure terminal
Router(config)#line console 0
Router(config-line)#exec-timeout 2
With the above command, we set the console’s exec-timeout to two minutes. Also, if we give the exec-timeout 2 30 command, the exec-timeout will be two minutes and thirty seconds. We can return to the default state with the no exec-timeout command.
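The two weaknesses discussed so far, password storage (plaintext and reversible type 7 line passwords, no enable secret) and idle sessions (exec-timeout), are easy to audit from a saved copy of show running-config. The following Python script is an added example, not part of the tutorial or of Cisco IOS: it parses configuration text and reports findings with a severity. The embedded sample is the tutorial's running-config with a type 7 password on the VTY lines and a constructed transport input telnet line added so that the Telnet check fires; the severity labels and the PASSWORD_RE pattern are my own assumptions about what a practitioner would want flagged.

```python
import re

# Constructed sample input: the tutorial's running-config, with the vty
# password already converted to type 7 and a constructed
# 'transport input telnet' line added for the Telnet check.
SAMPLE_CONFIG = """\
version 12.4
no service password-encryption
!
hostname Router
!
enable secret 5 $1$mERr$nExXm0cPh02z1MS4uURis0
!
line con 0
 password c!$C0
 login
!
line aux 0
 password c!$C0
 login
!
line vty 0 4
 password 7 08220D0A2A49
 login
 transport input telnet
!
end
"""

# Matches 'password <value>', 'password 0 <value>' and 'password 7 <value>'
PASSWORD_RE = re.compile(r"password(?: (\d+))? (\S+)$")


def audit_config(config_text):
    """Return a list of (severity, message) findings. Severity is one of
    'high', 'medium' or 'info' (an assumed, not an IOS, classification)."""
    findings = []
    lines = [ln.strip() for ln in config_text.splitlines()]

    # Global settings
    if "no service password-encryption" in lines:
        findings.append(("medium", "service password-encryption is off: line passwords are stored in plaintext"))
    secret = next((ln for ln in lines if ln.startswith("enable secret")), None)
    if secret is None:
        findings.append(("high", "no enable secret: privileged EXEC relies on 'enable password' or nothing"))
    elif secret.startswith("enable secret 5 "):
        findings.append(("info", "enable secret is MD5-based (type 5); prefer type 8/9 where the IOS version supports it"))
    for ln in lines:
        if ln.startswith("username ") and " password " in ln:
            findings.append(("medium", f"'{ln.split()[1]}' uses 'password' instead of 'secret'"))

    # Per-line settings: walk each 'line ...' block up to the next '!'
    current = None
    has_timeout = {}
    for ln in lines:
        if ln == "!":
            current = None
            continue
        if ln.startswith("line "):
            current = ln
            has_timeout[current] = False
            continue
        if current is None:
            continue
        m = PASSWORD_RE.match(ln)
        if m:
            if m.group(1) in (None, "0"):
                findings.append(("high", f"{current}: plaintext password"))
            elif m.group(1) == "7":
                findings.append(("medium", f"{current}: type 7 password is reversible; treat it as plaintext"))
        elif ln == "no exec-timeout" or re.match(r"exec-timeout 0( 0)?$", ln):
            has_timeout[current] = True
            findings.append(("high", f"{current}: idle sessions never time out"))
        elif ln.startswith("exec-timeout"):
            has_timeout[current] = True
        elif ln.startswith("transport input") and ("telnet" in ln or ln.endswith("all")):
            findings.append(("medium", f"{current}: Telnet accepted ({ln}); use 'transport input ssh'"))
    for line_name, configured in has_timeout.items():
        if not configured:
            findings.append(("info", f"{line_name}: no exec-timeout set, the 10 minute default applies"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for sev, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for sev, msg in results:
        print(f"[{sev:<6}] {msg}")
    print(summarize(results))
```

Two points of design are worth noting. The auditor treats no exec-timeout exactly like exec-timeout 0 0, because on IOS both disable the idle timeout rather than restoring the 10 minute default; to set the default explicitly, use exec-timeout 10 0. It also only downgrades a type 5 enable secret to an informational finding: the MD5-based hash is far better than plaintext or type 7, but IOS releases that support them offer the stronger type 8 (PBKDF2) and type 9 (scrypt) secrets via enable algorithm-type scrypt secret.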
Minimum Password Length
Cisco devices have an option through which a minimum password length can be enforced.
Router#configure terminal
Router(config)#security passwords min-length 10
That is, if we set the minimum length to 10, the device will not accept a password of fewer than 10 characters when a password is created, and will show the following error message.
% Password too short - must be at least 10 characters. Password not configured.
Configuring Different Users
It may be necessary for more than one person to log in to a router/switch at the same time. For this, more than one user can be created on that router/switch.
Router#configure terminal
Router(config)#username admin secret @dmiN13479
Router(config)#username support password $uPPt13579
Router(config)#line console 0
Router(config-line)#login local
We created two users on the router named admin and support and gave them passwords. If we use the secret keyword when entering the password, the password is hashed with the MD5 algorithm; if we use the password keyword, it is stored in plaintext, or encrypted with the S7 algorithm once service password-encryption is enabled. Since MD5 is much stronger than S7, the secret keyword should be used when creating users. The created usernames and passwords are stored in the local database of the device, so the login local command has been used so that the device checks its local database to authenticate users logging in through the console.
Configuring Secure Virtual Login
A device cannot be secured by long and complex passwords alone; several more steps are needed. Attackers use tools that try thousands of username and password combinations every minute in an attempt to access the device. Even if they never get in, the device or network may slow down because the device is kept busy by this DoS-like load. To counter this, the device should be configured so that if a user from one computer tries to log in with a wrong username/password a certain number of times (e.g. 5 times) within a certain period (e.g. 1 minute), the login system on the device is blocked for a certain period (e.g. 1 minute). This greatly reduces the effectiveness of dictionary and brute-force attacks.
Router#configure terminal
Router(config)#login block-for 60 attempts 5 within 60
With the above command, we configured the router so that if someone gives a wrong username/password 5 times within 60 seconds, the login system on the device is blocked for 60 seconds. For this to work, the router must have local usernames configured and VTY login must use them (login local); otherwise the feature does nothing. The problem, however, is that during the blocking period other valid users cannot log in to the device either. For this reason, the IP addresses used by valid users must be given special permission.
Complete configuration:
Router#configure terminal
Router(config)#username admin secret @dmiN13479
Router(config)#username support secret $uPPt13579
Router(config)#line vty 0 4
Router(config-line)#login local
Router(config-line)#exit
Router(config)#login block-for 60 attempts 5 within 60
Router(config)#ip access-list standard PERMIT-VTY
Router(config-std-nacl)#permit 192.168.1.11
Router(config-std-nacl)#permit 192.168.1.12
Router(config-std-nacl)#remark PERMIT VTY ADMIN ONLY
Router(config-std-nacl)#exit
Router(config)#login quiet-mode access-class PERMIT-VTY
Router(config)#login delay 3
Router(config)#login on-success log
Router(config)#login on-failure log
Router(config)#exit
This feature is disabled by default on Cisco devices; it must be enabled using the login block-for command. It works in two modes:
- Watch Mode: In this mode, the device counts failed login attempts within the specified time window. If the specified number of failed attempts is reached, the device enters Quiet Mode.
- Quiet Mode: The device stays in this mode for the specified time and then returns to Watch Mode. By default, no one can log in to the device while it is in Quiet Mode. However, in the above configuration, a few specific IP addresses have been permitted to log in during this mode by means of the ACL. After a failed login attempt, the device by default accepts the next attempt after 1 second; here this has been changed to 3 seconds, so after one unsuccessful try a user must wait 3 seconds before the next attempt. In addition, a log entry is generated for every failed or successful login, so that the network administrator can see who logged in or tried to log in, when, and from where.
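To make the interaction of the parameters concrete, here is an added Python model of the watch/quiet mode behaviour just described. It is an illustration written for this page, not Cisco's implementation: the LoginGuard class, its method names and the event names in its log are my own, times are plain seconds supplied by the caller, and two simplifications are assumed (the login delay is applied globally rather than per session, and failures from ACL-permitted sources are still counted). The replayed scenario uses the tutorial's values: 5 failures within 60 seconds, a 60 second block, a 3 second delay, and 192.168.1.11 and 192.168.1.12 as the PERMIT-VTY addresses; the attempt timestamps and the 10.0.0.5 source are constructed.

```python
import ipaddress


class LoginGuard:
    """Model of 'login block-for BLOCK attempts N within WINDOW' together with
    'login quiet-mode access-class ACL' and 'login delay D'. All times are in
    seconds and are passed in by the caller, so runs are deterministic.
    Assumptions: the login delay is global rather than per session, and
    failures from ACL-permitted sources are still counted."""

    def __init__(self, block_for=60, attempts=5, within=60, delay=1, quiet_mode_allowed=()):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.delay = delay
        self.allowed = [ipaddress.ip_network(a) for a in quiet_mode_allowed]
        self.failures = []       # timestamps of failures inside the watch window
        self.quiet_until = None  # end of the current quiet period, if any
        self.next_allowed = 0    # earliest time the next attempt is accepted
        self.log = []            # (time, event, source), like 'login on-*' log lines

    def mode(self, now):
        """'quiet' while a block is in force, otherwise 'watch'."""
        if self.quiet_until is not None and now < self.quiet_until:
            return "quiet"
        return "watch"

    def _permitted_in_quiet(self, source):
        addr = ipaddress.ip_address(source)
        return any(addr in net for net in self.allowed)

    def attempt(self, now, source, credentials_ok):
        """Process one login attempt; returns 'success', 'failed' or 'blocked'."""
        if self.mode(now) == "quiet" and not self._permitted_in_quiet(source):
            self.log.append((now, "QUIET_MODE_BLOCKED", source))
            return "blocked"
        if now < self.next_allowed:
            self.log.append((now, "DELAYED", source))
            return "blocked"
        if credentials_ok:
            self.log.append((now, "LOGIN_SUCCESS", source))
            return "success"
        # Failure: enforce the login delay and count it in the sliding window.
        self.log.append((now, "LOGIN_FAILED", source))
        self.next_allowed = now + self.delay
        self.failures = [t for t in self.failures if now - t < self.within] + [now]
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures = []
            self.log.append((now, "QUIET_MODE_ON", source))
        return "failed"


def simulate_tutorial_scenario():
    """Replay the tutorial's configuration: 5 failures within 60 s block
    logins for 60 s, except from the two addresses in PERMIT-VTY."""
    guard = LoginGuard(block_for=60, attempts=5, within=60, delay=3,
                       quiet_mode_allowed=["192.168.1.11", "192.168.1.12"])
    timeline = []
    for t in (0, 3, 6, 9, 12):                                        # constructed bad-password attempts
        timeline.append((t, guard.attempt(t, "10.0.0.5", False)))
    timeline.append((13, guard.attempt(13, "10.0.0.5", True)))        # blocked: quiet mode
    timeline.append((20, guard.attempt(20, "192.168.1.11", True)))    # permitted address still gets in
    timeline.append((80, guard.attempt(80, "10.0.0.5", True)))        # quiet period is over
    return guard, timeline


if __name__ == "__main__":
    guard, timeline = simulate_tutorial_scenario()
    for t, result in timeline:
        print(f"t={t:>3}s {result}")
    print("mode at t=13:", guard.mode(13), "| mode at t=80:", guard.mode(80))
```

Running the scenario shows the trade-off the text describes: once the fifth failure lands at t=12 the device is quiet until t=72, a correct password from the unlisted source at t=13 is refused, while the address in PERMIT-VTY logs in at t=20. The log list is the place to build detection on: counting QUIET_MODE_ON events per source over a day is a simple indicator that someone is probing the management interface.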
Some useful commands for checking the login status are as follows:
Router#show users
Router#show login
Router#show login failures