Basic Router Security

If you talk about basic router security, you discuss how to protect the router itself from being accessed by unauthorized persons. For example, a router could be configured to protect the network behind it, but an intruder could access the router easily because of the weak passwords that were used or some services the administrator forgot to turn off. In this case, the network behind that router is no longer safe because the intruder can easily change the router's configuration to gain access to the network behind it.

Administrative Access

This section describes how to configure secure administrative access to Cisco routers. Configuring this access is an extremely important security task. Otherwise, an unauthorized person could alter the routing parameters, change access lists, and gain access to other systems in the network. To perform basic router configuration tasks, access via a console is required. A console is a terminal that is connected to a router console port and can be either a dumb terminal or a PC running terminal emulation software. Consoles are just one way administrators obtain access to routers. Access can also be gained by Telnet, Hypertext Transfer Protocol (HTTP), and Simple Network Management Protocol (SNMP) if these services are turned on.

The first step in securing administrative access is to configure secure system passwords. These passwords can be stored either on the router itself or remotely on an authentication, authorization, and accounting (AAA) server. This chapter covers only the configuration of local passwords. Password authentication using AAA is discussed in Chapter 11, "Remote Access." Passwords should be as strong as possible. Never use existing words, birthdays, or names that are easy to guess. Most companies have creation rules for passwords in their security policies, such as how often a password must change and which characters have to be used in passwords.

There are two commands available to configure a password on a Cisco router.

enable password password
enable secret secret

If both commands are configured, the password is ignored and only the secret is used. Using enable secret is more secure than using enable password because enable secret hashes the password in the router configuration file. To hash the password, it uses a strong hashing algorithm based on MD5. When looking at the configuration file after using the enable secret command, you see only the hash and not the password anymore, as shown in Example 8-1.

Example 8-1. enable secret

Tokyo#show running-config
Building configuration...

Current configuration : 2394 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Tokyo
!
no logging console
enable secret 5 $1$Y82T$u.8TyPS9Ne9kFs3hhABF..
...

By default, the console port does not have a password configured. An administrator should always configure a console password by using following commands in configuration mode:

Tokyo#conf t
Tokyo(config)#line console 0
Tokyo(config-line)#password cisco
Tokyo(config-line)#login

Also, Cisco routers support multiple Telnet sessions, up to five simultaneous sessions by default but more can be added. Each session is serviced by a logical virtual type terminal (VTY) line. By default, Cisco routers do not have any user-level password configured for these VTY lines. If an administrator does not configure a password on the VTY lines, no access to the router is available via Telnet, and you encounter an error message similar to Example 8-2.

Example 8-2. VTY Configuration

Brussels#telnet 10.10.10.1
Trying 10.10.10.1 ... Open


Password required, but none set

[Connection to 10.10.10.1 closed by foreign host]
Brussels#

To configure a VTY password, the following commands can be used:

Tokyo#configure terminal
Tokyo(config)#line vty 0 4
Tokyo(config-line)#password cisco
Tokyo(config-line)#login

Notice that in the sample configuration, the passwords are configured for all the VTY lines as a whole. They can also be configured line by line, but that is not recommended. There is always a chance that you might forget to configure one line, thereby opening a security hole.

Some routers also have an auxiliary port that is sometimes used by administrators to remotely configure and monitor the router using a dialup modem connection. Setting a password on this port is one of several steps that have to occur when configuring this port for remote dialup. This process is beyond the scope of this book. For more information on this topic, check this URL:

http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080094bbc.shtml

Example 8-3 shows the configuration of a router where the enable and all the user-level passwords are configured.

Example 8-3. Configuration of All Passwords

Brussels#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Brussels(config)#enable secret YsnktFp
Brussels(config)#line con 0
Brussels(config-line)# exec-timeout 0 0
Brussels(config-line)# password c0npa55
Brussels(config-line)# login
Brussels(config-line)#line aux 0
Brussels(config-line)# exec-timeout 3 30
Brussels(config-line)# password au6pa55
Brussels(config-line)# login
Brussels(config-line)#line vty 0 4
Brussels(config-line)# exec-timeout 5 0
Brussels(config-line)# password vt1pa55
Brussels(config-line)# login
Brussels(config-line)#!
Brussels(config-line)#end
Brussels#

By default, an administrative interface stays active for 10 minutes after the last session activity. After that, the interface times out and logs out. It is recommended that you fine-tune these timers. They can be configured by using the exec-timeout command in line configuration mode for each of the line types used. You can specify how long a user can be inactive by the minutes and the seconds after the exec-timeout command, as you can see in Example 8-4.

Example 8-4 displays a configuration file from a router with passwords assigned to the console, VTY, AUX lines, and enable.

Example 8-4. Configuration File for the Brussels Router

Brussels#show running-config
Building configuration...

Current configuration : 701 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Brussels
!
enable secret YsnktFp

!
interface Ethernet0/0
 ip address 10.10.10.2 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface TokenRing0/0
 no ip address
 shutdown
!
interface Serial0/1
 no ip address
 shutdown
!
ip classless
ip http server
!
line con 0
 exec-timeout 0 0
 password c0npa55
 login
line aux 0
 exec-timeout 3 30
 password au6pa55
 login
line vty 0 4
 exec-timeout 5 0
 password vt1pa55
 login
!
end

The console port has an exec-timeout of 0 0, which means that it never times out. You have to be careful when using this timeout. All router passwords are stored in clear-text form by default, as you can see in Example 8-4, with the exception of the enable secret. These passwords can also be seen by a network monitor if your configuration file traverses the Internet. By using the service password-encryption command, all passwords are encrypted using a proprietary Cisco algorithm indicated by the number 7 when viewing the configuration file, as seen in Example 8-5. This method is not as safe as MD5, which is used for the enable secret, but it makes it harder for the intruder to gain access to the router.

Example 8-5. Service Password Encryption

line con 0
 exec-timeout 0 0
 password 7 121A5519020A5951
 login
line aux 0
 exec-timeout 3 30
 password 7 094D5B5F09044247
 login
line vty 0 4
 exec-timeout 5 0
 password 7 0210100A1B075A74
 login
!

Another useful feature that can be used is the banner. The banner does not protect the router from intruders, but by using it, you can warn intruders that the device is for authorized people only.

To enter a banner in configuration mode, use the following command:

banner {exec | incoming | login | motd | slip-ppp} d message d

Table 8-1 describes all the different variances you can use when configuring a banner.

Table 8-1. Banner Command

Command	Description
banner exec	Specifies a message to be displayed when an EXEC process is created (a line is activated or an incoming connection is made to a VTY line).
banner incoming	Specifies a message used when you have an incoming connection to a line from a host on the network.
banner login	Specifies a message to be displayed before the username and password login prompts.
banner motd	Specifies and enables a message-of-the-day (MOTD) banner.
banner slip-ppp	Specifies and enables a banner to be displayed when a Serial Line Interface Protocol (SLIP) or PPP connection is made.
d	Represents a delimiting character of your choice (for example, a pound sign #). You cannot use the delimiting character in the banner message.
message	Represents message text. There are some tokens available to use in the message text: $(hostname): Displays the hostname for the router $(domain): Displays the domain name for the router $(line): Displays the VTY line number $(line-desc): Displays the description attached to the line

Example 8-6 provides the commands needed to configure the banner and what is displayed when someone uses Telnet to access the router.

Example 8-6. Banner Configuration

Brussels#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Brussels(config)#banner exec #
Enter TEXT message.  End with the character '#'.
WARNING: You are connected to $(hostname) on the XYZ, Incorporated network #
Brussels(config)#banner motd #
Enter TEXT message.  End with the character '#'.
This is just a sample message... #
Brussels(config)#exit
Brussels#


Tokyo#telnet 10.10.10.2
Trying 10.10.10.2 ... Open

This is just a sample message...

User Access Verification

Password:
WARNING: You are connected to Brussels on the XYZ, Incorporated network
Brussels>

Services

Cisco routers run several services that may or may not be required in certain networks. Network security can be greatly improved by turning them off or at least restricting access to them. One of the most basic rules of router security is to run only the services that are really necessary and no more. Leaving unused network services enabled increases the possibility of those services being used maliciously. The services in the list that follows are all enabled by default on a router.

• BOOTP server This service allows a router to act as a BOOTP server for other routers. This is rarely required and should be disabled. Use the following command to disable this service:

  Brussels(config)#no ip bootp server
  

  
  

• Cisco Discovery Protocol (CDP) This is primarily used to obtain protocol addresses of neighboring devices and the platforms on which they are used. CDP is media- and protocol-independent and runs on all Cisco equipment, including routers, switches, and access servers. Use the following commands to disable CDP:

  Brussels(config)#no cdp run
  Brussels(config-if)#no cdp enable
  

  
  

  The first command is used to disable CDP globally, and the second command is used to disable it on a per interface basis.

• DNS lookup By default, Cisco routers broadcast name requests to 255.255.255.255. If the DNS service is used, make sure that the proper DNS server address is configured. Use the following command to turn off the DNS service:

  Brussels(config)#no ip domain-lookup
  

  
  

• HTTP server The default setting for this device depends on the platform. This service enables a network administrator to modify the configuration using a web browser. You should disable this service if not in use by using the following command:

  Brussels(config)#no ip http server
  

  
  

• IP redirect This feature enables the sending of redirect packets if the router is forced to resend a packet through the same interface on which it was received. This can be used to map the network and should be turned off on interfaces to untrusted networks. This can be disabled using following command:

  Brussels(config-if)#no ip redirects
  

  
  

This is only a selection of the many services that run on a router. Make sure that you use only what you need to run a network and that everything else is turned off.