© 2006 Cisco Systems, Inc. All rights reserved. SND v2.02-1 Securing the Perimeter Securing Administrative Access to Cisco Routers.


Outline
– Overview
– Configuring Router Passwords
– Setting a Login Failure Rate
– Setting Timeouts
– Setting Multiple Privilege Levels
– Configuring Role-Based CLI
– Securing the Cisco IOS Image and Configuration Files
– Configuring Enhanced Support for Virtual Logins
– Configuring Banner Messages
– Summary

Configuring the Router Password
A console is a terminal connected to the router console port. The terminal can be a dumb terminal or a PC running terminal emulation software.
[Figure: a console terminal attached to the console port of the Boston router]

Password Creation Rules
Follow these rules when you create passwords for Cisco routers:
– Passwords should have a minimum of 10 characters.
– Passwords can include the following:
  – Alphanumeric characters
  – Uppercase and lowercase characters
  – Symbols and spaces
– Leading spaces in a password are ignored, but every space after the first character is significant.
– Change passwords often.

Initial Configuration Dialog (sample router configuration)
Would you like to enter the initial configuration dialog? [yes/no] y
Configuring global parameters:
  Enter host name [Router]: Boston
  The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration.
  Enter enable secret: CantGessMe
  The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images.
  Enter enable password: WontGessMe
  The virtual terminal password is used to protect access to the router over a network interface.
  Enter virtual terminal password: CantGessMeVTY

Password Minimum Length Enforcement
router(config)# security passwords min-length length
Sets the minimum length of all Cisco IOS passwords.
Example:
Boston(config)# security passwords min-length 10

Configuring the Enable Password with the enable secret Command
router(config)# enable secret password
– Hashes the password in the router configuration file
– Uses a strong hashing algorithm based on MD5
Example:
Boston(config)# enable secret Curium2006
Boston# show running-config
!
hostname Boston
!
no logging console
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
!

Configuring the Console Port Line-Level Password
router(config)# line console 0
Enters console line configuration mode.
router(config-line)# password password
Sets the line-level password to password (for example, ConUserNo1).
router(config-line)# login
Enables password checking at login.
Example:
Boston(config)# line con 0
Boston(config-line)# password ConUserNo1
Boston(config-line)# login

Configuring a vty Line-Level Password
router(config)# line vty start-line-number end-line-number
Enters vty line configuration mode and specifies the range of vty lines to configure.
router(config-line)# password password
Sets the line-level password to password (for example, CantGessMeVTY).
router(config-line)# login
Enables password checking at login for vty (Telnet) sessions.
Example:
Boston(config)# line vty 0 4
Boston(config-line)# login
Boston(config-line)# password CantGessMeVTY

Configuring an Auxiliary Line-Level Password
router(config)# line aux 0
Enters auxiliary line configuration mode.
router(config-line)# password password
Sets the line-level password to password (for example, NeverGessMeAux).
router(config-line)# login
Enables password checking at login for auxiliary line connections.
Example:
Boston(config)# line aux 0
Boston(config-line)# password NeverGessMeAux
Boston(config-line)# login

Encrypting Passwords with the service password-encryption Command
router(config)# service password-encryption
Encrypts all clear-text passwords in the router configuration file.
Example:
Boston(config)# service password-encryption
Boston# show running-config
enable password A061E
!
line con 0
password F57A109A
!
line vty 0 4
password 7 034A18F366A0
!
line aux 0
password 7 7A4F A

Enhanced Username Password Security
router(config)# username name secret {[0] password | 5 encrypted-secret}
– Uses MD5 hashing for better username password security
– Better than the type 7 encryption used by the service password-encryption command
Example:
Boston(config)# username rtradmin secret 0 Curium2006
Boston(config)# username rtradmin secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0

Securing ROMMON with the no service password-recovery Command
router(config)# no service password-recovery
By default, Cisco routers are factory configured with service password-recovery set. The no form prevents console access to ROMMON.
Example:
Boston(config)# no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for password recovery.
Are you sure you want to continue? [yes/no]: yes
Boston(config)#

Authentication Failure Rate with Logging
router(config)# security authentication failure rate threshold-rate log
– Configures the number of allowable unsuccessful login attempts.
– By default, the router allows 10 login failures before initiating a 15-second delay.
– Generates a syslog message when the rate is exceeded.
Example:
Boston(config)# security authentication failure rate 10 log
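Logging the failure rate is only useful if something reads the messages. The following is an added example, not part of the course material: a small detector that a syslog collector could run over the router's login messages. The sample lines are constructed here in the style of the %SEC_LOGIN-4-LOGIN_FAILED and %SEC_LOGIN-5-LOGIN_SUCCESS messages that the login on-failure log and login on-success log commands covered later in this lesson produce (the exact field layout on your IOS release may differ, so treat the regular expression as an assumption to verify against real output). It raises one alert when a source crosses a failure threshold inside a sliding window, and another when a success follows several failures from the same source, which is the pattern a password-guessing attempt that eventually worked would leave behind.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in the style of the IOS %SEC_LOGIN messages;
# not captured from a real device. Addresses come from documentation ranges.
SAMPLE_LOG = """\
Jan 3 13:45:01.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 13:45:01 UTC Tue Jan 3 2006
Jan 3 13:45:05.220: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 13:45:05 UTC Tue Jan 3 2006
Jan 3 13:45:09.870: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.10] [localport: 23] [Reason: Login Authentication Failed] at 13:45:09 UTC Tue Jan 3 2006
Jan 3 13:45:20.004: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rtradmin] [Source: 192.0.2.10] [localport: 23] at 13:45:20 UTC Tue Jan 3 2006
Jan 3 13:46:00.318: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: rtradmin] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed] at 13:46:00 UTC Tue Jan 3 2006
Jan 3 13:46:30.512: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: rtradmin] [Source: 198.51.100.7] [localport: 23] at 13:46:30 UTC Tue Jan 3 2006
"""

# Field layout assumed from the message style above; verify against your own router's output.
MSG_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<kind>LOGIN_FAILED|LOGIN_SUCCESS):.*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\].*?"
    r" at (?P<hms>\d\d:\d\d:\d\d) UTC \w{3} (?P<mon>\w{3}) (?P<day>\d+) (?P<year>\d{4})"
)


def parse_events(text):
    """Return (timestamp, kind, user, source) tuples for every %SEC_LOGIN line."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(
            f"{m['mon']} {m['day']} {m['year']} {m['hms']}", "%b %d %Y %H:%M:%S"
        )
        events.append((ts, m["kind"], m["user"], m["src"]))
    return events


def detect(text, threshold=3, window=timedelta(seconds=60), success_after=2):
    """Flag per-source failure bursts and successes that follow recent failures.

    Returns (alert_kind, source, user, failure_count, timestamp) tuples.
    """
    alerts = []
    recent = defaultdict(deque)  # source -> timestamps of failures inside the window
    for ts, kind, user, src in parse_events(text):
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the sliding window
        if kind == "LOGIN_FAILED":
            q.append(ts)
            if len(q) == threshold:  # alert once, at the moment the threshold is crossed
                alerts.append(("failure_burst", src, user, len(q), ts))
        else:
            if len(q) >= success_after:
                alerts.append(("success_after_failures", src, user, len(q), ts))
            q.clear()  # a successful login resets the counter for that source
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: three failures followed by a success from the same address within a minute is a login to verify, whereas a burst of failures alone is often a mistyped password or a misconfigured management tool.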

Setting Timeouts for Router Lines
router(config-line)# exec-timeout minutes [seconds]
– Terminates an unattended console connection; the default is 10 minutes.
– Provides an extra safety factor when an administrator walks away from an active console session.
Example (terminates an unattended console or auxiliary connection after 3 minutes and 30 seconds):
Boston(config)# line console 0
Boston(config-line)# exec-timeout 3 30
Boston(config)# line aux 0
Boston(config-line)# exec-timeout 3 30
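The password and line settings in the preceding slides (enable secret, line passwords with login, service password-encryption, username secret, no service password-recovery, and exec-timeout) are easy to verify together by reading a saved running-config. The script below is an added example, not Cisco code or part of the course material: it splits a running-config into global commands and per-line sections and reports every setting the lesson tells you to avoid, including type 7 (reversible) line passwords, clear-text passwords shorter than the minimum length, lines without login, and lines left at the default exec-timeout. The two configurations embedded in it are constructed for the example, modelled on the Boston router of the slides.

```python
# Constructed running-config excerpts modelled on the lesson's Boston router;
# neither was captured from a real device.
WEAK_CONFIG = """\
hostname Boston
!
enable password WontGessMe
!
username rtradmin password 0 Curium2006
!
line con 0
 password cisco
 login
!
line aux 0
 password 7 034A18F366A0
 login
!
line vty 0 4
 password CantGessMeVTY
!
end
"""

HARDENED_CONFIG = """\
hostname Boston
!
security passwords min-length 10
service password-encryption
no service password-recovery
enable secret 5 $1$ptCj$vRErS/tehv53JjaqFMzBT/
username rtradmin secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0
!
line con 0
 exec-timeout 3 30
 login local
!
line aux 0
 exec-timeout 3 30
 login local
!
line vty 0 4
 exec-timeout 3 30
 login local
!
end
"""


def split_sections(config):
    """Split a running-config into global commands and per-line sections.

    IOS indents the commands that belong to a 'line ...' section by one space.
    """
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:  # indented under a section we do not model otherwise
                sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections


def _password_kind(args):
    """Classify the tokens after 'password': 7 (reversible), 5 (MD5 hash) or 0 (clear text)."""
    if len(args) >= 2 and args[0] in ("0", "5", "7"):
        return args[0], " ".join(args[1:])
    return "0", " ".join(args)


def audit(config, min_length=10):
    """Return (scope, finding) pairs for settings the lesson tells you to avoid."""
    findings = []
    global_cmds, sections = split_sections(config)

    def present(prefix):
        return any(c == prefix or c.startswith(prefix + " ") for c in global_cmds)

    if not present("enable secret"):
        findings.append(("global", "no-enable-secret"))
    for cmd in global_cmds:
        if cmd.startswith("enable password "):
            findings.append(("global", "enable-password-present"))
            kind, value = _password_kind(cmd.split()[2:])
            if kind == "0" and len(value) < min_length:
                findings.append(("global", "short-password"))
        elif cmd.startswith("username ") and " password " in cmd:
            findings.append(("global", "username-password-not-secret:" + cmd.split()[1]))
    if not present("service password-encryption"):
        findings.append(("global", "no-service-password-encryption"))
    if not present("security passwords min-length"):
        findings.append(("global", "no-min-length"))
    if not present("no service password-recovery"):
        findings.append(("global", "password-recovery-enabled"))

    for name, body in sections.items():
        cmds = {c.split()[0]: c.split()[1:] for c in body}
        if "password" in cmds:
            kind, value = _password_kind(cmds["password"])
            if kind == "7":
                findings.append((name, "type7-password"))
            elif kind == "0":
                findings.append((name, "cleartext-password"))
                if len(value) < min_length:
                    findings.append((name, "short-password"))
        if "login" not in cmds:
            findings.append((name, "no-login"))
        if "exec-timeout" not in cmds:
            findings.append((name, "no-exec-timeout"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(WEAK_CONFIG):
        print(f"{scope:12} {finding}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The hardened configuration uses login local with username secret entries instead of line passwords, so no password line appears on the lines at all; that is why it produces no findings even though the audit flags type 7 line passwords. The password-recovery finding is deliberately reported as information rather than an error, since disabling recovery is a trade-off the slide's own warning spells out.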

Setting Multiple Privilege Levels
router(config)# privilege mode {level level command | reset command}
– Level 0 is predefined for user-level access privileges.
– Levels 1 to 14 may be customized for user-level privileges.
– Level 15 is predefined for enable mode (enable command).
Example:
Boston(config)# privilege exec level 2 ping
Boston(config)# enable secret level 2 Patriot2006

Configuring Role-Based CLI
If AAA is enabled on a device, you can limit the privileges of users at the CLI by configuring views. The command sequence to configure views is as follows:
– Step 1: enable view
– Step 2: configure terminal
– Step 3: parser view view-name
– Step 4: secret 5 encrypted-password
– Step 5: commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
– Step 6: exit
– Step 7: exit
– Step 8: enable [view view-name]
– Step 9: show parser view [all]

Configuring Role-Based CLI (Cont.)
router> enable view
Enables the root view. Enter your privilege level 15 password if prompted.
router# configure terminal
Enters global configuration mode.
router(config)# parser view view-name
Creates a new view (for example, parser view NetOps).

Configuring Role-Based CLI (Cont.)
router(config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
Adds commands or interfaces to a view.
Example:
Router(config-view)# commands exec include show version

Example: Creating a View Called NetOps
Router# enable view
Password: Curium2006
Router# configure terminal
router(config)# parser view NetOps
router(config-view)# secret 0 hardtocrackpw
router(config-view)# commands exec include ping
router(config-view)# commands exec include all show
router(config-view)# commands exec include telnet
router(config-view)# commands exec include traceroute
router(config-view)# commands exec include write
router(config-view)# commands exec include configure
router(config-view)# commands configure include access-list
router(config-view)# commands configure include all interface
router(config-view)# commands configure include all ip

Example: Verifying Commands Available to the NetOps View
router# enable view NetOps
Password: hardtocrackpw
router#
Jan 3 13:45:03.887: %PARSER-6-VIEW_SWITCH: successfully set to view 'NetOps'.
router# ?
Exec commands:
  configure   Enter configuration mode
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  ping        Send echo messages
  show        Show running system information
  telnet      Open a telnet connection
  traceroute  Trace route to destination
  write       Write running configuration to memory, network, or terminal
router# configure terminal
router(config)# ?
Configure commands:
  access-list  Add an access list entry
  do           To run exec commands in config mode
  exit         Exit from configure mode
  interface    Select an interface to configure
  ip           Global IP configuration subcommands
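The include, include-exclusive and exclude keywords, and the effect of all, are easiest to understand by replaying the NetOps view against a small command tree. The model below is an added example written for this page, not Cisco's parser and not part of the course material. It assumes a constructed catalog of a few exec and configure commands, treats a rule without all as naming one command and a rule with all as a prefix wildcard, lets later rules override earlier ones, and records include-exclusive claims so that a command owned by one view is refused in every other view. With those assumptions, build_netops reproduces the two '?' listings shown on the preceding slide.

```python
from collections import defaultdict

# Constructed keyword catalog: a tiny subset of the IOS command tree, enough
# to replay the NetOps example. Arguments after the keywords are not modelled.
CATALOG = {
    "exec": [("ping",), ("show", "version"), ("show", "running-config"),
             ("show", "ip", "route"), ("telnet",), ("traceroute",), ("write",),
             ("configure",), ("reload",), ("debug", "ip", "packet")],
    "configure": [("access-list",), ("interface",), ("ip", "route"),
                  ("ip", "domain-name"), ("hostname",), ("router", "ospf")],
}
# Commands the parser always offers inside a view (seen in the lesson's '?' output).
BUILTIN = {"exec": ["enable", "exit"], "configure": ["do", "exit"]}


def _matches(all_flag, keywords, cmd):
    """'all' makes the rule a prefix wildcard; without it the rule names one command."""
    return cmd[:len(keywords)] == keywords if all_flag else cmd == keywords


class ViewRegistry:
    """Holds every parser view plus the commands claimed by include-exclusive."""

    def __init__(self):
        self.views = {}
        self.exclusive = {}  # (mode, command) -> name of the only view allowed to run it

    def parser_view(self, name):
        view = View(name, self)
        self.views[name] = view
        return view


class View:
    def __init__(self, name, registry):
        self.name = name
        self.registry = registry
        self.rules = defaultdict(list)  # parser mode -> [(action, all_flag, keywords)]

    def commands(self, mode, action, *words):
        """Mirror of 'commands <mode> {include|include-exclusive|exclude} [all] <command>'."""
        all_flag = bool(words) and words[0] == "all"
        keywords = tuple(words[1:] if all_flag else words)
        self.rules[mode].append((action, all_flag, keywords))
        if action == "include-exclusive":
            for cmd in CATALOG[mode]:
                if _matches(all_flag, keywords, cmd):
                    self.registry.exclusive[(mode, cmd)] = self.name

    def allowed(self, mode, cmd):
        """Later rules win; a command owned exclusively by another view is always denied."""
        owner = self.registry.exclusive.get((mode, cmd))
        if owner is not None and owner != self.name:
            return False
        verdict = False
        for action, all_flag, keywords in self.rules[mode]:
            if _matches(all_flag, keywords, cmd):
                verdict = action != "exclude"
        return verdict

    def listing(self, mode, *prefix):
        """What '?' would show at this point of the command line inside the view."""
        nxt = set(BUILTIN[mode]) if not prefix else set()
        for cmd in CATALOG[mode]:
            if cmd[:len(prefix)] == prefix and len(cmd) > len(prefix) and self.allowed(mode, cmd):
                nxt.add(cmd[len(prefix)])
        return sorted(nxt)


def build_netops(registry):
    """Replay the lesson's 'parser view NetOps' configuration."""
    v = registry.parser_view("NetOps")
    v.commands("exec", "include", "ping")
    v.commands("exec", "include", "all", "show")
    v.commands("exec", "include", "telnet")
    v.commands("exec", "include", "traceroute")
    v.commands("exec", "include", "write")
    v.commands("exec", "include", "configure")
    v.commands("configure", "include", "access-list")
    v.commands("configure", "include", "all", "interface")
    v.commands("configure", "include", "all", "ip")
    return v


if __name__ == "__main__":
    reg = ViewRegistry()
    netops = build_netops(reg)
    print("router# ?         ->", netops.listing("exec"))
    print("router(config)# ? ->", netops.listing("configure"))
```

Two consequences of the model are worth noticing when you design real views: commands exec include show (without all) would expose only show itself and none of its subcommands, which is why the slide uses include all show; and an include-exclusive rule in a second view silently removes that command from NetOps even though NetOps's own all show rule still matches it.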

Securing the Cisco IOS Image and Configuration Files
The command sequence to save a primary bootset to a secure archive in persistent storage is as follows:
– Step 1: enable
– Step 2: configure terminal
– Step 3: secure boot-image
– Step 4: secure boot-config
– Step 5: end
– Step 6: show secure bootset

Securing the Cisco IOS Image and Configuration Files (Cont.)
router(config)# secure boot-image
Enables Cisco IOS image resilience.
router(config)# secure boot-config
Stores a secure copy of the primary bootset in persistent storage.

Securing the Cisco IOS Image and Configuration Files (Cont.)
router# show secure bootset
Displays the status of the secure bootset archived in persistent storage.
Example:
Router# show secure bootset
IOS resilience router id FHK085031MD
IOS image resilience version 12.3 activated at 05:00:59 UTC Fri Feb
Secure archive flash:c1841-advsecurityk9-mz T1. bin type is image (elf) []
  file size is bytes, run size is bytes
  Runnable image, entry point 0x8000F000, run from ram
IOS configuration resilience version 12.3 activated at 05:01:02 UTC Fri Feb
Secure archive flash:.runcfg ar type is config
configuration archive size 4014 bytes

Configuring Enhanced Support for Virtual Logins
For secure virtual login connections, these requirements have been added to the login process:
– Delays between successive login attempts
– Login shutdown if DoS attacks are suspected
– Generation of system logging messages for login detection

Configuring Enhanced Support for Virtual Logins (Cont.)
The command sequence to secure virtual login connections is as follows:
– Step 1: enable
– Step 2: configure terminal
– Step 3: login block-for seconds attempts tries within seconds
– Step 4: login quiet-mode access-class {acl-name | acl-number}
– Step 5: login delay seconds
– Step 6: login on-failure log [every login]
– Step 7: login on-success log [every login]

Configuring Enhanced Support for Virtual Logins (Cont.)
router(config)# login block-for seconds attempts tries within seconds
Sets login parameters that help provide DoS detection.
router(config)# login quiet-mode access-class {acl-name | acl-number}
If this command is not enabled, all login requests will be denied during quiet mode.
Example:
Router(config)# login block-for 100 attempts 2 within 100
Router(config)# login quiet-mode access-class myacl

Configuring Enhanced Support for Virtual Logins (Cont.)
router(config)# login delay seconds
(Optional) Configures a delay between successive login attempts.
router(config)# login on-failure log [every login]
(Optional) Generates logging messages for failed login attempts.
router(config)# login on-success log [every login]
(Optional) Generates logging messages for successful login attempts.
router# show login
Verifies that the login block-for command is issued.
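The interaction between login block-for, login quiet-mode access-class and login delay (steps 3 to 5 of the sequence above) is the part that catches people out: once quiet mode starts, the router refuses every login, including the administrator's, unless the quiet-mode ACL permits the administrator's host. The simulation below is an added example written for this page, not Cisco code and not part of the course material. It models the router's watch and quiet modes with the slide's values (block-for 100 attempts 2 within 100), a constructed quiet-mode ACL standing in for myacl, and a one-second login delay taken as an assumed default; the show_login method is a loose analogue of the show login command.

```python
import ipaddress


class LoginGuard:
    """Constructed model of 'login block-for', 'login quiet-mode access-class' and
    'login delay'. Not Cisco code; it reproduces the behaviour the lesson describes."""

    def __init__(self, block_for, attempts, within, delay=1, quiet_mode_acl=None):
        self.block_for = block_for      # seconds to stay in quiet mode
        self.attempts = attempts        # failures that trigger quiet mode ...
        self.within = within            # ... if they happen inside this many seconds
        self.delay = delay              # minimum seconds between successive attempts (assumed default 1)
        # Hosts permitted during quiet mode (the 'myacl' of the example). An empty
        # list means every login request is denied while quiet mode is active.
        self.quiet_acl = [ipaddress.ip_network(n) for n in (quiet_mode_acl or [])]
        self.failures = []              # timestamps of failures inside the window
        self.quiet_until = None         # end of the current quiet period, if any
        self.last_attempt = None
        self.events = []                # (time, event) records, like the router's syslog

    def attempt(self, now, source, success):
        """Process one login attempt at time 'now' (seconds) and return the outcome."""
        src = ipaddress.ip_address(source)
        if self.quiet_until is not None:
            if now < self.quiet_until:
                if not any(src in net for net in self.quiet_acl):
                    return "denied-quiet-mode"
            else:
                # quiet period elapsed: back to watch mode, counters reset
                self.quiet_until = None
                self.failures.clear()
                self.events.append((now, "QUIET_MODE_OFF"))
        if self.last_attempt is not None and now - self.last_attempt < self.delay:
            return "throttled"          # login delay has not elapsed yet
        self.last_attempt = now
        if success:
            return "accepted"
        # keep only failures still inside the 'within' window, then add this one
        self.failures = [t for t in self.failures if now - t <= self.within] + [now]
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.events.append((now, "QUIET_MODE_ON"))
            return "failed-quiet-mode-on"
        return "failed"

    def show_login(self, now):
        """Rough analogue of 'show login': the current mode and its remaining time."""
        if self.quiet_until is not None and now < self.quiet_until:
            return {"mode": "quiet", "remaining": self.quiet_until - now}
        in_window = [t for t in self.failures if now - t <= self.within]
        return {"mode": "watch", "failures_in_window": len(in_window)}


if __name__ == "__main__":
    # Replay of the slide's example with a constructed management subnet as myacl.
    guard = LoginGuard(block_for=100, attempts=2, within=100, quiet_mode_acl=["10.1.1.0/24"])
    for t, host, ok in [(0, "192.0.2.10", False), (5, "192.0.2.10", False),
                        (10, "192.0.2.10", True), (20, "10.1.1.5", True), (110, "192.0.2.10", True)]:
        print(f"t={t:>4} {host:12} -> {guard.attempt(t, host, ok)}")
    print(guard.events)
```

Note that the failure counter is global, not per source, which matches the command's intent (it is a denial-of-service guard for the device's login service rather than a per-attacker lockout) and is also why the quiet-mode ACL matters: two failures from anywhere are enough to lock out an administrator whose host is not in it.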

Configuring Banner Messages
A banner message:
– Specifies what is proper use of the system
– Specifies that the system is being monitored
– Specifies that privacy should not be expected when using this system
router(config)# banner {exec | incoming | login | motd | slip-ppp} d message d
Example:
Boston(config)# banner motd % WARNING: You are connected to $(hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. %

Summary
Administrative access for enterprise routers can be secured in these ways:
– Routers can have locally configured passwords for privileged access. These passwords should be a minimum of 10 characters and should be changed often. Configure passwords by using the enable secret command in global configuration mode.
– Configure the number of allowable unsuccessful login attempts using the security authentication failure rate command in global configuration mode.
– Limit the amount of time an inactive administrative interface remains logged in by using the exec-timeout minutes [seconds] command.
– Privileges are assigned to levels 2 to 14 using the privilege mode command in global configuration mode.
– An administrator can limit the tasks a user can carry out on a router by configuring views in role-based CLI. In global configuration mode, create a new view with the parser view command, then assign commands to the view with the commands command.
– An administrator should secure the Cisco IOS software image and configuration files. This is known as Cisco IOS Image Resilience and is configured in global configuration mode with the secure boot-config command and the secure boot-image command.
– The Cisco IOS Login Enhancements feature provides improved security for virtual login connections by implementing a delay between successive login attempts, shutting down login if DoS attacks are suspected, and logging both failed login attempts and successful logins.
– Banner messages should be used to warn would-be intruders that they are not welcome on your network. Configure banner messages with the banner command.
