Sunday, April 25, 2010

Basic Cisco Router Security and Ethernet Support


Abstract: We're going to quickly configure and secure a stock Cisco 2505 router and enable Ethernet support. The tasks are:

1) shut down unnecessary serial ports
2) set passwords
3) change the IP address

The router will start in user (boot) mode. In this mode we can see configuration data but not make alterations. The example router is named Bart and this is the current prompt:

Bart>

Moving into privileged (aka enable) mode allows the admin to make changes. The system indicates privileged mode with # for the prompt:

Bart> enable
Bart#

Closing Unnecessary Serial Ports

The router's serial ports will not be used for this network and both must be turned off. On the prompts, notice that (config) is general configuration mode and (config-if) indicates that a particular 'interface' (serial, ethernet, etc. port) has been selected.

Bart# configure terminal
Bart(config)# interface Serial0
Bart(config-if)# shutdown
(to re-enable, the command is no shutdown)
Bart(config-if)# exit
(repeat for Serial1)
Bart(config)# exit
Bart# write terminal
At this point the configuration information is printed to the screen. Check to ensure the data is properly entered.
Bart# write memory

Enabling and Encrypting Passwords

We'll start with securing the console (initial screen).

Bart# config term
Bart(config)# line console 0
Bart(config-line)# login
Bart(config-line)# password Sk@teb0ard
Bart(config-line)# exit
Bart(config)# exit

Remote terminal sessions:

Bart# config term
Bart(config)# line vty 0 4
Bart(config-line)# login
Bart(config-line)# password Krus%Ycl0wn
Bart(config-line)# exit
Bart(config)# exit

Privileged mode:

Bart# config term
Bart(config)# enable password Tr<>4ouSe
Bart(config)# exit
Bart# disable (exits privileged mode into user mode)
Bart> enable
Password:


Viewing the system configuration at this point reveals the passwords in plain text. To ensure no one accidentally views sensitive info, it must be encrypted.

Bart# config term
Bart(config)# service password-encryption
Bart(config)# exit
Bart# write terminal (check that all passwords are encrypted)
Telnet into the router to ensure your password works. Once all changes have been tested, save the configuration and reload:
Bart# write memory (saves the configuration information to NVRAM and will persist through power cycles)
Bart# reload (restarts the router)

System configuration was modified. Save? [yes/no] yes
Proceed with reload? [confirm] *press enter*

Close the terminal window so that someone can't scroll up and collect password data that was previously displayed.

Changing the IP Address

Bart> enable
Bart# conf term
Bart(config)# interface Ethernet0
Bart(config-if)# ip address 192.168.9.1 255.255.255.255
Bart(config-if)# exit
Bart(config)# exit
Bart# write term (check that change was made)
Bart# write mem
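
An added example, not part of the original article: a short Python check that reads saved `write terminal` output and reports whether the serial shutdown and password steps above took effect. The sample configuration and its type 7 strings are constructed, the function names are illustrative, and the final check assumes you want `enable secret` because the type 7 encoding produced by `service password-encryption` is reversible.

```python
import re

# Constructed `write terminal` output (not from a real router); the type 7
# strings are placeholders. Serial1 is enabled and vty is plain text on purpose.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 0102030405060708
interface Serial0
 shutdown
interface Serial1
 no ip address
line con 0
 password 7 0102030405060708
 login
line vty 0 4
 password EXAMPLE-PLAINTEXT
 login
"""

def parse_sections(text):
    """Map each top-level config line to the indented lines beneath it."""
    sections, current = {}, None
    for raw in filter(str.strip, text.splitlines()):  # skip blank lines
        if raw[0] == " " and current:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
    return sections

def audit(text):
    """Return findings for the shutdown and password steps of the article."""
    sections, findings = parse_sections(text), []
    if "service password-encryption" not in sections:
        findings.append("service password-encryption is not enabled")
    for header, body in sections.items():
        if header.startswith("interface Serial") and "shutdown" not in body:
            findings.append(f"{header}: not shut down")
        if header.startswith(("line con", "line vty")) and not (
                "login" in body and any(l.startswith("password ") for l in body)):
            findings.append(f"{header}: login/password not both set")
        for l in [header] + body:
            # An encrypted entry reads "password 7 <hex>"; anything else is plain.
            m = re.match(r"(?:enable )?password (.+)", l)
            if m and not re.fullmatch(r"7 [0-9A-Fa-f]+", m.group(1)):
                findings.append(f"{header}: password stored in plain text")
    if not any(h.startswith("enable secret") for h in sections):
        findings.append("no enable secret; type 7 'password' encoding is reversible")
    return findings
```

Paste the router's own `write terminal` output into a string and pass it to `audit()`; an empty list means every check passed.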

2 comments:

  1. Hi David.

    I recommend that you use the command "secret" instead of the command "password" if your devices support it. This is because the "password" command is made with a reversible algorithm.

    Regards!!!!

  2. Hello Inner Trax,

    Thanks for your comment - I will forward to Rob, who contributed this article!

    Thanks - Dave
