Hardening Cisco Routers
By Thomas Akin
February 2002
Pages: 190



Table of Contents

Chapter 1: Router Security
In Webster's dictionary the definition of hard is particularly relevant to the field of information security:
Not easily penetrated or separated into parts; not yielding to pressure.
By hardening a router, we make it difficult to penetrate and unyielding under the pressure of attacks. This chapter discusses why hardening network routers is one of the most important and overlooked aspects of Information Security. It will talk about what can go wrong when routers are left insecure and identify which routers are at the most risk from attack.
Router Security?
When asking about Information Security (InfoSec), most people immediately think about stolen credit cards, defaced web sites, and teenage hackers with names like B@D@pple. An InfoSec professional might extend the list to items like firewalls, Virtual Private Networks (VPNs), penetration testing, and risk analysis. What is almost never listed is router security—network security, yes, but never specifically router security. The distinction is important.
Network security is most often thought of as something that protects machines on a network. To do this, companies put up firewalls, configure VPNs, and install intrusion detection systems. Router security, however, involves protecting the network itself by hardening or securing the routers. Specifically, it addresses preventing attackers from:
  • Using routers to gain information about your network for use in an attack (information leakage)
  • Disabling your routers (and therefore your network)
  • Reconfiguring your routers
  • Using your routers to launch further internal attacks
  • Using your routers to launch further external attacks
Organizations spend hundreds of thousands of dollars on firewalls, VPNs, intrusion detection, and other security measures, and yet they run routers with out-of-the-box configurations. From personal experience, at least eight or nine out of every ten networks have routers that are vulnerable to one of the five preceding problems.
Routers: The Foundation of the Internet
A layperson who is asked what the foundation of the Internet is will probably say the World Wide Web, with the explanation that it is what everyone uses. Ask an MCSE and you may get a claim about how everyone runs Windows. Ask a network engineer and you will get routers and the statement "nothing works without them." Without routers there is no Web, no email, no Internet.
The fundamental piece of information on the Internet is the IP packet. A router's primary function is to direct these packets. Therefore, routers truly work at the most basic and fundamental level of the Internet. Every network attached to the Internet is attached by a router. Some may be Linux boxes acting as routers, others may be firewalls also performing routing, but most will be dedicated Cisco routers. Current estimates indicate that 80 percent of the Internet runs on Cisco equipment.
Routers are not only the foundation of the Internet; they are the foundation of how your company communicates both externally and internally. Additionally, there is a strong trend toward converging voice, data, and even video into a single network running IP. With this push, routers are becoming the foundation of data, voice, and video communication. With this convergence, almost all of a company's information will pass through routers, causing them to become extremely attractive targets.
What Can Go Wrong
Efforts to improve awareness about the importance of router security are not helped by the lack of media attention on incidents involving compromised routers. Why the lack of reported cases? There are two major reasons:
  • Routers are often used to provide attackers with valuable information about your network and servers rather than being the object of direct attack themselves.
  • Router compromises are much less likely to be detected.
Before any attack, hackers will gather as much information about a company, its network, and its servers as possible. The more information an attacker can get, the easier it is to compromise a site—knowledge is power. This type of information gathering is called footprinting, and routers are routinely used when footprinting a site. With default configurations, an attacker can query routers and map out entire networks, including subnets, addressing schemes, and redundant paths. With this information, an attacker can determine the most vulnerable locations on the network. Footprinting a site, however, is a tedious and unglamorous process. The media reports that it took a hacker 15 minutes to break into NASA; they don't point out that the hacker spent 6 weeks gathering information before launching the attack.
Making matters worse, few organizations have any controls or monitoring on their routers. When asked, "How would you know if someone reconfigured your router?" the answer invariably comes back, "When it stops working." Prodding further with a question about how to detect changes that kept the network functional but allowed an attacker to bypass a firewall usually gets a comment about how the intrusion detection system (IDS) would catch them. Pointing out that if a router were compromised, attackers could probably bypass the IDS finally induces concern. With the current lack of controls and auditing on routers, compromises will probably go unnoticed unless they disrupt service. Attacks that disrupt service are bad, but at least companies know something is wrong—they know they have been hacked. Attacks in which a hacker does not disable anything are the truly dangerous ones. Without adequate monitoring and auditing, no one knows the network has been compromised. An attacker can spend weeks or months monitoring all network traffic, gaining bank account numbers, client lists, or personnel records. This information could be sold to competitors, given to other hackers, or used to blackmail the company.
What Routers Are at Risk?
A simple, but useful, risk analysis formula defines risk as:
Risk = vulnerability × threat × cost
where vulnerability is how likely an attack is to succeed, threat is the likelihood of an attack, and cost is the total cost of a threat succeeding.
The link between threat and vulnerability can be confusing but is important to understand. If a high-rise office building is designed and built without any protection against earthquakes, then the office building has a vulnerability to earthquakes. The vulnerability alone, though, does not necessarily translate into risk for the people working in the office building. If the building is located in California, there is a significant threat of earthquakes, so a vulnerable building provides a great amount of risk. The same building located in Georgia, while being equally vulnerable to earthquakes, would have a lower risk since the threat of earthquakes in Georgia is much lower.
When evaluating routers, the vulnerability usually averages around the same level. Even though different routers may run different IOS versions, routers inherently trust other routers. They trust one another in order to exchange routing information, allowing them to correctly transfer packets and route around problems. Once a single router is compromised, this trust can be exploited to manipulate other routers on a network. For this reason, it is advantageous to assume that all routers on the network share the same level of vulnerability. This level should be equal to the vulnerability of the most vulnerable router on the network.
With the vulnerability equal, the differentiating factors become threat and cost. The threat to external routers is generally greater due to their visibility. Other routers may provide access to secured or trusted networks, and their compromise would cost much more than a router connected to a public lab or test area.
With these considerations in mind, some of the first routers that need to be secured and actively monitored are:
  • Gateway routers that connect your network to the Internet
  • Routers that are part of a firewall
Moving Forward
This chapter has explained what router security is and why it is vitally important. Routers provide one of the most fundamental functions on a network and are often installed and run with out-of-the-box security. When addressing router security, most administrators think about using access lists to turn off ping or Telnet. Digging further and asking about the specific measures taken to protect the routers themselves usually results in a blank stare or a statement such as, "Our routers don't hold any critical data, and we have never had any security problems with them, so they must be secure." The "we have never had any problems with them" argument sounds very powerful, especially to management and those who hold the purse strings. This chapter provides insight into why this is such a dangerous view.
The rest of this book discusses what it takes to harden a Cisco router; Appendix A provides a checklist that summarizes the steps necessary to harden a router and protect the network.
Chapter 2: IOS Version Security
The first item to discuss when talking about router security is the router's operating system (OS). The OS on Cisco routers is called Internetworking Operating System, or IOS. Most routers will be running an IOS version between 11.x and 12.x. By the time this book is published, Cisco may have released 13.x. Every OS has vulnerabilities, and IOS is no exception. These vulnerabilities generally allow an attacker to disable a router (a denial of service attack), collect information from a router (information leakage), or reconfigure a router (an actual compromise).
The Need for a Current IOS
A key aspect of every good security plan involves operating system security. Every operating system connected to the Internet is subject to attack. Hackers look for OS vulnerabilities to exploit. Cisco IOS has come under increasing scrutiny over the past few years. Bugtraq, a full disclosure vulnerability forum, reports 14 Cisco vulnerabilities between 1992 and 1999, 23 in 2000, and 42 in 2001. Once posted on Bugtraq, these vulnerabilities are seen by thousands of hackers a day and are used in numerous attacks. With such an increase in vulnerabilities, secure routers must have a current and stable version of IOS. The next section on IOS versions provides information on how to identify secure IOS releases.
Determining the IOS Version
You must know what IOS version your routers are currently running before determining whether you should use the latest release. To determine the IOS version, log into your router and type show version. The output will be similar to:
Cisco Internetwork Operating System Software IOS(tm)
GS Software (RSP-P-MZ), Version 12.0(16), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by Cisco Systems, Inc.
Compiled Wed 06-Jan-99 08:15 by preetha
Two pieces of this output are important. The first is Version 12.0(16), showing the IOS release version. This is followed by text indicating the release type. For the sake of security and stability, this text should normally read RELEASE SOFTWARE. If it reads anything else, such as EARLY DEPLOYMENT RELEASE SOFTWARE or MAINTENANCE INTERIM SOFTWARE, the router is not running one of the most stable and secure releases.
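An added example, not from the book: a small Python checker that pulls the version string and release type out of show version output and flags anything other than RELEASE SOFTWARE, or a release older than a chosen minimum. It uses the page's own sample output plus a constructed Early Deployment sample; the minimum of 12.0(16) and the ED sample text are assumptions.

```python
import re
from dataclasses import dataclass

# Sample "show version" output copied from the page (the author's example).
SHOW_VERSION_RELEASE = """\
Cisco Internetwork Operating System Software IOS(tm)
GS Software (RSP-P-MZ), Version 12.0(16), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by Cisco Systems, Inc.
Compiled Wed 06-Jan-99 08:15 by preetha
"""

# Constructed sample of an Early Deployment train (an assumption, not from the page).
SHOW_VERSION_ED = """\
Cisco Internetwork Operating System Software IOS(tm)
C2600 Software (C2600-IS-M), Version 12.0(5)T1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
"""

# "Version 12.0(16), RELEASE SOFTWARE (fc1)" -> version string and release-type text
VERSION_RE = re.compile(r"Version\s+(?P<ver>[\w.()]+),\s+(?P<rel>[A-Z ]*?SOFTWARE)")
# "12.0(5)T1" -> major, minor, maintenance, train letters, rebuild number
TRAIN_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Za-z]*)(\d*)")


@dataclass
class IOSVersion:
    major: int
    minor: int
    maintenance: int
    train: str          # '' for a Major Release, e.g. 'T' for an ED train
    rebuild: int
    release_type: str   # text following the version, e.g. 'RELEASE SOFTWARE'

    def number(self):
        return (self.major, self.minor, self.maintenance, self.rebuild)

    def is_release_software(self):
        # Per the chapter, only plain "RELEASE SOFTWARE" counts as a stable, secure release.
        return self.release_type == "RELEASE SOFTWARE"


def parse_show_version(text):
    """Extract the IOS version and release type from 'show version' output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no IOS version line found")
    t = TRAIN_RE.match(m.group("ver"))
    if not t:
        raise ValueError("unrecognised version string: " + m.group("ver"))
    major, minor, maint, train, rebuild = t.groups()
    return IOSVersion(int(major), int(minor), int(maint), train,
                      int(rebuild or 0), m.group("rel"))


def check_ios(text, minimum=(12, 0, 16)):
    """Return a list of findings; an empty list means both checks pass."""
    v = parse_show_version(text)
    findings = []
    if not v.is_release_software():
        findings.append(f"release type is '{v.release_type}', not RELEASE SOFTWARE")
    if (v.major, v.minor, v.maintenance) < minimum:
        findings.append(f"version {v.major}.{v.minor}({v.maintenance}) is below the required minimum")
    return findings


if __name__ == "__main__":
    for sample in (SHOW_VERSION_RELEASE, SHOW_VERSION_ED):
        print(parse_show_version(sample), check_ios(sample))
```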
IOS Versions and Vulnerabilities
Once you know what IOS version your routers are running, you need to understand the IOS release process. Without this understanding, identifying and choosing the most secure release can be very difficult.
Cisco has a very defined and often confusing procedure for releasing IOS versions. There are two major types of IOS releases:
Early Deployment
Early Deployment (ED) releases are used to add features to Cisco's IOS. These releases contain feature and platform support that has not yet been tested extensively in production systems. It is relatively easy for Cisco to add additional features or platform support to ED releases, but these additions have had very little testing in production environments.
Major Release
The goal of Major Releases is stability and quality. Major Releases provide images for all Cisco hardware, and once a release becomes a Major Release, no additional features or platforms are added. The only changes to these releases are in the form of bug fixes.
Both Early Deployment and Major Releases are broken down into subcategories. Early Deployment releases are broken down into four types:
Consolidated Technology Early Deployment (CTED)
Cisco uses the CTED to add enhancements, new features, and new hardware platforms to the IOS. These releases are extremely feature rich, but at the cost of stability and reliability.
Specific Technology Early Deployment (STED)
STED releases are similar to CTED releases, but are targeted toward a specific technology and are always released on specific platforms.
Specific Market Early Deployment (SMED)
These releases target specific market segments such as ISPs or financial institutions. Unlike STED releases, which are organized according to technology, SMED releases are organized around a specific market segment. These releases are built only for the specific platforms needed by the target market.
X Releases
X Releases are short-lived, one-time releases. These releases exist to allow Cisco to add new features and platforms to a CTED release in an extremely short period of time in order to get these enhancements to market quickly. After successful testing, X Releases are ported back into the CTED releases immediately.
IOS Security Checklist
This checklist summarizes the important security information presented in this chapter. A complete security checklist is provided in Appendix A.
  • Make sure that all routers are running a current IOS.
  • Make sure that the IOS version is in General Deployment (unless all risks with the non-GD IOS version have been addressed).
  • Check the IOS version against existing Cisco Security Advisories.
  • Regularly check Cisco Security Advisories for IOS vulnerabilities.
Chapter 3: Basic Access Control
This chapter addresses what most people think about when they start to secure a router—authenticating users and restricting access. There are many more ways to access Cisco routers than most network administrators realize. Each of these methods can have different authentication methods and can be set to allow various levels of privilege access. It is important that all methods of access are either secured or disabled. The chapter briefly discusses the differences between authentication and authorization and then moves on to the fundamentals of how Cisco routers handle controlling and protecting access.
Authentication Versus Authorization
Access control involves both authentication and authorization. People often confuse the two. Authentication is the process of identifying a user; authorization restricts what a user is allowed to do. Cisco router authentication controls can be divided into two main categories—those that use the AAA (authentication, authorization, accounting) access methods and those that don't. The non-AAA methods include line authentication (console, auxiliary, and VTY ports), local username authentication, and Terminal Access Controller Access Control System (TACACS) or extended TACACS authentication. The AAA authentication methods add TACACS+, RADIUS, and Kerberos. AAA provides much greater control over authentication, authorization, and accounting than do non-AAA methods. While Cisco calls AAA the primary and recommended method of access control, you must configure AAA on your router manually. This chapter describes non-AAA methods of access. AAA will be discussed in Chapter 5.
Points of Access
There are many ways to access a Cisco router. Each way can provide different levels of authorization, from viewing router information to completely reconfiguring the router or some level in between. Each access method is either out-of-band, which does not rely on the network, or in-band, which requires the network to be functional. The primary methods of access are through the console port, the auxiliary port, or network access through virtual TTYs (VTYs), HTTP, TFTP, or SNMP. The first three—console, auxiliary, and VTYs—are called lines. Each of the six methods has different characteristics.
Console port
The console port is the main access point on Cisco routers. It is the only one enabled by default and it requires physical access to the router. The console port has special abilities not associated with the other methods of access (such as performing password recovery in the event that a router is misconfigured or passwords are forgotten).
The console port is the only port that is automatically authorized to perform the special function of password recovery. If an organization loses all passwords to a router or if a router is compromised and reconfigured, there must be a way to access the router without a password. Password recovery allows an administrator to access the router and delete or change the current passwords. Regarding password recovery, the only method of authentication is physical access to the router—anyone with physical access to the router can perform password recovery. This makes physical security of the router vitally important. See Appendix B for a checklist on how to secure physical access to the router.
Auxiliary port
The auxiliary or AUX port is used to provide out-of-band access to the router by allowing a modem or terminal server to be attached to the router. This port allows remote administration of the router even if the network itself is disabled.
Virtual TTY
Virtual TTYs (VTYs) provide terminal access to the router through the network itself. To gain access through a VTY, the network must be up and functioning. The most common protocol used to access a VTY is Telnet, but many other protocols, such as
Basic Access Control
By default, there are two levels of authorization on Cisco routers (level 1 and level 15), and both require separate authentication. Level 1 is equivalent to read-only access, and level 15 gives privileged or read/write access. Level 1 authorization allows users to view information about the router (but not make any changes) and is generally referred to as user mode. Level 15 gives the user full rights to reconfigure the router and is referred to as privileged mode.
Default router access first requires an administrator to gain user-level access before attempting privileged-level access. Thus, protecting and controlling user-level access into the routers is a primary concern. The default methods for access are the lines—console port, auxiliary port, and virtual TTYs. Additional methods include HTTP, TFTP, and SNMP access, and each method of access requires its own access control configuration.

Section 3.3.1.1: Console password

The console port is used for direct access to the router and must be configured for secure access. By default, the console port's authentication method is a password (no username) and its authorization level is user or read-only. To configure the console port password from privileged mode, you must:
  • Enter global configuration mode with the config terminal command
  • Enter the line console with the line console 0 command
  • Enable logins using the login command
  • Establish a password with the password command
Here is an example:
Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password console-password
Router(config-line)#^Z
Router#
Never put a modem on a console port. With a little patience and a war dialer, attackers can use the console port to perform password recovery remotely over the modem.

Section 3.3.1.2: AUX and VTY passwords

Setting passwords on AUX and VTY ports is similar to setting the console password. Setting the password on the AUX port looks like:
Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#
Remote Administration
The console port is useful only if you have physical access to the router. This physical access is not always convenient. Many network administrators are responsible for national and international networks. These administrators require a way to monitor and administer a router from anywhere in the world. Cisco routers provide three main methods of remote administration. The first is an out-of-band method through dial-up on the AUX port; the other two are in-band VTY and HTTP access. These in-band methods can be used only when the network is functional.
Some dangers are inherent to remote administration, and it is important to recognize what they are in order to prevent them. Depending on how authentication and authorization are configured, common dangers include:
Spoofing
If authentication depends on a trusted network or trusted IP address, attackers can create packets with fake source addresses, making the router believe that a packet came from a trusted source.
Trusted-host compromise
If authorization depends on a trusted host, attackers can compromise that host and make modifications to grant themselves access. A central access control server (ACS) such as TACACS or RADIUS would be a prime target for an attacker. If attackers could hack into the ACS, they could create an account to give themselves access to every router or system that relies on that ACS.
Sniffing
Sniffing used to be a difficult attack that required significant knowledge to perform, but current programs automatically capture and record logins and passwords as they are sent across the network. This makes sniffing a significant threat when logging into routers remotely.
Brute force attacks
If attackers can get a login prompt, then they can attempt to guess login names and passwords. A moderately skilled attacker can easily write a program that automates the guessing process. By default, routers do not limit unsuccessful login attempts, nor do they log them. Logging can be configured through AAA, however.
Hijacked sessions
Many TCP sessions are susceptible to hijacking. When this occurs, an attacker takes over a connection, such as a Telnet session, after you have logged in and authenticated yourself. If attackers can take over your connection, they then have the same access to the router as you do.
Protection with IPSec
While a router that allows only console or SSH access is ideal, you may sometimes be required to set up configurations that you know have security vulnerabilities. Your organization might require SNMP Version 1 or need to allow certain administrators Telnet access to the router. A way to help mitigate the risk associated with these protocols and to add an additional layer of security to your existing methods is to use IPSec. IPSec is traditionally used to set up VPNs between networks or between a roaming user and her home network. If your routers and management stations all support IPSec, you can create a VPN between the router and management stations, encrypting all traffic sent between the two.
A full tutorial on IPSec and VPNs is out of the scope of this book, but a brief overview on how to configure your router for an IPSec VPN to the management station follows. In this example, the router is named RouterOne, and the management station has an IP of 130.18.10.10. Also, this example uses preshared keys (a password manually configured on both sides). Advanced VPN solutions can use key management systems instead of statically configured keys.
To configure the router end of your VPN, you must:
  1. Set up ISAKMP with the preshared key. ISAKMP defines how the key exchange is implemented.
  2. Create an Extended ACL on the router. With IPSec, Extended ACLs are used to configure which packets are encrypted and which aren't. This configuration lets an interface support both encrypted and regular traffic. In relation to IPSec, permit means encrypt and deny means do not encrypt.
  3. Create IPSec transforms. Transforms are Cisco's way of defining what type of authentication and encryption is used for each IPSec packet. This example uses some standard transforms, but may need to be changed depending on which ones the management station supports.
  4. Create a crypto map. The crypto map ties our ISAKMP, ACL, and transform configurations together. The crypto map is also configured with the IP address of the management station with which we create a VPN.
  5. Apply the crypto map to the router interface. After creating the crypto map, it must be applied to the appropriate interface to take effect.
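An added example, not from the book or from Cisco: Python that reads a constructed RouterOne configuration built from the five steps above and (a) answers which packets the crypto ACL will encrypt, permit meaning encrypt and deny meaning send in the clear, and (b) checks that the ISAKMP key, transform set, crypto map peer, ACL and interface binding all refer to one another. It goes beyond the text by handling wildcard-mask ACL entries as well as host and any. The router address 130.18.20.1, the names MGMT-SET and MGMT-MAP, and the placeholder pre-shared key are assumptions.

```python
import ipaddress
import re

# Constructed configuration for the book's scenario (router RouterOne, management
# station 130.18.10.10). Not from the book; the router address 130.18.20.1, the
# names MGMT-SET/MGMT-MAP and the key are assumptions, the key only a placeholder.
ROUTER_ONE_CONFIG = """\
hostname RouterOne
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key PLACEHOLDER-PRESHARED-KEY address 130.18.10.10
!
crypto ipsec transform-set MGMT-SET esp-3des esp-sha-hmac
!
crypto map MGMT-MAP 10 ipsec-isakmp
 set peer 130.18.10.10
 set transform-set MGMT-SET
 match address 101
!
interface Ethernet0
 ip address 130.18.20.1 255.255.255.0
 crypto map MGMT-MAP
!
access-list 101 permit ip host 130.18.20.1 host 130.18.10.10
access-list 101 deny ip any any
"""

# One extended-ACL entry: number, action, source spec, destination spec
ACE_RE = re.compile(
    r"^access-list (\d+) (permit|deny) ip "
    r"(host \S+|any|\S+ \S+) (host \S+|any|\S+ \S+)$")


def _matcher(spec):
    """Turn an ACL address spec (host X / any / network wildcard) into a predicate."""
    if spec == "any":
        return lambda ip: True
    if spec.startswith("host "):
        target = ipaddress.IPv4Address(spec.split()[1])
        return lambda ip: ipaddress.IPv4Address(ip) == target
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec.split())
    keep = ~wildcard & 0xFFFFFFFF            # wildcard bit set to 1 means "don't care"
    return lambda ip: int(ipaddress.IPv4Address(ip)) & keep == base & keep


def parse_crypto_acl(config, number):
    """Return the ordered entries of extended ACL `number` as (action, src_pred, dst_pred)."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == str(number):
            aces.append((m.group(2), _matcher(m.group(3)), _matcher(m.group(4))))
    return aces


def ipsec_disposition(aces, src, dst):
    """First matching entry wins; permit = encrypt, deny (or no match) = send in clear."""
    for action, src_ok, dst_ok in aces:
        if src_ok(src) and dst_ok(dst):
            return "encrypt" if action == "permit" else "clear"
    return "clear"


def audit_crypto_map(config, management_ip):
    """Check that the five configuration steps are tied together for `management_ip`."""
    findings = []
    if "authentication pre-share" not in config:
        findings.append("ISAKMP policy does not use pre-shared authentication")
    if not re.search(rf"^crypto isakmp key \S+ address {re.escape(management_ip)}$", config, re.M):
        findings.append(f"no ISAKMP pre-shared key configured for {management_ip}")
    transform_sets = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    maps = re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp\n((?: .*\n)*)", config, re.M)
    applied = set(re.findall(r"^ crypto map (\S+)$", config, re.M))  # interface bindings
    for name, body in maps:
        peer = re.search(r"set peer (\S+)", body)
        tset = re.search(r"set transform-set (\S+)", body)
        acl = re.search(r"match address (\d+)", body)
        if not peer or peer.group(1) != management_ip:
            findings.append(f"crypto map {name}: peer is not the management station")
        if not tset or tset.group(1) not in transform_sets:
            findings.append(f"crypto map {name}: transform set missing or undefined")
        if not (acl and parse_crypto_acl(config, acl.group(1))):
            findings.append(f"crypto map {name}: 'match address' ACL missing or empty")
        if name not in applied:
            findings.append(f"crypto map {name}: not applied to any interface")
    return findings


if __name__ == "__main__":
    acl = parse_crypto_acl(ROUTER_ONE_CONFIG, 101)
    print(ipsec_disposition(acl, "130.18.20.1", "130.18.10.10"))  # management traffic
    print(ipsec_disposition(acl, "130.18.20.1", "10.0.0.5"))      # ordinary traffic
    print(audit_crypto_map(ROUTER_ONE_CONFIG, "130.18.10.10"))
```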
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
Basic Access Control Security Checklist
  • Secure physical access to the router. (See Appendix B).
  • Secure console access with the login and password commands.
  • Disable or secure AUX access with the login and password commands.
  • Disable or secure all VTY access with the login and password commands.
  • Do not use the no login command under any line (con/aux/vty) configurations.
  • Set the enable password using the enable secret command.
  • In organizations in which multiple administrators access a router, enable accountability by requiring administrators to have separate accounts to access the router. This can be accomplished through local usernames or more centralized methods involving network access servers.
  • Do not use TACACS or Extended TACACS; use TACACS+, RADIUS, or Kerberos instead.
  • If any version of TACACS is used for user-level authentication, set the method of last resort to the privileged password (set with enable secret), not to open access with no authentication.
  • Do not use standard TACACS for privileged-level access.
  • If any version of TACACS is used for the enable password—privileged-level access—then set the method of last resort to the enable secret password and not to automatically succeed.
  • Make sure the router does not use TFTP to automatically load its configuration at every reboot. If it must, then harden and secure the TFTP server.
  • Do not configure the router to serve as a TFTP server.
  • With dial-up access to the router, make sure both the AUX port and the modem are password protected.
  • With dial-up access to the router, configure callback security to a predefined number, or make sure the telephone company uses a closed user group to restrict which numbers are allowed to call your modems.
  • Never connect a modem to the console port.
  • Disable reverse Telnet to all physical ports.
  • Disable Telnet in favor of SSH on all VTY lines.
  • If insecure protocols such as Telnet or HTTP must be used, use IPSec to encrypt all vulnerable traffic.
  • Make sure all VTY access uses ACLs to restrict access to a few secured IPs.
  • Set the exec-timeout on all VTYs to five minutes or less.
Chapter 4: Passwords and Privilege Levels
Passwords are the core of Cisco routers' access control methods. Chapter 3 addressed basic access control and using passwords locally and from access control servers. This chapter talks about how Cisco routers store passwords, how important it is that the passwords chosen are strong passwords, and how to make sure that your routers use the most secure methods for storing and handling passwords. It then discusses privilege levels and how to implement them.
Password Encryption
Cisco routers have three methods of representing passwords in the configuration file. From weakest to strongest, they include clear text, Vigenere encryption, and MD5 hash algorithm. Clear-text passwords are represented in human-readable format. Both the Vigenere and MD5 encryption methods obscure passwords, but each has its own strengths and weaknesses.
The main difference between Vigenere and MD5 is that Vigenere is reversible, while MD5 is not. Being reversible makes it easier for an attacker to break the encryption and obtain the passwords. Being irreversible means that an attacker must use much slower brute force guessing attacks in an attempt to obtain the passwords.
Ideally, all router passwords would use strong MD5 encryption, but the way certain protocols, such as CHAP and PAP, work, routers must be able to decode the original password to perform authentication. This need to decode specific passwords means that Cisco routers will continue to use reversible encryption for some passwords—at least until such authentication protocols are rewritten or replaced.
Clear-Text Passwords
Chapter 3 sets passwords using line passwords, local username passwords, and the enable secret command. A show run provides the following:
enable secret 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1
enable password enable-password
!
username jdoe password 0 jdoe-password
username rsmith password 0 rsmith-password
!
line con 0
 exec-timeout 5 0
 password console-password
 login local
 transport input none
line aux 0
 exec-timeout 5 0
 password aux-password
 login tacacs
 transport input none
line vty 0 4
 exec-timeout 5 0
 password vty-password
 login
 transport input ssh
The passwords are the values that follow each password keyword. Notice that all passwords, except the enable secret password, are in clear text. This clear text poses a significant security risk. Anyone who can view a copy of the configuration file—whether through shoulder surfing or off a backup server—can see the router passwords. We need a way to make sure that all passwords in the router configuration file are encrypted.
service password-encryption
The first method of encryption that Cisco provides is through the command service password-encryption. This command obscures all clear-text passwords in the configuration using a Vigenere cipher. You enable this feature from global configuration mode.
Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#service password-encryption
Router(config)#^Z
Now a show run command no longer displays the passwords in human-readable format.
enable secret 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1
enable password 7 02030A5A46160E325F59060B01
!
username jdoe password 7 09464A061C480713181F13253920
username rsmith password 7 095E5D0410111F5F1B0D17393C2B3A37
!
line con 0
 exec-timeout 5 0
 password 7 110A160B041D0709493A2A373B243A3017
 login local
 transport input none
line aux 0
 exec-timeout 5 0
 password 7 0005061E494B0A151C36435C0D
 login tacacs
 transport input all
line vty 0 4
 exec-timeout 5 0
 password 7 095A5A1054151601181B0B382F
 login
 transport input ssh
The only password not affected by the service password-encryption command is the enable secret password. It always uses the MD5 encryption scheme.
While the service password-encryption command is beneficial and should be enabled on all routers, remember that the command uses an easily reversible cipher. Some commercial programs and freely available Perl scripts instantly decode any passwords encrypted with this cipher. This means that the service password-encryption command protects only against casual viewers—someone looking over your shoulder—and not against someone who obtains a copy of the configuration file and runs a decoder against the encrypted passwords. Finally, service password-encryption does not protect all secret values such as SNMP community strings and RADIUS or TACACS keys.
Enable Security
The enable, or privileged, password has an additional level of encryption that should always be used. The privileged-level password should always use the MD5 encryption scheme.
In early IOS configurations, the privileged password was set with the enable password command and was represented in the configuration file in clear text:
enable password ena-password
For additional security, Cisco added the service password-encryption command to obscure all clear-text passwords:
service password-encryption
enable password 7 02030A5A46160E325F59060B01
However, as explained earlier, this uses the weak Vigenere cipher. Because of the importance of the privileged-level password and the fact that it doesn't need to be reversible, Cisco added the enable secret command that uses strong MD5 encryption:
Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#enable secret my-secret-password
Router(config)#^Z
A show run now displays:
enable secret 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1e
This type of encryption cannot be reversed. The only way to attack it is through brute force methods.
You should always use the enable secret command instead of enable password. The enable password command is provided only for backward compatibility. If both are set, for example:
enable password 7 02030A5A46160E325F59060B01
enable secret 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1e
the enable secret password takes precedence and the enable password command is ignored.
Many organizations begin using the insecure enable password command, and then migrate to using the enable secret command. Often, however, they use the same passwords for both the enable password and enable secret commands. Using the same passwords defeats the purpose of the stronger encryption provided by the enable secret command. Attackers can simply decode the weak encryption from the enable password command to get the router's password. To avoid this weakness, be sure to use different passwords for each command—or better yet, don't use the enable password command at all.
Strong Passwords
In addition to using encryption to keep passwords from appearing in human-readable form, secure password protection requires the use of strong passwords. There are two requirements for strong passwords. First, they are difficult to guess or crack. Second, they are easy to remember. If the password is based on a word found in a dictionary—a name, a place, and so on—the password is weak. If the password is a completely random string of letters and numbers, the password is strong, but users end up writing the password down because they can't remember it. To demonstrate how easy it is to crack weak passwords, the following passwords were encrypted with the strong MD5 encryption:
  • hello
  • Enter0
  • 9spot
  • 8twelve8
  • ilcic4l
A brute force password-cracking program was used to see how long it would take to guess each password.
On a Sun Ultra 5 with 512MB of RAM and a 333MHz processor, the first password, hello, took less than five seconds to crack. This is the same amount of time it would take to guess most words in the English language (or a word in any other language, if the attacker included foreign language dictionaries). After four hours, the password cracker had guessed the next three passwords as well. Any password based on a word—English or foreign—is vulnerable to brute force attacks.
The last password looks random and was still not cracked when the password cracker stopped running three days later. The problem is remembering a password like this one. See the upcoming sidebar, Choosing and Remembering Strong Passwords, for tips on choosing an appropriate password.
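A password check that captures the pattern behind the five examples above, as an added example that is not from the book. Digits wrapped around a dictionary word (Enter0, 9spot, 8twelve8) do not make it strong, so the check strips surrounding digits and undoes common digit-for-letter substitutions before looking the core up in a word list. The word list here is a tiny constructed stand-in for a real cracking dictionary, the substitution table is an assumed heuristic rather than a description of the cracker the author used, and the length and character-class thresholds are an assumed policy: they also flag ilcic4l as too short, even though the text's cracker did not reach it in three days on 2002-era hardware.

```python
"""Word-based password check illustrating the weakness the text describes.

Added example, not from the book.  WORDLIST is a constructed stand-in for a
real dictionary; LEET and the length/class thresholds are assumed heuristics.
"""
import re

# Constructed stand-in for a dictionary; a real check would load a full word list.
WORDLIST = {"hello", "enter", "spot", "twelve", "password", "cisco", "router"}

# Assumed digit-for-letter substitutions that a cracker's rule set would try.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# The five passwords the text tested.
BOOK_EXAMPLES = ["hello", "Enter0", "9spot", "8twelve8", "ilcic4l"]

def word_core(password):
    """Lower-case, strip leading/trailing digits, and return (core, core with
    substitutions undone) so both spellings can be looked up."""
    core = re.sub(r"^\d+|\d+$", "", password.lower())
    return core, core.translate(LEET)

def is_word_based(password):
    """True if the password reduces to a dictionary word."""
    core, unleet = word_core(password)
    return core in WORDLIST or unleet in WORDLIST

def classify(password, min_length=8, min_classes=3):
    """Return ('weak', reason) or ('strong', None).  Thresholds are assumed policy."""
    if is_word_based(password):
        return "weak", "based on a dictionary word"
    if len(password) < min_length:
        return "weak", f"shorter than {min_length} characters"
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < min_classes:
        return "weak", f"fewer than {min_classes} character classes"
    return "strong", None

def report(passwords=BOOK_EXAMPLES):
    """Map each candidate to its classification."""
    return {p: classify(p) for p in passwords}

if __name__ == "__main__":
    for pw, (verdict, reason) in report().items():
        print(f"{pw:10s} {verdict:6s} {reason or ''}")
```

A check like this belongs in whatever process issues router passwords; it cannot measure cracking time, but it rejects the class of password the text shows falling in seconds to hours.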
Keeping Configuration Files Secure
Except for the enable secret password, all passwords stored on Cisco routers are weakly encrypted. If someone were to get a copy of a router configuration file, it would take only a few seconds to run it through a program to decode all weakly encrypted passwords. The first protection is to keep the configuration files secured.
You should always have a backup of each router's configuration file. You should probably have multiple backups. However, each of these backups must be kept in a secure location. This means that they are not stored on a public server or on each network administrator's desktop. Additionally, backups of all routers are usually kept on the same system. If this system is insecure, and an attacker can gain access, he has hit the jackpot—the complete configuration of your entire network, all access list setups, weak passwords, SNMP community strings, and so on. To avoid this problem, wherever backup configuration files are kept, it is best to keep them encrypted. That way, even if an attacker gains access to the backup files, they are useless.
Encryption on an insecure system, however, provides a false sense of security. If attackers can break into the insecure system, they can set up a key logger and capture everything that is typed on that system. This includes the passwords to decrypt the configuration files. In this case, an attacker just has to wait until the administrator types in the password, and your encryption is compromised.
Another option is to make sure your backup configuration files don't contain any passwords. This requires that you remove the password from your backup configurations manually or create scripts that strip out this information automatically.
Administrators should be very careful not to access routers from insecure or untrusted systems. Encryption or SSH does no good if an attacker has compromised the system you're working on and can use a key logger to record everything you type.
Finally, avoid storing your configuration files on your TFTP server. TFTP provides no authentication, so you should move files out of the TFTP download directory as quickly as possible to limit your exposure.
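An added example, not code from the book, that serves two passages at once: the storage types described under service password-encryption and Enable Security (clear text or type 0, type 7 Vigenere, type 5 MD5), and the password-stripping script this section suggests for backup copies. It audits a configuration for every secret-bearing line, reports how each secret is stored, and writes a redacted copy. The sample configuration is constructed from the fragments shown in the text (the two hashes are copied from the page; the community string and TACACS key are constructed values), and the regular expressions are an assumption covering the command forms the chapter mentions, not every IOS command that can carry a secret.

```python
"""Audit and sanitise a Cisco IOS configuration backup.

Added example, not from the book.  SAMPLE_CONFIG is constructed from the
fragments in the text; SECRET_PATTERNS is an assumed, non-exhaustive list of
the command forms the chapter discusses.
"""
import re

SAMPLE_CONFIG = """\
enable secret 5 $1$Guks$Ct2/uAcSKHkcxNKyavE1i1
enable password enable-password
!
username jdoe password 0 jdoe-password
username rsmith password 7 095E5D0410111F5F1B0D17393C2B3A37
!
snmp-server community public RO
tacacs-server key tacacs-key
!
line con 0
 exec-timeout 5 0
 password console-password
 login local
line vty 0 4
 exec-timeout 5 0
 password 7 095A5A1054151601181B0B382F
 login
 transport input ssh
"""

# (regex, kind): 'prefix' is kept verbatim, 'type' is the storage-type digit
# when the command carries one, 'secret' is the value to redact.
SECRET_PATTERNS = [
    (re.compile(r"^(?P<prefix>\s*enable secret )(?P<type>\d )?(?P<secret>\S+)"), "enable secret"),
    (re.compile(r"^(?P<prefix>\s*enable password )(?P<type>\d )?(?P<secret>\S+)"), "enable password"),
    (re.compile(r"^(?P<prefix>\s*username \S+ password )(?P<type>\d )?(?P<secret>\S+)"), "username"),
    (re.compile(r"^(?P<prefix>\s+password )(?P<type>\d )?(?P<secret>\S+)"), "line password"),
    (re.compile(r"^(?P<prefix>\s*snmp-server community )(?P<secret>\S+)"), "snmp community"),
    (re.compile(r"^(?P<prefix>\s*(?:tacacs|radius)-server key )(?P<type>\d )?(?P<secret>\S+)"), "aaa key"),
]

# How each storage-type digit protects the secret.  No digit means clear text.
STORAGE = {None: "clear", "0": "clear", "7": "vigenere (reversible)", "5": "md5 (one-way)"}

def _match(line):
    for pat, kind in SECRET_PATTERNS:
        m = pat.match(line)
        if m:
            return pat, kind, m
    return None

def audit(config_text):
    """Return (line_no, kind, storage) for every secret-bearing line."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        hit = _match(line)
        if hit:
            _pat, kind, m = hit
            t = m.groupdict().get("type")
            t = t.strip() if t else None
            findings.append((n, kind, STORAGE.get(t, f"type {t}")))
    return findings

def weak_findings(config_text):
    """Everything a backup reviewer must act on: secrets not stored one-way.
    Community strings and AAA keys appear here because service
    password-encryption leaves them unprotected, as the text notes."""
    return [f for f in audit(config_text) if not f[2].startswith("md5")]

def sanitize(config_text):
    """Replace every secret value with a placeholder.  The type digit is kept so
    the redacted copy still shows how each secret was stored; the MD5 hash is
    removed too, since a copy of it still enables offline guessing."""
    out = []
    for line in config_text.splitlines():
        hit = _match(line)
        if hit:
            pat, _kind, _m = hit
            line = pat.sub(lambda mm: mm.group("prefix")
                           + (mm.groupdict().get("type") or "") + "<REMOVED>", line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for n, kind, storage in audit(SAMPLE_CONFIG):
        print(f"line {n:2d}: {kind:16s} {storage}")
    print(sanitize(SAMPLE_CONFIG))
```

Run the audit against every backup before it is stored; anything reported as clear or vigenere is a password an attacker can read directly or decode in seconds from the file, and the sanitised copy is what should sit on the backup server if the originals cannot be kept encrypted.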
Privilege Levels
By default, Cisco routers have three levels of privilege—zero, user, and privileged. Zero-level access allows only five commands—logout, enable, disable, help, and exit. User level (level 1) provides very limited read-only access to the router, and privileged level (level 15) provides complete control over the router. This all-or-nothing setting can work in small networks with one or two routers and one administrator, but larger networks require additional flexibility. To provide this flexibility, Cisco routers can be configured to use 16 different privilege levels from 0 to 15.
Displaying your current privilege level is done with the show privilege command, and changing privilege levels can be done using the enable and disable commands. Without any arguments, enable will attempt to change to level 15 and disable will change to level 1. Both commands take a single argument that specifies the level you want to change to. The enable command is used to gain more access by moving up levels:
Router>show privilege
Current privilege level is 1
Router>enable 5
Password: level-5-password
Router#show privilege
Current privilege level is 5
Router#
The disable command is used to give up access by moving down levels:
Router#show privilege
Current privilege level is 5
Router#disable 2
Router#show privilege
Current privilege level is 2
Router#
Notice that a password is required to gain more access; no password is required when lowering your level of access. The router requires reauthentication every time you attempt to gain more privileges, but nothing is needed to give up privileges.
The bottom and least privileged level is level 0. This is the only other level besides 1 and 15 that is configured by default on Cisco routers. This level has only five commands that allow you to log out or attempt to enter a higher level:
Router#disable 0
Router>?
Exec commands:
  disable  Turn off privileged commands
  enable   Turn on privileged commands
  exit     Exit from the EXEC
  help     Description of the interactive help system
  logout   Exit from the EXEC
Router>
Password Checklist
This checklist summarizes the important security information presented in this chapter. A complete security checklist is provided in Appendix A.
  • Enable service password-encryption on all routers.
  • Set the privileged-level (level 15) password with the enable secret command and not with the enable password command.
  • Make sure all passwords are strong passwords that are not based on English or foreign words.
  • Make sure each router has different enable and user passwords.
  • Keep backup configuration files encrypted on a secure server.
  • Access routers only from secure or trusted systems.
  • In large organizations with numerous personnel with router access, use additional privilege levels to restrict access to unnecessary commands.
  • Reconfigure the connect, telnet, rlogin, show ip access-lists,