Network Device Security - Administrative Practices (Page 5 of 7 )
Cisco routers have a number of methods by which they can be managed. A command-line interface is accessible directly from a console or remotely via either Telnet or the Secure Shell protocol (SSH). Additionally, a web interface can be accessed via a browser, or the router can be monitored and managed via the Simple Network Management Protocol (SNMP). It is important to adequately secure these services to provide adequate protection against attack.
Another important step when hardening network devices is to configure a banner that is displayed whenever a connection is established as part of the login process. In addition to removing important information that may identify the type and operating system on the device, it is good practice to display a warning message regarding unauthorized use of the device. This ensures that an individual cannot argue that they didn’t know that their use was unauthorized. Cisco login banners can be configured with this command:
banner login
By using information obtained from banners, such as the operating system version, attackers may identify relevant attacks against the device.
Remote Command Line
An overall weakness of Telnet is that it cannot protect communications while they are in transit over the network. As a more secure alternative, Cisco routers running version 12.1 or later of the Cisco Internetwork Operating System (IOS) support the Secure Shell Protocol version 1. SSH provides the same interface and access as Telnet, but it will encrypt all communications. Failure to encrypt administrative connections to network routers may allow an attacker to capture sensitive information, such as passwords and configuration parameters, while they are in transit over the network.
To enable SSH, it is necessary to configure host and domain names on the router, generate an encryption key, configure accounts, and set required SSH parameters. The commands to complete the configuration on a Cisco router are as follows:
Router (config)# hostname hostname
Router (config)# ip domain-name domainname
Router (config)# crypto key generate rsa
Router (config)# aaa new-model
Router (config)# username username password password
Router (config)# ip ssh timeout seconds
Router (config)# ip ssh authentication-retries integer
The following command output can be used to verify that SSH has been configured and is running on the router:
Router# show ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs;
Authentication retries: 3
By default, Cisco devices maintain one password to access the device and a second password to access configuration commands, commonly called enable access. However, to provide accountability, individual user accounts can and should be created. Individual accounts are created with the username command. Even if individual accounts will be used, be sure to change the passwords for any default accounts from their default values.
Locally stored account information will be stored in clear text unless otherwise configured. Cisco routers use two methods of encryption: Level 7 and Secret encryption. Level 7 encryption is really just a simple obfuscation technique, and it can be decrypted with a simple utility available at: www.atstake.com/research/tools/password_auditing/cisco.zip.
The Secret level of encryption uses a reliable MD5 hash function to obfuscate the password. Secret protection can be enabled through the enable secret command. Unfortunately, not all stored passwords can be protected with enable secret. For example, passwords used for TTY connections (such as Telnet and SSH) can only be protected with Level 7 encryption.
To determine the type of encryption used, examine the router configuration file. For example, passwords obfuscated with Level 7 encryption will contain a line like this:
username jdoe password 7 7453F590E1B1C041B1E124C0A2F2E206832752E1B12245E
Passwords encrypted with the stronger Secret level of encryption will look like this:
enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP
 This chapter is from Network Security: The Complete Reference, by Mark Rhodes-Ousley, Roberta Bragg, and Keith Strassberg (McGraw-Hill/Osborne, 2003, ISBN: 0072226978). Check it out at your favorite bookstore today. Buy this book now. |
Next: Centralizing Account Management >>
More Administration Articles
More By McGraw-Hill/Osborne
