Securing Enable Mode Access

One of the basic security items you need to protect is access to the enable mode, which allows a user access to the router's configuration and boot information. You want to protect this mode as much as possible and give access only to people who really need it and who know what they are doing. For this section, we'll look at setting the enable password , the enable secret command (which provides additional security), and enable privilege levels.

15.1.1. Setting the Enable Password

The enable password grants the user access to your complete router configuration. It's much like the superuser or root password on a Unix system or like the Administrator password on Windows. It must be guarded carefully. In Chapter 3, I showed how to set the enable password:

 Router(config)#enable password mypassword

The problem with setting the password this way is that mypassword is your actual password; anyone looking over your configuration files can see the password, and at that point, it's no longer a secret. Generally speaking, the accepted wisdom for managing passwords is that they should never be written down in clear textnot even in a configuration file that you think no one has access to. Obviously, there are plenty of ways for a clear-text password to leak out: for example, you might print the configuration file so you can take it home to think through some arcane route-redistribution problem and forget that the password is clearly visible to anyone hanging around the printer.

The solution to this problem is to use some sort of encryption. The simplest way to activate encryption is to use the command service password-encryption:

 service password-encryption
 enable password some-password

Now when you do a show configuration, your password is no longer visible in clear text:

 Router#show configuration
 version 11.3
 service password-encryption
 !
 hostname Router1
 !
 enable password 7 095F41041C480713181F13253920

Now your password isn't clearly visible to anyone casually looking over your shoulder. However, you haven't accomplished as much as you might have hoped. The 7 in the enable password command, as it appears in the configuration file, indicates that the password has been encrypted with type 7 encryption , which is very weak. Type 7 encryption uses a simple exclusive-OR algorithm that protects the password from casual observers but does nothing to stop a determined attacker. O'Reilly's Cisco Cookbook includes a Perl script that easily decrypts passwords of this type, which demonstrates how easy this encryption is to defeat.

15.1.2. The More Secure enable secret Command

The problem with the enable password is that the encryption is so weak. Cisco soon realized that people were expecting too much from type 7 encryption and that people would post or email their configurations with the passwords intact. And as we said, the original purpose of type 7 encryption was just to keep people from glancing over your shoulder and reading the password. Today, several web sites offer password-decoding utilities that quickly decrypt type 7 encoding.

Cisco responded to this need with the enable secret command:

 enable secret some-password

This command sets an enable password with a much stronger form of encryption.

What if you've already set the enable password? In this case, when you enter the enable secret command, the router forces you to set a different password. This new password overrides the existing enable password.

Now, when we look at the configuration, we see a slightly different take on our enable password:

 enable secret 5 $1$TbpU$nvC0m4OInOhvguatfNq5m0

The encrypted form of the password looks equally inscrutable. But this time, the password is encrypted using an MD5 hash (indicated by the number 5 in the configuration). This algorithm should be resistant even to determined intruders. However, don't relax. It's possible to crack the encryption used here with a brute-force dictionary attack. It's still a good idea to prevent others from seeing the encrypted password. So, for example, if you're trying to solve a problem by asking a question in a newsgroup or mailing list and you want to include your configuration, it's a good idea to remove the hashed password.

As you can see from the output of show tech-support, Cisco heeds its own advice by removing passwords from the output before you send them out:

 hostname router1
 !
 enable secret 5 
 !
 username admin password 0 
 memory-size iomem 10

 

15.1.3. Privilege Levels for enable access

Privilege levels allow certain users to have access to certain exec commands. Allowing users to have access to certain commands, without giving them access to everything, is often useful: for example, you can allow some users to clear a line that is hung without giving them the ability to delete the entire router configuration.

To get a better understanding of privilege levels , consider that normal user exec commands are level 1 while privileged exec mode commands (enable commands) are level 15.

To set up a privilege level, first create an enable password with a privilege level assigned to it:

 enable secret password level 10 ourpassword

This command assigns the password ourpassword to privilege level 10. Next, assign commands for this level with the privilege command:

 privilege exec level 10 clear line
 privilege exec level 10 show running
 privilege exec level 1 show

Now users can enter privilege level 10 by giving the following command, followed by the correct password when they are prompted:

 Router>enable 10

After entering the password, a user can give the commands clear line and show running, but not other privileged mode commands.