ROUTER SECURITY


Routers aren't very visible on internetworks, mainly because they usually don't have human-friendly names such as http://www.yahoo.com or http://www.amazon.com. Routers don't need such names, because normal internetwork users never need to know that a router is there; they just need the connectivity it provides.

The only people who ever need to log into a router directly are members of the network team responsible for managing it. In TCP/IP networks (the protocol suite on which most internetworks run), routers identify themselves only by their IP addresses. For this reason, to log into a router you must first know that it exists and then what its IP address is. The network administrators responsible for the router will, of course, know this information.

The potential for abuse by hackers still exists. As you will learn in Chapter 13, routers constantly send messages to one another in order to update and manage the internetworks on which they operate. Discovering a router's IP address takes little skill (a traceroute lists the address of every router along a path), and once an attacker has the address, he can attempt to establish a Telnet connection to it. Given that routers are the links that stitch internetworks together, it's easy to understand why Cisco and other internetwork equipment manufacturers design many security measures into their products. As shown in Figure 3-15, security must restrict access both to areas within an internetwork and to individual devices.

Figure 3-15: Security control is managed separately for network traffic and administrative login

Note 

Router passwords only control entry to the router devices themselves. Don't confuse router passwords with the passwords normal internetwork users must type to enter certain Web sites or to gain admittance to intranets (private internetworks). Restrictions put on normal users are administered through firewalls and access lists, which are covered in Chapter 14.

Router Passwords

Router passwords aren't intended only to keep out hackers; they also control which members of the network team can do what. Password protection is frequently administered on a router-by-router basis. A variety of authentication methods allow centralized administration of passwords, but in most smaller and mid-sized implementations the passwords that get you into a router are "local": the user names and passwords needed for administrative access are stored inside the router itself. Large internetworks with dozens or even hundreds of routers, some more critical to network operations than others, may deploy a centrally managed solution, but local passwords usually remain as a fallback. Either way, it's common practice for network managers to grant only select network team members access to certain routers, or even to particular command levels within a router. Password protection can be applied at three points:

  • The router device itself

  • The Privileged EXEC (enable mode) portion of the IOS software environment

  • The use of specific IOS commands

Table 3-3 lists router passwords and what they do.

Table 3-3: Overview of Router Passwords and Their Uses

Control Point    Password Type             What's Restricted
---------------  ------------------------  --------------------------------------------------------------------------------
Console port     Line                      Logging into the router via a local line connected via the console port
AUX port         Line                      Logging into the router via a modem (or local) line connected via the auxiliary port
Network login    Line                      Logging into the router via a network connection using Telnet on a VTY line
Privileged EXEC  Enable or Enable Secret   Entry into the more powerful Privileged EXEC level of the IOS environment

Line Passwords

Line passwords control who can log into a router. They set password protection on the console terminal line, the AUX (auxiliary) line, and any or all of the virtual terminal (VTY) lines (five by default, vty 0 through 4; many platforms support more).

You must set a password on the router's VTY lines before anyone can log in over the network. If a VTY line has login enabled but no password set, IOS refuses the connection with the message "Password required, but none set." Remember, anyone who can reach the router's address can attempt a Telnet connection, so Line passwords stop casual attempts; they do not stop a determined attacker who can guess the password or capture it, because Telnet carries the password across the network in cleartext. On an IOS release that supports it, restrict the VTY lines to SSH (transport input ssh). Here, IOS is prompting for a password:

 User Access Verification

 Password:
 Router>

When you type a password into IOS, nothing is echoed: no asterisks appear to mask the characters, which is not what most of us are accustomed to. In the preceding example, the correct password was entered at the Password: prompt and the login succeeded, as the Router> prompt (the router's host name followed by >) shows, yet nothing appears to the right of the password prompt. This might throw you off at first, but you'll grow accustomed to it.

Note 

You may have noticed that the password examples in this chapter are not made person-specific with user names. It is possible to define individual user accounts on a router alongside the Enable and Enable Secret passwords, but it is rarely done in smaller networks, because those accounts are stored in each router's configuration file and must be maintained there. Using shared passwords is a security risk and complicates management (should someone who knows the password leave, every router must be changed), yet we still see many network managers issue generic passwords to avoid the administrative nightmare of maintaining user names and passwords across dozens or even hundreds of routers. For a best-practices approach, please refer to Chapter 6 to find out how user accounts and passwords can be centrally maintained using TACACS+ and CiscoSecure Access Control Server.

Enable and Enable Secret Passwords

Once you get past the Line password, you are logged into the router's IOS software environment. IOS operation is divided into two modes: user EXEC and Privileged EXEC (usually called enable mode). Under the hood these are privilege levels 1 and 15 of the sixteen levels (0 through 15) IOS supports, but the two defaults are what most installations use.

The EXEC level contains only basic, nondestructive commands; it basically lets you view diagnostic information about a router. Enable mode provides access to more commands, and more powerful ones, because they let you reconfigure the router's settings. Some of them are potentially destructive, the erase command being a good example.

Two types of passwords can restrict access to Privileged EXEC (enable mode): the Enable password and the Enable Secret password. The idea of a "secret password" seems silly at first. Of course all passwords are secret, or at least they should be. What the Cisco engineers are alluding to is how well the stored password is protected from anyone who gets to read the configuration.

The Privileged EXEC Level of IOS

Enable and Enable Secret passwords both do the same thing: they restrict access to Privileged EXEC (enable mode). The difference between the two is in how each is stored. An Enable Secret is not really encrypted at all: it is hashed with a salted, iterated MD5 scheme (the $1$ format, shown as type 5 in the configuration), which yields a 128-bit digest that cannot be reversed to recover the password; the only attack is to guess candidate passwords and hash each one against the stored salt. The Enable password, by contrast, is stored either in cleartext or, once service password-encryption is on, under the reversible type 7 scheme, which freely available decoders turn back into the original in an instant. Cisco strongly recommends using the Enable Secret instead of the Enable password. (Later IOS releases also offer stronger hashes for the secret, type 8 PBKDF2-SHA-256 and type 9 scrypt, selected with the enable algorithm-type command.)
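What an Enable Secret actually is, shown as an added example that is not from the book or from Cisco: the $1$ format is the published MD5-crypt scheme (a 4-character salt, then 1000 dependent rounds of MD5), implemented here in plain Python so you can see why the router can verify a password it cannot recover, and why a short wordlist still finds a weak one. The function names (md5_crypt, verify_type5, guess_type5, new_salt), the password and the wordlist are assumptions made for the example; the salt C/q2 is simply the one in the page's sample configuration.

```python
"""The Enable Secret is a hash, not encryption: IOS stores it in the MD5-crypt
format ($1$salt$digest), a salted construction with 1000 rounds of MD5.  Added
example, not the book's or Cisco's code; it follows the published MD5-crypt
algorithm.  The password, wordlist and salts used below are constructed."""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5_crypt(password: str, salt: str) -> str:
    """Return '$1$<salt>$<22 chars>' for the password and an up-to-8-character salt."""
    pw, sl, magic = password.encode(), salt[:8].encode(), b"$1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                      # feed 'alt' in, one byte per password byte
        ctx.update(alt[:min(16, n)])
        n -= 16
    i = len(pw)
    while i:                          # the scheme's odd bit-by-bit step
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):             # stretching: 1000 dependent MD5 rounds
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, c2 in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c2]
        for _ in range(4):            # 24 bits -> 4 base-64 characters, low bits first
            out += ITOA64[v & 0x3F]
            v >>= 6
    v = final[11]
    for _ in range(2):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return "$1$" + salt[:8] + "$" + out


def new_salt(length: int = 4) -> str:
    """IOS uses a 4-character salt drawn from the same alphabet."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def verify_type5(password: str, stored: str) -> bool:
    """What the router does at the enable prompt: recompute with the stored salt and compare."""
    fields = stored.split("$")        # ['', '1', salt, digest]
    if len(fields) != 4 or fields[1] != "1":
        return False
    return hmac.compare_digest(md5_crypt(password, fields[2]), stored)


def guess_type5(stored: str, candidates) -> str:
    """The only way to 'decode' a type 5 string: hash each guess with its salt and compare.
    Returns the matching candidate, or '' if the wordlist does not contain it."""
    salt = stored.split("$")[2]
    return next((cand for cand in candidates if md5_crypt(cand, salt) == stored), "")
```

Note that the 1000 rounds were chosen in the mid-1990s; a modern GPU cracker runs millions of MD5-crypt guesses per second, which is why the strength of a type 5 secret comes entirely from the password's length and unpredictability, and why the newer type 8 and type 9 formats exist.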

Enable Secret was introduced in 1997, so a fair amount of hardware and software that supports only Enable passwords is still in use, and servers storing backup IOS images frequently serve both old and new routers. When both are set, the Enable Secret password always takes precedence; IOS falls back to the Enable password only when the router is running an older IOS image (or a boot image) that does not understand Enable Secret. If you must set both, never give them the same value: the easily decoded Enable password would then reveal the secret.

IOS passwords are stored in the router's configuration file. Configuration files routinely cross networks as routers are updated and backed up, usually over TFTP, which has no encryption of its own. A hacker using a protocol analyzer (a tool that captures and reads packets) can lift the whole file off the wire; with an Enable Secret password he still has to guess the password offline, whereas an Enable password falls out immediately. The following sample configuration file illustrates this:

 version 12.4
 service password-encryption
 service udp-small-servers
 service tcp-small-servers
 !
 hostname Router
 !
 enable secret 5 $1$C/q2$ZhtujqzQIuJrRGqFwdwn71
 enable password 7 0012000F

Note that the Enable password on the last line is a much shorter string than the Enable Secret on the line above it. That is no accident: a type 7 string is a two-digit seed followed by two hex digits per character of the password, so its length gives away the password's length, while a type 5 string is a fixed-length salt and digest regardless of the password. Two other lines in this sample deserve attention: service udp-small-servers and service tcp-small-servers turn on the echo, chargen, discard and daytime services, which have no business on a production router and are off by default on current IOS (no service tcp-small-servers, no service udp-small-servers).

Note 

While these passwords are stored in a masked form in the router, freely available tools recover them. A type 7 string is decoded instantly, with no guessing at all. A program such as Cain and Abel (or John the Ripper or hashcat) takes the type 5 string and hashes candidate passwords against its salt until one matches, so a weak Enable Secret falls in seconds while a long, unpredictable one does not.

The Service Password-Encryption Command

Certain types of passwords, such as Line passwords, appear in cleartext in the configuration file by default. You should not leave them that way. The service password-encryption command masks them: once it is entered, every password configured (the Enable password included) is stored in the type 7 form and is no longer legible in the configuration file. Be clear about what this buys you: type 7 is a reversible scramble, not a hash like the Enable Secret's, so it defeats only shoulder-surfing and casual reading of the file; anyone who obtains the string can decode it. Securing Line passwords is doubly important in networks on which TFTP servers are used, because TFTP backup entails routinely moving config files across networks in the clear, and config files, of course, contain Line passwords.
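As an added example that is not from the book: a small Python audit of a saved configuration that applies the checks this chapter describes, for the Line Passwords section ("Password required, but none set", Telnet on the VTY lines), for the Enable versus Enable Secret comparison in the sample configuration above, and for what service password-encryption does and does not do. The type 7 decoder embeds the fixed key stream behind that scheme, which has been public for many years; the function names (decode_type7, encode_type7, audit_config) and the two configurations it audits (WEAK_CONFIG and HARDENED_CONFIG) are assumptions made for this example, and the type 5 string in the hardened one is simply the hash from the page's sample configuration reused as an illustration.

```python
"""Audit a saved IOS configuration for the password weaknesses this chapter
covers: lines with no password, cleartext and type 7 passwords, a missing
enable secret, Telnet on the VTYs and the small servers.  Added example,
not code from the book; the sample configurations are constructed."""

# The fixed key stream behind 'password 7' (public for years; every decoder embeds it).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Two decimal digits give the key offset; each later hex byte is XORed with the key."""
    seed, body = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(body))


def encode_type7(plain: str, seed: int = 8) -> str:
    """What 'service password-encryption' stores for plain (IOS picks a seed of 0-15)."""
    return f"{seed:02d}" + "".join(
        f"{c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}" for i, c in enumerate(plain.encode()))


def _grade_password(where: str, args: list) -> str:
    """args = tokens after 'password'.  Type 5 is a salted hash (guess-only, no finding);
    type 7 is reversible; anything else is cleartext."""
    if args[0] == "5":
        return ""
    if args[0] == "7":
        return f"{where}: type 7 password is reversible, decodes to {decode_type7(args[1])!r}"
    plain = args[1] if args[0] == "0" else " ".join(args)
    return f"{where}: password stored in cleartext ({plain!r})"


def audit_config(config: str) -> list:
    """Return the findings for one configuration (an empty list means none fired)."""
    findings = []
    lines = config.splitlines()
    top = [ln for ln in lines if ln and not ln.startswith(" ")]
    if not any(ln.startswith("enable secret") for ln in top):
        findings.append("global: no 'enable secret'; privileged EXEC depends on 'enable password' or nothing")
    for ln in top:
        if ln.startswith("enable password "):
            findings.append(_grade_password("enable password", ln.split()[2:]))
        if ln.startswith(("service tcp-small-servers", "service udp-small-servers")):
            findings.append(f"global: '{ln}' enables echo/chargen/discard/daytime; turn it off")
    has_users = any(ln.startswith("username ") for ln in top)
    # Group each 'line ...' stanza with the indented commands that follow it.
    stanzas, current = {}, None
    for ln in lines:
        if ln.startswith("line "):
            current = ln
            stanzas[current] = []
        elif ln.startswith(" ") and current:
            stanzas[current].append(ln.strip())
        else:
            current = None
    for name, cmds in stanzas.items():
        pw = next((c.split()[1:] for c in cmds if c.startswith("password ")), None)
        login = next((c for c in cmds if c.startswith("login")), None)
        if login is None:  # no 'login' at all, or 'no login': no password check on this line
            findings.append(f"{name}: no login check; anyone reaching this line gets EXEC without a password")
        elif login == "login" and pw is None:
            findings.append(f"{name}: 'login' with no password ('Password required, but none set')")
        elif login == "login local" and not has_users:
            findings.append(f"{name}: 'login local' but the configuration defines no username")
        if pw:
            findings.append(_grade_password(name, pw))
        if name.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), "transport input all (default)")
            if transport != "transport input ssh":
                findings.append(f"{name}: '{transport}' allows Telnet; the line password crosses the network in cleartext")
    return [f for f in findings if f]


# Constructed samples: the weak form beside the hardened form (type 5 hash reused from the page).
WEAK_CONFIG = """\
service tcp-small-servers
enable password 7 0822455D0A16
!
line con 0
 login
line vty 0 4
 password cisco
 login
 transport input telnet
!
"""

HARDENED_CONFIG = """\
service password-encryption
no service tcp-small-servers
username admin secret 5 $1$C/q2$ZhtujqzQIuJrRGqFwdwn71
enable secret 5 $1$C/q2$ZhtujqzQIuJrRGqFwdwn71
!
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
!
"""
```

Feed audit_config the text of a show running-config (or a TFTP backup) and print the list it returns. The hardened sample passes cleanly because it has no line passwords at all: each line uses login local against a username with a type 5 secret, the VTYs accept only SSH, and the Enable password is gone. Running decode_type7 over the sample configuration in the text above is a one-line demonstration that service password-encryption hides a password from a glance and from nothing else.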




Cisco: A Beginners Guide, Fourth Edition
ISBN: 0072263830
Year: 2006