Cisco Network Device Access Security Basics

To protect their Cisco networks, many administrators are busy with what traffic can be allowed to pass through network devices, and how to restrict the unique information exchanged between mail route upgrades and other routers. The access control list (ACLs) usually solves these problems quite simply. The security of network devices is important to any networked environment. To solve this problem, Cisco provides many alternatives.

In this article, I will introduce the basic configuration of Logon security. This article also describes how to use user-based login configurations to make basic configurations more secure and how to monitor configuration activities and connect to your vro. Once you understand these basic configurations, you can build more advanced Cisco features on it.

Basic logon Security Configuration

The most basic security considerations provided by Cisco are the use of a local password during Device Access and configuration. Different passwords can be applied to different rows or access pointers. The typical access pointers in Cisco devices are terminal lines (also known as virtual terminal lines, or VTYs), Console ports, and Auxiliary ports (AUX ).

In addition, different authentication methods can be established for different ports. The following is an example of a simple authentication configuration.

The following example assumes that a standard class of IOS 12. x is used to access the Cisco router. Router (config) # line con 0 Router (config-line) # password conpword1 Router (config-line) # login Router (config-line) # exit Router (config) # enable password 12345

Here, I have set a Console port password and generate the password I need When configuring the router. First, I enter the row configuration mode of the Console port, set the password and use login. Then I create a password for the access permission configured for the vro. To protect access to the vro on the local console, start from here.

Password Encryption

Note that the password is plain text during the configuration process. This is not a good idea from the security perspective. However, you can encrypt these passwords so that others accessing the vro will not be able to see them. Run the following command: Router (config) # service password-encryption

The password encryption service encrypts all existing and future passwords. I strongly recommend using this service in your Cisco network device configuration.

Password type

Valid passwords include standard valid passwords and enable secret ). Because strong encryption is used, a valid password is safer than a valid password.

After a valid password is configured, it replaces the valid password. The following example shows how to set a valid Password: Router (config) # enable secret abc123

If you check the vro configuration after performing this step, you will see that the valid password is automatically encrypted, whether or not the password encryption service is enabled.

Set call timeout

Another thing about access is to consider timeout. As a higher level of security, you can set to disconnect a conversation after a static state. If you leave the terminal for a while, you need to close a configuration dialog, which is a convenient tool. The default timeout value is 10 minutes. To set the call timeout, run the following command: Router (config) # line console 0 Router (config-line) # exec-timeout 6 30.

If no input is made within 6 minutes 30 seconds, the console dialog will be closed.

Terminal line protection

While protecting the Console port, you also want to protect the terminal lines used for Telnet access in the network. Consider the following example of Telnet security: Router (config) # line vty 0 4 Router (config-line) # password termpword1 Router (config-line) # login

Note that this is very similar to the console configuration. One difference is that there are more than one VTY line for vro access, so there are two numbers after the VTY keyword. The default number of lines on many Cisco routers is five. Here, we set a password for all terminal (VTY) lines. I can specify the actual terminal or VTY line number in a certain range. The syntax you often see is vty 0 4, which can include all five terminal access lines. Theoretically, you can create different passwords for different VTY lines or ranges. If needed, you can expand the number of available VTY lines to accommodate more users. However, this method also has restrictions. First, we recommend that you restrict the simultaneous access to a typical network device. In this example, it is not a good choice to extend the number of input lines of VTY. If you only want to restrict access to VTY through Telnet, run the following command: Router (config) # line vty 0 4 Router (config-line) # transport input telnet.

Here, I have specified that all terminal lines can use Telnet. To further restrict access from the vro of the source address, I can use an access list in line configuration mode with class access commands.

There are still many things to do to protect virtual terminal lines that can be accessed by routers in the network.

SSH vs.. Telnet SSH vs. Telnet if you prefer to use Telnet to log on to your vro, you can use SSH. To enable your Router to use SSH, run the following command: Router (config) # line vty 0 3 Router (config-line) # transport input ssh

In addition, we have a fairly reliable foundation for logging on to basic network devices. The next safe login form we will consider is user-based login.

User-based Logon

A logon process based on specific user trust relationships helps to ensure the responsibility for configuration changes, which is particularly important in large network environments with many vrouters and switches that require manual operation. Once you perform this type of authentication, the router records who accessed the router and modified the configuration. As a network administrator, you will truly appreciate the benefits of recording vro configuration changes. To make it work, you can use the authentication, authorization, and record (AAA) Features to set Local User Name authentication. The commands in the following example are required to activate the logon with the local User name: Router (config) # aaa new-model Router (config) # aaa authentication login default local Router (config) # line vty 0 3 Router (config-line) # login authentication default Router (config-line) # exit Router (config) # username rmcintire password rmcinpword1 Router (config) # username rhumphrey password rhpword1 Router (config) # username jberry password jbpword1

Although the comprehensive discussion of AAA settings is beyond the scope of this article, I still want to introduce more advanced techniques to illustrate their useful performance. Here, I created three different user names and passwords for logon and applied this logon method in lines 1 to 3 of VTY. In addition, if the encryption service is started, the password will be encrypted in the actual vro configuration file.

Authorization

The problem with access is access level, or authorization level. This problem refers to how much permission you have to access your users. Cisco allows you to set different access levels. The range of permission levels is from 0 to 15; 15 has the highest level of access permissions. The default levels are 0 and 15. Level 15 provides full access permissions, while level 0 has limited commands and configurations. You can set the permission level and assign them certain features through commands or types. For example, you can create a level that allows access to the interface and command line configuration mode. The other level only allows access to some common command configuration modes. To specify the permission level, you can use the following general configuration commands: Router (config) # Privilege configure level 5 ntp

You can assign multiple command access methods by changing the configuration level. Here, I create level 5 and allow the use of NTP commands in general configuration mode.

As a network administrator, you are responsible for maintaining the access level of each user. To make these access settings more effective, you must limit the ability of all users to use access commands, because this will allow them to change their permission levels. In the following example, I set my level to 5: Router (config) # username rmcintire privilege 5 Another option to consider is assigning privilege by terminal line. to restrict privilege level by input line, enter config mode on that line and set the level as follows: Router (config) # line console 0 Router (config-line) # privilege level 7 Router (config) # line vty 0 4 Router (config-line) # privilege level 4

This achieves a lower permission level than the console in the VTY (terminal) line. This may be more suitable for environments that require users to make high-level changes on the network through virtual terminal conversations. The main reason is that when a major modification is required, the maintenance department that has higher access permissions on the Console port will send someone to manually change the switch.

Monitor access security

You can not only track vro configuration activities, but also know who is connected to a specific vro in real time. Use the show USER command as follows: Router # show users

This command outputs a table, including the row entries that show each terminal line, user name, location (address), and so on in use. This location or IP address can be used to find the actual system from the terminal conversation location. If the user name is logged on and started, you can easily see which users have logged on to the vro. This is why I recommend using user-based access in a network environment where more than one person maintains the network. You can also use the following command to disconnect a suspected or unauthorized user conversation: Router # disconnect ip-address

To view the permission information at any time, run the following command: Router # show privilege

Conclusion

In a simple environment where few people need to access network devices, you can only implement basic security functions, use VTY and console password to control users' access to the router entry line. Adding a valid password and user access to the configured network is quite secure. If you have a larger network, more people need to access the network, or you only have higher requirements for responsibility, please refer to the user-based access skills.

Although the security settings and supplements in this Daily Drill Down are far from over, considering comprehensive security measures is almost always the first thing I do to protect my Cisco router. Because there is a more advanced and richer performance set, you will enjoy the benefits of AAA. In my next article, "using AAA to improve access control skills" will provide more information on this topic.

Article entry: csh responsible editor: csh