However, the router software allows you to change the default port that the HTTP server is running on. You can also configure an access list of specific hosts that are allowed Web access to the router and apply the access list to the HTTP server. Authentication of each user provides better security if you elect to use the router's HTTP server functions. Authentication can take place by one of four different methods:
∙AAA—Indicates that the AAA function is used for authentication.
∙Enable—Indicates that the configured enable password is used for authentication. This is the default authentication method.
∙Local—Indicates that the locally configured security database is used for authentication.
∙TACACS+—Indicates that the Terminal Access Controller Access system is used for authentication.
Immediate Solutions
Configuring Console Security
The console port is used to attach a terminal directly into the router. By default, no security is applied to the console port and the setup utility does not prompt you to configure security for console access. Cisco routers have many different modes of operation, one of which is user mode. When you first access the router via the console port, the router will prompt you for a password, if one has been configured. After successfully supplying the password, you are logged into user mode on the router. When a Cisco router is in user mode, the router will display its hostname followed by the greater than symbol. Here is an example of user mode access:
SecureRouter>
User mode has limited functionality. Enable mode, also called privileged mode, can be accessed by typing the enable command. If passwords have been configured to access this level of the IOS, the router prompts you for the correct password. When a Cisco router is in enable mode, the router will display its hostname followed by the pound sign. Here is an example of enable mode access:
SecureRouter#
Cisco passwords are case sensitive. The simplest and most direct way to connect to the network device is to use a direct connection to the console port of a router or switch. You can configure a console password to authenticate users for user mode access by entering the following commands:
SecureRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
SecureRouter(config)#line con 0
SecureRouter(config−line)#password Coriolis
SecureRouter(config−line)#login
SecureRouter(config−line)#end
14
The preceding configuration sets the user mode password to Coriolis. Cisco routers also maintain a local user authentication database, which can be used to authenticate users who connect directly to the console port of a router. Here's an example of configuring the router to use the local user database for authentication of users who attempt to access the router via the console:
!
username Fred privilege 15 password 0 Flintstone username Elroy privilege 12 password 0 Jetson username Captain privilege 8 password 0 Kirk
!
line con 0 login local
transport input none
!
The preceding configuration defines three users: Fred, Elroy, and Captain. Each user has an associated privilege level defined for their respective login credentials and has a password that is associated with their username. This allows Fred to log into the router with a username of Fred and a password of Flintstone. Because Fred's privilege level defines the maximum privilege level that can be configured on the router, Fred is considered to be the super−user. Elroy has a privilege level of 12 and the password Jetson.
Note Assignment of privilege levels is discussed in detail later in this chapter.
By assigning Elroy a privilege of 12, the administrator can limit the functionality that Elroy may have on the router. That's also the case for Captain. When a user plugs into the console port of a router configured with local authentication, they are first prompted for their username; after successfully passing the correct username to the router, they are then prompted for the password that is associated with that username. The following example details these steps:
User Access Verification
Username: Fred
Password: Flintstone
SecureRouter#
Now, what do you think would happen if you were to attempt to log in with the username of Fred and the password that is associated with Elroy? You would suspect that the router would deny you access. This example details this attempt:
User Access Verification
Username: Fred Password: Jetson % Login invalid
Username:
15
From this, you can see that you must supply the password that is associated with the username with which you are attempting to gain access.
Warning When using local authentication and assigning privilege levels, you must be careful to associate the correct username with the correct privilege level. Anyone who logs in with a privilege level that is equal to 2 or above is logged directly into privileged mode.
Configuring Telnet Security
Directly connecting to the console of a router is generally a relatively easy method for gaining access to the device; however, this method is inconvenient and not abundantly scalable. If console access is the only method available to gain access into the device, an administrator must always walk, drive, or fly to the physical location of the router and plug into the device's console port. Fortunately, there are methods for gaining access into the router from a remote location. The most common method of remote administration for a Cisco router is to use a Telnet session. Unlike with console access, there are four configuration requirements that must be met before you can use this method of access:
∙An enable password must be supplied. This is discussed in the next section.
∙The router must have an IP address assigned to a routable interface.
∙The routing table of the router must contain a route for the source of the Telnet packet.
∙Under line configuration mode, a vty password must be supplied.
The steps involved in defining Telnet security are similar to the steps used to configure console security. An example of configuring the fourth requirement (after the first three have been met) can be seen here:
SecureRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
SecureRouter(config)#line vty 0 4
SecureRouter(config−line)#login
SecureRouter(config−line)#password letmein
SecureRouter(config−line)#end
SecureRouter#
As mentioned in the preceding section, "Configuring Console Security," Cisco routers also maintain a local user authentication database, which can be used to authenticate users who directly connect to the console port of a router. Here is an example of configuring the router to use the local user database for authentication of users who attempt to access the router via the console:
!
username Fred privilege 15 password 0 Flintstone username Elroy privilege 12 password 0 Jetson username Captain privilege 8 password 0 Kirk
!
line vty 0 4 login local
The result is that, when a user telnets to the router with this configuration, they will be prompted to enter a username and password before being allowed to gain access into the router.
16
Routers can also restrict Telnet access to authorized users with the use of an access list. The access list is then applied to the virtual terminal ports of the router with the access−class command. This allows you to restrict Telnet access from a particular IP address or a subnet of IP addresses. Use the following steps to this method of security:
1.Use the access−list global configuration command to configure an access list that permits the specific hosts that are allowed Telnet access.
2.Use the access−class access−list−number {in|out} command to apply the access list to the virtual terminal ports.
In the following example, the router is configured to allow only three hosts Telnet access on each of the available virtual terminal ports:
Router−A#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router−A(config)#access−list 10 permit 10.10.10.19
Router−A(config)#access−list 10 permit 10.10.11.20
Router−A(config)#access−list 10 permit 10.10.12.130
Router−A(config)#line vty 0 4
Router−A(config−line)#access−class 10 in
Router−A(config−line)#end
Router−A#
Note Remember, console and Telnet security is not preconfigured for you by default. One of your first configuration steps when you initially set up your router should be to configure each of these interfaces.
Configuring Enable Mode Security
To configure enable mode access, you can use one of two commands: enable password or enable secret. Both commands accomplish the same thing, allowing access to enable mode. However, the enable secret command is considered to be more secure because it uses a one−way encryption scheme based on the MD5 hashing function. Only use the enable password command with older IOS images and/or boot ROMs that have no knowledge of the newer enable secret command.
Note The MD5 encryption algorithm will be discussed in detail in Chapter 6. For now, just remember that this method is considered more secure.
You configure an enable password by entering the enable password <password> command in global configuration mode:
SecureRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
SecureRouter(config)#enable password Omni−Pass01
SecureRouter(config)#end
SecureRouter#
The preceding configuration sets the enable password to Omni−Pass01. The result of setting the enable password can be seen in the following output. From the user mode prompt, you must enter the enable command to gain access into privileged mode:
17