- Table of Contents
- Cisco Network Security Little Black Book
- Introduction
  - Is this Book for You?
  - How to Use this Book
  - The Little Black Book Philosophy
- Chapter 1: Securing the Infrastructure
  - In Brief
    - Enterprise Security Problems
    - Types of Threats
    - Enterprise Security Challenges
    - Enterprise Security Policy
    - Securing the Enterprise
  - Immediate Solutions
    - Configuring Console Security
    - Configuring Telnet Security
    - Configuring Enable Mode Security
    - Disabling Password Recovery
    - Configuring Privilege Levels for Users
    - Configuring Password Encryption
    - Configuring Banner Messages
    - Configuring SNMP Security
    - Configuring RIP Authentication
    - Configuring EIGRP Authentication
    - Configuring OSPF Authentication
    - Configuring Route Filters
    - Suppressing Route Advertisements
- Chapter 2: AAA Security Technologies
  - In Brief
    - Access Control Security
    - Cisco Secure Access Control Server
  - Immediate Solutions
    - Configuring TACACS+ Globally
    - Configuring TACACS+ Individually
    - Configuring RADIUS Globally
    - Configuring RADIUS Individually
    - Configuring Authentication
    - Configuring Authorization
    - Configuring Accounting
    - Installing and Configuring Cisco Secure NT
- Chapter 3: Perimeter Router Security
  - In Brief
    - Defining Networks
    - Cisco Express Forwarding
    - Unicast Reverse Path Forwarding
    - TCP Intercept
    - Network Address Translation
    - Committed Access Rate
    - Logging
  - Immediate Solutions
    - Configuring Cisco Express Forwarding
    - Configuring Unicast Reverse Path Forwarding
    - Configuring TCP Intercept
    - Configuring Network Address Translation (NAT)
    - Configuring Committed Access Rate (CAR)
    - Configuring Logging
- Chapter 4: IOS Firewall Feature Set
  - In Brief
    - Port Application Mapping
    - IOS Firewall Intrusion Detection
  - Immediate Solutions
    - Configuring Port Application Mapping
    - Configuring IOS Firewall Intrusion Detection
- Chapter 5: Cisco Encryption Technology
  - In Brief
    - Cryptography
    - Benefits of Encryption
    - Symmetric and Asymmetric Key Encryption
    - Digital Signature Standard
    - Cisco Encryption Technology Overview
  - Immediate Solutions
    - Configuring Cisco Encryption Technology
- Chapter 6: Internet Protocol Security
  - In Brief
    - IPSec Packet Types
    - IPSec Modes of Operation
    - Key Management
    - Encryption
    - IPSec Implementations
  - Immediate Solutions
    - Configuring IPSec Using Manual Keys
    - Configuring Tunnel EndPoint Discovery
- Chapter 7: Additional Access List Features
  - In Brief
    - Wildcard Masks
    - Standard Access Lists
    - Extended Access Lists
    - Reflexive Access Lists
    - Dynamic Access Lists
    - Additional Access List Features
  - Immediate Solutions
    - Configuring Standard IP Access Lists
    - Configuring Extended IP Access Lists
    - Configuring Extended TCP Access Lists
    - Configuring Named Access Lists
    - Configuring Commented Access Lists
    - Configuring Dynamic Access Lists
    - Configuring Reflexive Access Lists
- Appendix A: IOS Firewall IDS Signature List
- Appendix B: Securing Ethernet Switches
  - Configuring Management Access
  - Configuring Port Security
  - Configuring Permit Lists
  - Configuring AAA Support
- List of Figures
- List of Tables
- List of Listings
SecureRouter>enable
Password: Omni-Pass01
SecureRouter#
Note After you enter the enable command, the password you type at the password prompt will not be displayed. Be sure to type the password exactly as it is configured in the enable password command.
You configure an enable secret password by entering the following command in global configuration mode:
SecureRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
SecureRouter(config)#enable secret Long@Horn10
SecureRouter(config)#end
SecureRouter#
The preceding configuration sets the enable secret password to Long@Horn10. If both an enable password and an enable secret are configured, the router checks the secret and ignores the enable password. The result of setting the enable secret password can be seen in the following output. From the user mode prompt, you must enter the enable command to gain access into privileged mode, as follows:
SecureRouter>enable
Password: Long@Horn10
SecureRouter#
Note After you enter the enable command, the password you type at the password prompt will not be displayed. Be sure to type the password exactly as it is configured in the enable secret command; passwords are case-sensitive. Unlike the enable password, the enable secret is stored in the configuration as a one-way hash, so it cannot be read back out of a configuration dump.
Disabling Password Recovery
The first line of defense against intruders is to set passwords on routers. Sometimes passwords are forgotten and must be recovered. The recovery procedures for Cisco devices are widely published, however, and anyone who can reach the console port and power-cycle the router can use them, so there are some instances in which password recovery should be disabled: when the physical security of the router cannot be guaranteed, or during a network emergency.
Note Password recovery on routers and switches is outside the scope of this book. However, if you need an index of password recovery procedures for Cisco network devices, see the following Cisco Web page: http://www.cisco.com/warp/public/474.
The key to recovering a password on a Cisco router is manipulation of the router's configuration register. All router passwords are stored in the startup configuration, so if the configuration register is changed to make the router ignore the startup configuration at boot, the router comes up with no passwords at all; the administrator can then load the saved configuration, change the passwords, and restore the register. If you have disabled the password recovery mechanism, you will not be able to perform this procedure on the router. Disabling password recovery on a Cisco router is a decision that must be thought out ahead of time, because the command used to disable it also disables the break sequence that would otherwise drop the router into ROMMON during boot, which is where the configuration register is changed.
Warning The command discussed in this section is not recommended for use on any production router and is explained here only for the benefit of learning within a lab environment.
You can disable the Cisco password recovery procedure by issuing the no service password-recovery command in global configuration mode:
SecureRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
SecureRouter(config)#no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for
password recovery.

Are you sure you want to continue? [yes/no]: yes
As you can see, the IOS reminds you of how serious disabling password recovery is with a warning message and a prompt that lets you change your mind. To see the results of changing the password recovery feature, issue the show running-config command. The effects of issuing the command can be seen in the following configuration:
SecureRouter#show run
Building configuration...

Current configuration:
!
version 12.0
service password-encryption
no service password-recovery
!
hostname SecureRouter
After password recovery has been disabled and the configuration has been saved to NVRAM (copy running-config startup-config), the widely available password recovery procedure will not be available on the router. The following output verifies that password recovery is indeed disabled; the bootstrap announces it before the IOS image is loaded:
SecureRouter#reload
Proceed with reload? [confirm]
00:14:34: %SYS-5-RELOAD: Reload requested

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
PC = 0xfff14ee8, Vector = 0x500, SP = 0x680127b0
C2600 platform with 49152 Kbytes of main memory

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED

program load complete, entry point: 0x80008000, size: 0x928024
Self decompressing the image : #######################....
Warning The use of the command discussed in this section is not recommended for a production router. It should be used only in extreme circumstances or in a lab environment!
![](/html/1438/356/html_izDWsvDLr7.LMPw/htmlconvd-FAuByQ24x1.jpg)
If the no service password-recovery command has been issued on a Cisco router and the passwords have been forgotten, you must contact your Cisco Technical Support Engineer to obtain help in gaining access into the router and enabling the password recovery process again.
Configuring Privilege Levels for Users
As mentioned earlier, the Cisco IOS software has two default modes of operation: user EXEC mode (privilege level 1) and privileged EXEC mode (privilege level 15). In all there are 16 privilege levels, 0 through 15, and you can assign commands to any of them, which allows you to selectively hand out authority on a per-user basis. Any command entered into the IOS can be associated with a privilege level. You configure the privilege level for a command using the global configuration command privilege <mode> level <level> <command>; the reset form returns a command to its default level. The exact syntax of this command is as follows:
privilege <mode> level <level> <command>
privilege <mode> reset <command>
Figure 1.1 displays three users, Cindy, Marsha, and Jan, connected to a local segment. Cindy is the network engineer; she has full control over Router A. Marsha and Jan are system administrators; they need only limited functionality on Router A. Here is an example of the configuration that meets this requirement:
enable secret Cindy
enable secret level 3 Marsha
enable secret level 2 Jan
privilege exec level 3 debug
privilege exec level 3 show running-config
privilege exec level 3 telnet
privilege exec level 2 ping
privilege exec level 2 sh int ser0
privilege exec level 2 sh ip route
line con 0
 login
Figure 1.1: Using privilege levels to create administrative levels.
This configuration leaves Cindy with the default full administrative rights to the router (level 15). Marsha is given privilege level 3 and can perform the commands listed at privilege level 3; Jan is given privilege level 2 and can perform the commands listed at privilege level 2. Privilege levels are cumulative: a user at a given level can also run every command assigned to a lower level, so Marsha can ping and view the interface and route tables as well, whereas Jan cannot debug, view the running configuration, or telnet from the router. The key is that each user must use the enable <level> command from the user mode prompt and log in with the password assigned for that level; show privilege confirms which level you are at. An example is provided here:
SecureRouter>
SecureRouter>enable 3
Password: Marsha
SecureRouter#
Configuring Password Encryption
It's relatively simple to configure password encryption on Cisco routers. When password encryption is configured, every plain-text password in the configuration (the enable password, line passwords, and username passwords) is converted to type 7 format, an unsophisticated reversible cipher. The algorithm is weak: it XORs the password against a fixed, publicly known key, and freely available tools recover the original password from a type 7 string instantly. It still serves a purpose, because an intruder who glances at a show running-config or at a printed configuration cannot simply read the password in plain text. Treat it as protection against shoulder surfing only; anyone who obtains a copy of the configuration effectively has the password, so a type 7 string must be handled as carefully as the plain-text password itself. The enable secret is not affected by this feature, because it is already stored as a one-way hash. To enable the use of password encryption, use the command service password-encryption.
The following example shows a router configuration prior to enabling password encryption. An enable password, a console password, and a Telnet password are configured:
SecureRouter#show running-config
!
enable password Cisco
!
line con 0
 password Networking
!
line vty 0 4
 password Security
!
The following example shows the command you would use to enable password encryption on the router:
SecureRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
SecureRouter(config)#service password-encryption
SecureRouter(config)#end
SecureRouter#
The results of enabling password encryption can be seen in the following example. Notice that each password is now shown as the digit 7 (the encryption type) followed by a string of hexadecimal digits, which is the type 7 form of the password:
SecureRouter#show running-config
!
enable password 7 05280F1C2243
!
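To make the "unsophisticated reversible cipher" concrete, the following Python script is an added example and is not from the book. It implements the type 7 algorithm (each password byte XORed with a byte of a fixed, public key, the first two digits of the stored string giving the starting offset into that key), decodes the enable password 7 05280F1C2243 string shown above back to Cisco, and scans a configuration dump for every password 7 line. The sample configuration, the seed values and the function names are assumptions made for the example; the enable password line in the sample is the one printed by the router above.

```python
"""Type 7 password recovery and config audit (added example, not from the book)."""
import re
from typing import List, Tuple

# Fixed key that Cisco IOS uses for type 7 obfuscation. It is public knowledge,
# which is exactly why type 7 offers no real protection.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plain text from a type 7 string such as '05280F1C2243'.

    Layout: two decimal digits giving the starting offset into _XLAT, then one
    pair of hex digits per password byte, each XORed with the key byte at the
    running offset.
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string must be a 2-digit seed followed by hex pairs")
    seed = int(encoded[:2])
    if seed >= len(_XLAT):
        raise ValueError("seed out of range")
    plain = bytearray()
    for i, pos in enumerate(range(2, len(encoded), 2)):
        plain.append(int(encoded[pos:pos + 2], 16) ^ _XLAT[(seed + i) % len(_XLAT)])
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 5) -> str:
    """Produce the type 7 form of a password (the inverse of type7_decode).

    IOS chooses the seed itself; restricting it to 0-15 here is an assumption
    made for the example.
    """
    if not 0 <= seed <= 15:
        raise ValueError("seed must be between 0 and 15")
    out = [f"{seed:02d}"]
    for i, byte in enumerate(plain.encode("ascii")):
        out.append(f"{byte ^ _XLAT[(seed + i) % len(_XLAT)]:02X}")
    return "".join(out)


# Matches 'enable password 7 <hex>', an indented 'password 7 <hex>' under a
# line, and 'username <name> password 7 <hex>'. Type 5 enable secret lines
# (one-way hashes) do not match and are not recoverable this way.
_TYPE7_LINE = re.compile(r"^\s*(?P<cmd>.*?\bpassword)\s+7\s+(?P<hex>[0-9A-Fa-f]{4,})\s*$")


def audit_type7(config_text: str) -> List[Tuple[str, str]]:
    """Return (config line, recovered password) for every type 7 secret found."""
    found = []
    for line in config_text.splitlines():
        match = _TYPE7_LINE.match(line)
        if match:
            found.append((line.strip(), type7_decode(match.group("hex"))))
    return found


# Constructed configuration dump for the demo. The enable password line is the
# one the book's router printed; the line passwords are encoded here with
# assumed seeds so that the whole dump can be built offline.
SAMPLE_CONFIG = "\n".join([
    "!",
    "service password-encryption",
    "enable password 7 05280F1C2243",
    "!",
    "line con 0",
    " password 7 " + type7_encode("Networking", seed=9),
    " login",
    "line vty 0 4",
    " password 7 " + type7_encode("Security", seed=12),
    " login",
    "!",
])


if __name__ == "__main__":
    for line, password in audit_type7(SAMPLE_CONFIG):
        print(f"{line:40s} -> {password}")
```

Run audit_type7 over a real show running-config dump to see how little service password-encryption buys: every type 7 line comes back in plain text. Anything that matters should be an enable secret, which is stored as a one-way hash and never matches the type 7 pattern.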