Basic access security for Cisco network devices

Network admins who employ Cisco routers for security might be overlooking the most obvious security threat: access to the router itself. Robert McIntire shows you how to protect the devices on your Cisco network.

To secure their Cisco networks, many administrators first address what traffic will be allowed to pass through networking devices and how to restrict routing protocol updates and other identifying information that routers exchange. Access control lists (ACLs) can generally take care of these issues quite simply. Security for network devices is just as important in any networked environment, and Cisco provides a range of methods to set it up. In this Daily Drill Down, I’ll introduce a basic configuration for login security. I’ll show you how to make that basic configuration even more secure with user-based login configurations and demonstrate how to monitor configuration activity and connections to your router. Once you understand these basic configurations, you’ll be able to build on them with Cisco’s more advanced features.

Basic login security configuration
The most basic security Cisco provides is through the use of local passwords for device access and configuration. Different passwords can be applied to different lines or access points. Typical access points on a Cisco device are the terminal lines (also known as VTYs or virtual terminal lines), the console port, and the auxiliary port (AUX).

Also, different ports can be set up for different methods of authentication. The following is an example of a very simple authentication configuration.

IOS version
The examples that follow assume a standard, access-class Cisco router running IOS version 12.x.

Router(config)# line con 0
Router(config-line)# password conpword1
Router(config-line)# login
Router(config-line)# exit
Router(config)# enable password 12345

Here I’ve configured a console port password and an enable password that I would need to configure the router. In the first statement, I enter line config mode for the console port, create the password, and finish with the login statement. Then I create an enable password for privileged access to router configuration. This is a good place to start when securing local console access to the router.

Password encryption
Notice that in this running configuration, the passwords are plain text. This is not a good idea in terms of security. However, you can encrypt the passwords so that they’re not readable by anyone with router access. To do so, execute the following command.
Router(config)# service password-encryption

The password encryption service will encrypt any existing passwords as well as any configured in the future. I highly recommend this in your Cisco network device configurations.

Password flavors
The enable password comes in two flavors: the standard enable password and the enable secret. The enable secret is more secure than the enable password because of the stronger encryption used.

When the enable secret is configured, it supersedes the enable password. The following example demonstrates the enable secret setup.
Router(config)# enable secret abc123

If you view the router configuration after executing this statement, you’ll see that the enable secret password is encrypted automatically whether or not the password-encryption service is enabled.

Setting the session timeout
Another thing to consider in terms of access is the session timeout. As an added level of security, you can configure a session to disconnect after a certain period of inactivity. This is a very handy tool in the event that you walk away from the terminal forgetting a live configuration session. The default timeout is 10 minutes. To configure the session timeout, try the following command.
Router(config)# line console 0
Router(config-line)# exec-timeout 6 30

This will cause a console session to drop after six minutes and 30 seconds have elapsed with no input.

Securing the terminal lines
Along with securing the console port, you’ll also want to secure the terminal lines used for Telnet access across the network. Consider the following example for Telnet security.
Router(config)# line vty 0 4
Router(config-line)# password termpword1
Router(config-line)# login

Notice that this is very similar to the console configuration. One difference is that two numbers follow the keyword vty, because there is more than one VTY line for router access. The default number of lines is five on many Cisco routers. Here, I’m configuring one password for all terminal (VTY) lines. I can specify the actual terminal or VTY line numbers as a range. The syntax that you’ll see most often, vty 0 4, covers all five terminal access lines.

You do have options here. Theoretically, you could set up different passwords on different VTY lines or ranges. If necessary, you could expand the number of VTY lines available to accommodate more users. But this method has limitations. First of all, it’s generally advisable to limit concurrent access to a typical network device, so expanding the number of VTY lines is not the best option in this case. On the contrary, generally accepted security practice is to limit virtual terminal access, both in the protocols that can be used and in the addresses from which a router can be reached. To restrict VTY access to the Telnet protocol only, you can use the following command.
Router(config)# line vty 0 4
Router(config-line)# transport input telnet

Here I’ve designated that all terminal lines accept Telnet only. To further restrict router access by source address, I can use an access list in conjunction with the access-class command in line config mode.

This goes a long way toward securing the virtual terminal lines that can be used across the network for router access.

SSH vs. Telnet
If you are paranoid about using Telnet to log in to your router, you can opt to use SSH. To enable your router to use SSH, run the following commands:
Router(config)# line vty 0 3
Router(config-line)# transport input ssh
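
The following is an added example, not part of the original article: a short Python audit of a saved configuration for the settings covered so far, with a hardened sample that shows the access-list and access-class pairing for restricting VTY access by source address. Both configurations are constructed; ACL number 10, the 192.0.2.0/24 management range and the hash placeholders are assumptions, and the parser assumes sub-commands are indented by one space as in show running-config output.

```python
# Constructed samples: ACL 10, 192.0.2.0/24 and the hash placeholders are made up.
WEAK = """\
enable password 12345
line con 0
 password conpword1
 login
line vty 0 4
 password termpword1
 login
 transport input telnet
"""
HARDENED = """\
service password-encryption
enable secret 5 <placeholder-hash>
access-list 10 permit 192.0.2.0 0.0.0.255
line con 0
 password 7 <placeholder>
 login
line vty 0 4
 password 7 <placeholder>
 login
 transport input ssh
 access-class 10 in
"""

def audit(config):
    """Return findings for the access settings the article covers."""
    top, lines, section = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if raw.startswith("line "):                 # start of a line stanza
            section = lines.setdefault(cmd, [])
        elif raw.startswith(" ") and section is not None:
            section.append(cmd)                     # sub-command of that stanza
        elif cmd:                                   # any other global command
            section = None
            top.append(cmd)
    out = []
    if "service password-encryption" not in top:
        out.append("global: service password-encryption not enabled")
    if not any(c.startswith("enable secret ") for c in top):
        out.append("global: no enable secret")
    for name, body in lines.items():
        vty = name.startswith("line vty")
        if vty and "transport input ssh" not in body:
            out.append(f"{name}: transport input is not ssh-only")
        if vty and not any(c.startswith("access-class ") and c.endswith(" in") for c in body):
            out.append(f"{name}: no inbound access-class")
    return out
```

Calling audit(WEAK) returns four findings and audit(HARDENED) returns none.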

So far, we have a fairly solid foundation of basic network device login. Now let’s take it up a notch. The next form of login security we’re going to look at is user-based authentication.

User-based login
A login process based on user-specific credentials can help to ensure accountability for configuration changes, which can be especially important in large network environments with many hands touching the routers and switches. Once you implement this type of authentication, the router tracks who last accessed the router or modified the config and when. As a network admin, you can appreciate the benefit of logging router configuration changes. To make it work, you can use the AAA (Authentication, Authorization, and Accounting) features to configure local username authentication. The following is an example of the commands necessary to activate local user name login.
Router(config)# aaa new-model
Router(config)# aaa authentication login default local
Router(config)# line vty 0 3
Router(config-line)# login authentication default
Router(config-line)# exit
Router(config)# username rmcintire password rmcinpword1
Router(config)# username rhumphrey password rhpword1
Router(config)# username jberry password jbpword1

Although a comprehensive discussion of AAA configuration is beyond the scope of this Daily Drill Down, I’ve introduced it now to illustrate the capabilities available with more advanced methods. Here I’ve configured three different usernames with passwords for login and applied this login method to VTY lines 0-3. Again, the passwords will be encrypted in the actual router configuration file if the encryption service is active.

Along with access comes the issue of access level, or authorization. The question is how much access you want a user to have. Cisco’s implementation makes it possible to grant different levels of access, known as privilege levels. Privilege levels range from 0 to 15; 15 is the highest access level. The default levels are 0 and 15. Level 15 offers complete access, while level 0 offers very limited command and config access. You can create privilege levels and assign certain functions to those levels by command or type. For instance, you could create one level that allows access to interface and line configuration mode commands and another that allows access only to some select global config mode commands. To assign privilege levels, you can use the privilege global config command.
Router(config)# privilege configure level 5 ntp

You can configure access to multiple commands at varying configuration levels. Here, I’ve created level 5 and granted access to the NTP command in global config mode.

As the network administrator, you’ll be charged with the responsibility of maintaining the access levels available to each user. To make this access scheme effective, remember to restrict all users’ ability to access commands that would allow them to change privilege levels, as well as their own privilege. In the following example, I’m assigning myself to level 5, which I created in the last example.
Router(config)# username rmcintire privilege 5

Another option to consider is assigning privilege by terminal line. To restrict privilege level by input line, enter config mode on that line and set the level as follows:
Router(config)# line console 0
Router(config-line)# privilege level 7
Router(config-line)# exit
Router(config)# line vty 0 4
Router(config-line)# privilege level 4

This implements a lower privilege level on the VTY (terminal) lines than on the console. This might be appropriate in an environment where users are restricted from making more advanced changes over the network via virtual terminal session. Basically, this would force support staff with higher-level access to the console port to physically visit the switch when significant configuration changes were necessary.

Monitoring access security
Not only can you track router configuration activity, but you can also tell in real time who is connected to a specific router. Use the show users command, as in the following example.
Router# show users

The output of this command is a table with a line item displaying each terminal line in use, the user name (if available), location (address), etc. The location or IP address can be used to find the actual system from which the terminal session was launched. If username logins are in use, you can easily see which user is logged in to the router. This is why I recommend some form of user-based access in network environments where more than one network support person is involved in network maintenance. You can also disconnect user sessions that are in question or unauthorized using the following command.
Router# disconnect ip-address

To view privilege information at any time, use the following command.
Router# show privilege

In simple environments with few personnel requiring access to network devices, you can usually implement very basic security in the form of VTY and console passwords to control user access to the input lines of a router. Add an enable secret password, and user access to configure the network is fairly secure. If you have a larger network, a larger staff requiring access, or simply have a greater need for accountability, look into user-based access techniques.

Although the security configurations and tweaks in this Daily Drill Down aren’t end-all, stand-alone security measures, they’re nearly always the first steps I take in securing my Cisco routers. For a more advanced, richer feature set, you’ll want to take advantage of AAA. My next article, “Centralize your access control method with AAA,” will provide more information on this topic.
