ITSY 2301 Firewalls and Network Security Fall 2009
Lab 3 General Router Security
Purpose:
Use basic security commands to secure management access to the router.
Topology:
See the ITSY2301 standard router configuration diagram.
Confirm the cabling of the routers and switches.
Directions:
***** Configure the 2 routers with appropriate starting IP addresses and routing protocol.
Test the connectivity between the routers and the workstations.
Step 1 Set an “Enable” password
“Enable” passwords should always be set in any production environment. Setting the enable password will authenticate the user when they try to enter the privileged EXEC mode. Defining an enable password helps prevent unauthorized access to the various router configuration modes. (Cisco curriculum)
At the Router> prompt, type Enable. Then key in the following bold commands:
Config term
enable password cisco
Verify the enable password by exiting out of the router completely with Exit.
Log in to the router with Enable and enter the password cisco.
View the running configuration to confirm the “enable” password: show run
Note: is the password encrypted? ______
Step 2 Set an “enable secret” password
Config term
enable secret class
Verify the enable password by exiting out of the router completely with Exit.
Log in to the router with Enable and enter the password cisco.
View the running configuration to confirm the “enable secret” password: show run
Note: is the password encrypted? ______
Step 3 Set Service Password Encryption
View the current configuration again with show run.
Notice the line “no service password-encryption”
Turn on the password encryption service:
Config t
service password-encryption
View the running configuration to confirm the change: show run
Note: what is the change in the password information?
Step 4 Configuring vty for Telnet
There are several ways to limit access through the VTY interfaces. The Boston router has a simple password set to limit access to all functions at the VTY interfaces.
Allow only Telnet on the VTY interfaces with:
Config term
Line VTY 0 4
transport input telnet
password cisco
login
Step 5 Setting a Banner Message
Warning messages, or banners, are a critical security notice that users see when logging into the router.
Config term
banner motd @ Access limited to authorized users only! @
Use Exit to drop out of the router and log back in using class as the password.
Note: Is the warning displayed? ______
Now try to telnet to the router from your workstation command prompt. (The workstation needs to have a valid IP address for the lab network.)
telnet 10.0.1.1 (Austin) or telnet 11.013.1 (Boston)
password: cisco
Note: Is a warning banner displayed? ______
Exit out of the telnet connection
Step 6 Setting Privilege Levels
According to the Cisco curriculum, “By default, the Cisco IOS software has two modes of password security: user mode (EXEC) and privilege mode (enable). There are 16 hierarchical levels of commands for each mode that can be defined, from 0 to 15. By configuring multiple passwords, different sets of users are allowed access to specified commands.”
We will be creating privilege levels for several users and assigning specific commands to those users to learn how privilege levels work.
Before we configure limited access, let’s see what some of the fully authorized administrator debug commands are:
Debug ?
Note: About how many debug commands do you see? ______
Now create a privileged user and limit his/her debug commands:
Config term
enable secret level 5 pass5
privilege exec level 5 debug ppp auth
privilege exec level 5 debug ppp error
privilege exec level 5 debug ppp negotiation
Next login to privilege level 5
Exit all the way out of the router
enable 5
Password: pass5
Look at the available debug commands:
Debug ?
Note: How many debug commands are available? ______
Exit out of the router and login as a full administrator, at privilege level 15:
Enable
Password: class
Check out the current configuration:
Show run
Save your configurations to the desktop. You will want to print them for your lab report.
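Added example, not part of the lab handout: a small Python audit of saved show run text that flags each condition Steps 1 through 5 change (cleartext enable password, missing enable secret, encryption service off, VTY line without login or transport restriction, no banner). The two config excerpts are constructed with placeholder hashes; it also flags the Type 7 form produced by service password-encryption, since that encoding is reversible and only the enable secret hash actually protects privileged mode.

```python
import re
# Constructed "show run" excerpts (placeholder hashes, not from a real router):
# BEFORE has only done Step 1, AFTER has completed Steps 1-5 of the lab.
BEFORE = """\
no service password-encryption
enable password cisco
line vty 0 4
 transport input all
 password cisco
"""
AFTER = """\
service password-encryption
enable secret 5 $1$abcd$PLACEHOLDERHASH0000000000
enable password 7 094F471A1A0A
banner motd ^C Access limited to authorized users only! ^C
line vty 0 4
 transport input telnet
 password 7 094F471A1A0A
 login
"""

def audit_config(config):
    """Return findings from running-config text, keyed to the lab step that fixes each."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    findings, vty, current = [], {}, None   # vty: header -> indented commands
    for l in lines:
        if l.startswith("line vty"):
            current = vty.setdefault(l, [])
        elif l.startswith(" ") and current is not None:
            current.append(l.strip())
        else:
            current = None          # any other top-level command closes the block
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append("step2: no enable secret configured")
    for l in lines:
        m = re.match(r"enable password (7 )?\S+", l)
        if m:   # Type 7 is a reversible encoding, so it is a caveat either way
            kind = "type 7 (reversible)" if m.group(1) else "cleartext"
            findings.append(f"step1: enable password stored as {kind}")
    if "no service password-encryption" in lines:
        findings.append("step3: service password-encryption is off")
    if not any(l.startswith("banner motd") for l in lines):
        findings.append("step5: no MOTD banner")
    for header, cmds in vty.items():
        if not any(c.startswith("login") for c in cmds):
            findings.append(f"step4: {header} has no login")
        ti = [c.split()[-1] for c in cmds if c.startswith("transport input")]
        if not ti or ti[-1] == "all":
            findings.append(f"step4: {header} accepts all transports")
    return findings
```

Run audit_config on the configuration you saved from each router to see which steps still apply.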
Reflection Questions:
Which password is more secure, the enable password or the enable secret password and why?
Why does it matter what the (highly recommended) banner says?
Would it be better to enable the VTY telnet access and give it a password, or just leave it inaccessible by not configuring it?
Why would you configure the VTY interface?
Why would an administrator want to configure several privilege levels for router configuration access?