Showing posts with label Cisco Router Labs.

Wednesday, 11 May 2011

Network Security Notes: Network Protocols: Configuring EIGRP Authentication Protocol

This blog is created for network security review, study and understanding of network-related issues only! The blog focuses on Network Security Notes about Network, Network Security, Network Technology, Network Labs review related to Cisco and Microsoft technology, Network Threats, Types of Network Threats, Network Alerts, Enterprise Security Policy and Audits, Security Policy and Audits, Logical Security, Physical and Logical Security, Physical Security, Cisco Products Review, Microsoft Products review, Cisco Routers, Routers Security, Console Access, Telnet Access, Network Attack, Network Attack report, Network management, Anti-virus, Network Security with Anti-virus, and All About Network Security... Thanks for your visit!

Following my previous post on understanding the EIGRP protocol, in this post I would like to share how to configure EIGRP authentication.

EIGRP Authentication between Router A and Router B

EIGRP has supported authentication of packets since IOS version 11.3. EIGRP route authentication is similar to RIP version 2 authentication, but EIGRP supports only MD5 authentication.

EIGRP's authentication support may at first seem limited, but plain text authentication should be configured only when neighboring routers do not support MD5. Because EIGRP is a proprietary routing protocol developed by Cisco, it is spoken only between Cisco devices, so the issue of a neighboring router not supporting MD5 authentication should never arise.

The steps for configuring authentication of EIGRP updates are similar to the steps for configuring RIP version 2 authentication:

1. Define the key chain using the command key chain <name> in global configuration mode. This command transfers you to key chain configuration mode.

2. Specify the key number with the key <number> command in key chain configuration mode. You can configure multiple keys.

3. For each key, identify the key string with the key-string <string> command.

4. Optionally, configure the period for which the key can be sent and received, using the following commands (start-time is the point at which the lifetime begins):

accept-lifetime start-time {infinite|end-time|duration seconds}
send-lifetime start-time {infinite|end-time|duration seconds}

5. Exit key chain configuration mode with the exit command.

6. Under interface configuration mode, enable authentication of EIGRP updates with this command, where the autonomous system number must match the one used in the router eigrp command:

ip authentication key-chain eigrp <as-number> <key-chain-name>

7. Enable MD5 authentication of EIGRP updates with the following command:

ip authentication mode eigrp <as-number> md5

The listing below shows how Router A should be configured to authenticate updates from Router B using EIGRP MD5 authentication.

Command Listing A: Router A's configuration with MD5 authentication:

key chain router-a
key 1
key-string eigrp
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip authentication mode eigrp 2 md5
ip authentication key-chain eigrp 2 router-a
clockrate 64000
!
router eigrp 2
network 10.0.0.0
network 192.168.10.0
no auto-summary
eigrp log-neighbor-changes


The next listing shows the configuration for Router B.

Command Listing B: Router B's configuration with MD5 authentication:

key chain router-b
key 1
key-string eigrp
!
interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip authentication mode eigrp 2 md5
ip authentication key-chain eigrp 2 router-b
clockrate 64000
!
router eigrp 2
network 10.0.0.0
network 192.168.10.0
no auto-summary
eigrp log-neighbor-changes

Command Listing A configures Router A with a key chain named router-a, a key number of 1, and a key-string of eigrp. Command Listing B configures Router B with a key chain named router-b, a key number of 1, and a key-string of eigrp. Notice again that the key chain name need not match between routers; however, the key number and the key string associated with that key number must match between routers configured to use it.

Although debugging of authenticated EIGRP packets is somewhat limited, a few commands can be used to verify that packet authentication is taking place correctly. Two of those commands are debug eigrp packet and show ip route. The debug eigrp packet command informs you whether the router has received a packet with the correct key number and key string. The output of issuing this command can be seen here:

Router-A#debug eigrp packet
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK)
Router-A#
EIGRP: received packet with MD5 authentication
EIGRP: received packet with MD5 authentication



Router A is receiving MD5-authenticated packets from its neighbor, Router B. However, we cannot fully determine whether authentication is taking place correctly without issuing the show ip route command on Router A. This lets us look at the route table and confirm that packet authentication is working, because the routes that Router B has sent to Router A are installed in the route table. Listing Command C displays the output of the show ip route command.

Listing Command C: Route table of Router A with correct authentication configured:

Router-A#sh ip route
...
C 192.168.10.0/24 is directly connected, Ethernet0/0
C 10.10.10.0 is directly connected, Loopback0
C 10.10.11.0 is directly connected, Ethernet0/0
D 10.10.12.0 [90/409600] via 192.168.10.2, 00:18:36, Serial0/0
D 10.10.13.0 [90/409600] via 192.168.10.2, 00:18:36, Serial0/0
Router-A#


You can change Router A's key-string value for key 1 to see what effect this has. The following lines change the key-string value for key 1 on Router A to ospf:

Router-A#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router-A(config)#key chain router-a
Router-A(config-keychain)#key 1
Router-A(config-keychain-key)#key-string ospf
Router-A(config-keychain-key)#end
Router-A#


Now that Router A has a different key string associated with key 1, you would assume that packet authentication is not taking place correctly. By issuing the debug eigrp packet command, you can see that there is indeed a problem with authentication:

Router-A#debug eigrp packet
EIGRP Packets debugging is on
(UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK)
Router-A#
EIGRP: received packet with MD5 authentication
EIGRP: ignored packet from 192.168.10.2 opcode = 5 (invalid authentication)


A quick look at the route table confirms that authentication is incorrectly configured. Now that the key strings are different, no routes from Router B are installed in the route table of Router A. Listing Command D displays the routing table of Router A.

Listing Command D: Route table of Router A with incorrect authentication configured:

Router-A#sh ip route
...
C 192.168.10.0/24 is directly connected, Ethernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.10.10.0 is directly connected, Loopback0
C 10.10.11.0 is directly connected, Loopback1
Router-A#


NOTE: You can also issue the show ip eigrp neighbor command to determine if authentication is configured correctly. If authentication is correctly configured, the neighboring router will be displayed in the output of the command. If authentication is incorrectly configured, the neighbor will not be displayed in the output.





Monday, 25 October 2010

Network Technology: Network Security: How to Configure RIP Authentication


Following my previous post on the RIP protocol, in this post I want to show you how to configure RIP authentication.

Generally, there are two versions of the Routing Information Protocol (RIP): version 1 and version 2. RIP version 1 does not support authentication of routing updates; however, RIP version 2 supports both plain text and MD5 authentication.

The figure below shows two routers, Router A and Router B, that exchange RIP version 2 MD5-authenticated updates.

Router A and Router B configured for RIP authentication


Configuring authentication of RIP version 2 updates is fairly easy and very uniform. The basic configuration includes the following steps:

1. Define the key chain using the command key chain <name> in global configuration mode. This command transfers you to key chain configuration mode.

2. Specify the key number with the key <number> command in key chain configuration mode. You can configure multiple keys.

3. For each key, identify the key string with the key-string <string> command.

4. Configure the period for which the key can be sent and received. Use the following commands (start-time is the point at which the lifetime begins):

accept-lifetime start-time {infinite|end-time|duration seconds}
send-lifetime start-time {infinite|end-time|duration seconds}

5. Exit key chain configuration mode with the exit command.

6. Under interface configuration mode, enable authentication of RIP updates with this command:

ip rip authentication key-chain <name>

This command is all that is needed to use plain text authentication.

7. Optionally, under interface configuration mode, enable MD5 authentication of RIP updates using the ip rip authentication mode md5 command.

The listings that follow show how Router A and Router B in Figure 1.3 should be configured to authenticate updates from one another using RIP MD5 authentication. Listing 1.1 shows the configuration of Router A, and Listing 1.2 shows the configuration of Router B.

Listing 1.1: Router A's configuration with MD5 authentication:

key chain systems
key 1
key-string router
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.10.11.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.1 255.255.255.252
ip rip authentication mode md5
ip rip authentication key-chain systems
clockrate 64000
!
router rip
version 2
network 10.0.0.0
network 192.168.10.0
no auto-summary

Listing 1.2: Router B's configuration with MD5 authentication:

key chain cisco
key 1
key-string router
!
interface Loopback0
ip address 10.10.12.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.10.13.1 255.255.255.0
!
interface Serial0/0
ip address 192.168.10.2 255.255.255.252
ip rip authentication mode md5
ip rip authentication key-chain cisco
!
router rip
version 2
network 10.0.0.0
network 192.168.10.0
no auto-summary

The configuration in Listing 1.1 displays Router A's MD5 configuration. Router A is configured with a key chain named systems, a key number of 1, and a key-string of router. Listing 1.2 displays Router B's MD5 configuration. Router B is configured with a key chain named cisco, a key number of 1, and a key-string of router.

Note: Notice that the key chain name of each router can have a different value; however, the key-string must match for each key number that is configured on each neighbor.

You can use the command debug ip rip to examine how RIP receives the encrypted routing updates. Entering this command on Router A and Router B displays the output shown in Listing 1.3 and Listing 1.4, respectively.


Listing 1.3: The output of the command debug ip rip displays how Router A receives RIP routing updates from Router B:

Router-A#debug ip rip
RIP protocol debugging is on
Router-A#
RIP: received packet with MD5 authentication
RIP: received v2 update from 192.168.10.2 on Serial0/0
10.10.12.0/24 -> 0.0.0.0 in 1 hops
10.10.13.0/24 -> 0.0.0.0 in 1 hops

Listing 1.4: The output of the command debug ip rip displays how Router B receives RIP routing updates from Router A:

Router-B#debug ip rip
RIP protocol debugging is on
Router-B#
RIP: received packet with MD5 authentication
RIP: received v2 update from 192.168.10.1 on Serial0/0
10.10.10.0/24 via 0.0.0.0 in 1 hops
10.10.11.0/24 via 0.0.0.0 in 1 hops
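The receiver-side behaviour that both the EIGRP post and this RIP post demonstrate with debug output (packets accepted when key number and key string match even though the key chain names differ, and ignored with "invalid authentication" when the key string differs) can be modelled in a few dozen lines. The following is an added Python example, not code from the blog or from Cisco. It assumes a simplified packet layout: the key number travels alongside the update, and the MD5 digest is computed over the update followed by the key string zero-padded to 16 bytes. RFC 2082 RIPv2 and EIGRP lay the digest out differently on the wire, but the decision logic is the one shown. Key lifetimes are modelled as plain seconds, and the sample update is constructed.

```python
"""Key chains and keyed-MD5 neighbour authentication, modelled in Python.

Added illustration, not Cisco's implementation. The receiver looks the
packet's key number up in its local key chain, recomputes MD5 over
(update || key string) and drops the packet when the digests differ.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

INFINITE = float("inf")


@dataclass
class Key:
    key_id: int
    key_string: str
    accept_start: float = 0.0        # accept-lifetime start (seconds)
    accept_end: float = INFINITE     # accept-lifetime end, INFINITE = "infinite"
    send_start: float = 0.0          # send-lifetime start
    send_end: float = INFINITE       # send-lifetime end


@dataclass
class KeyChain:
    name: str                        # chain name: local only, never compared with the neighbour
    keys: list = field(default_factory=list)

    def send_key(self, now: float) -> Optional[Key]:
        """Lowest-numbered key whose send-lifetime covers `now`."""
        for k in sorted(self.keys, key=lambda k: k.key_id):
            if k.send_start <= now < k.send_end:
                return k
        return None

    def accept_key(self, key_id: int, now: float) -> Optional[Key]:
        """The key with this number, if its accept-lifetime covers `now`."""
        for k in self.keys:
            if k.key_id == key_id and k.accept_start <= now < k.accept_end:
                return k
        return None


def md5_auth(payload: bytes, key_string: str) -> bytes:
    # Key string zero-padded to 16 bytes and appended to the packet (assumed layout).
    padded = key_string.encode()[:16].ljust(16, b"\x00")
    return hashlib.md5(payload + padded).digest()


def build_update(chain: KeyChain, payload: bytes, now: float) -> dict:
    """Sender side: pick the active send key and attach key number plus digest."""
    key = chain.send_key(now)
    if key is None:
        raise RuntimeError("no key in its send-lifetime on chain %s" % chain.name)
    return {"key_id": key.key_id, "payload": payload,
            "digest": md5_auth(payload, key.key_string)}


def receive_update(chain: KeyChain, pkt: dict, now: float) -> str:
    """Receiver side: returns the kind of message the debug output shows."""
    key = chain.accept_key(pkt["key_id"], now)
    if key is None:
        return "ignored packet (no key %d in accept-lifetime)" % pkt["key_id"]
    expected = md5_auth(pkt["payload"], key.key_string)
    if not hmac.compare_digest(expected, pkt["digest"]):
        return "ignored packet (invalid authentication)"
    return "received packet with MD5 authentication"


def demo() -> dict:
    """Replays the scenarios from the posts on a constructed sample update."""
    update = b"UPDATE 10.10.12.0/24 via 192.168.10.2"   # constructed, not a real packet
    router_a = KeyChain("router-a", [Key(1, "eigrp")])
    router_b = KeyChain("router-b", [Key(1, "eigrp")])
    results = {}

    # Chain names differ, key number and key string match: accepted.
    pkt = build_update(router_b, update, now=100)
    results["match"] = receive_update(router_a, pkt, now=100)

    # Router A's key string for key 1 changed to "ospf", as in the EIGRP post.
    router_a.keys[0].key_string = "ospf"
    results["mismatch"] = receive_update(router_a, pkt, now=100)

    # A modified update under a matching key is also rejected.
    router_a.keys[0].key_string = "eigrp"
    tampered = dict(pkt, payload=update + b" metric 0")
    results["tampered"] = receive_update(router_a, tampered, now=100)

    # Rollover: key 1 stops being sent at t=200 and key 2 takes over; both
    # routers accept key 2 from t=150 so there is an overlap window.
    for chain in (router_a, router_b):
        chain.keys[0].send_end = 200
        chain.keys.append(Key(2, "eigrp-2", accept_start=150, send_start=200))
    pkt2 = build_update(router_b, update, now=250)
    results["rollover_key_id"] = pkt2["key_id"]
    results["rollover"] = receive_update(router_a, pkt2, now=250)

    # A router that never learned key 2 ignores the rolled-over update.
    stale = KeyChain("router-c", [Key(1, "eigrp")])
    results["unknown_key"] = receive_update(stale, pkt2, now=250)
    return results
```

The rollover case is why the accept-lifetime is normally configured wider than the send-lifetime: a neighbour whose clock or configuration lags still accepts the old key for a while, and one that was never given the new key drops every update once the sender switches, which shows up in the route table exactly as the mismatched key string does.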




Sunday, 30 May 2010

Configuring SNMP Security


There is no specific command that enables SNMP. To configure SNMP support, perform the tasks described in the following steps; only the first two steps are mandatory:

1. Enable the SNMP community string, which defines the relationship between the network management station and the agent, with the following command:

snmp-server community string {ro|rw} [number]

The number value references an optional access-list that restricts which hosts may use the community string.

2. Use this command to configure the router to send traps to an NMS host:

snmp-server host host [version {1|2c}] community-string [notification-type]

3. Configure the type of traps for which a notification is sent to the NMS. You do so with the following command:

snmp-server enable traps [notification-type] [notification-option]

4. Set the system contact, location, and serial number. You set the system contact with the snmp-server contact [text] command, the location with the snmp-server location [text] command, and the serial number with the snmp-server chassis-id [text] command.

5. Use the access-list command to specify the list of hosts that are allowed read-only, read/write, or write-only access to the router.

The figure below shows Router 1, which is configured to allow SNMP read-only access and read/write access from two separate hosts. Router 1 is also configured to send SNMP trap information to the same two hosts. The following lines show how Router 1 should be configured so that SNMP access from both host 192.168.10.1 and host 192.168.10.2 is allowed and SNMP trap information is sent to both hosts:

access-list 12 permit 192.168.10.1
access-list 13 permit 192.168.10.2
snmp-server contact VISA
snmp-server location Network Engineers
snmp-server chassis-id 200000444
snmp-server community observe RO 12
snmp-server community adjust RW 13
snmp-server host 192.168.10.1 observe snmp
snmp-server host 192.168.10.2 adjust snmp


Router 1 configured for SNMP
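The value of the access-list in step 1 is easiest to see by auditing a configuration for the cases where it is missing. The following is an added Python example, not code from the blog or from Cisco: it reads SNMP and access-list lines in the format shown above and reports communities with no access-list, with an access-list that is referenced but not defined, with a well-known default name, or with read-write access, plus access-list entries that permit more than a single host. The Router 1 lines are the ones from this post; the weaker variant is constructed for contrast.

```python
"""Audit the SNMP section of an IOS configuration for weak settings.

Added example; it parses only the community and standard access-list line
formats used in the post and is not a full IOS configuration parser.
"""
import re

WELL_KNOWN_COMMUNITIES = {"public", "private"}

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\d+))?$", re.I)
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$")


def parse_acls(lines):
    """Map ACL number -> list of (action, source, wildcard-or-None)."""
    acls = {}
    for ln in lines:
        m = ACL_RE.match(ln)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
    return acls


def audit_snmp(config: str) -> list:
    """Return one finding string per weak SNMP setting."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    acls = parse_acls(lines)
    findings = []
    for ln in lines:
        m = COMMUNITY_RE.match(ln)
        if not m:
            continue
        name, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
        if name.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(f"community {name}: well-known default name")
        if mode == "RW":
            findings.append(f"community {name}: read-write access; limit RW to hosts that must write")
        if acl is None:
            findings.append(f"community {name}: no access-list, any source address may use it")
        elif acl not in acls:
            findings.append(f"community {name}: references access-list {acl}, which is not defined")
        else:
            for action, source, wildcard in acls[acl]:
                if action != "permit":
                    continue
                # "host X", a bare address, or a 0.0.0.0 wildcard all mean one host.
                wide = source == "any" or (source != "host" and wildcard not in (None, "0.0.0.0"))
                if wide:
                    src = source if wildcard is None else f"{source} {wildcard}"
                    findings.append(f"community {name}: access-list {acl} permits more than a single host ({src})")
    return findings


# Router 1's SNMP configuration as listed in the post.
POST_CONFIG = """
access-list 12 permit 192.168.10.1
access-list 13 permit 192.168.10.2
snmp-server contact VISA
snmp-server location Network Engineers
snmp-server chassis-id 200000444
snmp-server community observe RO 12
snmp-server community adjust RW 13
snmp-server host 192.168.10.1 observe snmp
snmp-server host 192.168.10.2 adjust snmp
"""

# Constructed weaker variant: default names, a community with no ACL, an
# undefined ACL, and an ACL that permits a whole subnet.
WEAK_CONFIG = """
access-list 20 permit 192.168.10.0 0.0.0.255
snmp-server community public RO
snmp-server community private RW 20
snmp-server community mgmt RO 99
"""

if __name__ == "__main__":
    for label, cfg in (("post", POST_CONFIG), ("weak", WEAK_CONFIG)):
        print(label)
        for f in audit_snmp(cfg):
            print("  -", f)
```

On the post's configuration the only finding is that the adjust community is read-write, which is intended here; the point of the check is that it is visible and tied to a single permitted host.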


Monday, 22 February 2010

How to Configure Banner Messages on a Cisco Router


My previous post covered how to configure password encryption on a Cisco router. This post covers how to configure banner messages on a Cisco router:

There are four types of banner messages:


---> Message of the Day (MOTD): Displayed at login. Useful for sending messages that affect all network users.
---> Login: Displayed after the Message of the Day banner appears and before the login
prompts.
---> EXEC: Displayed whenever an EXEC process is initiated.
---> Incoming: Displayed on terminals connected to reverse Telnet lines.

The process for configuring banner messages is fairly simple. Enter the following command in global configuration mode, where the delimiting character marks the start and the end of the banner text:

banner {exec|motd|login|incoming} [delimiting character] message [delimiting character]


Here is a sample MOTD banner:

CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#banner motd #
Enter TEXT message. End with the character '#'.
*****************************************************
* WARNING...WARNING...WARNING...WARNING
* YOU HAVE ACCESSED A RESTRICTED DEVICE
* USE OF THIS DEVICE WITHOUT PRIOR AUTHORIZATION
* OR FOR PURPOSES WHICH AUTHORIZATION HAS NOT BEEN
* GRANTED IS STRICTLY PROHIBITED!!!
*****************************************************
#
CiscoRouter(config)#end
CiscoRouter#


The results of setting the MOTD banner message can be seen by using the show running-config command or by logging into the router. The following is an example of logging into the router from the console port:

CiscoRouter con0 is now available
......
Press RETURN to get started.
......
******************************************************
* WARNING...WARNING...WARNING...WARNING
* YOU HAVE ACCESSED A RESTRICTED DEVICE
* USE OF THIS DEVICE WITHOUT PRIOR AUTHORIZATION
* OR FOR PURPOSES WHICH AUTHORIZATION HAS NOT BEEN
* GRANTED IS STRICTLY PROHIBITED!!!
******************************************************
CiscoRouter>


EXEC banner messages, as mentioned earlier, are displayed when an EXEC process starts, which in practice means after the user has authenticated and before the first prompt appears. Industry-standard best practices recommend configuring a MOTD banner message as well as an EXEC banner message. Still working on the same router, here's how to configure an EXEC banner to complement the MOTD banner:

CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#banner exec #
Enter TEXT message. End with the character '#'.
*******************************************************
* WARNING...WARNING...WARNING...WARNING
* THIS IS A REMINDER...THIS IS A REMINDER
* YOU HAVE ACCESSED A RESTRICTED DEVICE
* USE OF THIS DEVICE WITHOUT PRIOR AUTHORIZATION
* OR FOR PURPOSES WHICH AUTHORIZATION HAS NOT BEEN
* GRANTED IS STRICTLY PROHIBITED!!!
*******************************************************
#
CiscoRouter(config)#end
CiscoRouter#


The results of setting the EXEC message can be seen by using the show running-config command or by using the telnet command to remotely connect to a router with the EXEC banner enabled. The results of configuring both the MOTD banner and the EXEC banner can be seen here:

R1#telnet 192.168.10.1
Trying 192.168.10.1 ... Open
*******************************************************
* WARNING...WARNING...WARNING...WARNING
* YOU HAVE ACCESSED A RESTRICTED DEVICE
* USE OF THIS DEVICE WITHOUT PRIOR AUTHORIZATION
* OR FOR PURPOSES WHICH AUTHORIZATION HAS NOT BEEN
* GRANTED IS STRICTLY PROHIBITED!!!
*******************************************************
User Access Verification
Username: Visa
Password:
*******************************************************
* WARNING...WARNING...WARNING...WARNING
* THIS IS A REMINDER...THIS IS A REMINDER
* YOU HAVE ACCESSED A RESTRICTED DEVICE
* USE OF THIS DEVICE WITHOUT PRIOR AUTHORIZATION
* OR FOR PURPOSES WHICH AUTHORIZATION HAS NOT BEEN
* GRANTED IS STRICTLY PROHIBITED!!!
*******************************************************
CiscoRouter>en
Password:
CiscoRouter#


Notice that the EXEC banner is displayed after the user has passed the local authentication phase on the router.


Monday, 8 February 2010

How to Configure Password Encryption


My previous post covered how to configure privilege levels for users on a Cisco router. In this post I'd like to show you how to configure password encryption on a Cisco router.

It is relatively simple to configure password encryption on Cisco routers. When password encryption is configured, all passwords that are configured on the router are converted to an unsophisticated reversible cipher. Although the algorithm used to convert the passwords is somewhat unsophisticated, it still serves a useful purpose: intruders cannot simply view the password in plain text and know what the password is. To enable password encryption, use the command service password-encryption.

The following example shows a router configuration prior to enabling password encryption. An enable password, a console password, and a Telnet password are configured:

CiscoRouter#show running-config
!
enable password Cisco
!
line con 0
password NetVisa
!
line vty 0 4
password Security
!

The following example shows the command you would use to enable password encryption on the router:

CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#service password-encryption
CiscoRouter(config)#end
CiscoRouter#

The results of enabling password encryption can be seen in the following example. Notice that each password is now represented by a string of letters and numbers, which is the encrypted form of the password:

CiscoRouter#show running-config
!
enable password 7 05280F1C2243
!
line con 0
password 7 04750E12182E5E45001702
!
line vty 0 4
password 7 122A00140719051033
!


Note: Password encryption does not provide a very high level of security. There are widely available password crackers that can reverse the encryption. I do, however, recommend using the password encryption command on all routers. I also recommend that you take additional security measures to protect your passwords.


Monday, 25 January 2010

How to Configure Privilege Levels for Users on Cisco Router


My previous post covered disabling password recovery on a Cisco router. In this post I'd like to show you how to configure privilege levels for users on a Cisco router.

Commands entered into the IOS can be associated with a privilege level. You configure the privilege level for a command using the global configuration command privilege level. The exact syntax of this command is as follows:

privilege mode level level command
privilege mode reset command

The Image.1 below displays three users, Googla, Visa, and Yaha, connected to a local segment. Googla is the network engineer; he has full control over Cisco Router. Visa and Yaha are system administrators; they need only limited functionality on Cisco Router. Here is an example of the configuration that meets this requirement:

enable secret Googla
enable secret level 3 Visa
enable secret level 2 Yaha
privilege exec level 3 debug
privilege exec level 3 show running−config
privilege exec level 3 telnet
privilege exec level 2 ping
privilege exec level 2 sh int ser0
privilege exec level 2 sh ip route
line con 0
login
Image.1: Using privilege levels to create administrative levels.

This configuration provides Googla with the default full administrative rights to the router. Visa is given access to all features that are allowed with administrative level 3 and can perform the commands that are listed with a privilege level of 3. Yaha is assigned a privilege level of 2 and is given access to all features and allowed to perform the commands listed with a privilege level of 2.

The key is that each user must use the enable command from the user mode prompt and log in with the password assigned for that level. An example is provided here:

CiscoRouter>
CiscoRouter>enable 3
Password: Visa
CiscoRouter#




Monday, 28 December 2009

How to Disable Password Recovery


Why do you need to set passwords on routers?

--> To defend against intruders.

Why might passwords need to be recovered?

>>> Sometimes passwords are forgotten. There are, however, some instances in which the widely known password recovery procedures should be disabled. When physical security is not possible or in a network emergency, password recovery can be disabled.

What is the key to recovering a password on a Cisco router?

>>> The key to recovering a password on a Cisco router is manipulation of the router's configuration register. All router passwords are stored in the startup configuration, so if the configuration register is changed properly, the startup configuration with the passwords stored within it can be bypassed.

What happens if you disable password recovery?

>>> If you have disabled the password recovery mechanism, you will not be able to perform password recovery on the router. Disabling the password recovery procedure of a Cisco router is a decision that must be thought out ahead of time, because the command used to disable password recovery also disables access to ROMMON.

How can you disable password recovery?

>>> You can disable the Cisco password recovery procedure by issuing the no service password-recovery command in global configuration mode:

CiscoRouter#config t
Enter configuration commands, one per line. End with CNTR/Z.
SecureRouter(config)#no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for
password recovery.
Are you sure you want to continue? [yes/no]: yes



As you can see, the IOS reminds you of how serious disabling the password recovery procedure is, with a warning message and a prompt allowing you to change your mind. To see the results of changing the password recovery feature, issue the show running-config command. The effects of issuing the command can be seen in the following configuration:


CiscoRouter#show run
Building configuration...
Current configuration:
!
version 12.0
service password-encryption
no service password-recovery
!
hostname CiscoRouter


After password recovery has been disabled and the configuration has been saved, the widely available password recovery procedure will not be available on the router. The following output verifies that password recovery is indeed disabled:

CiscoRouter#reload
Proceed with reload? [confirm]
00:14:34: %SYS-5-RELOAD: Reload requested
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
PC = 0xfff14ee8, Vector = 0x500, SP = 0x680127b0
C2600 platform with 49152 Kbytes of main memory
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80008000, size: 0x928024
Self decompressing the image : #######################....

If the no service password-recovery command has been issued on a Cisco router and the passwords have been forgotten, you must contact your Cisco Technical Support Engineer to obtain help in gaining access to the router and enabling the password recovery process again.

http://networksecuritynotes.blogspot.com/2009/12/how-to-disabling-password-recovery.html


Friday, 17 July 2009

Learn to Configure Enable Mode Security on Cisco Router


To configure enable mode access, you can use one of two commands: enable password or enable secret. Both commands accomplish the same thing, allowing access to enable mode. However, the enable secret command is considered more secure because it stores the password as a one-way MD5 hash. Use the enable password command only with older IOS images and/or boot ROMs that have no knowledge of the newer enable secret command.




You configure an enable password by entering the enable password command in global configuration mode:

CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#enable password VisaGoogla
CiscoRouter(config)#end
CiscoRouter#


The preceding configuration sets the enable password to VisaGoogla. The result of setting the enable password can be seen in the following output. From the user mode prompt, you must enter the enable command to gain access into privileged mode:

CiscoRouter>enable
Password: VisaGoogla
CiscoRouter#

Note: After you enter the enable command, the password you type at the password prompt will not be displayed. Be sure to type the password exactly as it is configured in the enable password command.

You configure an enable secret password by entering the following command in global configuration mode:

CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#enable secret VisaGooglaSec
CiscoRouter(config)#end
CiscoRouter#


The preceding configuration sets the enable secret password to VisaGooglaSec. The result of setting the enable secret password can be seen in the following output. From the user mode prompt, you must enter the enable command to gain access into privileged mode, as follows:

CiscoRouter>enable
Password: VisaGooglaSec
CiscoRouter#


Note: After you enter the enable command, the password you type at the password prompt will not be displayed. Be sure to type the password exactly as it is configured in the enable secret command.

Note: For security reasons, we recommend using enable secret rather than enable password, because the secret is stored as an MD5 hash of the password, which makes it more secure than enable password.


Friday, 3 July 2009

Learn to configure Telnet Security on Cisco Router


As you know, directly connecting to the console of a router is generally a relatively easy method for gaining access to the device; however, this method is inconvenient and does not scale well. If console access is the only method available to gain access to the device, an administrator must always walk, drive, or fly to the physical location of the router and plug into the device's console port. Fortunately, there are methods for gaining access to the router from a remote location. The most common method of remote administration for a Cisco router is to use a Telnet session. Unlike with console access, there are four configuration requirements that must be met before you can use this method of access:

1. An enable password must be supplied.
2. The router must have an IP address assigned to a routable interface.
3. The routing table of the router must contain a route for the source of the Telnet packet.
4. Under line configuration mode, a vty password must be supplied.


The steps involved in defining Telnet security are similar to the steps used to configure console security. An example of configuring the fourth requirement (after the first three have been met) can be seen here:


CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#line vty 0 4
CiscoRouter(config-line)#password CisViSa
CiscoRouter(config-line)#login
CiscoRouter(config-line)#end
CiscoRouter#





As mentioned in my previous post about learning to configure Console Security, Cisco routers also maintain a local user authentication database. The same database can be used to authenticate users who connect to the router over Telnet. Here is an example of configuring the router to use the local user database for authentication of users who attempt to access the router via Telnet:


!
username Visa privilege 15 password 0 Vipsw
username Googla privilege 12 password 0 Goopsw
username Yaha privilege 8 password 0 Yapsw
!
line vty 0 4
login local



The result is that, when a user telnets to the router with this configuration, they will be prompted to enter a username and password before being allowed to gain access into the router.

Routers can also restrict Telnet access to authorized users with the use of an access list. The access list is then applied to the virtual terminal ports of the router with the access-class command. This allows you to restrict Telnet access to a particular IP address or a subnet of IP addresses. Use the following steps to configure this method of security:

1. Use the access-list global configuration command to configure an access list that permits the specific hosts that are allowed Telnet access.
2. Use the access-class access-list-number {in|out} command to apply the access list to the virtual terminal ports.

In the following example, the router is configured to allow only three hosts Telnet access on each of the available virtual terminal ports:


CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#access-list 20 permit 192.168.0.10
CiscoRouter(config)#access-list 20 permit 192.168.0.11
CiscoRouter(config)#access-list 20 permit 192.168.0.12
CiscoRouter(config)#line vty 0 4
CiscoRouter(config-line)#access-class 20 in
CiscoRouter(config−line)#end
CiscoRouter#



Note: Console and Telnet security are not preconfigured for you by default. One of your first configuration steps when you initially set up your router should be to secure each of these access methods.
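An added example (not part of the original post) that models how the router evaluates a Telnet source address against a standard access list applied with access-class in: the first matching entry wins, host and wildcard-mask entries are both handled, and a source that matches nothing hits the implicit deny at the end of the list. The ACL text (the post's three host entries plus a constructed deny and subnet entry) and the function names are constructed for this example.

```python
import ipaddress

# Constructed ACL (not from the original post's router): the three host entries
# from the post plus a deny and a wildcard-mask subnet entry to show first-match
# evaluation, the 'host' keyword, and the implicit deny at the end.
SAMPLE_ACL = """
access-list 20 permit 192.168.0.10
access-list 20 permit 192.168.0.11
access-list 20 permit host 192.168.0.12
access-list 20 deny host 10.1.1.5
access-list 20 permit 10.1.1.0 0.0.0.255
"""

def parse_standard_acl(text, number):
    """Return [(action, address_int, wildcard_int)] for one numbered standard ACL."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[:2] != ["access-list", str(number)]:
            continue
        action, tokens = parts[2], parts[3:]
        if tokens[0] == "any":
            addr, wildcard = 0, 0xFFFFFFFF
        elif tokens[0] == "host":          # 'host x' is shorthand for 'x 0.0.0.0'
            addr, wildcard = int(ipaddress.IPv4Address(tokens[1])), 0
        else:                               # a bare address also means an exact host match
            addr = int(ipaddress.IPv4Address(tokens[0]))
            wildcard = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
        entries.append((action, addr, wildcard))
    return entries

def vty_access_allowed(entries, source_ip):
    """Decide as 'access-class <n> in' would: first matching entry wins, and a
    source that matches nothing hits the implicit deny at the end of the list."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wildcard in entries:
        fixed = ~wildcard & 0xFFFFFFFF      # wildcard 1-bits are "don't care" bits
        if (src & fixed) == (addr & fixed):
            return action == "permit"
    return False

def audit_sources(text, number, sources):
    """Map each candidate Telnet source to True/False for a quick review of who gets in."""
    entries = parse_standard_acl(text, number)
    return {ip: vty_access_allowed(entries, ip) for ip in sources}
```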


Friday, 19 June 2009

Learn to configure Console Security on Cisco Router



The console port is used to attach a terminal directly to the router. By default, no security is applied to the console port, and the setup utility does not prompt you to configure security for console access. Cisco routers have many different modes of operation, one of which is user mode. When you first access the router via the console port, the router prompts you for a password if one has been configured. After successfully supplying the password, you are logged into user mode on the router. When a Cisco router is in user mode, the router displays its hostname followed by the greater-than symbol. Here is an example of user mode access:

CiscoRouter>



User mode has limited functionality. Enable mode, also called privileged mode, can be accessed by typing the enable command. If passwords have been configured to access this level of the IOS, the router prompts you for the correct password. When a Cisco router is in enable mode, the router will display its hostname followed by the pound sign. Here is an example of enable mode access:

CiscoRouter#



Cisco passwords are case sensitive. The simplest and most direct way to connect to the network device is to use a direct connection to the console port of a router or switch. You can configure a console password to authenticate users for user mode access by entering the following commands:

CiscoRouter#config t
Enter configuration commands, one per line. End with CNTL/Z.
CiscoRouter(config)#line con 0
CiscoRouter(config-line)#password CisRoutPsw
CiscoRouter(config-line)#login
CiscoRouter(config-line)#end


The preceding configuration sets the user mode password to CisRoutPsw. Cisco routers also maintain a local user authentication database, which can be used to authenticate users who connect directly to the console port of a router. Here's an example of configuring the router to use the local user database for authentication of users who attempt to access the router via the console:

!
username Visa privilege 15 password 0 Vipsw
username Googla privilege 12 password 0 Goopsw
username Yaha privilege 8 password 0 Yapsw
!
line con 0
login local
transport input none
!



The preceding configuration defines three users: Visa, Googla, and Yaha. Each user has an associated privilege level defined for their login credentials and a password associated with their username. This allows Visa to log into the router with a username of Visa and a password of Vipsw. Because Visa's privilege level of 15 is the maximum privilege level that can be configured on the router, Visa is considered to be the super-user. Googla has a privilege level of 12 and the password Goopsw.

Assignment of privilege levels is discussed in detail in the next post.

By assigning Googla a privilege of 12, the administrator can limit the functionality that Googla may have on the router. That's also the case for Yaha. When a user plugs into the console port of a router configured with local authentication, they are first prompted for their username; after successfully passing the correct username to the router, they are then prompted for the password that is associated with that username. The following example details these steps:


User Access Verification
Username: Visa
Password: Vipsw
CiscoRouter#



Now, what do you think would happen if you were to attempt to log in with the username of Visa and the password that is associated with Googla? You would suspect that the router would deny you access. This example details this attempt:


User Access Verification
Username: Visa
Password: Goopsw
% Login invalid
Username:


From this, you can see that you must supply the password that is associated with the username with which you are attempting to gain access.

Warning: When using local authentication and assigning privilege levels, you must be careful to associate the correct username with the correct privilege level.
Anyone who logs in with a privilege level that is equal to 2 or above is logged directly into privileged mode.
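A small configuration audit, added here as an example and not code from the original posts, that reads a running-config excerpt and flags the weak settings discussed in the enable mode, Telnet and console posts above: enable password without enable secret, type 0 username passwords, lines with no login, a shared line password instead of login local, and vty lines without an access-class. The config excerpt and the function names are constructed for this example.

```python
import re

# Constructed running-config excerpt (not from the original posts): enable password
# instead of enable secret, a type 0 username password, a console line using the local
# database, and a Telnet line protected only by a shared password and no access-class.
SAMPLE_CONFIG = """
enable password VisaGoogla
username Visa privilege 15 password 0 Vipsw
line con 0
 login local
line vty 0 4
 password CisViSa
 login
"""

def parse_sections(config):
    """Split a config into global commands and the subcommands of each 'line' block."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:   # indented = subcommand
            line_blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw[5:].strip()
            line_blocks[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, line_blocks

def audit_access_security(config):
    """Return findings on the enable-mode, console and Telnet controls described above."""
    g, lines = parse_sections(config)
    findings = []
    if not any(c.startswith("enable secret") for c in g):
        findings.append("enable secret not set: enable password is reversible, not an MD5 hash")
    for c in g:
        m = re.match(r"username (\S+) .*\bpassword 0 ", c)
        if m:
            findings.append(f"username {m.group(1)}: password stored as type 0 (plaintext)")
    for name, cmds in lines.items():
        if not any(c in ("login", "login local") for c in cmds):
            findings.append(f"line {name}: no login, access is unauthenticated")
        elif "login local" not in cmds:
            findings.append(f"line {name}: shared line password instead of per-user login local")
        if name.startswith("vty") and not any(c.startswith("access-class") for c in cmds):
            findings.append(f"line {name}: no access-class, Telnet reachable from any source")
    return findings
```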
