Securing a Router

Security is like an onion: we need several layers of security. We could force each user to enter a password to reach a specific level of a building, but for convenience we can issue swipe cards that grant access up to a certain level (without entering a password) once the user is inside the building.

Privilege levels [think of the router as a building with 15 levels]

  • # is privilege level 15
  • > is privilege level 1
  • All commands available at a lower level are also available at the higher levels

Move ping command to privilege level 4

  • (config)#privilege exec level 4 ping

Enter into privilege level 4

  • > enable 4

Check which privilege level you are in

  • > show privilege

Enable Secret [can set a password for each level]

It can be used to lock down each level (think of levels 2 and above). By default, enable secret applies to level 15 (the 15th [topmost] floor of the building).

The following commands have the same effect (setting the password ‘cisco123’ at level 15):

  • R1(config)#enable secret cisco123
  • R1(config)#enable secret level 15 0 cisco123 (0 = the password is given in clear text)
  • R1(config)#enable secret level 15 5 <MD5 hash of the password> (5 = the password is given as its MD5 hash)
  • R1(config)#enable secret 5 <MD5 hash of the password>

Username and password [card issued to a user, specifying the maximum privilege]

Use both a username and a password when connecting to the router (con, vty or aux), so set them first. You need to define the user’s privilege level (15 [highest position] means the user can access everything).

R1(config)# username admin privilege 15 secret 0 cisco123

  • This username is stored in the device’s local database

Secure entry point

  • The user needs to show the card [specify both username and password] rather than just a password
    • in technical terms, use the local database during login (login local)
  • there are 3 entry points (a line password is not required once login local is used, but it is good practice):
    • line console 0
      • password <pwd>
      • login local
    • line aux 0
      • password <pwd>
      • login local
    • line vty 0 15
      • password <pwd>
      • login local

Lock down access methods to the router: using AAA

So far:

  • We have been locking down each entry point individually

AAA stands for

  • Authentication: prove your identity, e.g. that you are a legitimate user
  • Authorization: what are you authorized to do? e.g. you can’t go to level 15 because you are a user with privilege level 4
  • Accounting: keep a record, e.g. “user1 went to level 5 at 5pm yesterday” is a record

Turn on AAA in the router

  • (config)# aaa new-model

AAA defines rules that the router follows across all entry points (console, vty, aux)

  • A method list is used to specify the rules
  • There is a default method list.
    • The default method list is applied everywhere automatically until a more specific method list is applied.
  • We can define custom method lists, but we need to specify where to apply them

Specify the default method list to use the local database for authentication

  • (config)# aaa authentication login default local (assumes a user exists in the local database)

Specify the default method list to use the local database for authorization [optional]

  • (config)# aaa authorization exec default local
    • before granting an exec shell, check the user’s privilege level in the local database
    • This command is not applied to the console port by default
      • If the local database is empty then we are locked out
  • MAKE SURE a user exists in the local database, and only then enter (config)# aaa authorization console

TEST AAA

  • #debug aaa authentication
  • #debug aaa authorization
  • R1#telnet r1
  • #undebug all

Define a custom method list to access the router: using AAA

  • Define a custom list ‘CON-AUTHEN’ for authentication: first check with the group of TACACS+ servers and, if they are unavailable, fall back to the enable secret (assumes the enable secret is set)
    • (config)# aaa authentication login CON-AUTHEN group tacacs+ enable
  • Define a custom list ‘CON-AUTHUR’ for authorization: perform no authorization
    • (config)# aaa authorization exec CON-AUTHUR none

APPLY this rule (custom method list) to console 0

  • line console 0
  • login authentication CON-AUTHEN
  • authorization exec CON-AUTHUR

Cool Tips

1. R1(config)# security passwords min-length 8

2. If 10 login attempts are made within 60 seconds, then block logins for 300 seconds

  • R1(config)# login block-for 300 attempts 10 within 60

3. This is an alternative to the previous point, but point 2 is better

  • R1(config)# aaa local authentication attempts max-fail 3
    • Once 3 failed login attempts are made, the user is locked out
  • show aaa local user lockout
  • clear aaa local user lockout all

4. Use SSH and HTTPS

HTTPS (CCP will use https):

  • ip http secure-server
  • ip http authentication local
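As an added example (not part of these notes), a small Python audit script that reads a saved running-config and flags the weak settings discussed above: a missing aaa new-model, enable password instead of enable secret, plain ip http server, no login block-for, no minimum password length, and lines that rely on a shared password without login local. The sample config is constructed, not captured from a real device.

```python
# Constructed sample running-config with several of the weaknesses covered in the notes.
SAMPLE_CONFIG = """\
enable password cisco
ip http server
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login local
"""

def parse_config(config):
    """Split a config into global commands and the sub-commands of each 'line' section."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())  # indented sub-command of a line section
            continue
        cmd = raw.strip()
        current = cmd if cmd.startswith("line ") else None
        if current:
            sections[current] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, sections

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, sections = parse_config(config)
    has = lambda prefix: any(c.startswith(prefix) for c in global_cmds)
    findings = []
    if not has("aaa new-model"):
        findings.append("aaa new-model missing: entry points are secured one by one")
    if has("enable password "):
        findings.append("enable password in use: replace with enable secret")
    if not has("enable secret"):
        findings.append("no enable secret: privilege level 15 is unprotected")
    if "ip http server" in global_cmds:
        findings.append("ip http server enabled: use ip http secure-server")
    if not has("login block-for "):
        findings.append("no login block-for: failed logins are not rate-limited")
    if not has("security passwords min-length"):
        findings.append("no security passwords min-length")
    for name, cmds in sections.items():
        if not has("aaa new-model") and "login local" not in cmds:  # no AAA: line must use local db
            findings.append(f"{name}: shared password only, add login local")
    return findings
```

Run audit() on the output of show running-config saved to a file; the line checks are skipped when aaa new-model is present because the method lists then govern every line.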

SSH


FUN

1. Who is connected to the device

  • #who  OR #show users
  • #show ssh

2. Create an alias c for configure terminal

  • alias exec c config t
  • show alias
