Basic Router Security
Router passwords

Passwords are the most critical tools in controlling access to a router. There are two password protection schemes in Cisco IOS:

  1. Type 7 uses a Cisco-defined reversible encoding (a fixed-key XOR), which is much weaker than Type 5: anyone who obtains a copy of the configuration can recover the original password. Type 7 is what the enable password, username password, and line password commands use once service password-encryption is enabled.
  2. Type 5 stores an MD5 hash of the password, which is much stronger because the password itself is never written to the configuration. Cisco recommends that Type 5 be used instead of Type 7 wherever it is available.

To protect the privileged EXEC level as much as possible, do not use the enable password command; use the enable secret command. Even when an enable secret is set, do not also set an enable password: it is never used while the secret exists, and because it is stored at best as Type 7 it may give away a password that is also used elsewhere.

No user account should be created above privilege level 1. The default EXEC login (the password command under a line) can only be protected with Type 7, and on older IOS releases the same is true of the username command (releases that support username name secret store an MD5 hash instead and should use it). User accounts should still be created for auditing purposes: use the username command to create individual accounts at the EXEC level, and protect the higher privilege levels with the enable secret password. Users with a need to work at higher levels are given the higher privilege level password.

If the login command is used to protect a line, then the password command is the only way to set a password on that line, and everyone who uses the line shares it. If the login local command is used instead, the configured username and password pairs are used, so each session can be tied to a person. For access control and logging reasons, use the login local command.

The privileged EXEC secret must not match any other password on the router: do not set any user or line password to the same value as any enable secret, since those weaker passwords would then reveal the secret.

The service password-encryption command keeps passersby from reading passwords that are displayed on the screen, but it offers no more than that: it applies Type 7 to the passwords it covers, and anyone with a copy of the configuration can reverse Type 7. Be aware also that some secret values, such as SNMP community strings, are not protected by service password-encryption at all. Never set any of these secret values to the same string as any other password.

Good password practices include the following:

  • Avoid dictionary words, names, phone numbers, and dates.
  • Include at least one lowercase letter, uppercase letter, digit, and special character.
  • Make all passwords at least eight characters long.
  • Avoid more than four digits or same-case letters in a row.

Cisco IOS Software Release 12.3(1) and later allow administrators to set the minimum character length for all router passwords using the security passwords min-length global configuration command, as shown in the figure. Specifying a minimum length eliminates the short, common passwords that are prevalent on many networks, such as "lab" and "cisco." The command affects user passwords, enable passwords and secrets, and line passwords created after the command is entered; existing router passwords remain unaffected and should be reviewed separately.

The syntax of the security passwords min-length command is shown in the figure.
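The following Python script is an added example, not code from the original page or from Cisco. It ties the preceding passages together by auditing a constructed running-config for the problems they describe: an enable password set alongside the enable secret, Type 7 and cleartext passwords (with the Type 7 values decoded to show how little they hide), a line protected with login instead of login local, passwords shorter than eight characters, and one value reused by several commands. The Type 7 key is Cisco's publicly known fixed key; the sample configuration and its Type 5 placeholder hashes are constructed for this example.

```python
"""Audit a Cisco IOS running-config for the password weaknesses discussed above.

Added example, not code from the original page. Type 7 is a fixed-key XOR
cipher with a key that has been public for decades, so decoding it takes a
few lines; the audit uses that to compare passwords across commands.
"""
import re

# Cisco's fixed Type 7 key. Its being public is exactly the weakness.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
MIN_LENGTH = 8  # the text's "at least eight characters"


def decode_type7(encoded: str) -> str:
    """Reverse a Type 7 string: two decimal digits of seed, then one hex byte
    per character, each XORed with the key starting at the seed offset."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)]))
                   for i, b in enumerate(body))


def encode_type7(plain: str, seed: int = 0) -> str:
    """Forward direction, to show that the 'encryption' is just XOR."""
    return "%02d" % seed + "".join(
        "%02X" % (ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]))
        for i, c in enumerate(plain))


# Matches 'enable password', 'username NAME password' and a line's 'password',
# with an optional type digit (0 = cleartext, 7 = reversible) before the value.
PASSWORD_CMD = re.compile(
    r"^(enable password|username (\S+) password|password)(?: (0|7))? (\S+)$")


def audit(config: str) -> list:
    """Return (code, detail) findings: enable password still set, Type 7 or
    cleartext values, a line using 'login' instead of 'login local', passwords
    shorter than MIN_LENGTH, and one value reused by several commands."""
    findings = []
    seen = {}             # decoded password -> first command that set it
    current_line = None   # the 'line ...' block we are inside, if any
    for raw in config.splitlines():
        if raw and not raw[0].isspace():
            current_line = None           # left the previous line block
        text = raw.strip()
        if text.startswith("line "):
            current_line = text
            continue
        if text == "login" and current_line:
            findings.append(("LINE_LOGIN_NOT_LOCAL", current_line))
            continue
        m = PASSWORD_CMD.match(text)
        if not m:
            continue
        cmd, user, ptype, value = m.groups()
        if cmd == "password" and not current_line:
            continue                      # a 'password' outside any line block
        where = current_line if cmd == "password" else cmd
        plain = decode_type7(value) if ptype == "7" else value
        if cmd == "enable password":
            findings.append(("ENABLE_PASSWORD_SET", "remove it; use enable secret"))
        if ptype == "7":
            findings.append(("TYPE7_REVERSIBLE", "%s -> %r" % (where, plain)))
        else:
            findings.append(("CLEARTEXT_PASSWORD", where))
        if user:
            findings.append(("USERNAME_NOT_SECRET",
                             "username %s: use 'secret' where supported" % user))
        if len(plain) < MIN_LENGTH:
            findings.append(("SHORT_PASSWORD", "%s (%d chars)" % (where, len(plain))))
        if plain in seen:
            findings.append(("PASSWORD_REUSE", "%s reuses the %s value" % (where, seen[plain])))
        else:
            seen[plain] = where
    return findings


# Constructed sample config for this example. The $1$ strings are placeholders
# standing in for real MD5-crypt hashes; the Type 7 strings are genuine encodings.
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
enable secret 5 $1$salt$PLACEHOLDER.not.a.real.hash
enable password 7 0822455D0A16
username admin password 7 12150415
username ops secret 5 $1$salt$PLACEHOLDER.not.a.real.hash
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print("%-22s %s" % (code, detail))
```

Run against the sample, the audit decodes the enable password and the console line password to "cisco" and the admin account to "lab", flags the console line for reusing the enable password value and for using login rather than login local, and reports every decoded password as shorter than eight characters. The vty lines, which use login local and no line password, produce no findings. Type 5 values are deliberately left alone: the script cannot tell whether a hash equals another password, which is why the text insists that the enable secret never be reused anywhere a weaker storage type applies.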

By default, Cisco IOS routers honor a break sequence on the console during power up, which drops the router into ROMMON mode. From ROMMON, anyone can follow the well-known Cisco password recovery procedure: change the configuration register so the router boots without loading its startup configuration, enter privileged EXEC with no password, load the saved configuration, and set a new enable secret. Performed correctly, this leaves the rest of the router configuration intact. The scenario is a potential security breach: anyone who gains physical access to the console port can enter ROMMON, reset the enable secret, and read the entire router configuration.

This potential security breach can be mitigated using the no service password-recovery global configuration command, as shown in the figure.

NOTE:

The no service password-recovery command is a hidden Cisco IOS command, and is not visible in the ? output.

If a router is configured with no service password-recovery, the break sequence no longer gives access to ROMMON, and on many platforms the only option offered at break time is a factory reset that erases the startup configuration. Weigh this before enabling it: if the router's flash memory does not contain a valid Cisco IOS image, you will not be able to use the ROMMON xmodem command to load a new flash image. To repair the router, you must obtain a new Cisco IOS image on a flash SIMM, or on a PCMCIA card (3600 only). See Cisco.com for more information regarding backup flash images.
