Securing your Network

  1. #1
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840

    Securing your Network

    Having a secure network has become a top priority these days, making sure there are no intruders going where they're not supposed to. At least it has become a top priority at my job to recheck our routers and make sure everything is running smoothly and that we don't have any employees posting their password on a sticky note on the monitor. Here are a few things that will help secure your network:


    Passwords

    Do you want just anybody to access your router? Perhaps you want only a handful of people to be able to log onto the router and a few others to be able to remotely connect to the router and administer it in cases of emergency. Logical router access needs to be protected from internal staff and external intruders.

    Enable Password

    Protecting privileged mode (or enable mode) on your router is a very important thing to do and very straightforward. When any person attempts to enter privileged mode from user exec mode they will be prompted for a password.

    Router>
    Router>enable
    Router#config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#enable password $%kk12ER
    Router(config)#exit
    Router#disable
    Router>enable
    Password:
    Router#

    By default, the enable password can be seen when any user looks at the running configuration of the router. You probably do not want this to happen.

    Router#sh run
    01:34:42: %SYS-5-CONFIG_I: Configured from console by console
    Building configuration...

    Current configuration : 813 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Router
    !
    enable password $%kk12ER

    You can take off the enable password by entering a ‘no’ in front of the command again.



    Enable Secret Password

    Router#conf t <- Short for configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#no enable password <- Take off the enable password
    Router(config)#
    Router(config)#
    Router(config)#enable secret l?cCas£%
    Router(config)#exit
    Router#disable
    01:32:39: %SYS-5-CONFIG_I: Configured from console by console
    Router>enable
    Password:
    Router#

    You can see that when a ‘show running-configuration’ command is issued the enable secret password is encrypted. Only the relevant part of the configuration is shown.

    Router#show run <- Short for show running-configuration
    Building configuration...

    Current configuration : 838 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Router
    !
    enable secret 5 $1$F3Dy$w0mwxVmJ79Ug9pK/snpRe/ <- MD5 algorithm

    The number 5 after the enable secret stands for level 5 encryption which uses something called the MD5 algorithm. This is harder to crack than level 7.



    You can actually encrypt all of the passwords on the router with the ‘service password-encryption’ command.

    Router(config)#
    Router(config)#
    Router(config)#enable password @&%ghFR
    Router(config)#service pas
    Router(config)#service password-encryption
    Router(config)#exi
    Router#show run
    Building configuration...

    Current configuration : 819 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Router
    !
    enable password 7 070724404206 <-Weaker ‘reversible’ algorithm

    Auxiliary Password

    In order to protect connections through your aux port you will need to assign a password to it. Note that when you configure a port the router drops into something called ‘config-line’.

    Router#
    Router#config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#line aux ?
    <0-0> First Line number

    Router(config)#line aux 0
    Router(config-line)#login <- Config-line mode
    Router(config-line)#password l#2$mMw23
    Router(config-line)#^Z
    Router#

    The ‘login’ command is very important: it tells the router to ask the user for a password. The command ‘login local’ tells the router to check a username and password you have configured on the router itself. You can put a server on the network which does the job of authenticating all the users.

    Telnet Password

    In order to connect to your router over the internet or remotely you may want to telnet to it. In order to allow telnet sessions you need to have a password set on the telnet port. Telnet ports are not physically there, you will normally telnet via the serial port and a virtual terminal (known as vty) will be opened. The number of available ports depends upon your model of router.

    RouterA#
    RouterA#config t
    Enter configuration commands, one per line. End with CNTL/Z.
    RouterA(config)#line vty ?
    <0-4> First Line number

    RouterA(config)#line vty 0 4 <- There are 5 vty ports on this router 0-4 inclusive
    RouterA(config-line)#login
    RouterA(config-line)#password Uu&%p@#
    RouterA(config-line)#^Z

    Now I can telnet to Router A from Router B:

    RouterB#
    RouterB#telnet 192.168.1.1
    Trying 192.168.1.1 ... Open
    User Access Verification

    Password:
    RouterA>
    RouterA>
    RouterA>enable
    Password:
    RouterA# <- I am now connected to Router A from Router B
    RouterA#exit

    [Connection to 192.168.1.1 closed by foreign host]
    RouterB#

    Console Password

    It is very important to protect your console port on the router. If not, any person who can get physical access to the router will be able to reconfigure it and reboot it.

    RouterA#
    RouterA#config t
    Enter configuration commands, one per line. End with CNTL/Z.
    RouterA(config)#line console ?
    <0-0> First Line number

    RouterA(config)#line console 0
    RouterA(config-line)#login
    RouterA(config-line)#password hello
    RouterA(config-line)#
    RouterA(config-line)#exit
    RouterA(config)#exit
    RouterA#
    02:15:43:
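
An added example, not part of the original post or of the tutorial it came from: a small Python auditor that reads saved `show run` output and flags the password settings covered above (enable password versus enable secret, service password-encryption, and `login` on console, aux and vty lines). The sample config, its placeholder passwords and the wording of the findings are constructed for illustration.

```python
import re

# Constructed sample built from the fragments in the post; passwords are placeholders.
SAMPLE_CONFIG = """\
version 12.2
no service password-encryption
hostname Router
enable password EXAMPLE-CLEARTEXT
line con 0
 password EXAMPLE-CLEARTEXT
 login
line aux 0
line vty 0 4
 password 7 070724404206
end
"""

PW = re.compile(r"password (?:(\d+) )?\S+$")   # optional type digit, then the value

def storage(m):
    """Describe how a matched 'password' command stores its value."""
    return {None: "cleartext", "7": "type 7 (reversible)"}.get(m.group(1), f"type {m.group(1)}")

def audit(config):
    """Return findings for the password settings covered in the post."""
    section, seen = "global", {"global": []}
    for raw in config.splitlines():
        if raw.startswith("line "):            # start of a con/aux/vty block
            section = raw.strip()
            seen[section] = []
            continue
        if not raw.startswith(" "):            # any other top-level command
            section = "global"
        seen[section].append(raw.strip())
    glob, findings = seen.pop("global"), []
    if "service password-encryption" not in glob:
        findings.append("global: service password-encryption is not enabled")
    if not any(c.startswith("enable secret ") for c in glob):
        findings.append("global: no enable secret configured")
    for c in glob:
        if c.startswith("enable ") and (m := PW.match(c[7:])):
            findings.append(f"global: enable password stored as {storage(m)}")
    for name, cmds in seen.items():
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"{name}: no login command")
        for m in filter(None, map(PW.match, cmds)):
            findings.append(f"{name}: password stored as {storage(m)}")
    return findings
```

Call `audit()` on the text of a saved configuration; each finding names the section it came from so it can be matched back to the `line` block or global command.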

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    looks good and all.. and I hate to rain on your parade ..but did you write this ?
    do you work for Networks Incorporated ?

    Securing the Router
    Powered By Beginners.co.uk
    Category : Cisco
    Submitted By : Networks Incorporated

    Published Date : 15th July 2003
    Viewed : 1247 times

    From Course : CCNA Module 7 - Security and Access Lists


    http://tutorials.beginners.co.uk/rea.../recent/id/455

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Good find sumdumguy, I thought it looked a lot like a CCNA document.

    Cybr1d: The tutorials forum is only for original tutorials. Plagiarism is highly frowned upon here.
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  4. #4
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    sorry bout that....actually forgot to post the link this time. The article came from: http://tutorials.beginners.co.uk/
    As a matter of fact it has hundreds of nice tuts. Might wanna bookmark that site. If there's any moderators around can you please move this post from tutorials to newbie security questions?


    I'm very sorry bout this.

  5. #5
    Junior Member
    Join Date
    Aug 2003
    Posts
    1
    Thnx for the info
    I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones.
    Albert Einstein

  6. #6
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    *Moved from Tutorials*
