Cisco Router Security: How To Secure Cisco Routers Explained with Examples

By | 9th November 2015

Security Password Encryption on Cisco Routers.

Password Encryption

Setting a security password on the network router should be a fundamental aim when warding off network threats or intruders. Not just password, but a strong password. This will enable an administrator to have absolute control and secure access to a router.

Good password guidelines:

i.  Do not write passwords down and leave them in obvious places such as your desk or on your monitor.

ii.  Combine the use of letters, numbers, and symbols. To make it stronger, use the combination of at least one lowercase letter, uppercase letter, digit, and special character

iii. Its advisable to avoid dictionary words, names, phone numbers, and dates. Using dictionary words makes the passwords vulnerable to dictionary attacks.

iv.  Deliberately misspell a password. For example, Simon can be spelled as Symon or can also include numbers such as 5ymOn.

v.  Use lengthy passwords. The best practice is to have a minimum of eight to ten characters (Cisco IOS routers are equipped with a feature to enable lengths of passwords).

vi.  Change your passwords as often as possible. This limits the opportunity for an intruder to try and crack a password and limits the window of exposure after a password had been compromised.




Passphrases

The use of passphrases is a very good recommendation in creating strong and more complex passwords.

A passphrase is simply a sentence or phrase that serves as a more secure password. Using a long phrase will make it difficult and hard to guess by an attacker, but easy to remember and type accurately by you.

Phrases abound, use phrases from books, songs, poems, famous saying etc. you can select a variety of passwords from your favourite songs or poems.

Passphrase Examples:

“Build it and they will come” – translates to Biatwc

“My Favourite rapper and song writer is 2pac Shakur” – translates to Mfraswi2S

Blessed are the peace makers, for they shall obtain mercy – translates to Batpmftsom

Password Encryption on Cisco Routers

By default, Cisco IOS software leaves passwords in plain text when they are entered on a router. This is not secure since anyone using the enable password command or the username

{usernamepasswordpassword }command would be able to view these passwords when looking at the running configuration.

For example:

Router1(config)# username lab password cisco1234
Router1(config)# do show run | include username
username lab password 0 cisco1234
Router1(config)#

The displayed in the running configuration, indicates that password is not hidden.




Cisco Password Encryption Schemes

Cisco IOS provides two password protection schemes:

Type 7 encryption and types 5 encryption.

Type7 encryption

This is Cisco-defined encryption algorithm, which hide the password using a simple encryption algorithm. The type 7 encryption can be used by the enable password, username, and line password commands, this includes, line console, vty and aux port. It offers very limited protection as it only hides the password using a simple encryption algorithm.

For example, use the following command on a global mode:

Router1(config)# service password-encryption
Router1(config)# do show run | include username
username Student password 7 03075218050061
Router1(config)#

The 7 displayed in the running configuration indicate that password is hidden. You can also see that the line console password is now hidden.

Type 5 Encryption

This is uses a complex encryption algorithm. It uses a more secure MD5 hash. Cisco recommends that Type 5 encryption be used instead of Type 7 whenever possible. It offers much stronger encryption method (MD5). It is configured by replacing the keyword password with secret. Using the enable secret command will help protect the privilege EXEC level.

e.g

Router>enable

Router#config t

Router(config)#enable secret cisco   

Router(config)#line con 0

Router(config-line)#password cisco

Router(config-line)#login        

Router(config-line)#line vty 0 4

Router(config-line)#password cisco

Router(config-line)#login

Router(config-line)#exit

Router(config)#hostname HQ

Using show run will display your password encryption:

HQ#sho run

Building configuration…
Current configuration : 456 bytes
!
version 12.4
service password-encryption
!
hostname HQ
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
!
ip ssh version 1
!

how to secure cisco router

Summary:

To encrypt all passwords in the configuration file, use the following command:

 Router1(config)# service password-encryption

To configure a type 5 (MD5 hash) passwords and disables the types 7 password, use the following command:

Router1(config)#enable secret {password here}

Router1(config)#no enable password

Router1(config)#end

To enable the router configuration file to require 10 characters length in all passwords, use the following command:

Router1(config)#security password min-length 10

Router1(config)#end

Related Topics

Enhanced Password Security




How To Secure Your Network with Windows Firewall

How To Configure Switch Security

Leave a Reply

Your email address will not be published. Required fields are marked *