Securing Administrative Access on a Cisco Router

Routers are a key component of our network. Controlling access to the router, and monitoring and reporting on the activity that takes place on it, is essential to maintaining the security of our network. For Cisco routers we have several options for securing access to the router. Below are some of our choices:

1. Whether or not to use aaa new-model.
2. Whether to use line passwords or the local user database.
3. Whether to use views to control administrative access to the router.
4. Whether to use an AAA server such as RADIUS or TACACS.

In most cases the local user database is preferred over line passwords. Views can be used when you want to give access to a junior network administrator and limit the commands they are allowed to run. Note that if you want to use views, you also need to use aaa new-model. Large enterprises, which normally have many different network administrators, may prefer AAA with either RADIUS or Cisco’s ACS for TACACS, which gives them more granular control over which commands are allowed.

Here’s my approach to securing Cisco routers. It may not be the best, but it works for me.

Step 1. I would set the hostname and domain name of the router and disable DNS lookup, which otherwise makes the router try to resolve a mistyped command as a hostname and leaves the session hanging until the lookup times out.

Router(config)#hostname Router-HK
Router-HK(config)#ip domain name my-domain.com
Router-HK(config)#no ip domain-lookup

Optionally, we can also configure the router as a DNS proxy that forwards requests to a DNS server. When your computers use the router as their DNS server, their queries are passed to the name servers you configure as below:

Router-HK(config)#ip name-server 4.2.2.2 4.2.2.3
Router-HK(config)#ip dns server

Step 2. I would set the privileged mode secret and enable password encryption.

Router-HK(config)#enable secret My$ecretP@$$w0rd
Router-HK(config)#service password-encryption

It is also a good idea to set a minimum password length and to display a warning about unauthorized access as a deterrent, with the commands below:

Router-HK(config)#security passwords min-length 8
Router-HK(config)#banner motd $Unauthorized access is strictly prohibited and will be prosecuted to the full extent of the law.$

Step 3. I would create at least two users: one with privilege level 15 as the admin and one ordinary user. Usually I set the admin secret the same as the enable secret as it is easier to remember. Creating the local user database before enabling aaa new-model is important; if you forget, you might be locked out of your router.

Router-HK(config)#username admin privilege 15 secret My$ecretP@$$w0rd
Router-HK(config)#username user01 secret MyUser$ecret
Router-HK(config)#aaa new-model

Now you can log in to the vty lines using telnet with the local user database, which is the default login method under aaa new-model.

Step 4. We can further enhance the security of the router by enabling synchronous logging on the console and setting a timeout that disconnects a user who has been idle for a certain number of minutes and seconds. We can also apply this to the aux and vty lines. Note that since we are using aaa new-model, the local user database is used, and any line password or login setting configured before we issued aaa new-model has now been removed. Below, we set the timeout for the console, aux and vty lines to 5 minutes and 0 seconds. We also restrict the vty lines to ssh; telnet will not be used as it is not secure and sends everything, including passwords, in clear text.

Router-HK(config)#line console 0
Router-HK(config-line)#exec-timeout 5 0
Router-HK(config-line)#logging synchronous
Router-HK(config-line)#line aux 0
Router-HK(config-line)#exec-timeout 5 0
Router-HK(config-line)#line vty 0 4
Router-HK(config-line)#transport input ssh
Router-HK(config-line)#exec-timeout 5 0
Router-HK(config-line)#exit
Router-HK(config)#

Step 5. To enable ssh, we need to generate an RSA key pair on the router (this is why the hostname and domain name were set in Step 1; the key is named after them). Once the key has been generated, we can use ssh to connect to the vty lines. Below is how to zeroize any existing RSA keys.

Router-HK(config)#crypto key zeroize rsa

Note: if no key exists, you will get this message: % No Signature RSA Keys found in configuration

And here’s how to generate a general-purpose RSA key with a modulus of 1024 bits.

Router-HK(config)#crypto key generate rsa general-keys modulus 1024

Once the key is generated, ssh is enabled and you can connect to the vty lines using ssh. You can use PuTTY on your PC to connect to the router via ssh. You can google PuTTY and download it from the internet; it’s free software.

Step 6. We can protect the router from login attacks such as dictionary attacks and denial of service attacks by limiting login attempts. The first command below puts the router into a 60-second quiet period, during which logins are refused, after 2 failed attempts within 30 seconds. We can also log successful and failed logins with the following commands:

Router-HK(config)#login block-for 60 attempts 2 within 30
Router-HK(config)#ip ssh time-out 90
Router-HK(config)#ip ssh authentication-retries 2
Router-HK(config)#login on-success log
Router-HK(config)#login on-failure log every 3

You can verify the login and the ssh settings as below:

Router-HK#show login
Router-HK#show ip ssh

Step 7. We also need to configure IP addresses on the router’s interfaces and a default gateway if we expect it to route packets or let you ssh into it. As most modern WAN connections come in as RJ45 10/100Mbps Ethernet, I will assume the LAN and WAN links are both Fast Ethernet, say Fa0/0 for the LAN and Fa0/1 for the WAN. Here’s how we do it.

Router-HK(config)#interface FastEthernet 0/0
Router-HK(config-if)#ip address 192.168.5.1 255.255.255.0
Router-HK(config-if)#no shutdown
Router-HK(config-if)#interface FastEthernet 0/1
Router-HK(config-if)#ip address 200.200.200.1 255.255.255.252
Router-HK(config-if)#no shutdown
Router-HK(config-if)#exit
Router-HK(config)#ip route 0.0.0.0 0.0.0.0 200.200.200.2

Step 8. Keeping accurate time on the network is important for logging and tracing events. We can set the first router as the NTP source and the other devices on the network can use it as their NTP server. To check the time setting on the router, we can issue this command:

Router-HK#show clock

If it is not accurate, we can set the time zone, giving it a name such as HKT for Hong Kong Time and an offset from UTC, and then set the time. We set the time zone first, before setting the time. The time zone is set in config mode and the clock in privileged exec mode, as below:

Router-HK(config)#clock timezone HKT +8
Router-HK(config)#exit
Router-HK#clock set 08:30:00 Nov 11 2010

We can then make this router the NTP master and give it a stratum number. Any NTP client syncing its time with this router will have its stratum set 1 higher than the stratum of this router. Let’s say this is stratum 3. Below is the command.

Router-HK(config)#ntp master 3

On the other routers that will sync their time as NTP clients, we use the command below, specifying the IP of the NTP source.

Router-HK(config)#ntp server 10.1.1.1
Router-HK(config)#clock timezone HKT +8

Step 9. We create different views for different admins if we need to grant access to other junior admins or tech support staff. We enter the root view using the enable secret password.

Router-HK#enable view

Once the root view is active, we can create a view for admin2.

Router-HK(config)#parser view admin2
Router-HK(config-view)#secret @dm1n2Pa$$
Router-HK(config-view)#commands exec include all show
Router-HK(config-view)#commands exec include configure terminal
Router-HK(config-view)#commands exec include all debug
Router-HK(config-view)#end

We can also create a view for a junior admin whom we do not want to change the router’s config but only view it. From the root view, go to config mode and enter the following:

Router-HK(config)#parser view jradmin
Router-HK(config-view)#secret jr@dm1nPa$$
Router-HK(config-view)#commands exec include all show
Router-HK(config-view)#end

And if we want to limit the show commands to less sensitive information on a need-to-know basis, we can include only a subset of the show commands for our tech support staff, as below:

Router-HK(config)#parser view techsupport
Router-HK(config-view)#secret $upp0rtPa$$
Router-HK(config-view)#commands exec include show version
Router-HK(config-view)#commands exec include show interfaces
Router-HK(config-view)#commands exec include show ip interface brief
Router-HK(config-view)#commands exec include show parser view
Router-HK(config-view)#end

Step 10. And lastly, don’t forget to save your hard work to the startup-config. You can use this to copy the running-config to the startup-config:

Router-HK#copy running-config startup-config

or use the deprecated command

Router-HK#write

which can be abbreviated to

Router-HK#wr

Congratulations, you have now secured the router for administrative access!
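As an added example (not part of the original post, and not a Cisco tool), the script below checks a saved copy of show running-config against the settings from Steps 1 to 6: it parses the top-level commands and the line sections and reports anything missing or weak, so you can verify a router after going through the steps, or audit one you did not configure yourself. The sample config embedded in it is constructed for the demonstration and deliberately leaves telnet on the vty lines, omits their exec-timeout and omits login block-for, so there is something to report; the thresholds it applies (idle timeout no longer than 10 minutes, minimum password length of at least 8) are the script's own assumptions.

```python
"""Offline check of a Cisco IOS running-config against the post's settings.

Added example, not from the original post or from Cisco.  Save the output
of `show running-config` to a file, read it in, and pass the text to
audit().  Thresholds are this script's own assumptions.
"""
import re

# Constructed sample config for demonstration, not from a real device.  It
# follows the post's steps but leaves telnet enabled on the vty lines, omits
# their exec-timeout and omits `login block-for`, so the checker has findings.
# The secrets are placeholder hashes, not real ones.
SAMPLE_CONFIG = """\
hostname Router-HK
ip domain name my-domain.com
no ip domain-lookup
enable secret 5 $1$xxxx$PLACEHOLDER.HASH.NOT.REAL
service password-encryption
security passwords min-length 8
username admin privilege 15 secret 5 $1$xxxx$PLACEHOLDER.HASH.NOT.REAL
username user01 secret 5 $1$xxxx$PLACEHOLDER.HASH.NOT.REAL
aaa new-model
ip ssh time-out 90
ip ssh authentication-retries 2
login on-success log
login on-failure log every 3
ntp master 3
!
line con 0
 exec-timeout 5 0
 logging synchronous
line aux 0
 exec-timeout 5 0
line vty 0 4
 transport input telnet ssh
!
"""


def parse_config(text):
    """Split a running-config into top-level commands and the indented
    children of each `line ...` section (children of other sections are
    ignored, since this checker only looks at line settings)."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or IOS comment separator
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        top.append(cmd)
        current = cmd if cmd.startswith("line ") else None
        if current is not None:
            sections.setdefault(current, [])
    return top, sections


def _has(top, prefix):
    """True if some top-level command is `prefix` or starts with `prefix `."""
    return any(c == prefix or c.startswith(prefix + " ") for c in top)


def audit(text, max_idle_minutes=10, min_password_length=8):
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_config(text)
    findings = []

    # Global settings from Steps 1-3 and 6 of the post.
    required = [
        ("no ip domain-lookup", "DNS lookup of mistyped commands still enabled"),
        ("enable secret", "no enable secret configured"),
        ("service password-encryption", "service password-encryption not enabled"),
        ("aaa new-model", "aaa new-model not enabled"),
        ("login block-for", "no login block-for: no protection against password guessing"),
        ("login on-success log", "successful logins are not logged"),
        ("login on-failure log", "failed logins are not logged"),
        ("ip ssh time-out", "ip ssh time-out not set"),
        ("ip ssh authentication-retries", "ip ssh authentication-retries not set"),
    ]
    for prefix, message in required:
        if not _has(top, prefix):
            findings.append(message)

    min_len = 0
    for cmd in top:
        m = re.match(r"security passwords min-length (\d+)$", cmd)
        if m:
            min_len = int(m.group(1))
    if min_len < min_password_length:
        findings.append(f"minimum password length is {min_len}, want >= {min_password_length}")

    # Per-line settings from Step 4: idle timeout on every line, ssh-only vty.
    for name, body in sections.items():
        timeout = next((c for c in body if c.startswith("exec-timeout ")), None)
        if timeout is None:
            findings.append(f"{name}: no exec-timeout configured")
        else:
            parts = timeout.split()[1:]  # `exec-timeout <minutes> [seconds]`
            minutes = int(parts[0])
            seconds = int(parts[1]) if len(parts) > 1 else 0
            if minutes == 0 and seconds == 0:
                findings.append(f"{name}: exec-timeout 0 0 disables the idle timeout")
            elif minutes > max_idle_minutes:
                findings.append(f"{name}: idle timeout of {minutes} minutes is too long")
        if name.startswith("line vty"):
            transport = next((c for c in body if c.startswith("transport input ")), None)
            allowed = transport.split()[2:] if transport else []
            if allowed != ["ssh"]:
                shown = " ".join(allowed) or "the platform default"
                findings.append(f"{name}: transport input allows {shown}, want ssh only")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports the missing login block-for, the missing vty exec-timeout and the telnet transport; against a config that has gone through all the steps it returns an empty list. The RSA key from Step 5 is not in the running-config, so it is not checked here; use show crypto key mypubkey rsa for that.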

This entry was posted in Cisco, Security.