Protecting routers - passwords for modes
Introduction to this web page

This web page is about protecting the routers themselves from attack, rather than protecting the networks and hosts behind the router. This page focuses on setting passwords for the different modes available in IOS.
Passwords for modes - 1

We can set a password to secure the privileged mode. Before the "enable secret" command was introduced (see below), this was the only way to do so:

    router> enable
    router# config t
    router(config)# enable password password
    router(config)# exit
    router# disable
    router>

This password is insecure, as it appears in config scripts in clear text. Anyone who can read the running or startup configuration, or a copy of it on a TFTP server or in a backup, has the password.

There are two options associated with the "enable password" command. The first one specifies that the password is the password for a particular privilege level between 0 and 15 (level 15 is the default, and is the level that a plain "enable" asks for):

    router(config)# enable password level <0-15> password

The second one allows the use of a password which has already been encrypted elsewhere, for example copied from the configuration of another router. The variable encryption-type can only be the number 7. The string put in place of encrypted-password-string is the actual previously obtained encrypted password string:

    router(config)# enable password encryption-type encrypted-password-string

It is permissible to combine these options in one command line:

    router(config)# enable password level <0-15> encryption-type encrypted-password-string
Passwords for modes - 2

Depending on which document you read, from either version 10.3 or version 11 onwards, a more secure password was introduced with the "enable secret" command. The secret is stored as a salted MD5 hash (shown as type 5 in the configuration), so the configuration never contains the password itself. This is very much more secure than type 7 encryption, which is reversible: a hash can only be attacked by guessing candidate passwords and hashing each one, so a long secret that is not a dictionary word is still needed.

    router> enable
    router# config t
    router(config)# enable secret password
    router(config)# exit
    router# disable
    router>

Using the "enable secret" password means that the "enable password" password is not required. If both are specified, the "enable secret" is used and the "enable password" is ignored. The two must be different: IOS warns and refuses an "enable secret" that is the same as the existing "enable password", and using the same string for both would in any case give the secret away through the weaker "enable password".

The "enable secret" command supports the same options as above. Again, the first one specifies that the password is the password for a particular privilege level between 0 and 15:

    router(config)# enable secret level <0-15> password

And again, the second one allows the use of a password which has already been encrypted elsewhere. The variable encryption-type can only be the number 5 (later IOS releases, from 15.3(3)M, also accept types 8 and 9, which use PBKDF2-SHA-256 and scrypt and are preferable to type 5 where available). The string put in place of encrypted-password-string is the actual previously obtained encrypted password string:

    router(config)# enable secret encryption-type encrypted-password-string

Again, it is permissible to combine these options in one command line:

    router(config)# enable secret level <0-15> encryption-type encrypted-password-string
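To make the "one-way" property concrete, here is an added example (not code from the original page) that re-implements the md5crypt algorithm behind type 5 "$1$salt$hash" strings using only the Python standard library, then runs the only attack a hash allows: guess, hash, compare. The secrets, the wordlist and the hashes are constructed here and not taken from a real router, and the function names are this example's own.

```python
"""
Cisco IOS "enable secret" (type 5) hashes: what a salted MD5 hash does and
does not protect against.

Added example, not code from the original page. Type 5 is the FreeBSD-style
md5crypt algorithm ($1$<salt>$<hash>), re-implemented here with only the
standard library so the script runs offline. The secrets and hashes below are
constructed for this example, not copied from a real device.
"""
import hashlib
import secrets
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    # md5crypt's base-64 variant: least-significant 6 bits first.
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Return the type 5 string for password/salt (salt: 1-8 chars, no '$')."""
    pw = password.encode()
    sl = salt.encode()[:8]
    if b"$" in sl:
        raise ValueError("salt must not contain '$'")

    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    # Mix in len(pw) bytes of MD5(pw, salt, pw), 16 at a time.
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    # Then, for each bit of len(pw): a NUL byte for a 1 bit, pw[0] for a 0 bit.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds of deliberately irregular re-hashing: the only "stretching".
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    # Re-order the 16 digest bytes and encode them 24 bits at a time.
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    encoded += _to64(final[11], 2)
    return "$1$" + sl.decode() + "$" + encoded


def new_enable_secret(password: str) -> str:
    """What 'enable secret <password>' stores: a fresh random salt every time."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(4))
    return md5crypt(password, salt)


def check_enable_secret(stored: str, candidate: str) -> bool:
    """Verify a candidate against a '$1$salt$hash' string from 'show running-config'."""
    magic, salt, _ = stored.split("$")[1:4]
    if magic != "1":
        raise ValueError("not a type 5 (md5crypt) hash")
    return secrets.compare_digest(md5crypt(candidate, salt), stored)


def dictionary_attack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """The only attack a hash permits: guess a password, hash it, compare."""
    for word in wordlist:
        if check_enable_secret(stored, word):
            return word
    return None


# Constructed sample data (not from a real device).
WORDLIST = ["password", "admin", "cisco", "letmein", "router"]
WEAK_HASH = new_enable_secret("cisco")              # a dictionary word: falls at once
STRONG_HASH = new_enable_secret("x7Qp!2vLm#9sRt")   # not in any wordlist

if __name__ == "__main__":
    print("weak secret recovered:  ", dictionary_attack(WEAK_HASH, WORDLIST))
    print("strong secret recovered:", dictionary_attack(STRONG_HASH, WORDLIST))
```

The point the two hashes make: the salt stops an attacker from pre-computing one table for every router, and the 1000 MD5 rounds slow each guess a little, but a secret that appears in a wordlist is recovered in a handful of hashes regardless. The strength of a type 5 secret is the strength of the password you chose.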
Encrypting clear text passwords

We can make IOS show clear text passwords in config scripts in an encrypted form by using the command

    router(config)# service password-encryption

However this encryption (type 7) is easily reversed: it is a fixed-key XOR rather than a real cipher, and the plain text can be recovered from the configuration in a fraction of a second with freely available tools. It will keep out a casual observer looking over your shoulder, but anyone who obtains a copy of the configuration will get through it. It is permissible to combine this form of encryption and the use of encrypted passwords, as passwords that are already encrypted (such as a type 5 "enable secret") are not processed by this command. Note that this command encrypts all the clear text passwords shown in config scripts, including the line (console, aux and vty) passwords and "username" passwords, not just the "enable password". Also note that this command does not encrypt passwords as they are sent over a wire connection. A Telnet session still carries them in clear text, so they are vulnerable to capture by a packet sniffer; use SSH for remote management where the IOS image supports it.

To check what a configuration currently exposes, filter the running configuration for password statements:

    router# show running-config | include password|secret
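The following is an added example, not code from the original page: it reverses type 7 strings and walks a configuration excerpt the way an auditor (or an attacker with a stolen backup) would. The key string and the two-digit offset layout are those used by IOS type 7; the configuration excerpt is constructed for this example (the value "0822455D0A16" is the well-known type 7 encoding of "cisco", and the type 5 hash is a made-up placeholder that the script does not attempt to reverse). Function names and the audit output format are this example's own.

```python
"""
Cisco IOS type 7 ("service password-encryption") strings are reversible.

Added example, not code from the original page. The key below is the fixed
key every IOS device uses for type 7. SAMPLE_CONFIG is constructed for this
example; the enable secret in it is a placeholder and is not reversed.
"""
import re
from typing import List, Tuple

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: two-digit offset into the key, then hex of XORed bytes."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2])          # 00..15 on real devices
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(password: str, offset: int = 8) -> str:
    """Produce what 'service password-encryption' would store for password."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    data = password.encode("ascii")
    out = bytes(c ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, c in enumerate(data))
    return f"{offset:02d}{out.hex().upper()}"


# Password statements as they appear in 'show running-config'.
# Each pattern's last two groups are (encryption type or None, value).
_PATTERNS = [
    re.compile(r"^\s*enable password (?:level \d+ )?(?:(\d) )?(\S+)"),
    re.compile(r"^\s*enable secret (?:level \d+ )?(?:(\d) )?(\S+)"),
    re.compile(r"^\s*username (\S+) password (?:(\d) )?(\S+)"),
    re.compile(r"^\s*password (?:(\d) )?(\S+)"),      # under 'line con/aux/vty'
]


def audit_config(config: str) -> List[Tuple[str, str, str]]:
    """
    Return (statement, type, recovered) for every password statement.
    Type 0 or untyped: clear text. Type 7: decoded here. Type 5: one-way hash.
    """
    findings = []
    for line in config.splitlines():
        for pat in _PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            enc_type, value = m.groups()[-2], m.groups()[-1]
            enc_type = enc_type or "0"
            if enc_type == "7":
                recovered = type7_decode(value)
            elif enc_type == "0":
                recovered = value
            else:
                recovered = "<hash: cannot be reversed, only guessed>"
            findings.append((line.strip(), enc_type, recovered))
            break
    return findings


# Constructed configuration excerpt (not from a real device).
SAMPLE_CONFIG = """\
!
enable secret 5 $1$Ab9f$k1XgQ7mN0pRtsUvW2yz3.1
enable password 7 0822455D0A16
!
username admin password 0 Sup3rS3cret
!
line con 0
 password 7 02050D480809
line vty 0 4
 password 7 11051C111A170202
 login
!
"""

if __name__ == "__main__":
    for statement, enc_type, recovered in audit_config(SAMPLE_CONFIG):
        print(f"type {enc_type}: {statement!r} -> {recovered}")
```

Every type 7 value in the excerpt comes back as plain text, which is why a configuration file must be handled as a secret in its own right: restrict who can read the startup configuration and its backups, and never paste a configuration containing type 7 strings into a ticket or a mailing list.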
© 2005 Ron Turner