Protecting routers - passwords for modes


Introduction to this web page

This web page is about protecting the routers themselves from attack, rather than protecting networks and hosts behind the router.

This page focuses on setting passwords for the different modes available in IOS.


Passwords for modes - 1

We can set a password to secure privileged (enable) mode. In versions of IOS before 10.3 the command is "enable password":

router> enable
router# config t
router(config)# enable password password
router(config)# exit
router# disable
router>

This password is relatively insecure, as it appears in config scripts in clear text form.

There are two options associated with the "enable password" command. The first one specifies that the password is the password for a particular privilege level between 0 and 15.

router(config)# enable password level 0 - 15 password

The second one allows the use of a password which has already been encrypted elsewhere. The variable encryption-type can only be the number 7. The string put in place of encrypted-password-string is the actual previously obtained encrypted password string.

router(config)# enable password encryption-type encrypted-password-string

It is permissible to combine these options in one command line:

router(config)# enable password level 0 - 15 encryption-type encrypted-password-string


Passwords for modes - 2

Depending on which document you read, from either version 10.3 or version 11 onwards a more secure password, the "enable secret", was introduced. It is stored by default as an MD5 hash (encryption type 5) rather than in clear text.

An MD5 hash is very much more secure than type 7 encryption, which is reversible.

router> enable
router# config t
router(config)# enable secret password
router(config)# exit
router# disable
router>

Using the "enable secret" password means that the "enable password" password is not required.

If both are specified, the "enable password" is ignored.

If both are specified, they must be different, or else neither will work.

The "enable secret" command supports the same options as above. Again, the first one specifies that the password is the password for a particular privilege level between 0 and 15.

router(config)# enable secret level 0 - 15 password

And again, the second one allows the use of a password which has already been hashed elsewhere. The variable encryption-type can only be the number 5. The string put in place of encrypted-password-string is the actual previously obtained MD5 hash string.

router(config)# enable secret encryption-type encrypted-password-string

Again, it is permissible to combine these options in one command line:

router(config)# enable secret level 0 - 15 encryption-type encrypted-password-string


Encrypting clear text passwords

We can make IOS show clear text passwords in config scripts in an encrypted form by using the command

router(config)# service password-encryption

However, this encryption (type 7) is easily reversed. It will keep out a casual observer, but a determined cracker will get through it.

It is permissible to combine this form of encryption and the use of encrypted passwords, as passwords that are already encrypted are not processed by this command.

Note that this command will encrypt all passwords shown in config scripts.

Also note that this command does not encrypt passwords as they are sent over the wire. They are still transmitted in clear text, so they are vulnerable to capture by a packet sniffer.
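A defender's check for the points in this section and in the "enable password" section above: the following Python, added here as an example (not code from the original page or from Cisco), scans a saved configuration for the commands described, classifies each password by encryption type (clear text, type 7, type 5) and reports where "service password-encryption" is missing or where both an enable secret and an enable password are set. The configuration excerpt is constructed for the example; its hash and type 7 strings are placeholders, and the severity labels are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches the password-carrying commands discussed on this page, e.g.
#   enable secret 5 $1$...      enable password 7 0A1B...
#   password ConsolePass        username ops password 0 Plain
# Groups: command, optional "level N", optional numeric encryption type, value.
PASSWORD_RE = re.compile(
    r"^(?:username \S+ )?(enable secret|enable password|password)"
    r"(?: level (\d+))?(?: (\d+))? (.+)$"
)

# Constructed running-config excerpt (hash and type 7 strings are placeholders,
# not real device output).
SAMPLE_CONFIG = """\
!
hostname edge-router
!
enable secret 5 $1$EXAM$PLACEHOLDERtype5hashvalue
enable password 7 PLACEHOLDERTYPE7STRING1
!
username ops password 0 PlainTextPassword
username backup password 7 PLACEHOLDERTYPE7STRING2
!
line con 0
 password ConsolePass
line vty 0 4
 password 7 PLACEHOLDERTYPE7STRING3
!
"""


@dataclass
class Finding:
    line_no: int      # 0 for findings about the configuration as a whole
    severity: str     # HIGH, MEDIUM or INFO
    message: str


def audit_config(text: str) -> List[Finding]:
    """Classify every password line by encryption type and apply the page's rules:
    an enable secret should exist, an enable password is ignored once a secret is
    set, type 7 strings are reversible, and clear-text passwords should at least
    be covered by service password-encryption."""
    findings: List[Finding] = []
    has_secret = has_enable_password = has_service_encryption = False
    cleartext_seen = False

    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "service password-encryption":
            has_service_encryption = True
            continue
        m = PASSWORD_RE.match(line)
        if not m:
            continue
        cmd, level, ptype, _value = m.groups()
        where = cmd + (f" level {level}" if level else "")
        if cmd == "enable secret":
            has_secret = True
        if cmd == "enable password":
            has_enable_password = True

        if ptype in (None, "0"):
            cleartext_seen = True
            findings.append(Finding(n, "HIGH", f"{where}: clear-text password in configuration"))
        elif ptype == "7":
            findings.append(Finding(n, "MEDIUM", f"{where}: type 7 string is reversible, not a hash"))
        elif ptype == "5":
            findings.append(Finding(n, "INFO", f"{where}: type 5 (MD5) secret"))
        else:
            findings.append(Finding(n, "INFO", f"{where}: encryption type {ptype} not covered here"))

    if not has_secret:
        findings.append(Finding(0, "HIGH", "no 'enable secret' configured for privileged mode"))
    if has_secret and has_enable_password:
        findings.append(Finding(0, "INFO", "both 'enable secret' and 'enable password' are set: "
                                           "the enable password is ignored and must differ from the secret"))
    if cleartext_seen and not has_service_encryption:
        findings.append(Finding(0, "MEDIUM", "'service password-encryption' is not set; clear-text "
                                             "passwords appear as-is in the running config"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3}  {f.severity:<6} {f.message}")
```

Run it against the output of "show running-config" saved to a file; the line numbers refer to that file. The check deliberately does not attempt to reverse type 7 strings, only to report that they are present, since the remediation is the same either way: replace them with an enable secret, or a stronger type where the IOS version offers one.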

© 2005 Ron Turner

