Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Amin Shaikh
Amin Shaikh
Community Member
‎09-19-2008 10:49 AM
‎09-19-2008 10:49 AM

Hardening of Router

What steps are required to harden the Router from Internet Attacks..

Is there a way to avoid recovery of password for a router..

0 Helpful
Reply
4 REPLIES
Mark Yeates
Mark Yeates Gold
Gold
‎09-19-2008 10:54 AM
‎09-19-2008 10:54 AM

Re: Hardening of Router

Amin,

Here is a guide to help you harden your router by disabling some unneeded services and lock down access. You can prevent password recovery by issuing the "no service password-recovery" command. You can also use SDM or the auto secure feature with IOS to assist with device hardening.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

HTH,

Mark

0 Helpful
Reply
Istvan_Rabai
Istvan_Rabai Gold
Gold
‎09-20-2008 12:18 AM
‎09-20-2008 12:18 AM

Re: Hardening of Router

Hi Mark,

Though what you are suggesting may be right, generally (and hopefully) no unauthorized personnel can get physical access to the routers, so there is no way for them to get into ROMMON mode and recover the password.

The "no service password-recovery" command effectively disables access to ROMMON mode.

The drawback of this is that if you really forgot the router password, there is no way for you to recover it. In addition, you will not have the possibility to recover corrupted IOS images on flash without access to ROMMON mode.

So I would suggest to take exceptional care of using this command.

I suppose Amin is asking for a way to avoid password recovery by unauthorized persons.

Another solution for this may be using "service password-encryption" and "enable secret" commands.

"enable secret" creates an MD5 hash of the secret in which case the original secret is deemed unrecoverable.

Though the "service password-encryption" command creates a Viginere-cypher for the other passwords which is not very hard to break, it protects against reading a password over your shoulder.

To have access to these passwords encrypted by the "service password-encryption" command, first someone must have the appropriate privileged level access to the router. And that can be hardened very well.

So I would recommend this solution prior to using the "no service password-recovery" command.

Cheers:

Istvan

0 Helpful
Reply
Danilo Dy
Danilo Dy Blue
Blue
‎09-20-2008 04:23 AM
‎09-20-2008 04:23 AM

Re: Hardening of Router

I agree with Isvan regarding "no password recovery". We can hardened Cisco IOS as much as we can but we have to assess the impact, some of the commands could be dangerous :)

For user account and enable password, I recommend the following commands.

!

service password-encryption

!

username secret

!

no enable password

enable secret

!

service tcp-keepalives-in

service tcp-keepalives-out

The above user and enable passwords will be hard to decrypt (or not at all) as they use MD5. One of the IOS improvement is the use of MD5 to encrypt the user password which traditionally use Viginere-cypher that is easy to decrypt

Access to router should be limited from few source ip address from internal network. Also use SSH.

Reply
paul.matthews
paul.matthews Silver
Silver
‎09-20-2008 06:51 AM
‎09-20-2008 06:51 AM

Re: Hardening of Router

They have a point. I would avoid the no passwird revovery command if I could. If someone has physical access to your network kit so that they could perform a password recovery, I would rather expect that instead of doing that, they may well just eBay it!

SSH should be the norm on newly installed kit rather than Telnet, and SSH and SNMP should be protected by access lists.

Anything that can be passworded should be - HSRP, GLBP, VTP, OSPF etc.

I like the use of TACACS/RADIUS to secure access. It centralised passwords, so regular password changes are simpler than having to log into (or script) every device to change that passwords. Either also make it easier to enforce stronger passwords.

Shoot anyone that types:

line con 0

exec-timeout 0 0

into a router - that means no timeout on the console, and thus the risk of console being left in enable mode.

If you have multiple levels of support, consider adjusting he priv levels of commands, that way first line can shut/no shut an interface for example, but not configure OSPF.

0 Helpful
Reply
Latest Documents
cisco packet tracer
Created by Gentsmafia on 04-25-2018 05:14 PM
0
0
0
0
 
PFRv3 channel state questions
Created by Vasilii Mikhailovskii on 04-23-2018 05:06 AM
0
0
0
0
This document gives several answers on frequently asked questions for PFRv3 channel state behavior. Q1: What are all the channel operational states from a BR (border role) perspective and what are the rules/conditions to be in each st... view more
VPN and static NAT problem
Created by Jacopo Belcredi on 04-23-2018 04:07 AM
0
0
0
0
Symptoms The need was to reach an host inside a LAN through a VPN connection managed by the LAN gateway (Cisco 1921). The LAN gateway performs NAT and there was a dedicate nat rule for the host i wanted to reach through VPN. I couldn't connect to the hos... view more
All Documents
433
Views
4
Helpful
4
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
Glimpse of "EIGRP name mode configuration"
Created by ashirkar on 10-01-2013 02:06 AM
7
79
7
79
What happens, when router receives packet?
Created by ashirkar on 10-18-2012 03:19 AM
31
49
31
49
BLOG (No Title)
Created by Akula Jyoti Lakshmi on 08-09-2011 09:13 PM
15
43
15
43
All Blogs