15.1 Securing the console
The console port means that anyone who has physical access to the router could connect to it. In the early days of the internet, routers were found only in machine rooms behind locked doors, and this was sufficient security. Nowadays they are more likely to be found in the corner of an office, or in server rooms and datacentres where engineers from different companies may have access. So a first step in securing a router is to make sure that access to the console is always protected with a password.
Watch the video below, which is about 3 minutes long. You will see how commands can be used to set a log-in password for the router console and also to protect the console port itself.
Securing the console
So what can we do to secure our router? Well, whether we connect directly through the console port or over the internet, we will end up at the console so let’s make sure the user needs to log in by giving a password.
For a Cisco router, the first level of access isn’t secure – but you can’t do much except check the status of the router. To do anything useful – or dangerous – we need to enter privilege exec mode using the enablecommand, and this is the step that we can protect with a password.
There are actually two ways of doing this. I’ll show you the better way [at this point the speaker types conf t to enter global configuration mode],which is to enter the command enable secret and then the new password opennetlab. I’ll exit from privilege exec mode [at this point the speaker exits from global configuration mode, and then exits from privilege exec mode], and then re-enter it. You can see I am being asked for a password, which I can give, and now I’m successfully in.
I mentioned that there was another way of doing this, but that has a fairly basic flaw because the password is simply stored in the running configuration and could be easily read over my shoulder! But if I display the running configuration, you can see that the enable secret command stored the password in an encrypted form, which can’t easily be used.
We can go a bit further and prevent access to the console port itself, so anyone trying to plug in directly will have to give another password [at this point the speaker enters global configuration mode from privilege exec mode]. To do this we enter line configuration mode, type line console 0, and now we set a password using password onlcon. We also need to tell the router to check for a password using the command login.
I’m going to test this by exiting and then reopening the console. Remember that this simulates me plugging in my laptop through a cable to the console port of the router. You can see now that the router is prompting me for a password, which I need to give, and then I am back into the router.
Let’s show the running configuration again – you can see that the console port password has been stored in plain text! I’ll need to do something to prevent someone seeing the password over my shoulder. This time I have to go back to global configuration mode, enter service password-encryption, and this will encrypt the password. Now if we look at the running configuration, we can see it’s unreadable.
A word of warning: don’t believe your passwords are safe now! It is very simple to reverse this type of encryption using online tools such as this website. You can see all I need to do is paste the cipher text in and it immediately tells me the password. You can use much stronger encryption methods, but this is beyond the scope of this course.
Also, anyone with this password can log in: there is only one password for the device and everyone who needs access will have the same password. And given that an engineer may need to access many routers, they will either need a very good memory, or they will need to write down the passwords – hopefully in some secure manner and not in a list on their wall!
Activity 1 Think about
Assume you bought a new home gateway and a new enterprise router. Out of the box, which is more secure?
A home gateway is preconfigured with a strong, unique administrator password. An enterprise router typically has no preconfigured security, and a network engineer is responsible for configuring it correctly to be secure.
Activity 2 Try it out
Open PT Anywhere [Tip: hold Ctrl and click a link to open it in a new tab. (Hide tip)] in a new tab or window so you can read these instructions.
In this activity you will configure the router in the network.
Open the router’s console
Enter global configuration mode.
Set a secret password, for example ‘mysecret’, for the enable command
Exit from the console and re-enter it to confirm that your security measures are in place.
Initially the router is not secure and you can enter privilege exec mode by simply typing enable.
To set a secret password such as ‘mysecret’ on the enable command, in privilege exec mode enter global configuration mode (by typing conf t). At the Router (config)# prompt, enter enable secret mysecret.
Now exit from the console connection (by entering exit until you return to the initial console ‘>’ prompt). When you now enter global configuration mode with the enable command, you will be prompted for the password you gave earlier.
To confirm the password isn’t stored in plain text, use the show running-config command; in the output you should spot a line such as enable secret 5 $1$mERr$QtCDSpd2k7BLWRTGnR35X1 where the string of characters is an encrypted version of the password you entered.
Activity 3 Sort it out
A network engineer has started to configure a router with an enable password of ‘opennetlab’. Check the configuration and improve it if necessary.
Open PT Anywhere in a new tab or window so you can read these instructions.
Open the router’s console.
Enter global configuration mode; you may need the password ‘opennetlab’.
Check to see if the password is encrypted in the running configuration.
If necessary, improve the security settings.
Exit from the console and reopen it to confirm that your security measures are in place.
The router has had a password ‘opennetlab’ set for the enable command, but the show running-config command shows the password in plain text.
To remove the plain-text password, enter no enable password. To set a secret password that is stored only in encrypted form, enter enable secret opennetlab.
It is also possible to use the enter service password-encryption command to encrypt all passwords in the running configuration. However, the encryption used is weaker: sufficient to make it unreadable to a human, but easily cracked by computer.