15.1 Securing the console
The console port means that anyone with physical access to the router can connect to it directly, bypassing the network entirely. In the early days of the internet, routers were found only in machine rooms behind locked doors, and this was sufficient security. Nowadays they are more likely to be found in the corner of an office, or in server rooms and datacentres where engineers from different companies may have access. So a first step in securing a router is to make sure that access to the console is always protected with a password.
Watch the video below, which is about 3 minutes long. You will see how commands can be used to set a log-in password for the router console and also to protect the console port itself.
Activity 1 Think about
Assume you bought a new home gateway and a new enterprise router. Out of the box, which is more secure?
A home gateway is usually shipped with a preconfigured administrator password, in recent devices one that is unique to the unit and printed on a label (though you should still check that it has not been left at a manufacturer-wide default). An enterprise router typically has no preconfigured security at all, and a network engineer is responsible for configuring it correctly to be secure.
Activity 2 Try it out
Open PT Anywhere in a new tab or window so you can read these instructions.
In this activity you will configure the router in the network.
Open the router’s console.
Enter global configuration mode.
Set a secret password, for example ‘mysecret’, for the enable command.
Exit from the console and re-enter it to confirm that your security measures are in place.
Initially the router is not secure and you can enter privileged EXEC mode by simply typing enable.
To set a secret password such as ‘mysecret’ on the enable command, in privileged EXEC mode enter global configuration mode (by typing conf t). At the Router(config)# prompt, enter enable secret mysecret.
Now exit from the console connection (by entering exit until you return to the initial console ‘>’ prompt). When you now enter privileged EXEC mode with the enable command, you will be prompted for the secret you set earlier.
To confirm the password isn’t stored in plain text, use the show running-config command; in the output you should spot a line such as enable secret 5 $1$mERr$QtCDSpd2k7BLWRTGnR35X1. The 5 indicates that what is stored is a salted MD5 hash of the password, not an encrypted copy: the router can check a password you type against it, but cannot turn it back into the password. A hash can still be attacked offline by guessing, so choose a strong secret; on newer IOS releases you can store it with a stronger scrypt hash (type 9) using enable algorithm-type scrypt secret followed by the password.
Activity 3 Sort it out
A network engineer has started to configure a router with an enable password of ‘opennetlab’. Check the configuration and improve it if necessary.
Open PT Anywhere in a new tab or window so you can read these instructions.
Open the router’s console.
Enter global configuration mode; you may need the password ‘opennetlab’ at the enable prompt.
Check to see if the password is encrypted in the running configuration.
If necessary, improve the security settings.
Exit from the console and reopen it to confirm that your security measures are in place.
The router has had a password ‘opennetlab’ set for the enable command, but the show running-config command shows it in plain text (enable password opennetlab). Anyone who can view or copy the configuration can read it directly.
To remove the plain-text password, enter no enable password. To set a secret password that is stored only in hashed form, enter enable secret opennetlab. If both enable password and enable secret are configured, the router uses the secret, so the plain-text line adds nothing except exposure; remove it.
It is also possible to use the service password-encryption command to obscure all passwords in the running configuration; they then appear with a type indicator of 7. However, this is a simple reversible encoding with a fixed, well-known key, not real encryption: sufficient to stop a bystander reading a password off the screen, but anyone with a copy of the configuration can recover it instantly with freely available tools. Treat a type 7 password as equivalent to plain text, and use enable secret (or secret on username lines) wherever a hashed form is available.
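As an added example (not part of the course material or of Cisco's own tooling), the script below audits the credential lines of a running-config excerpt like the one in Activity 3. It classifies each line by its IOS storage type (plain text, type 7, type 5 salted MD5, type 8/9) and decodes any type 7 value using the publicly known fixed key, which is the practical demonstration of why service password-encryption is not a substitute for enable secret. The configuration excerpt is constructed for illustration; the type 9 line in it is a placeholder in the right shape, not a real hash.

```python
"""Audit the password lines of a Cisco IOS running-config.

Added example for this section, not code from the course or from Cisco.
It classifies each stored credential by its IOS storage type and decodes
'type 7' strings (the output of service password-encryption) to show that
they are obfuscated, not protected. The sample config below is constructed.
"""
import re

# Fixed XOR key used by IOS type 7 encoding; it is publicly documented.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# What each IOS storage type actually gives you, and what to do about it.
STORAGE_TYPES = {
    None: ("plaintext", "remove; use 'enable secret' / 'secret' instead"),
    "0":  ("plaintext", "remove; use 'enable secret' / 'secret' instead"),
    "7":  ("type 7 reversible obfuscation", "trivially decoded; replace with a secret"),
    "4":  ("type 4 unsalted SHA-256", "deprecated by Cisco; re-enter as type 8/9"),
    "5":  ("type 5 salted MD5 (md5crypt)", "not reversible, but cheap to brute-force offline"),
    "8":  ("type 8 PBKDF2-SHA-256", "acceptable"),
    "9":  ("type 9 scrypt", "acceptable"),
}

# Matches 'enable password ...', 'enable secret 5 ...', ' password 7 ...',
# 'username X secret 9 ...'. The optional single digit is the storage type.
PASSWORD_LINE = re.compile(
    r"^\s*(?P<cmd>(?:username\s+\S+\s+)?(?:enable\s+)?(?:password|secret))"
    r"\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: two-digit key offset, then hex pairs XORed with the key."""
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, offset: int = 8) -> str:
    """Forward direction (what service password-encryption does), used for round-trip checks."""
    raw = plain.encode("ascii")
    body = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(raw))
    return f"{offset:02d}{body.hex().upper()}"


def audit(config: str) -> list[dict]:
    """Return one finding per credential line: command, storage class, advice, recovered value."""
    findings = []
    for line in config.splitlines():
        m = PASSWORD_LINE.match(line)
        if not m:
            continue
        ptype = m.group("type")
        storage, advice = STORAGE_TYPES.get(ptype, (f"unknown type {ptype}", "review manually"))
        recovered = None
        if ptype in (None, "0"):
            recovered = m.group("value")           # stored exactly as typed
        elif ptype == "7":
            recovered = type7_decode(m.group("value"))
        findings.append({
            "line": line.strip(),
            "command": m.group("cmd"),
            "storage": storage,
            "advice": advice,
            "recovered": recovered,
        })
    return findings


# Constructed running-config excerpt mirroring Activity 3. The type 9 value is a
# made-up placeholder in the right shape, not a real hash.
SAMPLE_CONFIG = """\
hostname R1
enable password opennetlab
enable secret 5 $1$mERr$QtCDSpd2k7BLWRTGnR35X1
username ops secret 9 $9$constructedSalt$constructedHashValue
line con 0
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        shown = f" -> recovers '{f['recovered']}'" if f["recovered"] else ""
        print(f"{f['line']}\n    {f['storage']}: {f['advice']}{shown}")
```

Running it prints the plain-text enable password as-is and decodes the console line's type 7 value back to ‘cisco’ immediately, while the type 5 and type 9 lines yield nothing: that is the whole difference between obscuring a password and hashing it. The same regex-based audit can be run over a saved show running-config before a router leaves the bench.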