Discovering computer networks: hands on in the Open Networking Lab

15.1 Securing the console

The console port means that anyone who has physical access to the router could connect to it. In the early days of the internet, routers were found only in machine rooms behind locked doors, and this was sufficient security. Nowadays they are more likely to be found in the corner of an office, or in server rooms and datacentres where engineers from different companies may have access. So a first step in securing a router is to make sure that access to the console is always protected with a password.

Watch the video below, which is about 3 minutes long. You will see how commands can be used to set a log-in password for the router console and also to protect the console port itself.

Securing the console


Activity 1 Think about

5 minutes

Assume you bought a new home gateway and a new enterprise router. Out of the box, which is more secure?

Answer

A home gateway is preconfigured with a strong, unique administrator password. An enterprise router typically has no preconfigured security, and a network engineer is responsible for configuring it correctly to be secure.

Activity 2 Try it out

10 minutes

  1. Open PT Anywhere in a new tab or window so you can read these instructions.

    In this activity you will configure the router in the network.

  2. Open the router’s console.

  3. Enter global configuration mode.

  4. Set a secret password, for example ‘mysecret’, for the enable command.

  5. Exit from the console and re-enter it to confirm that your security measures are in place.

Answer

Initially the router is not secure and you can enter privileged EXEC mode by simply typing enable.

To set a secret password such as ‘mysecret’ on the enable command, from privileged EXEC mode enter global configuration mode (by typing conf t). At the Router(config)# prompt, enter enable secret mysecret.

Now exit from the console connection (by entering exit until you return to the initial console ‘>’ prompt). When you now use the enable command on your way to global configuration mode, you will be prompted for the password you gave earlier.

To confirm the password isn’t stored in plain text, use the show running-config command; in the output you should spot a line such as enable secret 5 $1$mERr$QtCDSpd2k7BLWRTGnR35X1 where the string of characters is an encrypted version of the password you entered.

Activity 3 Sort it out

10 minutes

A network engineer has started to configure a router with an enable password of ‘opennetlab’. Check the configuration and improve it if necessary.

  1. Open PT Anywhere in a new tab or window so you can read these instructions.

  2. Open the router’s console.

  3. Enter global configuration mode; you may need the password ‘opennetlab’.

  4. Check to see if the password is encrypted in the running configuration.

  5. If necessary, improve the security settings.

  6. Exit from the console and reopen it to confirm that your security measures are in place.

Answer

The router has had a password ‘opennetlab’ set for the enable command, but the show running-config command shows the password in plain text.

To remove the plain-text password, enter no enable password. To set a secret password that is stored only in encrypted form, enter enable secret opennetlab.

It is also possible to enter the service password-encryption command to encrypt all passwords in the running configuration. However, the encryption used is weaker: sufficient to make the passwords unreadable to a human, but easily cracked by computer.
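
The check carried out by hand in Activity 3 can also be run over a saved copy of the show running-config output. The following is an added example, not part of the course material: the sample configuration is constructed to match the starting state described in Activity 3, and the function name audit_enable is hypothetical.

```python
import re

# Constructed sample running-config, not output from the course lab. It models
# the Activity 3 starting state: only a plain-text enable password is set.
SAMPLE_CONFIG = """\
hostname Router
!
enable password opennetlab
!
"""

ENABLE_RE = re.compile(r"enable (secret|password)(?: (\d+))? (\S+)$")


def audit_enable(config):
    """Return (level, message) findings on how the enable password is stored.

    Expects 'show running-config' text. Password values are never echoed.
    """
    findings = []
    kinds = set()
    for raw in config.splitlines():
        line = raw.strip()
        if line == "service password-encryption":
            findings.append(("INFO", "service password-encryption is on: "
                             "weak encryption, not a substitute for enable secret"))
            continue
        m = ENABLE_RE.match(line)
        if not m:
            continue
        kind, ptype, _value = m.groups()
        kinds.add(kind)
        if kind == "secret":
            findings.append(("OK", f"enable secret stored as type {ptype} hash"))
        elif ptype in (None, "0"):
            findings.append(("FAIL", "enable password stored in plain text: "
                             "enter 'no enable password'"))
        else:
            findings.append(("WARN", f"enable password stored as weak type {ptype}: "
                             "replace with enable secret"))
    if "secret" not in kinds:
        findings.append(("FAIL", "no enable secret configured"))
    return findings


if __name__ == "__main__":
    for level, message in audit_enable(SAMPLE_CONFIG):
        print(f"{level:4} {message}")
```

After the fix from the Activity 3 answer is applied, the same check should report a single OK finding for the enable secret line.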