15.4 Summary of Session 15
In this session you’ve seen a variety of ways in which security for a router can be improved.
You have seen that enterprise routers allow a network engineer to connect in two ways: with a direct connection to a special console port, or over the network. Passwords can be set to control access to both of these. When a remote connection is made over the internet, a secure communication protocol such as SSH should be used to prevent an eavesdropper from reading passwords.
A message can be configured to warn that only authorised users can connect. Separate passwords can be applied to protect access to the console port and to network access through virtual teletypes.
The command-line interface on Cisco routers can be password protected, requiring the user to enter the correct password to enter further configuration commands. This applies whichever method is used to connect to the router.
You have also seen that security is difficult to get right. Possible weaknesses are storing passwords as plain text in configuration files, or using unencrypted Telnet for remote access. A network engineer should be alert to problems such as these and know ways to avoid them – for example, by adding encryption to passwords and by requiring SSH instead of Telnet for remote access.
In this session you have used the following commands.
|enable secret <password>||Global configuration||Router(config)||To set a password for privileged execution mode|
|banner motd <sep><banner><sep>||Global configuration||Router(config)||To set a message of the day|
|service password-encryption||Global configuration||Router(config)||To encrypt passwords stored in the running configuration|
|username <name> secret <password>||Global configuration||Router(config)||To create a user account|
|line console 0||Global configuration||Router(config)||To configure the console connection|
|password <password>||Line configuration||Router(config-line)||To set a password for the console connection|
|login||Line configuration||Router(config-line)||To require login with a password to the console connection|
|line vty 0 <max>||Global configuration||Router(config)||To configure a set of virtual teletype lines|
|login local||Line configuration||Router(config-line)||To require login with a user account name and password|
|transport input ssh||Line configuration||Router(config-line)||To only accept SSH connections|
In this session you have met the following terms.
A protocol used for unencrypted remote terminal connections.
Secure Shell (SSH)
A protocol used for encrypted remote terminal connections.