HowTo: Secure a Cisco Router

With a normal Home / Small Office type router, once you have got it connected, you set a password to log into the web interface and that’s about it for security. But what about with a Cisco Router. This guide covers how to protect a router from unauthorised modification or access to the settings. What it does not cover is securing the connections, which is a topic for another guide. This guide assumes that you are running a fairly current router and IOS and that it supports encryption.

On my desk, I have a little Netgear router that I got from Virgin Media. To access this, I have to navigate to the IP address of the default gateway and enter a username and password. Without this I am unable to access the device without performing a factory reset which would clear the configuration. If I was attempting to break into it, this would therefore be a silly thing to do. With a Cisco router, there is a way around a locked down device.

Cisco Recovery Procedure for the 2800 Series Router
This is taken from the Cisco Guide and explains how to gain access to a router when you don’t know the password.

  • Reset the router by power cycling it
  • Send the break command within 60 seconds of restoring power to trip it into the ROMMON mode. The terminal will display rommon 1>
  • Type confreg 0x2142. This causes the router to bypass the startup config at boot time.
  • Type reset which will cause the router to reboot, ignoring the the startup config file.

At this point, an intruder can now copy the startup configuration into the running config, reenable the interfaces, make the changes they wish to achieve such as adding a second privileged user account, reset the boot register and save the config. The attacker can now log in as an administrator as they please. If the downtime isn’t noticed while the attack takes place, and the running config isn’t examined on a regular basis, then this type of attack could go unnoticed for a considerable period of time.

Physical Security is therefore important
I have a friend who runs a Cisco 2821 in his “command centre”, a very nice computer room somewhere in the East Midlands. His router sits on a desk in a locked room to which he holds the only key, and in his words someone wishing to mess with his equipment will be doing so over his dead body. In a data centre, your routers should be kept inside locked cabinets, with keys only released to authorised personnel. Remember – just because someone is allowed into the data centre, it doesn’t mean they have free reign of the place.

Locking down your routers config
The lockdown process consists of a number of steps as detailed below:

  1. service password-encryption
  2. Secets over Passwords
  3. User Accounts
  4. SSH over telnet
  5. Locking down remote access


service password-encryption
Considering that a quick search of Google (or the search engine of your choice) will turn up many a JavaScript based tool for decrypting Cisco Password 7 passwords, it is debatable whether this can be called a security measure. Adding the command service password-encryption to the config file will cause all passwords that cannot be hashed, such as the ADSL dialer password to be stored in a weakly encrypted form. In terms of a cost benefit analysis, it costs nothing to implement, and it prevents anybody from shoulder surfing passwords. Beware them getting the config file though since decrypting it once you have is trivial.

I have a secret for you… Passwords are useless
As I mentioned in the last section, the revesable encryption that Cisco uses is pathetically poor to the point of being useless. Fortunately for some applications such as user passwords, there is hashing. While Cisco use an MD5 hash which is fairly weak by todays standards, cracking it is still fairly non-trivial. In the running config you will be able to identify a secret by the section that says secret 5 such as enable secret 5 $1$hwsd$ubw2Yy/WyKsSbSDxiNrXL. As opposed to a password which uses password 7 (ppp chap password 7 13151601181B0B382F.)

At this point it is worth setting the enable password which provides an additional layer of security by requiring unauthenticated users to provided this password to enter the privileged exec mode. This can be done by typing the command enable secret <password>.

User Accounts
If you do not use user accounts then the access control to the router is as follows. Access to the non-privileged mode is controlled by a single password which is stored in the password 7 format. Access to the privileged mode is controlled by a second password which was set previously. The issue exists that where more than one person needs access, there is no way to set who may do what, or to revoke one users access without the hassle of changing the password and redistributing it to the authorised users. This is less than ideal.

To add a user you need to enter the config mode and enter the command username <username> privilege 15 secret <password>. This will create a user account with the username and password specified with full privileged access to the system. The other privilege levels allow access to various system areas to be restricted per the administrators requirements.

Telnet. Groovy man!
Right, pay attention at the back of the class. Telnet was a protocol that first appeared in the swinging sixties. It was then refined throughout the seventies and beyond. While those two decades brought us many great things such as the Jaguar E-type and prog rock, they also brought us many rubbish things such as hairstyles, fashion, the Morris Marina and a lack of security on communications protocols! As such, if you use Telnet on your network, any goon with a judiciously placed copy of WireShark will be able to intercept and make use of your otherwise secret password. Fortunately by the nineties, things had moved on and we had SSH which is now the preferred way of securely administring your router.

Before you can use SSH you need to generate your keys. This can be done using the following commands.

  • Set the domain name using the ip domain-name <domain> command where domain is the name of your domain which can be anything.
  • Generate the keys using the command crypto key generate rsa When walking through the key generation wizard, use the strongest key size allowed. At the very minimum you should use 1024, but unless it is a slow router etc etc you should aim for 2048 or 4096 bit.
  • Set the version of SSH to be used using the command ip ssh version 2. DO NOT use SSH version 1 since this is broken and insecure.

This has configured SSH.

Locking down access
To lock down access to the router, you now need to force the router to use usernames and passwords and to only accept SSH connections. To do this use the following commands:

  • line con 0: Select the console line
  • login local: Require a username and password
  • exit: Stop configuring the line
  • line vty 0 988: Select all the VTY lines
  • login local: Require a username and password
  • transport input ssh: Allow only the SSH protocol for incoming connections
  • exit: Stop configuring the line

If you have completed the commands set above and have physically secured the device, then, coupled with a strong setup of the network connections, it should be very difficult to gain unauthorised access to your router.


Leave a Comment

Your email address will not be published. Required fields are marked *