Cisco CCNA 200-301 – Cisco Device Security Part 2

  • March 4, 2023

3. Privileged Exec and Password Encryption

Okay, privileged exec security. So we covered configuring our passwords and our basic security at the console and at the terminal lines. The last one is configuring a password for the enable prompt. When you connect over a console or a VTY line, you’ll land at the user exec prompt by default, which has that very limited set of commands available. To get super user access, you use the enable command to invoke privileged exec mode, and that can be secured with a password as well. So you could put a password on your console and your terminal lines and not have an enable password, or you could have an enable password but not have passwords at the console, or you can do both.

Typically you’re going to want to do both. So the command for this, with the old command (I’ll get onto the new command in a minute), is enable password and then the password you want to use, and that’s a global level command. So for console and VTY, that password was configured at the line level; the enable prompt password is configured at the global level. Once we’ve done this, if we are at the user prompt and we enter the enable command, we’ll be prompted for that enable password. Now, the problem with the enable password is that if you do a show run, it shows up in plain text.

So let’s say that you’re a senior administrator and you’ve got a junior administrator with you and you’re doing some training for them and you’re showing them some things. If you do a show run command on the router, while they’re looking over your shoulder, they will see what the enable password is, and now they can go and get super user access as well.

So you don’t want that to be the case. You can see here we’ve done a show run and we can see in plain text that the enable password is Flackbox3. So we don’t use the enable password command, we use the enable secret command instead. It’s got exactly the same function: once you’ve configured it, if you want to get to the enable prompt, you have to enter a password. The difference is, when you use enable secret, if you do a show run, it shows up in an encrypted format. It doesn’t show the actual password in plain text.

Now, if you’ve got both an enable password and an enable secret set, the enable password is not used. It’s the enable secret that is in effect. Best practice is to configure an enable secret. Do not configure an enable password at all. It’s just an old command that’s not used anymore. So let’s say that we did have that enable password set as Flackbox3, and we say enable secret Flackbox3. We’ll get a warning message: if it’s the same as your enable password, please use a different secret. So we could say enable secret Flackbox4. And now if I do a show run, I can see that my enable secret is messed up letters and numbers. So I don’t know that it’s actually Flackbox4; it’s not in plain text. But enable password does show as plain text, which is Flackbox3.

Real world, what you would do if you got that warning message is you would say no enable password to remove it, and then you would say enable secret and put your enable secret in. As well as the enable password being shown in plain text, any line level passwords that you’ve entered are shown in plain text by default as well. So if I did a show run now, I can see that my enable secret is encrypted, my enable password is in plain text, and also those passwords that I configured under the console and the virtual terminal lines are in plain text as well.

Again, that is bad too. I don’t want those showing up in plain text. So what I can do for that is use the service password-encryption command. You enable this at global level. When you do this, whenever you do a show run, all passwords will be shown in an encrypted format. So it is best practice to do this. In the example here, I’ve enabled service password-encryption, and now when I do a show run, I see that all of my passwords are in an encrypted format and are not showing in plain text. Okay, so that was it. That was configuring basic security. Next lecture, we’ll have a look at doing this in the lab.

4. Line Level Security Lab Demo

You’ll see how to configure basic line level security on a Cisco device. For this demo, I’m going to use the router R1 that you can see in the diagram. It’s got an IP address already configured on there, 10.0.0.1. And I’ve got a couple of PCs, PC1 and PC2, which have IP connectivity to the router. PC1 is also connected up with a console cable as well. So let’s have a look at R1. I will jump on there and go to the enable prompt. Right now you’ll see that I don’t have any security configured on here. Basically I’ve just configured a host name and the IP address. So when I go enable, I’m not going to be prompted for a password, and I can show run. And you see I’ve got IP addresses on there and I’ve got no configuration under my console or my virtual terminal lines. So first thing to do is to secure the console access. I’ll go to global configuration, line console, and I’ll do a question mark, and you see that I’ve only got one line, so it’s going to be line 0.

And then I’ll put a password on here. So I’ll say password Flackbox1. Now, you also need to put in the login command as well. So let’s see what happens when I don’t do that. I’ll exit out of here and then hit return, and you see I get in immediately. It didn’t prompt me for a password. So to get the password prompt, I’ll go back to global configuration, line console 0. I’ve already configured the password. I also have to say login as well. When I say login with no other keywords after that, it means use the password that I just configured at the line level. So now if I exit out of the console and hit enter again (this would be the same if a new user was hooking up with the physical console cable), we’ll see a prompt to enter the password. If I put in the wrong password, it’s going to prompt me for the password again; it doesn’t let me in.

So I’ll put in the correct password and you’ll see I’ve now got in at the user level. At this stage I still haven’t set an enable password, so I can get to privileged exec mode with no password prompt there. Now, you saw earlier that I hadn’t configured anything under the console line. I just did that. I hadn’t configured anything under the VTY, the virtual terminal lines, either. So if I go onto one of the PCs, I’ll go on to PC1, and if I try to telnet to the router at 10.0.0.1, it’s going to tell me that the connection was closed. I can’t telnet in because you cannot use telnet unless you explicitly allow it on the router. So let’s do that next. I’ll go back onto R1 again, I’ll go to global config, and now I want to go line vty. The first available one is 0, and if I do a space and a question mark, you can see the highest number there is 15. So I’ve got 16 available lines on here, 0 and then 1 to 15. I want to enable security and enable administrators to log in on all of them.

So I’m going to configure 0 to 15. I’ll configure a password on here. Let’s use the same password; I could use the same password or a different password than I used on the console. And remember to say login again, and that is Telnet access enabled on the router. Now, SSH uses the VTY lines as well, but I would need to do some additional configuration to allow SSH access. You’ll see how you do that in a later lecture. So if I try on PC1 again to telnet in, you see that telnet is enabled now. It prompts me for the password. So I will enter the password and again I get in at the user prompt. And because there was no enable password set, if I try to enable I’m going to get an error message here now. So it’s really important that when you want to allow telnet, don’t just enable telnet access; you need to configure the enable secret as well. We didn’t need to do that at the console, but for telnet you’re going to need to do both.

So we’ll get on to that in a few minutes. You can see right now that telnet access is enabled. If I try on PC2 as well, it’s also got connectivity to the router. So if I telnet to it from PC2, I’m going to get prompted for the password, and I can also log in from PC2 if I know the password. Next up, let’s say that I want to secure this a bit more. If I look back at the diagram, let’s say that my administrator uses PC1. PC2 is just another normal user and should not have any access to the router. So I’m going to configure an ACL on R1 that restricts telnet access just to that administrator workstation at 10.0.0.10. I will go on to R1 and go to global config. This is just a standard access list. I say access-list 1 and I’m going to permit 10.0.0.10, which is PC1.

Then I’ll go back to line vty 0 15 and say access-class 1 in, which means only IP addresses specified in the ACL are going to be allowed to telnet in. So I’ll go back to PC1 again and I will exit out of the session. I’ll try to telnet in again, I get prompted for the password, and if I enter the correct password, I can log in from PC1. But if I go to PC2, notice that it didn’t kick out existing sessions. It’s only going to apply to new sessions. So if I exit here and then try to telnet in again, I get connection refused by remote host, because this IP address was not allowed in the ACL. Okay, so that was my telnet access secured, but still I can’t get to the enable prompt here. So I need to set an enable password. I will go back onto R1 and I’ll say enable password Flackbox2.

Now, the problem with this is if I do a show run, you can see that the enable password is shown in plain text there. So if I ever do a show run and somebody is looking over my shoulder, they’re going to see what the enable password is. I don’t want that to happen.

So do not configure an enable password. I’m going to remove that. I’ll say no enable password, and instead I’ll say enable secret and I’ll use the same password again, which was Flackbox2. And now if I do a show run, the enable secret is not shown in plain text, it’s encrypted. Okay, so that was my enable secret set. Now let’s go back onto PC1 and telnet in again. If I try to get to enable, it’s going to ask me for the password. I can enter the password here, and again, I’ll try to do it without a typo. And there you see, I got to the enable prompt. Okay, last thing to show you here: if we go back onto R1 and do my show run again, even though I’ve set the enable secret and it is encrypted, my passwords on my VTY lines and on the console are still shown in plain text.

I don’t want that to happen either. So I will go to global config, and the command I want to enter is service password-encryption. What this does is encrypt all passwords in the running config. So if I do a show run and scroll down to the bottom, you can see that those line level passwords are encrypted now as well. Okay, so that’s how to configure basic line level password security. See you in the next lecture where we’re going to get into some more security details.
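The checks from both lectures, as an added example that is not part of the original course material: a short Python audit over running-config text that flags enable password, plain-text line passwords, a line password without login, and VTY lines with no access-class. The two configs, the audit function and the PLACEHOLDER values are constructed for illustration and are not output from a real device.

```python
import re

# Constructed configs for illustration; PLACEHOLDER is not a real hash or encoding.
WEAK = """\
no service password-encryption
enable password Flackbox2
line con 0
 password Flackbox1
line vty 0 4
 access-class 1 in
 password Flackbox1
 login
line vty 5 15
 password Flackbox1
 login
"""
# Type 7 (service password-encryption) is reversible obfuscation; enable secret is a one-way hash.
HARDENED = """\
service password-encryption
enable secret 5 PLACEHOLDER
line con 0
 password 7 PLACEHOLDER
 login
line vty 0 15
 access-class 1 in
 password 7 PLACEHOLDER
 login
"""

def audit(config):
    lines, findings = config.splitlines(), []
    if "service password-encryption" not in lines:
        findings.append("global: service password-encryption is off")
    if any(l.startswith("enable password ") for l in lines):
        findings.append("global: enable password is readable in show run; use enable secret")
    elif not any(l.startswith("enable secret ") for l in lines):
        findings.append("global: no enable secret, so Telnet users cannot reach privileged exec")
    # Each "line ..." header followed by its indented sub-commands is one block.
    for m in re.finditer(r"^(line .+)$\n?((?: .+\n?)*)", config, re.M):
        name, body = m.group(1).strip(), [b.strip() for b in m.group(2).splitlines()]
        pw = [b for b in body if b.startswith("password ")]
        if pw and not pw[0].startswith("password 7 "):
            findings.append(f"{name}: password stored in plain text")
        if pw and "login" not in body:
            findings.append(f"{name}: password set but no login, so it is never asked for")
        if name.startswith("line vty") and not any(b.startswith("access-class ") for b in body):
            findings.append(f"{name}: no access-class, any source address may connect")
    return findings

if __name__ == "__main__":
    print("WEAK:", audit(WEAK), "\nHARDENED:", audit(HARDENED))
```

The WEAK config applies access-class to only part of the VTY range, which is the mistake the audit catches on line vty 5 15.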
