Securing Administrative Access
A network is only as secure as its weakest link. So far, this book has examined how to create secure paths for user data as it traverses the network. Chapter 18, “Cisco Device Hardening,” looked at how to minimize vulnerabilities on an IOS device by eliminating unnecessary services and features; however, it is also important to consider securing permitted access to the router itself. A compromised router can yield a treasure chest of information to an attacker. The knowledge of internal networks and subnets can be used to create targeted attacks. Privileged-mode access to a router gives the attacker the ability to disable security features that keep the network and the users safe. It is extremely important that only authorized administrators have access to network infrastructure devices. Additionally, there might be different levels of administrative access and configuration responsibilities. Cisco IOS software has a number of tools that permit very granular control of both access to and configuration of an IOS device. This chapter explores many of these features. “Do I Know This Already?” Quiz The purpose of the “Do I Know This Already?” quiz is to help you decide whether you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 19-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you to determine how to spend your limited study time. Table 19-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.
Router Access
Most network users probably cannot accurately describe the function or purpose of a router; however, if the network is inaccessible for any reason, the router is often blamed. The router, like any computing device, is only as good as its programming. Left alone, the router should continue to operate as well as it has in the past. But routers often receive incremental configuration updates to activate a new feature, correct an existing problem, or plan for an upcoming event. Access to a router can be both physical and logical. You can configure a Cisco IOS router using these three basic methods: ■ CLI—The CLI is accessed physically via the console or auxiliary ports, or logically via a Telnet or SSH connection. ■ Web interface—SDM is used to access and configure the router via HTTP or HTTPS. ■ SNMP—The router can be polled and configured from an SNMP workstation. Every Cisco router has a console port. Many also have auxiliary ports. Both offer direct physical connectivity and asynchronous connectivity to the router. The auxiliary port is often used to connect a modem to the router for remote access during times of network instability. But both the console and auxiliary ports can be accessed from a directly connected PC with some terminalemulation software. The user has access to the CLI with either of these connections. The IP network also offers a variety of means for any user to access any router. Both Telnet and SSH can be used to access the router CLI. Any user can access the router if the network is functional and either Telnet or SSH is permitted. Any web browser can also access the router via SDM. As with Telnet or SSH, network reachability and permission are the only limiting factors. SNMP is another access method delivered across an IP network. As of 2004, SNMPv3 is the current standard. SNMPv3 adds message integrity, authentication, and encryption to SNMP packets that traverse the network. These features are great enhancements over previous versions of SNMP. Protection against all these access methods is a combination of proper passwords and access restrictions. Password integrity ensures that passwords are both challenging (to guess) and change often. Access restrictions limit the devices or users that are permitted to log into and configure the router
Password Considerations
The ability to access a router and activate a new feature, correct an existing problem, or plan for an upcoming event is, in most cases, protected by one or more passwords. The use of passwords is typically how all network resources are sheltered. There are a number of best practices for passwords that should be enforced for all network devices, including: ■ Minimum length—The more characters in a password, the longer it takes to guess it. ■ Mix of characters—Passwords should contain a mix of upper- and lowercase letters, numbers, and meta-characters (symbols and spaces). More characters translates to a greater number of combinations that an attacker must try. ■ Do not use dictionary words—Avoid the use of words found in a dictionary to make a dictionary attack less likely to succeed. ■ Change passwords frequently—A frequently changed password limits the usefulness of a compromised password, and thus reduces overall exposure. There are actually a number of access points into a router that should be protected by passwords. Figure 19-1 shows how a router can be accessed.