Overview
This module focuses on securing administrative access to network devices through proper authentication, password security, and encrypted communication protocols. Students will learn to implement secure access controls, configure enhanced login security features, and establish SSH for encrypted remote management.
Key Terms
Edge Router
The last router between the internal network and an untrusted network like the internet.
DMZ
Demilitarized Zone - an intermediate area between trusted and untrusted networks.
SSH
Secure Shell - encrypted protocol for secure remote device access and management.
Login Enhancement
Cisco IOS features that provide additional security for virtual login connections.
Quiet Mode
Security state where login attempts are blocked after exceeding failure thresholds.
Type 9 Encryption
Cisco's name for its scrypt-based password hash. It is a one-way hash, not reversible encryption, and is far more resistant to brute force than the MD5-based Type 5.
Secure the Edge Router
Routers are primary targets for attacks as they direct traffic between networks. The edge router requires special attention as the boundary between trusted and untrusted networks.
Security Approaches
Single Router Approach
All security configured on one router. Common for smaller sites like SOHO environments. Simple but provides limited protection.
Defense-in-Depth Approach
Multiple layers of security with three primary layers:
- Edge router (first line of defense)
- Firewall (stateful inspection)
- Internal router (connects to protected LAN)
DMZ Approach
Includes intermediate area (DMZ) between networks. Can be implemented:
- Between two routers (internal and external)
- As additional port on single router
- Firewall provides primary DMZ protection
Three Areas of Router Security
Security Area | Description |
---|---|
Physical Security | Controlling physical access to devices and infrastructure |
Operating System Security | Securing the router's OS through updates and hardening |
Router Hardening | Configuring security features and disabling unnecessary services |
Six Key Requirements
- Restricting device accessibility
- Logging and accounting for all access
- Authenticating access attempts
- Authorizing user actions
- Presenting legal notification
- Ensuring data confidentiality
Configure Secure Administrative Access
Strong Password Guidelines
- Use longer passwords (10 or more characters)
- Include complex character combinations
- Avoid common dictionary words
- Change passwords regularly
- Keep passwords confidential
Service Password-Encryption
Use service password-encryption to obfuscate the plaintext passwords that remain in the configuration (line passwords, enable password, username ... password). It applies Type 7 encoding, which is reversible: it stops casual viewing of a displayed configuration, but anyone who obtains the config file can decode every Type 7 string in an instant. Treat it as a minimum and store real credentials with secret (Type 8 or 9) instead.
Password Encryption Types
Type | Algorithm | Security Level | Recommendation |
---|---|---|---|
Type 5 | MD5 | Weak | Not recommended (default) |
Type 7 | Vigenère cipher | Very weak | Avoid completely |
Type 8 | PBKDF2 with SHA-256 | Strong | Recommended |
Type 9 | SCRYPT | Strongest | Preferred choice |
MD5 Vulnerability
Type 5 hashes are MD5-based (md5crypt), a fast construction that GPU crackers can test at millions of candidates per second, so a weak password behind a Type 5 hash falls quickly to a dictionary or brute-force attack; MD5 itself is also cryptographically broken (practical collisions). Always use Type 8 or Type 9 for secret passwords.
Configuration Examples
# Configure Type 9 (SCRYPT) encryption
Router(config)# enable algorithm-type scrypt secret cisco12345
# Configure username with Type 9 encryption
Router(config)# username Bob algorithm-type scrypt secret cisco54321
# Encrypt all plaintext passwords
Router(config)# service password-encryption
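To make the Type 7 point concrete, here is an added example (not code from the course or from Cisco) that decodes Type 7 strings with the publicly known XOR key and classifies every password line in a running-config by type. The config excerpt is constructed; its $1$, $8$ and $9$ hash values are placeholders rather than real hashes. The two Type 7 strings are the widely cited encodings of the password cisco.

```python
"""Audit Cisco IOS password lines and show why Type 7 is not protection.

Added example for this module (not code from the page or from Cisco); the
config text below is constructed, and its $1$/$8$/$9$ hash strings are
placeholders, not real hashes.
"""
import re

# XOR key used by the IOS Type 7 scheme. The two leading decimal digits of a
# Type 7 string give the start offset into this key (IOS picks 0-15).
_T7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Recover the plaintext behind a Type 7 string, e.g. 060506324F41 -> cisco."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a Type 7 string")
    offset = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return bytes(b ^ _T7_KEY[(offset + i) % len(_T7_KEY)]
                 for i, b in enumerate(data)).decode()


def type7_encode(plain: str, offset: int = 6) -> str:
    """Produce a Type 7 string; the same XOR run in the other direction."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses offsets 0-15")
    body = bytes(ord(c) ^ _T7_KEY[(offset + i) % len(_T7_KEY)]
                 for i, c in enumerate(plain))
    return f"{offset:02d}{body.hex().upper()}"


# Rating by IOS password type digit.
RATING = {
    "0": "CRITICAL: cleartext",
    "7": "CRITICAL: Type 7, reversible instantly",
    "5": "WEAK: Type 5 md5crypt, fast to brute-force on GPUs",
    "8": "OK: Type 8 PBKDF2-SHA256",
    "9": "OK: Type 9 scrypt",
}

# enable/username/line password lines; a missing type digit means cleartext.
_PW_LINE = re.compile(
    r"^(?:(?P<who>enable|username\s+\S+(?:\s+privilege\s+\d+)?)\s+)?"
    r"(?P<kw>secret|password)\s+(?:(?P<type>[0-9])\s+)?(?P<value>\S+)\s*$"
)


def audit_passwords(config: str) -> list:
    """Classify every enable/username/line password found in a running-config."""
    findings = []
    for raw in config.splitlines():
        m = _PW_LINE.match(raw.strip())
        if not m:
            continue
        ptype = m.group("type") or "0"
        finding = {"line": raw.strip(), "type": ptype,
                   "rating": RATING.get(ptype, "UNKNOWN type"), "plaintext": None}
        if ptype == "0":
            finding["plaintext"] = m.group("value")
        elif ptype == "7":
            finding["plaintext"] = type7_decode(m.group("value"))
        findings.append(finding)
    return findings


# Constructed running-config excerpt (hash values are placeholders).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$abcd$placeholderMd5cryptHash000000
enable password 7 060506324F41
username Bob privilege 15 secret 9 $9$placeholder.scrypt.hash
username admin password 0 cisco123
username ops secret 8 $8$placeholder.pbkdf2.hash
line vty 0 4
 password 7 094F471A1A0A
 login
"""

if __name__ == "__main__":
    for f in audit_passwords(SAMPLE_CONFIG):
        shown = f" -> {f['plaintext']!r}" if f["plaintext"] else ""
        print(f"{f['rating']:<52} {f['line']}{shown}")
```

Run it and every Type 7 and cleartext entry prints with its recovered plaintext; that is exactly what an attacker who copies the configuration (from a backup, a TFTP share, or a ticket attachment) gets, which is why the course steers everything to secret with Type 8 or 9.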
Enhanced Security for Virtual Logins
Cisco IOS login enhancements slow down dictionary attacks and login-based DoS attacks by watching for failed attempts and temporarily blocking logins once a threshold is crossed. The login block-for command must be configured before any of the other login commands; it is what enables the feature.
Login Enhancement Commands
Command | Purpose |
---|---|
login block-for | Block logins for a period after a specified number of failed attempts within a time window (must be configured first) |
login quiet-mode access-class | Allow hosts permitted by an ACL to log in during quiet mode |
login delay | Add a uniform delay between successive login attempts |
login on-success log | Log successful login attempts |
login on-failure log | Log failed login attempts |
Login Enhancement Modes
Normal Mode (Watch Mode)
Router monitors and counts failed login attempts within specified time period. Operates normally while tracking failures.
Quiet Mode (Quiet Period)
When the failure threshold is exceeded, all login attempts via Telnet, SSH, and HTTP are denied for the configured duration, except from hosts permitted by the quiet-mode ACL. Without that ACL, administrators are locked out along with the attacker for the whole quiet period.
Complete Login Enhancement Setup
# Block for 15 seconds after 5 attempts in 60 seconds
Router(config)# login block-for 15 attempts 5 within 60
# Create ACL for administrative hosts
Router(config)# ip access-list standard PERMIT-ADMIN
Router(config-std-nacl)# permit 192.168.10.10
Router(config-std-nacl)# permit 192.168.11.10
Router(config-std-nacl)# exit
# Apply ACL to quiet mode
Router(config)# login quiet-mode access-class PERMIT-ADMIN
# Add 10-second delay between attempts
Router(config)# login delay 10
# Enable logging
Router(config)# login on-success log
Router(config)# login on-failure log
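The watch/quiet behaviour above is easier to reason about with a model you can run. The following is an added example, not code from the course or from Cisco: a simplified Python model of login block-for with a quiet-mode ACL, plus a parser for the %SEC_LOGIN syslog lines that login on-failure log and login on-success log produce, so that a saved login log can be replayed under a candidate policy to see what it would have blocked. The log lines are constructed to match the shape of IOS LOGIN_FAILED / LOGIN_SUCCESS messages, and the window semantics (a fixed window opened by the first failure, exempt failures not counted) are the model's assumptions rather than a statement about the IOS implementation.

```python
"""Replay login syslog events through a model of 'login block-for'.

Added example for this module (not code from the page or from Cisco). The
class is a simplified model of IOS watch/quiet behaviour, meant for tuning
thresholds offline; the log lines are constructed in the shape of IOS
%SEC_LOGIN messages and are not real device output.
"""
import re
from ipaddress import ip_address, ip_network

_EVENT = re.compile(
    r"%SEC_LOGIN-\d-(?P<kind>LOGIN_FAILED|LOGIN_SUCCESS):.*?\[user: (?P<user>[^\]]+)\]"
    r" \[Source: (?P<src>[^\]]+)\].*? at (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d)"
)


def parse_events(log: str):
    """Yield (seconds_into_day, user, source, success) for each login message.
    Assumes all lines come from one day, which is enough for threshold tuning."""
    for line in log.splitlines():
        m = _EVENT.search(line)
        if m:
            t = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + int(m["ss"])
            yield t, m["user"], m["src"], m["kind"] == "LOGIN_SUCCESS"


class LoginBlockPolicy:
    """Model of 'login block-for B attempts A within W' with a quiet-mode ACL.

    Assumed semantics (simplified): the watch window opens at the first
    failure; A failures inside W seconds start a quiet period of B seconds,
    during which only sources matched by the ACL are served. Failures from
    exempt sources during quiet mode are not counted."""

    def __init__(self, block_for: int, attempts: int, within: int, permit=()):
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.permit = [ip_network(p) for p in permit]   # the PERMIT-ADMIN ACL
        self.window_start, self.failures, self.quiet_until = None, 0, None

    def permitted(self, src: str) -> bool:
        return any(ip_address(src) in net for net in self.permit)

    def attempt(self, src: str, success: bool, now: int) -> str:
        if self.quiet_until is not None:
            if now < self.quiet_until:                       # quiet mode
                if not self.permitted(src):
                    return "BLOCKED"
                return "ALLOW-EXEMPT" if success else "FAIL-EXEMPT"
            self.window_start, self.failures, self.quiet_until = None, 0, None
        if success:                                          # watch mode
            return "ALLOW"
        if self.window_start is None or now - self.window_start > self.within:
            self.window_start, self.failures = now, 0        # (re)open the window
        self.failures += 1
        if self.failures >= self.attempts:
            self.quiet_until = now + self.block_for
            self.window_start, self.failures = None, 0
            return "QUIET-ON"
        return "FAIL"


def replay(log: str, policy: LoginBlockPolicy) -> list:
    """Decide each logged attempt under the candidate policy, in log order."""
    return [(t, user, src, policy.attempt(src, ok, t))
            for t, user, src, ok in parse_events(log)]


# Constructed log: a dictionary attack from 203.0.113.5, then the admin host.
SAMPLE_LOG = "\n".join(
    [f"%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] "
     f"[localport: 22] [Reason: Login Authentication Failed] at 10:00:{s:02d} UTC Mon Mar 4 2024"
     for s in (1, 3, 5, 7, 9, 11)]
    + ["%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: Bob] [Source: 192.168.10.10] "
       "[localport: 22] at 10:00:12 UTC Mon Mar 4 2024",
       "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.5] "
       "[localport: 22] [Reason: Login Authentication Failed] at 10:00:30 UTC Mon Mar 4 2024"]
)

if __name__ == "__main__":
    policy = LoginBlockPolicy(block_for=15, attempts=5, within=60,
                              permit=("192.168.10.10/32", "192.168.11.10/32"))
    for t, user, src, verdict in replay(SAMPLE_LOG, policy):
        print(f"{t:>6}s  {src:<15} {user:<6} {verdict}")
```

With the page's values (15 attempts 5 within 60) the fifth failure at 10:00:09 switches the model to quiet mode until 10:00:24: the attacker's next attempt is blocked, Bob's login from the PERMIT-ADMIN host still succeeds, and by 10:00:30 the router is back in watch mode counting from zero. Change the constructor arguments to see how a longer block-for or a smaller attempts value would have treated the same log.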
Legal Protection
Configure a banner (banner motd) with wording that supports legal action. Never use welcoming language such as "Welcome", since it can be used to argue that access was invited. Example: "This equipment is privately owned and access is logged. Disconnect immediately if you are not an authorized user."
Monitoring Commands
- show login: display the current login enhancement configuration and whether the router is in watch mode or quiet mode
- show login failures: show details of failed login attempts (user, source address, count)
- security authentication failure rate: alternative method that logs a syslog message when the rate of failed authentications exceeds a configured threshold
Configure SSH
Telnet Vulnerability
Telnet transmits data unencrypted, making it vulnerable to packet sniffing attacks. SSH provides encrypted communication for secure remote access.
SSH Configuration Steps
Step 1: Configure Hostname
Device must have unique hostname other than default.
Router(config)# hostname R1
Step 2: Configure Domain Name
Set the IP domain name; the hostname and domain name together name the RSA key pair that SSH will use.
R1(config)# ip domain name span.com
Step 3: Generate RSA Keys
Create the RSA key pair used by SSH. The course gives 1024 bits as the minimum (SSH version 2 requires at least 768); 2048 bits or more is the current recommendation for new keys.
R1(config)# crypto key generate rsa general-keys modulus 1024
Step 4: Create Local User
Establish local database entry with encrypted password.
R1(config)# username Bob secret cisco
Step 5: Configure VTY Authentication
Enter the VTY lines and set them to authenticate against the local user database created in Step 4.
R1(config)# line vty 0 4
R1(config-line)# login local
Step 6: Enable SSH Transport
Allow only SSH connections on the VTY lines; this also disables Telnet on them. Pair it with ip ssh version 2 in global configuration so the server refuses SSH version 1, which has known protocol weaknesses.
R1(config-line)# transport input ssh
SSH Security Enhancements
Command | Default | Purpose |
---|---|---|
ip ssh time-out | 120 seconds | Seconds allowed to complete authentication before the connection is dropped |
ip ssh authentication-retries | 3 attempts | Failed authentication attempts allowed before the connection is dropped |
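An added example, not code from the course or from Cisco, that audits the result of these steps from saved show running-config and show ip ssh output: it checks that every VTY accepts only SSH and uses login local, that the server reports version 2.0, that the time-out and retry values are at or below the defaults in the table, and it parses the base64 ssh-rsa blob that show ip ssh prints to compute the host key's modulus size. Both inputs are constructed; the host key is a synthetic blob built by the script rather than one from crypto key generate rsa, and the 2048-bit threshold reflects current practice rather than the course's 1024-bit minimum.

```python
"""Audit an IOS device's SSH posture from 'show running-config' and 'show ip ssh'.

Added example for this module (not code from the page or from Cisco). Both
text inputs are constructed; the host key is a synthetic ssh-rsa blob built
by make_ssh_rsa_blob() so the modulus-size check runs offline.
"""
import base64
import re
import struct


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a positive integer (leading 0x00 if the top bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_ssh_rsa_blob(e: int, n: int) -> str:
    """Base64 public-key blob in the format 'show ip ssh' prints (ssh-rsa, e, n)."""
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)).decode()


def rsa_modulus_bits(blob_b64: str) -> int:
    """Parse an ssh-rsa blob and return the modulus size in bits."""
    raw, pos, fields = base64.b64decode(blob_b64), 0, []
    while pos + 4 <= len(raw):
        (length,) = struct.unpack(">I", raw[pos:pos + 4])
        fields.append(raw[pos + 4:pos + 4 + length])
        pos += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    return int.from_bytes(fields[2], "big").bit_length()


def _vty_stanzas(config: str) -> dict:
    """Map each 'line vty ...' header to the indented commands beneath it."""
    stanzas, current = {}, None
    for ln in config.splitlines():
        if ln.startswith("line vty"):
            current = stanzas.setdefault(ln.strip(), [])
        elif ln.startswith(" ") and current is not None:
            current.append(ln.strip())
        else:
            current = None
    return stanzas


def audit_ssh(running_config: str, show_ip_ssh: str, min_bits: int = 2048) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    m = re.search(r"SSH (Enabled|Disabled) - version (\S+)", show_ip_ssh)
    if not m or m.group(1) != "Enabled":
        findings.append("SSH server is not enabled (no RSA keys generated)")
    elif m.group(2) != "2.0":
        findings.append(f"SSH version {m.group(2)} accepted: configure 'ip ssh version 2'")
    m = re.search(r"Authentication timeout: (\d+) secs; Authentication retries: (\d+)", show_ip_ssh)
    if m and int(m.group(1)) > 120:
        findings.append(f"authentication timeout {m.group(1)}s exceeds the 120s default")
    if m and int(m.group(2)) > 3:
        findings.append(f"authentication retries {m.group(2)} exceeds the default of 3")
    m = re.search(r"\bssh-rsa (AAAA\S+)", show_ip_ssh)
    if m:
        bits = rsa_modulus_bits(m.group(1))
        if bits < min_bits:
            findings.append(f"RSA host key is {bits} bits; regenerate with modulus {min_bits} or larger")
    for header, cmds in _vty_stanzas(running_config).items():
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport or transport[-1] != "transport input ssh":
            current = transport[-1] if transport else "default"
            findings.append(f"{header}: transport is '{current}'; set 'transport input ssh'")
        if not any(c.startswith(("login local", "login authentication")) for c in cmds):
            findings.append(f"{header}: no 'login local' (or AAA login) configured")
    return findings


# Constructed inputs. WEAK_KEY is a synthetic 1024-bit modulus, not a real key.
WEAK_KEY = make_ssh_rsa_blob(65537, (1 << 1023) | 0x10001)
SHOW_IP_SSH = f"""\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Authentication timeout: 120 secs; Authentication retries: 5
IOS Keys in SECSH format(ssh-rsa, base64 encoded): R1.span.com
ssh-rsa {WEAK_KEY}
"""
RUNNING_CONFIG = """\
hostname R1
ip domain name span.com
ip ssh version 2
ip ssh authentication-retries 5
username Bob secret 9 $9$placeholder.hash
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
"""

if __name__ == "__main__":
    for finding in audit_ssh(RUNNING_CONFIG, SHOW_IP_SSH) or ["all checks passed"]:
        print(finding)
```

On the constructed inputs the audit reports three findings: the retry count was raised above the default, the host key is only 1024 bits, and the second VTY range still accepts Telnet even though the first one was hardened, a common gap when only line vty 0 4 is edited.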
SSH Connection Methods
Router-to-Router SSH
Cisco router acting as SSH client connecting to another SSH-enabled router.
R2# ssh -l Bob 192.168.2.101
Host-to-Router SSH
SSH client applications like PuTTY, OpenSSH, or TeraTerm connecting to router SSH server.
RSA Key Operations
- show crypto key mypubkey rsa: display the generated keys
- crypto key zeroize rsa: remove existing keys (this also disables the SSH server until a new key pair is generated)
- show ssh: display current SSH connections
- show ip ssh: show SSH configuration settings (version, timeout, retries, key)
Quick Checks
- What are the three approaches to securing edge routers?
Single router approach, defense-in-depth approach, and DMZ approach.
- Which password encryption types are recommended for modern security?
Type 8 (PBKDF2 with SHA-256) and Type 9 (SCRYPT), with Type 9 being preferred.
- What are the two modes of operation for the login block-for command?
Normal mode (watch mode) and quiet mode (quiet period).
- What are the six steps to configure SSH on a Cisco device?
Configure hostname, set domain name, generate RSA keys, create local user, configure VTY authentication, enable SSH transport.
- Why is Telnet considered insecure compared to SSH?
Telnet transmits data unencrypted, while SSH provides encrypted communication.
Summary
- Edge routers are primary attack targets requiring comprehensive security approaches
- Defense-in-depth provides multiple security layers for better protection
- Strong passwords should be 10+ characters with complexity and regular changes
- Type 9 (SCRYPT) hashing is preferred over MD5 (Type 5) for password security, and Type 7 offers no real protection
- Login enhancements protect against dictionary and DoS attacks
- Quiet mode blocks login attempts while allowing administrative access via ACLs
- SSH provides encrypted remote access replacing insecure Telnet
- RSA key generation: the course minimum is a 1024-bit modulus; use 2048 bits or more in practice
- Banner messages provide legal protection and user notification
- Logging and monitoring help detect unauthorized access attempts
References
- Module 4: Secure Device Access - Introduction (Ch. 4.0)
- Secure the Edge Router (Ch. 4.1)
- Configure Secure Administrative Access (Ch. 4.2)
- Configure Enhanced Security for Virtual Logins (Ch. 4.3)
- Configure SSH (Ch. 4.4)
- Cisco IOS Security Configuration Guide
- SSH Protocol Specifications (RFC 4251-4254)