Lab 2.3.5 Configure General Router Security


Estimated Time: 25 Minutes
Number of Team Members: Two teams with four students per team.

Objective
In this lab, the students will examine the following objectives:

Use basic security commands to secure management access to the router.

Use the auto secure feature within IOS

Use the Router Analysis Tool to analyze the router configuration.

Scenario
Many overlooked security features of the router come at no additional expense whatsoever. These
features are often misconfigured or overlooked, because they are not traditional security features.
Passwords are the primary defense against unauthorized access to the router.
Leaving a console unattended can cause serious problems, especially if the user is logged in as a
privileged user. The use of console timeouts can control how long the console will remain logged in
after a period of inactivity.
This lab also covers the commands used to establish password protection and configure privilege
levels. Password protection allows a network security administrator to restrict access to a network or
a network device. Privilege levels allow a security administrator to define what commands various
users can issue after they have logged in to a network device. This is very important in larger
networks where the IT staff needs access to network devices with different levels of access.
In some jurisdictions, civil or criminal prosecution of hackers who break into the systems is made
much easier if a banner message informs unauthorized users that their use is, in fact,
unauthorized.


Fundamentals of Network Security v 1.2 - Lab 2.3.5

Copyright 2004, Cisco Systems, Inc.

Topology
This figure illustrates the lab network environment.

Preparation
Begin with the standard lab topology and verify the starting configuration on the pod router. Test the
connectivity between the pod routers. Access the perimeter router console port using the terminal
emulator on the Windows 2000 server. If desired, save the router configuration to a text file for later
analysis. Refer back to the Student Lab Orientation if more help is needed.
If the CIS Router Analysis Tool (RAT) version 2.1 for Cisco IOS routers is not installed on the student PC,
contact the instructor to get the RAT tool, or download and install it from
http://www.cisecurity.org.

Tools and resources

In order to complete the lab, the following is required:

Standard IOS Firewall lab topology

Console cable

HyperTerminal

Additional materials
Further information regarding the objectives covered in this lab can be found at the following
websites:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7cd.html

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d984e.html

http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_summary_chapter09186a00800eeadc.html

http://www.cisecurity.org/

Command list
In this lab exercise, the following commands will be used. Refer to this list if assistance or help is
needed during the lab exercise.

Command                                 Description
exec-timeout                            Sets the interval that the EXEC command interpreter waits
                                        until user input is detected.
enable                                  Enters privileged EXEC mode.
enable password password                Sets a local password to control access to various privilege
                                        levels.
enable secret password                  Specifies an additional layer of security over the enable
                                        password command.
enable secret level level password      Sets a password for the privilege level.
login local                             Defines a login authentication mechanism for the lines. The
                                        authentication method must utilize a username and
                                        password.
privilege level level                   Configures a new privilege level for users and associates
                                        commands with that privilege level.
                                        level - Privilege level associated with the specified line.
privilege mode {level level | reset}    mode - Configuration mode for the specified command.
command-string                          level level - Specifies the privilege level configured for the
                                        specified command or commands. The level argument must
                                        be a number from 0 to 15.
                                        reset - Resets the privilege level of the specified command or
                                        commands to the default and removes the privilege level
                                        configuration from the running-config file.
                                        Note: If the no form of this command is used to reset the
                                        privilege level to the default, the default form of this
                                        command will still appear in the configuration file. To
                                        completely remove a privilege configuration, use the reset
                                        keyword.
                                        command-string - Command associated with the specified
                                        privilege level. If the all keyword is used, specifies the
                                        command and subcommands associated with the privilege
                                        level.
service password-encryption             Encrypts all passwords in the configuration files.
show privilege                          Displays the current level of privilege.
transport input                         Defines which protocols to use to connect to a specific line of
                                        the router.
auto secure                             Enters the auto secure interactive setup mode.

Step 1 Setting Enable Passwords

a. Defining an enable password
   Enable passwords should always be set in any production environment. Setting the enable
   password will authenticate the user when they try to enter the privileged EXEC mode
   (RouterP#). Defining an enable password helps prevent unauthorized access to the various
   router configuration modes.
   i. To define an enable password use the enable password password command.
      RouterP(config)#enable password cisco
      This command sets the enable password to cisco.

b. Verifying the enable password
   i. To verify the enable password, exit out of the router completely using the exit command.
      After logging out, reconnect to the user level (RouterP>) and then enter the enable
      command. A prompt will appear asking for a password. Enter the recently configured enable
      password. If the password is entered correctly, access will be granted to the privileged
      EXEC mode (RouterP#).

c. View the enable password
   i. To view the enable password, use the show running-config command in the privileged
      EXEC mode.

   a. Is the enable password in the output? If so, write the output of that line.

   b. Is the password displayed in plain text or is it encrypted?

Step 2 Enable Secret Password

As seen in the first task, the enable password is displayed in plain text in the running configuration
file.
Note: The enable password is also displayed in the startup configuration file if the copy
running-config startup-config command is used.
However, defining the enable password using the enable password command can be a security
risk.
Why would setting the enable password using the enable password command be a possible
security risk?

a. Setting the enable secret password
   i. In the global configuration mode, use the enable secret password command to set an enable
      secret password. Set the password to class using the following command:
      RouterP(config)#enable secret class

b. View the encrypted password
   i. To view the encrypted enable password, view the running configuration.
      RouterP#show run
      *(abbreviated show running-config command)

   Is the enable password encrypted? Is the enable secret password encrypted? How is the enable
   secret password displayed?

Note: After setting a password using the enable secret command, a password set using the
enable password command works only if the enable secret is disabled or an older version
of Cisco IOS software is being used, such as when running an older rxboot image.

Step 3 Service Password Encryption

In the previous tasks, both an enable password and an enable secret were set.
Remember that the enable password command stores its password unencrypted and the enable secret
command generates encrypted output in the configuration file. The service password-encryption
command will encrypt all passwords in the configuration files.
a. Enable the password encryption service
   i. View the running configuration again and look for the line no service password-encryption.
      This means the password encryption service is disabled and indicates that this is the default
      setting.
   ii. Enable the password encryption service by entering the service password-encryption command:
       RouterP(config)#service password-encryption

b. View the running configuration file.
   RouterP#show run

   Are both the enable password and enable secret passwords encrypted?

   What encryption level is used to encrypt the enable password? Is this secure?

Step 4 Configuring vty for Telnet

a. Protect the vty connections that are made through the router. These connections are commonly
   established through Telnet, but can use other protocols as well. To control the protocols that will
   be accepted on the vty, use the transport input <protocol> command in line
   configuration mode. Check to see what transport protocols are available.

   What command displays the available transport protocols?

   What are the protocols?

b. Now allow Telnet on the vty using the transport input telnet command to enable it.
   What is the configuration mode required to configure this feature?

Step 5 Controlling Telnet Access

The access-class <ACL number> command can be used to direct the router to accept virtual
connections from only certain IP addresses. In order to use this command, the host(s) or network(s)
must be defined to accept virtual connections. A standard or extended access control list (ACL) is
used to define this list.
a. Define a standard ACL that directs the router to accept virtual connections from the inside host.
   Remember that the command to create a standard access list for a single host is access-list
   <number> permit host <host-ip>.
b. Use this access list to define the access-class for the vty connections. Set the access-class to
   the vty lines (0 4) for inbound connections.
c. Try to Telnet to the router from the inside host.
   Is the connection successful?
d. Try to Telnet to the peer router from the inside host.
   Is the connection successful to the peer router? Why or why not?
e. Further restrict Telnet access based on local username and password pairs. The vty lines should
   be configured to use local authentication with the login local command at the line
   configuration mode.
f. A username and password pair must be configured in global configuration mode. Configure the
   username bob to be used with password cisco4me.
g. Try to Telnet to the router.
   Did the router prompt for a username and password?
   i. Use the correct username and password.
      Was it successful?
   ii. Exit Telnet and connect again. Try to access the router by using another username or
       another password.
       What was the error message?

Step 6 Control Console Timeout


a. Change the console timeout to logout after a period of inactivity of 2 minutes, 30 seconds.
Remember to use the exec-timeout <mm> <ss> command in the line configuration mode to
change the default value.
What is the maximum amount in minutes? What command will display the new changes?

Step 7 Setting Privilege Levels

By default, the Cisco IOS software has two modes of password security: user mode (EXEC) and
privilege mode (enable). There are 16 hierarchical levels of commands for each mode that can be
defined. By configuring multiple passwords, different sets of users are allowed access to specified
commands.
The command to assign allowed commands to a privilege mode is privilege exec level
level. In this task, assign an enable secret password for privilege level 10 for system operators,
and make specific debug commands available to anyone with that privilege level enabled.
a. Begin by entering the global configuration mode, RouterP(config)#, and complete the following
   steps:
   i. Assign privilege level passwords.
   ii. It is recommended to assign a password to each privilege level that is defined. To set a
       privilege level password use the enable secret level level password command.
   iii. Define an enable secret of pswd10 for level 10 by entering the following command:
        RouterP(config)#enable secret level 10 pswd10
        What are the available arguments for the enable secret level 10 command?

b. Displaying current privilege level
   i. To verify the current privilege level, enter the show privilege command.
      What privilege level is shown?

c. Log in to privilege level 10
   i. To enter into a specific privilege level, use the enable level command. Exit out of the
      router and then reconnect. Enter the following commands to enter privilege level 10:
      RouterP>enable 10
      Password: pswd10
      RouterP#

   How can the current privilege level be displayed? What is the current privilege level?
   Using the debug ? command, what debug options are available at level 10?

d. Exit out of privilege level 10 and return to level 15.

e. Next, assign specific commands to be used in privilege level 10. To configure a new privilege
   level for users and associate commands to that privilege level, use the privilege command.
   The syntax for the privilege command is privilege mode {level level | reset}
   command-string. Enter the following commands to assign specific commands to the privilege
   level 10:
   RouterP(config)# privilege exec level 10 debug ppp auth
   RouterP(config)# privilege exec level 10 debug ppp error
   RouterP(config)# privilege exec level 10 debug ppp negotiation

   In the above commands, specific debug commands were allowed for anyone logging in with
   privilege level 10.

f. Verify privilege level commands
   i. Exit the router and return to privilege level 10. After the current privilege level of 10 is
      confirmed, verify the previously configured privilege level 10 commands. Enter the following
      commands to verify the defined privileges:
      RouterP#debug ?
      RouterP#debug ppp ?

   What are the available parameters for the debug ? command?

   What are the available parameters for the debug ppp ? command?

g. Compare privilege levels
   i. Log back into the router with privilege level 15. Then compare the debug ? and debug ppp ?
      command output to that of privilege level 10.
      What is the difference, if any?

   By default, what is the privilege level when logging in with the enable command without
   specifying a level?

Step 8 Setting a Banner Message

Another security feature that is useful to configure on the router is a warning message that each user
sees when logging into the router. This message is configured using the banner motd command.
a. Create a warning message that says, "This router is not to be used by unauthorized personnel!"
   The command syntax to create this banner is banner motd <delimiting character>
   <message> <delimiting character>.
b. Exit the router and log back in.
   Is the warning displayed?
c. Telnet to the router from the allowed workstation.
   Is the warning displayed?

Step 9 Securing the Router with Auto Secure

Now that some basic CLI security configurations have been completed manually, there is an easier
method to implement stronger security.
a. Initiate the auto secure interactive mode
   RouterP#auto secure

b. Answer the interactive questions.
   i. Is this router connected to internet? [no]: Yes
   ii. Enter the number of interfaces facing internet [1]: 1
   iii. Enter the interface name that is facing internet: FastEthernet0/1
   iv.
   v.
   vi. Enter the new enable password: cisco1
   vii. Confirm the new enable password: cisco1
   viii. Blocking Period when Login Attack detected: 1 (minute)
   ix. Maximum Login failures with the device: 3
   x. Maximum time period for crossing the failed login attempts: 1
   xi. Configure SSH server? [yes]: yes
   xii. Enter the domain-name: cisco.com
   xiii. Configure Ingress filtering on edge interfaces? [yes]: yes
   xiv. Enter your selection [3]: 3
   Note (apply bogon list): Bogons are prefixes that should never appear in the Internet routing table
   or as a source address in any packets that are received. For more
   information, refer to FNS Module 3 or http://www.cymru.com/Bogons/index.html
   xv. Configure CBAC Firewall feature? [yes/no]: no
   xvi. Enable tcp intercept feature? [yes/no]: no
   xvii. Apply this configuration to running-config? [yes]: yes

c. Verify the running configuration.

Step 10 Analyze the Router Configuration Using the Router Analysis Tool
a. Export the running config on the pod router using ftp or tftp.
b. Open the file with Notepad to verify the configuration.
c. Open the C:\CIS\RAT\bin folder.
d. Save the .txt file in the C:\CIS\RAT\bin directory as fns.txt.
e. Open up a command prompt and navigate to the C:\CIS\RAT\bin path.
f. Enter the command to analyze the fns.txt config file previously saved.

C:\CIS\RAT\bin>rat fns.txt
auditing fns.txt...
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/common.conf/
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-1.conf/
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-2.conf/
Checking: fns.txt
done checking fns.txt.
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/common.conf/
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-1.conf/
Parsing: /C:\CIS\RAT/etc/configs/cisco-ios/cis-level-2.conf/
ncat_report: writing fns.txt.ncat_fix.txt.
ncat_report: writing fns.txt.ncat_report.txt.
ncat_report: writing fns.txt.html.
ncat_report: writing rules.html (cisco-ios-benchmark.html).
ncat_report: writing all.ncat_fix.txt.
ncat_report: writing all.ncat_report.txt.
ncat_report: writing all.html.
C:\CIS\RAT\bin>

g. Open the C:\CIS\RAT\bin folder.
h. Navigate to the fns.txt.html document and open it.
i. Analyze the results.
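As an added example that is neither part of this lab nor the CIS RAT tool, the following Python audit checks an exported running-config for the settings covered in Steps 2 to 8 (enable secret versus enable password, service password-encryption, inbound access-class and login local on the vty lines, exec-timeout, banner motd), which is a small version of what RAT reports in Step 10. Both sample configs are constructed, the enable secret hash is a placeholder, and the checker only recognises the config syntax shown in this lab.

```python
# Added example, not the lab's or CIS RAT's own code: a small Python audit of an
# IOS running-config for the settings this lab covers. Both configs below are
# constructed samples, not pod-router captures; the secret hash is a placeholder.

WEAK_CONFIG = """\
no service password-encryption
enable password cisco
line con 0
line vty 0 4
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$PLAC$EHOLDERhashNotReal
banner motd ^This router is not to be used by unauthorized personnel!^
line con 0
 exec-timeout 2 30
line vty 0 4
 access-class 10 in
 exec-timeout 2 30
 login local
 transport input telnet
"""

def audit(config):
    """Return the list of findings; an empty list means every check passed."""
    glob, lines, cur = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and cur is not None:
            lines[cur].append(raw.strip())  # sub-command of a 'line ...' section
            continue
        cur = raw.strip() if raw.startswith("line ") else None
        if cur:
            lines[cur] = []
        glob.append(raw.strip())
    f = []
    if "no service password-encryption" in glob:
        f.append("global: service password-encryption is off")
    if not any(ln.startswith("enable secret 5 ") for ln in glob):
        f.append("global: no enable secret (MD5) configured")
    for ln in glob:
        if ln.startswith("enable password "):  # type 7 is reversible, not a hash
            kind = "type 7 (reversible)" if ln.split()[2] == "7" else "plain text"
            f.append(f"global: enable password stored as {kind}")
    if not any(ln.startswith("banner motd") for ln in glob):
        f.append("global: no banner motd warning")
    for name, cmds in lines.items():
        if not any(c.startswith("exec-timeout ") and c != "exec-timeout 0 0" for c in cmds):
            f.append(f"{name}: no exec-timeout set (default 10 min) or timeout disabled")
        if name.startswith("line vty"):
            if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
                f.append(f"{name}: no inbound access-class")
            if "login local" not in cmds:
                f.append(f"{name}: login local not configured")
    return f
```

Running audit(WEAK_CONFIG) lists eight findings, one per setting the lab steps fix, while audit(HARDENED_CONFIG) returns an empty list.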
