Sunday, July 31, 2011

Enable Passwords On Cisco Routers Via Enable Password And Enable Secret


Security is a part of every good technical administrator’s game plan. Luckily the good folks at Cisco have made the task of securitizing a Cisco router fairly straightforward in design- with support given for up to five types of passwords. Taking advantage of these passwords is vital to a network’s internal security, and should be implemented where permitted.

Enable Password – The Most Basic Of Security Features

The two most basic of passwords a Cisco router can provide support for is the enable password and enable secret commands. Depending on the IOS version, administrators will likely only need to setup the enable secret command.
For Cisco routers running IOS versions before version 10.3, enable password is going to be used. It is the outdated version of the two, and we’ll see why it isn’t used in average applications after we enable it. You can enable this basic password following the commands seen below.
Router> enable
Router# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# enable password mypassword
In this example, mypassword is the new password that is going to be set on the router. Try typing exit and navigate to the privileged mode, as seen below.
Router> enable
Password:
You’ll notice that before we can get into privileged mode, we have to enter the password we set earlier. If you followed the above example, you should be able to input mypassword and press Enter. You are now authenticated for privileged mode!
So why don’t we use the enable password command in most cases? The answer is simple: it’s an outdated format that anyone can have ample opportunity to take advantage of. Try following the below steps and note what you see.

Router# show running-config
Building configuration…
Current configuration : 162 bytes
!
version 12.2
no service password-encryption
!
hostname Router
!
!
enable password mypassword
!
As you can see, anyone can see the password in plain view. This is because it is stored as plain text- no encryption is being used! To help cover this vast security hole, Cisco created the enable secret command. As you can probably guess, it makes use of encryption this time around.

Enable Secret – An Evolved Form Of The Previous Example

Encryption can be a tough subject to tackle. But Cisco has made the process of enabling an encrypted password just as easy as the previous example. In fact, we are only changing one word in the process!
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable secret mypassword
Note that many routers will alert the user at this point if they have made the enable secret and the enable password values the same in terms of the password. Although the message that results is just a warning, and administrators can indeed set both to the same thing (although this is not recommended as it will almost defeat the purpose of the enable secret command).
Now let’s go back to the very beginning, and try logging back into privileged mode once more. We’ll take a look at the running configuration in the below example.
Router# show running-config
Building configuration…
Current configuration : 209 bytes
!
version 12.2
no service password-encryption
!
hostname Router
!
!
enable secret 5 $1$mERr$7sOd0mgRuXYhHwfWsV4QZ/
enable password mypassword
!
Notice how the enable secret password is unreadable, while the outdated command enable password is being displayed in plain view! Obviously, it comes as to no surprise that Cisco decided to do away with the command in order to improve network security.

Closing Comments

We’ve discussed only two of the five different passwords that Cisco allows network administrators to take advantage of. If you’d like to take security a step further, be sure to check out the next section that discusses subjects such as Telnet passwords, console passwords, and even auxiliary passwords!

No comments:

Post a Comment