Secure Access to Router / Switch, Configure Passwords and Enable Telnet

Securing our Router / Switch or any network device is very important. When we talk about security, one aspect is physical security and another is securing the operating system of the device.

Cisco devices use the Internetwork Operating System (IOS) on their Routers and Switches. There are two different methods via which you can connect to the device.

  • Console Connection – Directly connecting your laptop or desktop machine to the device via a Roll Over Cable.
  • Remote Access – Connecting remotely via Telnet / SSH or HTTP.

Securing the Operating System means you have to secure the ways a person can connect to the device. So we need to secure the connection via Console as well as via Remote Access.

To secure access via these two methods, we configure authentication by setting up passwords on these ports.

By default, the only access allowed to IOS is via the Console port; telnet / ssh / http access is all disabled.

Securing Access via Console Port

To configure the password on the Console Port, enter the following commands on your device.

Router>enable
Router#configure terminal
Router(config)#line console 0
Router(config-line)#password the-password-you-want-to-configure
Router(config-line)#login

  • With the “enable” command you enter the Enable mode of the Router.
  • As we need to make configuration changes, we have to enter the Global Configuration Mode of the Router/Switch. With the “configure terminal” command we enter the Global Configuration Mode of the Router.
  • Now, we need to enter the Console port configuration. With “line console 0” we enter the console port configuration.
  • To set the password we use “password”.

    This command will just set the password to be used for authentication, but the router will still not ask for authentication, because we have not yet told the Router to ask for it.

  • With the “login” command, we set the router to ask for authentication whenever someone tries to connect via the Console Port.

Securing Remote Access (Telnet / SSH) / Enabling Telnet

As said earlier, only access via Console is allowed by default; every other access method is disabled. To enable Telnet access, all you need to do is configure a password on the telnet lines.

To configure the password for remote access and enable telnet, execute the following commands on your device:

Router>enable
Router#configure terminal
Router(config)#line vty 0 15
Router(config-line)#password the-password-you-want-to-configure
Router(config-line)#login

  • Again, enable to enter enable mode and configure terminal to enter the global configuration mode of the router.
  • Network devices have 16 virtual lines (0 to 15). Virtual lines are like ports or interfaces, which are used to connect remotely. Whenever we connect remotely via Telnet or SSH, we connect to one of the 16 virtual lines.
  • To configure all 16 virtual lines we execute the command “line vty 0 15”. It is a kind of range command: we are giving the range of vty (virtual terminal line) from 0 to 15 (meaning all 16 lines).
  • Again, the “password” command sets the password to be used for authentication.
  • The “login” command sets the router to ask for authentication. This also enables Telnet access to this device.

Securing Enable Mode

Cisco IOS has three different modes – User Mode, Enable Mode / Privilege Mode and Global Configuration Mode. When we connect via any method, we land in user mode (with the ‘>’ prompt, e.g. Router>). From user mode, we execute the enable command to get to Enable / Privilege mode (with the ‘#’ prompt, e.g. Router#).

Enable mode is a very powerful mode.
It is the complete management mode for the device. You can back up / delete the configuration, delete / update the IOS, etc. If someone has access to this mode on any device, that person can do serious damage if they want to.

So it is very important to secure the Enable Mode. Again, to secure Enable mode, we configure password authentication for this mode.

Now there are two different kinds of passwords to secure enable mode:

  • Enable password – Saved as clear text in the configuration file.
  • Enable secret – Saved as an MD5 hash value in the configuration file.

It is always preferred to configure the enable secret to secure your enable mode.

To configure both passwords, execute the following commands:

Router>enable
Router#configure terminal
Router(config)#enable password password-you-want-to-configure
Router(config)#enable secret password-you-want-to-configure

  • To configure the Enable password we give the “enable password” command.
  • To configure the Enable secret we give the “enable secret” command.
  • When both passwords are configured, the router will allow access only via the enable secret; it will not allow access via the enable password.
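To check that the console, vty and enable-mode settings above are actually in place, here is an added audit script (not part of this article and not a Cisco tool) that reads a saved running-config and flags any console or vty line without a password or without login, and an enable mode that has no enable secret or still carries a clear-text enable password. The config embedded in it is constructed for the example; note that IOS shows the console line as "line con 0" in the running-config even though you type "line console 0".

```python
# Constructed sample running-config (not taken from any real device). Each
# section has one weak setting: the console and vty lines have a password
# but no "login", and enable mode has a clear-text password but no secret.
SAMPLE_CONFIG = """\
hostname Router
enable password cisco123
!
line con 0
 password consolepass
!
line vty 0 15
 password telnetpass
!
end
"""

def parse_line_blocks(config):
    """Return {'line con 0': [sub-commands], ...} for every 'line ...' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # "!" or any other top-level command ends the block
    return blocks

def audit_config(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for name, cmds in parse_line_blocks(config).items():
        has_password = any(c.startswith("password ") for c in cmds)
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        if not has_password:
            findings.append(f"{name}: no password configured")
        if not has_login:
            findings.append(f"{name}: 'login' missing, so no password is requested")
    top_level = config.splitlines()
    if not any(l.startswith("enable secret ") for l in top_level):
        findings.append("enable mode: no 'enable secret' configured")
    if any(l.startswith("enable password ") for l in top_level):
        findings.append("enable mode: clear-text 'enable password' present")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("WARN", finding)
```

Feed it the output of "show running-config" saved to a file; an empty result means every access path described above is password-protected and the enable secret is in use.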

Thank You.