The feature Enhanced Password Security, introduced in Cisco IOS Software Release 12.2(8)T, allows an
administrator to configure MD5 hashing of passwords for the username command. In order to encrypt a user
password with MD5 hashing, issue the username secret global configuration command.
The enable password command uses a weak encryption algorithm and should not be used. The enable secret
command and the Enhanced Password Security feature use Message Digest 5 (MD5) for password hashing.
The enable secret command is used in order to set the password that grants privileged administrative access to the
Cisco IOS system. The enable secret command must be used, rather than the older enable password command.
The service password-encryption global configuration command directs the Cisco IOS software to encrypt the
passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its
configuration file.
Such encryption is useful in order to prevent casual observers from reading passwords, such as when they look at the
screen over the shoulder of an administrator. However, the algorithm used by the service password-encryption
command is a simple Vigenère cipher.
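The weak and the recommended forms side by side, as an added example that is not part of the original document. Hash strings are constructed placeholders, and the type 7 output is the reversible Vigenère-style obfuscation the text describes.

```cisco
! Weak: plaintext commands that "service password-encryption" only obfuscates.
Router(config)# enable password Weak-Enable-Pw
Router(config)# username netops password Weak-User-Pw
Router(config)# service password-encryption
! "show running-config" now writes reversible type 7 strings, e.g.:
!   enable password 7 <type-7 string, placeholder>
!   username netops password 7 <type-7 string, placeholder>
! Type 7 stops shoulder surfing and nothing else; it can be reversed offline.
!
! Recommended: one-way salted MD5 (type 5) via enable secret and username secret.
Router(config)# no enable password
Router(config)# enable secret Str0ng-Enable-Secret
Router(config)# username netops secret Str0ng-User-Secret
! "show running-config" now writes:
!   enable secret 5 $1$<salt>$<hash>                 (placeholder values)
!   username netops secret 5 $1$<salt>$<hash>
! Keep "service password-encryption" configured anyway: it still covers CHAP
! secrets and other strings that cannot be stored as one-way hashes.
! Verify no "password 7" lines remain: show running-config | include password 7
```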
In the event of a dictionary attack, introducing a delay between login attempts slows down the attack,
increasing the time required for the attack to succeed and the timeframe available for the anomaly to be identified
and addressed.
In Cisco IOS, a delay between successive login attempts can be introduced with the global configuration
login delay command. Its single argument is the number of seconds between each login attempt; valid values
range from 1 to 10 seconds. The default is a 1 second delay.
Cisco IOS offers the ability to enforce a minimum password length for user passwords, enable passwords,
enable secrets, and line passwords. This feature is enabled with a single global configuration command.
In order to set the interval that the EXEC command interpreter waits for user input before it terminates a session,
issue the exec-timeout line configuration command. The exec-timeout command must be used in order to log out
sessions on console, VTY, and TTY lines that are left idle.
If a remote system crashes while a management session is in progress, the session may remain open and vulnerable
to attack. Consequently, hung sessions should be detected and closed in order to preserve the availability of terminal
and management ports and reduce the exposure to session hijacking.
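The minimum-length and idle-timeout controls from the two passages above, as an added example that is not part of the original document. The command used for minimum length is the standard IOS security passwords min-length command; the numeric values are illustrative choices, not defaults.

```cisco
! Reject any new enable secret, username secret or line password shorter
! than 12 characters (already-configured shorter passwords are not changed).
Router(config)# security passwords min-length 12
!
! Idle EXEC sessions are closed after 5 minutes 0 seconds on every line type.
Router(config)# line console 0
Router(config-line)# exec-timeout 5 0
Router(config-line)# line aux 0
Router(config-line)# exec-timeout 5 0
Router(config-line)# line vty 0 4
Router(config-line)# exec-timeout 5 0
! Caveat: "exec-timeout 0 0" disables the timer entirely, leaving a hung
! session open indefinitely; never use it on VTY lines.
! Verify with: show running-config | section line
```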
A-9. SECURE SHELL (SSH) AND A-11. TELNET AND OTHER MODES OF ACCESS.
SSH is a protocol that provides secure remote access, remote command execution, and file transfer. SSH implements
strong authentication and encryption, making it a better option over insecure protocols such as rlogin and Telnet.
The following steps are required to enable SSH support on an IOS device:
Step 3 Optionally, configure time-out and number of authentication retries. By default, the authentication timeout
is set to 120 seconds and authentication retries to three attempts.
Step 4 Limit VTYs to SSH only and disable other modes of access (highly recommended).
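The four steps as one configuration, added here as an example that is not part of the original document. Steps 1 and 2 are the hostname and domain name that RSA key generation requires; the host name, domain, user and key size are placeholders.

```cisco
! Steps 1-2: a hostname and domain name are prerequisites for the RSA key pair.
Router(config)# hostname rtr-example
rtr-example(config)# ip domain-name example.com
rtr-example(config)# crypto key generate rsa modulus 2048
rtr-example(config)# ip ssh version 2
! Step 3: tighten the defaults (120 s authentication timeout, 3 retries).
rtr-example(config)# ip ssh time-out 60
rtr-example(config)# ip ssh authentication-retries 2
! Step 4: VTYs accept inbound SSH only; Telnet and any other inbound transport
! are refused. "login local" assumes a "username ... secret" already exists.
rtr-example(config)# line vty 0 4
rtr-example(config-line)# transport input ssh
rtr-example(config-line)# login local
! Verify: "show ip ssh" should report SSH enabled, version 2.0, with the
! configured timeout and retry count; "transport input telnet" must not appear.
```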
In some legal jurisdictions it can be impossible to prosecute and illegal to monitor malicious users unless
they have been notified that they are not permitted to use the system. One method to provide this notification is to
place this information into a banner message that is configured with the Cisco IOS software banner login command.
Notice that the system is to be logged into or used only by specifically authorized personnel and perhaps
information about who can authorize use.
Notice that any unauthorized use of the system is unlawful and can be subject to civil and criminal
penalties.
Notice that any use of the system can be logged or monitored without further notice and that the resulting
logs can be used as evidence in court.
Specific notices required by local laws.
From a security point of view, rather than legal, a login banner should not contain any specific information about the
router name, model, software, or ownership. This information can be abused by malicious users.
A-14. RESTRICT NUMBER OF LOGIN FAILURES PERMITTED WITHIN SPECIFIED TIME PERIOD
In the event of a dictionary attack, restricting the maximum number of failed access attempts within a specified
period can slow down the attack, increasing the time required to succeed and the timeframe available for the
anomaly to be identified and addressed.
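A banner that follows the checklist above together with the login-failure throttling and login delay from the preceding sections, as an added example that is not part of the original document. The banner wording is a constructed placeholder to be replaced with text approved locally; the thresholds are illustrative.

```cisco
! Login banner: delimiter is ^C; the text follows the four notice points and
! deliberately omits hostname, platform, software version and ownership.
Router(config)# banner login ^C
UNAUTHORIZED ACCESS PROHIBITED.
This system may be accessed and used only by specifically authorized personnel.
Any unauthorized use is unlawful and may be subject to civil and criminal penalties.
Use of this system may be logged and monitored without further notice, and the
resulting logs may be used as evidence in court.
^C
!
! After 3 failed logins within 60 seconds, refuse all logins for 120 seconds
! (quiet mode); keep 2 seconds between successive attempts; log both outcomes
! so the dictionary attack is visible in syslog.
Router(config)# login block-for 120 attempts 3 within 60
Router(config)# login delay 2
Router(config)# login on-failure log
Router(config)# login on-success log
! Caveat: quiet mode also locks out administrators. Exempt management hosts
! with an ACL (placeholder name MGMT-HOSTS) so they stay reachable.
Router(config)# login quiet-mode access-class MGMT-HOSTS
! Verify with: show login
```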
Cisco IOS software provides an implementation of UDP and TCP small servers that enables echo, chargen,
daytime, and discard services. Unless strictly necessary, these services should be disabled because they can be used
by a potential attacker to gather information, or to directly attack the Cisco IOS software device.
Finger is a protocol that can be used to obtain information about users logged into a remote host or network
device. It is recommended that you disable this service.
Router(config)# no ip finger
Dynamic trunk negotiation is a feature that facilitates the deployment of switches by letting an interface automatically
configure itself as a trunk according to the interface type of its neighbor. Dynamic trunking should be disabled
on all ports connecting to end users.
Router(config)# interface type slot/port
Router(config-if)# switchport mode access
The configuration makes the port a non-trunking, non-tagged single VLAN Layer 2 interface.
VLAN hopping is an attack vector which provides a client with unauthorized access to other VLANs on a switch.
This type of attack can be easily mitigated by applying the following best common practices:
Always use a dedicated VLAN ID for all trunk ports
Disable all unused ports and put them in an unused VLAN
Do not use VLAN 1 for anything
Configure all user-facing ports as non-trunking (DTP off)
Explicitly configure trunking on infrastructure ports
Use all tagged mode for the native VLAN on trunks and drop untagged frames
Set the default port status to "disable".
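The practices listed above as one Catalyst configuration, added here as an example that is not part of the original document. Interface names, VLAN numbers and the allowed-VLAN list are placeholders; the trunk encapsulation line applies only to platforms that still offer ISL.

```cisco
! Dedicated VLANs: one for the trunk native VLAN, one to park unused ports.
Switch(config)# vlan 999
Switch(config-vlan)# name TRUNK-NATIVE
Switch(config-vlan)# vlan 998
Switch(config-vlan)# name PARKING
!
! User-facing ports: access mode with DTP frames suppressed, so a host
! cannot negotiate the port into a trunk.
Switch(config)# interface range GigabitEthernet1/0/1 - 20
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# switchport nonegotiate
!
! Infrastructure uplink: trunking configured explicitly, never negotiated,
! with the dedicated native VLAN and an explicit allowed list (no VLAN 1).
Switch(config)# interface GigabitEthernet1/0/24
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# switchport trunk allowed vlan 10,20,30
!
! Tag the native VLAN on every trunk; untagged frames arriving on a trunk are
! then dropped, which defeats double-tagging into another VLAN.
Switch(config)# vlan dot1q tag native
!
! Unused ports: parked in the unused VLAN and administratively down.
Switch(config)# interface range GigabitEthernet1/0/21 - 23
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 998
Switch(config-if-range)# shutdown
! Verify with "show interfaces switchport": Negotiation of Trunking: Off,
! and "show interfaces trunk" for the native VLAN and allowed list.
```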