Tuesday, 7 January 2014

Secure Your Cisco: Custom Privilege Levels

Custom Privilege Levels

When you log into your Cisco you land in user exec mode, which is privilege level 1 by default. You can check this by typing "show privilege":

 Router>show privilege   
 Current privilege level is 1  
 Router>  

When you enter the privileged exec shell with "enable", you are placed on privilege level 15 by default:

 Router>enable  
 Router#show privilege   
 Current privilege level is 15  
 Router#  

Privilege level 15 holds the sensitive commands, the ones we don't want users logged in at a lower level to reach. We can also move commands up from level 1: perhaps we want a network assistant to have access to a command that the other techs should not be able to run. This is where the levels between 1 and 15 come in. Levels are cumulative, so a user at a given level can run everything assigned to that level and to every level below it.

We might want to prevent a user at level 1 from using the ping command, for whatever reason. First we'll confirm that we currently have access to it:

 Router>show privilege   
 Current privilege level is 1  
 Router>ping 192.168.1.2  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/14 ms  

If we want to take the ability away from users at privilege level 1, we first give level 5 its own enable secret. The levels between 1 and 15 exist already; this sets the password somebody has to know in order to reach level 5:

 Router#config t  
 Enter configuration commands, one per line. End with CNTL/Z.  
 Router(config)#enable secret level 5 0 topsecret  

If you check your running config now you will see a new "enable secret level 5" entry. Next, we move the command away from privilege level 1 and up to our level 5. From then on ping is available at levels 5 through 15: a level 1 user who knows the level 5 secret can still reach it with "enable 5", everyone else is locked out:

 Router#conf t  
 Enter configuration commands, one per line. End with CNTL/Z.  
 Router(config)#privilege exec level 5 ping  

Let's test this by seeing whether we can still use ping at level 1:

 Router>ping  
 Translating "ping"...domain server (255.255.255.255)  
  (255.255.255.255)  
 Translating "ping"...domain server (255.255.255.255)  
 % Unknown command or computer name, or unable to find computer address  
 Router>  

IOS no longer recognises "ping" as a command at level 1, so it treats the word as a hostname and tries to resolve it for a Telnet session, which is why the output shows a failed DNS lookup rather than a permission error. The ping command no longer even shows up in the interactive help:

 Router>pin?  
 % Unrecognized command  

As a sidenote, I found that this didn't work in Packet Tracer, but it does work in GNS3. There are a few commands that I found don't work in Packet Tracer so I'm now trying to get my labs set up in GNS3 as I continue my studies.

Monday, 6 January 2014

Secure Your Cisco: Local Users

I've covered how to add an enable secret to your router/switch, but if you want to further improve your security posture you should consider adding local user accounts so that you are able to track who is logging in.

Adding a user is easy stuff, but first we need to make sure we've got passwords set on our console, auxiliary and VTY lines:


 Router#conf t   
 Router(config)#line console 0  
 Router(config-line)#password cisco123  
 Router(config-line)#login  
 Router(config-line)#line vty 0 4  
 Router(config-line)#password cisco123  
 Router(config-line)#login  
 Router(config-line)#line aux 0  
 Router(config-line)#password cisco123  
 Router(config-line)#login  
 Router(config-line)#  

Try to choose different passwords for each of the lines, not like in my example here! These are saved in plain text in the running config, so let's at least make them a little less obvious:

 Router(config)#service password-encryption   

This is "type 7" obfuscation, not encryption: the key is fixed and public, so anybody who gets hold of the string can recover the password instantly with freely available tools. What it does do is prevent those looking over your shoulder at your running-config from reading the passwords straight off the screen.

Let's now set up the local users so that logins are checked against the local database when somebody tries to connect. Set up a couple of sample users, staying in configuration mode to do so:

 Router(config)#username root privilege 15 secret 0 cisco123  
 Router(config)#username user privilege 5 secret 0 userpass  

We can take a look in our running config and see that using "secret" has stored the passwords we typed in plain text as salted MD5 (type 5) hashes instead:

 Router(config)#do show run | inc username  
 username user privilege 5 secret 5 $1$HdVg$.GMFfsfjIrtdNIQ75IZfZ/  
 username root privilege 15 secret 5 $1$/OAi$uSE6rzk.3gN026rQTulKv.  

Next step is to enforce the use of the local database for all logins:

 Router(config)#line console 0   
 Router(config-line)#login local   
 Router(config-line)#line aux 0  
 Router(config-line)#login local  
 Router(config-line)#line vty 0 4   
 Router(config-line)#login local  

We're all set now: anybody who connects via SSH or Telnet, the console port or the auxiliary port will be prompted for a username as well as a password, and the pair is checked against the local database ("login local" takes the place of the line password on those lines). Furthermore we've got a privilege level 15 user and a privilege level 5 user, so we can hand the level 5 username and password to a user who should only be able to issue a restricted set of commands. Bear in mind that level 5 has nothing extra in it until commands are assigned to it with "privilege exec level 5 <command>"; until then it behaves just like level 1.
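To show why the "service password-encryption" caveat above matters, and to tie it to the local-user lines just configured, here is an added Python example (mine, not the blog's or Cisco's code). It decodes type 7 strings with the fixed key table every IOS image uses, encodes them the same way for comparison, and walks a constructed running-config excerpt reporting every credential that can be read back out of it. The root user's hash is the one printed above; the helpdesk user, the type 7 strings, the line layout and the function names are constructed for this example and are not from the post.

```python
import re
from typing import Dict

# Fixed key that every IOS image uses for "type 7" strings; it is public, so the
# scheme only hides passwords from a glance, not from anyone holding the string.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a `password 7` string: two-digit key offset, then hex bytes XORed with XLAT."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(data))


def encode_type7(plain: str, seed: int = 9) -> str:
    """Apply the same obfuscation IOS does under service password-encryption."""
    body = "".join("%02X" % (b ^ XLAT[(seed + i) % len(XLAT)])
                   for i, b in enumerate(plain.encode()))
    return "%02d%s" % (seed, body)


PASSWORD_RE = re.compile(r"^password\s+(?P<type>[07])\s+(?P<value>\S+)")
USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)(?:\s+privilege\s+(?P<priv>\d+))?"
    r"\s+(?P<kind>password|secret)\s+(?P<type>\d)\s+(?P<value>\S+)"
)


def audit_config(config: str) -> Dict[str, list]:
    """Walk a running-config and report every credential that can be read back out of it."""
    report: Dict[str, list] = {"line_passwords": [], "users": []}
    current_line = None
    for raw in config.splitlines():
        text = raw.strip()
        if text.startswith("line "):
            current_line = text[5:]
            continue
        if not raw.startswith(" "):            # unindented: we have left line mode
            current_line = None
        m = PASSWORD_RE.match(text)
        if m and current_line:
            value = m.group("value")
            plain = decode_type7(value) if m.group("type") == "7" else value
            report["line_passwords"].append((current_line, plain))
            continue
        m = USERNAME_RE.match(text)
        if m:
            ptype, value = m.group("type"), m.group("value")
            if m.group("kind") == "secret" and ptype == "5":
                storage = "md5-crypt hash (offline guessing only)"
            elif ptype == "7":
                storage = "type 7, recovered: " + decode_type7(value)
            else:
                storage = "plaintext: " + value
            report["users"].append({"name": m.group("name"),
                                    "privilege": int(m.group("priv") or 1),
                                    "storage": storage})
    return report


# Constructed running-config excerpt: the root user's hash is the one shown in the
# post; the helpdesk user and the type 7 line passwords are made up for this example.
CONFIG = """\
service password-encryption
username root privilege 15 secret 5 $1$/OAi$uSE6rzk.3gN026rQTulKv.
username helpdesk privilege 5 password 7 094F471A1A0A
line con 0
 password 7 00071A1507545A545C
 login local
line vty 0 4
 password 7 094F471A1A0A
 login local
"""

if __name__ == "__main__":
    report = audit_config(CONFIG)
    for line_name, plain in report["line_passwords"]:
        print("line %-8s password recovered: %s" % (line_name, plain))
    for user in report["users"]:
        print("user %-10s privilege %2d  %s" % (user["name"], user["privilege"], user["storage"]))
```

Run it and every "password 7" string comes back as plain text in well under a millisecond, which is the difference between type 7 and the type 5 "secret" lines: the type 5 hashes only yield to guessing. Note too that "username ... password 7" is just as weak as a line password, so local users should always be created with "secret".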



Friday, 3 January 2014

Secure Your Cisco: Enable Secret

Enable Secret


This is the most basic step for securing the management plane on your Cisco router, and possibly the simplest. Out of the box, you can type "enable" at an exec prompt and you will be elevated to the all-powerful privileged exec shell. Unfortunately, so will anybody else who logs in. What you need to do is put a password on it. It's not a great idea to use the "enable password" command, because it stores the password in plain text (or, with service password-encryption, as the trivially reversible type 7). "enable secret" instead stores a salted MD5 hash (type 5), which isn't the strongest option available but is a real one-way hash rather than plain text in your running config. Newer IOS releases also offer the stronger type 8 and type 9 hashes through "enable algorithm-type", which are worth using where your software supports them.

To set the enable secret, type "enable" to enter privileged exec mode, then "config t" (short for configure terminal). Then type "enable secret level 15 0 yourpassword" as below (a plain "enable secret yourpassword" does the same thing, since level 15 and type 0 are the defaults):

 Router>enable   
 Router#config t  
 Enter configuration commands, one per line. End with CNTL/Z.  
 Router(config)#enable secret level 15 0 Cisco2014  
 Router(config)#  

The "level 15" means you are entering an enable secret for privilege level 15, while the 0 means you are typing it in plain text. Should you already have a type 5 hash that you want to enter, in case somebody is looking over your shoulder perhaps, you would type "enable secret level 15 5 $1$salt$hash", with the 5 telling IOS that what follows is already hashed.

We can see in the running config that it is stored as a type 5 hash rather than the password we typed:

 enable secret level 15 5 $1$mERr$p2OmsMs3HNDyiBPyIT0m20  

As mentioned, we could type the above hash in directly should we not want the plain-text password on the screen; we are doing this with security in mind, after all!
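To make the "MD5 isn't the most secure" point concrete, and to show where a type 5 string you could paste after "enable secret level 15 5" actually comes from, here is an added Python example (mine, not the blog's or Cisco's code) implementing md5-crypt, the crypt(3) algorithm behind Cisco's $1$ hashes, using only the standard library. The demo password and the "mERr" salt are taken from the post's own output; the function names and the short wordlist are constructed for this example.

```python
import hashlib
import secrets
from typing import Iterable, Optional

# Alphabet used by the crypt(3) md5-crypt encoding; IOS prints type 5 hashes with it.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit `count` six-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """FreeBSD md5-crypt, the algorithm behind Cisco's $1$ (type 5) secrets."""
    pw = password.encode()
    salt = salt[:8]                      # at most 8 salt characters are used
    sb = salt.encode()

    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)                  # mix in the alternate sum, 16 bytes per block
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)                       # one byte per bit of the password length
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 fixed stretching rounds: the only thing slowing down offline guessing.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$1$%s$%s" % (salt, encoded)


def new_type5(password: str) -> str:
    """Hash with a fresh random 4-character salt, ready to paste after 'enable secret level 15 5'."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(4))
    return md5crypt(password, salt)


def verify_type5(stored: str, candidate: str) -> bool:
    """Check a candidate password against a type 5 string copied from a running-config."""
    parts = stored.split("$")            # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not a $1$ (type 5) hash: %r" % stored)
    return secrets.compare_digest(md5crypt(candidate, parts[2]), stored)


def wordlist_attack(stored: str, words: Iterable[str]) -> Optional[str]:
    """What an attacker does with a leaked config: try each word, return the first hit."""
    for word in words:
        if verify_type5(stored, word):
            return word
    return None


if __name__ == "__main__":
    # Constructed demo: the password from the post, hashed with the salt seen in its output.
    demo = md5crypt("Cisco2014", "mERr")
    print("enable secret level 15 5", demo)
    print("verify:", verify_type5(demo, "Cisco2014"))
    print("guessed:", wordlist_attack(demo, ["cisco", "class", "Cisco2014"]))
```

Feeding the output of new_type5 to "enable secret level 15 5" is the shoulder-surfing-safe route the post describes, and verify_type5 will check the hash printed above against any password you care to try. wordlist_attack is the reason a leaked running-config still warrants a password change even though it only holds type 5 hashes: a thousand rounds of MD5 costs next to nothing on current hardware, so a GPU cracker gets through millions of guesses per second against this format.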