Protect the Cisco device via Console, Telnet and Enable Passwords

When it comes to protecting switches and routers, few things are as important as layering security controls on them so that the chance of a network breach is kept to a minimum. Typically the first thing to do on a brand new Cisco device, before putting it on a production network, is to protect it by setting passwords for the various access privileges. IOS provides three primary authentication mechanisms for accessing the device:

  1. Console Password
  2. Telnet Password
  3. Enable Password

1. Console password : You guessed it. It is the password that guards console access to the switch or router. Given that the console terminal is where all the configuration of a new device is done, its security needs little emphasis. Configuring a console line password is straightforward: enter the console line sub-configuration mode, set the password, and enable password checking on the line with the login command.

Switch(config)#line console 0
Switch(config-line)#password s!cr3t
Switch(config-line)#login

[Screenshot: Console password]

2. Telnet password : Without a telnet password set it is impossible to access the switch or router remotely. The reason is that, by default, the login command is active on all the vty (virtual terminal) lines; you can verify this with show run. Any remote host trying to telnet to the device will get the message “Password required, but none set”.

[Screenshot: Telnet password - vty line]

Historically Cisco devices had 5 vty lines (0 through 4), allowing five simultaneous remote telnet sessions. Hence configuring a telnet password requires the password to be set on all of them.

Switch(config)#line vty 0 4
Switch(config-line)#password st3@lth

3. Enable password : This guards the privileged mode of the Cisco device, meaning that to enter privileged mode from user mode you need to enter this password. Note that enable password is a global configuration command, as it affects the entire device. There are two forms of the enable password: clear text and encrypted.

a) A clear text password is visible in the running-config, well, in clear text.

Switch(config)#enable password d33p@k
Switch#sh run | include enable
enable password d33p@k

b) To overcome the clear text weakness there is the enable secret password, which shows up in encrypted form in the running-config file.

Switch(config)#enable secret cisco
Switch#sh run | include enable
enable secret 5 $1$h67R$vJvczQ00AKn4JhpIRd/ZG.
enable password d33p@k

Note that the enable secret in the running-config is an MD5 hash (type 5). The enable secret takes precedence over the clear text enable password, meaning that you need to enter cisco (the enable secret) to enter privileged mode from user mode.

[Screenshot: Enable password]

Cisco recommends using the enable secret. The clear text enable password exists only because older Cisco devices and IOS versions did not have the enable secret, and so that an older device still gets an enable password should you copy the running-config onto it from a newer device.

There you have it: Console, Telnet and Enable passwords to tighten the security of your Cisco switch or router. One last suggestion: if you run show run, you can see that the console and telnet passwords are all in clear text. Make sure you encrypt them too by enabling service password-encryption in global configuration mode.

Switch(config)#service password-encryption

[Screenshot: service password-encryption]

The password encryption this enables is Type 7, which is perfectly decryptable (it is a reversible encoding rather than a true hash). We enable it only to reduce the chance that someone who (accidentally or intentionally) looks over your shoulder while you work on the device observes a password.
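As an added example (not part of the original post), the following Python script audits the text of a saved show run against the points made above: it expects an enable secret, flags a clear text or Type 7 enable password, checks that service password-encryption is on, and checks each line section for a password and login. The sample config is constructed to mirror the article's commands; note that show run prints the console line as line con 0.

```python
import re

# Constructed sample, not from the original post: the device after the
# article's steps but before service password-encryption is turned on.
SAMPLE_RUN = """\
enable secret 5 $1$h67R$vJvczQ00AKn4JhpIRd/ZG.
enable password d33p@k
line con 0
 password s!cr3t
 login
line vty 0 4
 password st3@lth
 login
"""

def parse_lines(config):
    """Map each 'line ...' section to the list of its indented sub-commands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None          # any other global command ends the section
    return sections

def audit(config):
    """Return password-hygiene findings for the text of 'show running-config'."""
    findings = []
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("no enable secret configured")
    for m in re.finditer(r"^enable password (7 )?", config, re.M):
        kind = "type 7 (reversible)" if m.group(1) else "type 0 (clear text)"
        findings.append(f"enable password present, {kind}")
    if not re.search(r"^service password-encryption", config, re.M):
        findings.append("service password-encryption not enabled")
    for name, cmds in parse_lines(config).items():
        pw = [c for c in cmds if c.startswith("password ")]
        login = any(c == "login" or c.startswith("login ") for c in cmds)
        if not login:
            findings.append(f"line {name}: login not enabled")
        if not pw:   # with login active this is the 'Password required, but none set' case
            findings.append(f"line {name}: no password set")
        elif pw[0].startswith("password 7 "):
            findings.append(f"line {name}: type 7 password (reversible)")
    return findings
```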

Note: Make sure you set different console, telnet and enable passwords so that your network device is not compromised if one password is discovered by some means. Take the same care in choosing these passwords as you would for your Windows/Linux user account.

About Deepak Devanand

Seeker of knowledge