When it comes to protecting switches and routers, few things matter as much as layering access controls on the devices themselves so that a breach of the network does not hand an attacker the network's control plane. Typically the first thing to do on a brand new Cisco device, before putting it on a production network, is to set passwords for the different levels of access. IOS provides three basic password checks for getting onto the device:
- Console Password
- Telnet Password
- Enable Password
1. Console password : You guessed it. It’s the password that guards console access to the switch or router. Given that the console terminal is how all the configuration of a new device is done, its importance needs little explanation. Keep in mind that the console is a physical port: anyone who can plug a cable into it can also power-cycle the device and use the ROMMON password-recovery procedure, so a console password is no substitute for physically securing the rack. Configuring a console line password is straightforward: enter the console line sub-configuration mode, set the password, and turn on password checking with the login command.
Switch(config)#line console 0
Switch(config-line)#password s!cr3t
Switch(config-line)#login
2. Telnet password : Without a telnet password set it’s impossible to access the switch or router remotely. The reason is that by default the login command is active on all the vty (virtual terminal) lines. You can verify this by running show run. Any remote host trying to telnet to the device will get the message “Password required, but none set”. Note that Telnet itself sends the password in clear text across the network; on any IOS that supports it, generate an RSA key and restrict the lines to SSH with transport input ssh.
Historically Cisco devices had 5 vty lines (0 through 4), allowing five simultaneous remote sessions; many newer platforms have 16 (0 through 15), and show run lists whichever your device has. Configuring a telnet password requires setting it on all of them, otherwise an attacker simply waits for the unprotected lines.
Switch(config)#line vty 0 4
Switch(config-line)#password st3@lth
Switch(config-line)#login
3. Enable password : This guards the privileged mode of the Cisco device, meaning that to enter privileged mode from user mode you need to enter this password. Note that the enable password is a global configuration command, as it affects the entire device. There are two ways to set it: the clear text enable password and the hashed enable secret.
a) The clear text password is visible in the running-config, well, in clear text.
Switch(config)#enable password d33p@k
Switch#sh run | include enable
enable password d33p@k
b) To avoid storing the password in clear text we have the enable secret, which shows up as a one-way hash in the running-config file.
Switch(config)#enable secret cisco
Switch#sh run | include enable
enable secret 5 $1$h67R$vJvczQ00AKn4JhpIRd/ZG.
enable password d33p@k
Note that the enable secret in the running-config is a type 5 (salted MD5) hash. Salted MD5 is fast to brute-force with modern hardware, so on IOS releases that support it prefer the type 9 (scrypt) form: enable algorithm-type scrypt secret cisco. The enable secret takes precedence over the clear text enable password, meaning that I need to enter cisco (the enable secret) to enter privileged mode from user mode; d33p@k is ignored as long as the secret is configured.
Cisco recommends using the enable secret. The clear text enable password exists only because older Cisco devices and IOS versions didn’t have the enable secret back then, and so that older devices still get an enable password should you copy the running-config onto them from a newer device. If you have no such devices, remove it with no enable password, since it is one more credential sitting in the config for the taking.
There you have it: console, telnet and enable passwords to tighten the security of your Cisco switch or router. One last suggestion… if you run show run, you can see that all the console and telnet passwords are in clear text. Make sure you obscure them too by enabling service password-encryption in global configuration mode.
The password-encryption thus enabled is Type 7, which is not a hash at all but a reversible XOR against a fixed, publicly known key, and is trivially decryptable by anyone who obtains the config. We’re enabling it only to reduce the chance that someone who (accidentally or intentionally) looks over your shoulder while you’re working on the device reads the password. Treat a backed-up or emailed running-config with Type 7 strings in it as containing the passwords themselves.
Note: Make sure you set different console, telnet and enable passwords so that your networking device is not fully compromised if one password is found out by some means. Take the same care in choosing the passwords as you would for your Windows/Linux user account.
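To make the points above concrete, here is an added example (not from the original post, and not Cisco code) that audits a saved show run output for the weaknesses discussed: a missing enable secret or service password-encryption, a clear text enable password, vty or console lines with a password but no login (or the reverse), Type 7 strings recovered to plain text, and the same password reused on several access paths. The running-config text it checks is constructed for the example; the only real IOS facts embedded are the fixed Type 7 key string and the well-known test vector 060506324F41 for "cisco".

```python
"""Audit a Cisco IOS running-config for the password weaknesses discussed above.

Added example, not Cisco's code. SAMPLE_CONFIG is constructed; only the
Type 7 key string and the '060506324F41' -> 'cisco' vector are real IOS facts.
"""
from collections import Counter

# Fixed key IOS XORs passwords against for Type 7. Public for decades.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Type 7 = two-digit decimal key offset + hex(plaintext XOR key[offset+i])."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()


def type7_encrypt(plain: str, offset: int = 0) -> str:
    """Inverse of type7_decrypt (IOS picks a small random offset when storing)."""
    out = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                for i, b in enumerate(plain.encode()))
    return f"{offset:02d}{out.hex().upper()}"


def recover(tokens):
    """Plaintext of a 'password' argument list, or None for a one-way hash.
    IOS forms: 'pw' or '0 pw' (clear), '7 HEX' (Type 7), '5/8/9 hash' (hashed)."""
    if len(tokens) >= 2 and tokens[0] in ("0", "5", "7", "8", "9"):
        kind, value = tokens[0], tokens[1]
    else:
        kind, value = "0", tokens[0]
    if kind == "0":
        return value
    if kind == "7":
        return type7_decrypt(value)
    return None


def parse_config(text):
    """Split show-run output into global commands and {line block: [sub-commands]}.
    IOS marks sub-mode commands with a single leading space."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        current = None
        if cmd.startswith("line "):
            current = cmd
            blocks[current] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, blocks


def audit(config_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, plaintexts = [], Counter()
    global_cmds, blocks = parse_config(config_text)

    if "service password-encryption" not in global_cmds:
        findings.append("global: service password-encryption is off, line passwords stay in clear text")
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append("global: no enable secret configured")
    for cmd in global_cmds:
        if cmd.startswith("enable password "):
            pw = recover(cmd.split()[2:])
            if pw is not None:
                findings.append(f"global: enable password recoverable from config: {pw}")
                plaintexts[pw] += 1

    for name, cmds in blocks.items():
        login_modes = [c for c in cmds if c == "login" or c.startswith("login ")]
        pw_cmds = [c for c in cmds if c.startswith("password ")]
        if "login" in cmds and not pw_cmds:
            findings.append(f"{name}: login configured but no password set (access will be refused)")
        if pw_cmds and not login_modes:  # 'no login' shows up explicitly in show run
            findings.append(f"{name}: password set but no login, so it is never asked for")
        for c in pw_cmds:
            pw = recover(c.split()[1:])
            if pw is not None:
                findings.append(f"{name}: password recoverable from config: {pw}")
                plaintexts[pw] += 1

    for pw, n in plaintexts.items():
        if n > 1:
            findings.append(f"reuse: the same password protects {n} different access paths")
    return findings


# Constructed running-config fragment mixing every mistake discussed on the page.
SAMPLE_CONFIG = """\
!
no service password-encryption
enable secret 5 $1$h67R$vJvczQ00AKn4JhpIRd/ZG.
enable password d33p@k
!
line con 0
 password 7 060506324F41
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 password 7 060506324F41
 no login
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show run saved to a file and read the findings as a to-do list: everything it recovers in plain text is exactly what an attacker recovers from a leaked backup, which is why service password-encryption is a shoulder-surfing measure and not a storage protection.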