Saturday, June 28, 2008

Securing Routers and Switches

In CCNA land, security is an increasing concern. CCNA will not make you a security expert, but you will learn the very basics of good networking security and a little about how to apply them.
Initially, your router or switch will have no passwords at all; pressing Enter will grant you first User EXEC, then Privileged EXEC access by using the enable command. The Telnet lines are secured by default—they will refuse connections until they are configured with a password.

The minimum security configuration would be to require a password to log in to your devices. Passwords can be applied to the console port, to the VTY lines (controlling Telnet/SSH access), and to the Privileged EXEC prompt.

The following commands illustrate how to apply basic password security to your router or switch, for the console port (User EXEC), VTY lines (for remote User EXEC administration using Telnet), and the Privileged EXEC prompt. Lines that begin with an exclamation point are informational remarks and do not configure the device:

Router(config)#line con 0
! The console port is always con 0
Router(config-line)#login
! Requires a password to access User EXEC over the console port
Router(config-line)#password TelecomCCNA
! Specifies the password - Note: passwords are case-sensitive.
Router(config-line)#exit
Router(config)#line vty 0 4
! There are 5 VTY lines, numbered 0 through 4
Router(config-line)#login
Router(config-line)#password 23StanleyCups
! The VTY line password, used for Telnet logins
Router(config-line)#exit
Router(config)#enable password cisco
! Sets the Privileged EXEC password to 'cisco'


Note

A word about VTY lines: A VTY line is used by both Telnet and SSH connections. The "V" in VTY stands for Virtual, because there is no associated hardware as there would be with the Console port or asynchronous serial (TTY) ports for modems. For our purposes, there are five VTY lines, numbered 0, 1, 2, 3 and 4. The command line vty 0 4 shown previously allows you to configure all of them at once by specifying the range of "0 [through] 4". Some newer switches and routers will show 16 lines, numbered 0 through 15; it's unlikely that this feature will be a factor on your test, however.

Why have so many VTY lines, when only one is used by a Telnet session? For that same reason, actually: One Telnet/SSH session uses one VTY line. If you Telnet in, then Telnet out to some other device, you use 2 VTY lines. It's common to Telnet to multiple devices concurrently when you are working on a network; it's also possible that multiple admins could be working on or from the same device at the same time, each admin needing at least one VTY line.

By the way, there is no easy way to determine or predict which VTY line you are going to connect to. They are used in a round-robin fashion, so setting a different password for each one is probably more of a hassle than a security benefit; you can't be sure which line you just connected to and therefore which password to enter!

These passwords will all appear in your configuration file in plain text; anyone with access to that file could read them. To store your Privileged EXEC password as an MD5 hash instead of plain text, use the enable secret command:

Router(config)#enable secret squirrel42

You can also apply encryption to the other passwords, that is, the console, VTY and TTY line passwords and the enable password (but not the enable secret, since that Privileged EXEC password is already stored as a hash), using the service password-encryption command:

Router(config)#service password-encryption

Exam Alert

Know the password configuration commands cold.


Configuring SSH Access to Your Router

Telnet is a simple and effective way to remotely administer your router or switch, but it has one significant disadvantage: it is completely unencrypted, which means that everything you send across the network via Telnet could be read easily if intercepted. That's not a good thing.

Secure Shell, or SSH, is a good alternative. It is slightly more complicated (but not difficult) to set up and provides a secured remote command-line interface using public key exchange and decent encryption. Cisco recommends (and we do, too!) that SSH always be used instead of Telnet for security reasons. Your IOS version must include support for DES or 3DES crypto features, or this will not work.

The following are the basic steps to set up a router for SSH support:

1. Define a username and password. SSH can't use the line password we created for Telnet access, so we must create a username/password pair for SSH to use. You might choose to make more than one, for different admins.
Router(config)#username Admin007 password ExamCram2

2. Configure the VTY lines to authenticate against the username/password you just created. This command is entered in line configuration mode, so enter the VTY lines first. (We could use AAA instead of the command shown, but that is quite a large topic that we don't need to get into here.)
Router(config)#line vty 0 4
Router(config-line)#login local

3. Set the router's domain name. This does not necessarily have to be the actual domain name of the company, but it makes sense if it is the domain that the router actually operates in. If there is not a defined domain in use, make one up. I used ExamCramLab.local in this example.
Router(config)#ip domain-name ExamCramLab.local

4. Create the key pair. Simply put, this command generates the router's RSA key pair; the public key is what SSH clients use to set up a secure connection before the user supplies the correct credentials. This is the command that will fail if your IOS doesn't support the right crypto features.
Router(config)#crypto key generate rsa

5. (Optional) Restrict VTY line connections to SSH only, instead of both Telnet and SSH. It makes sense to do this, although it is not strictly required for SSH to work.

Router(config)#line vty 0 4
Router(config-line)#transport input ssh
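A quick way to see whether a device actually has the password settings from the first section and the SSH prerequisites from the steps above is to audit its running-config text rather than trust memory. The script below is an added example, not part of the original post or of Cisco's tooling: it splits a `show running-config` excerpt into global commands and `line` sections, then reports missing `enable secret`, a lingering `enable password`, clear-text line and username passwords, `login` without `login local` on SSH-capable VTY lines, Telnet still permitted by `transport input`, and a missing `ip domain-name`. Both config texts are constructed to resemble running-config output (the `secret 5` and `password 7` values are placeholders, not real hashes), and one assumption is flagged in a comment: a VTY line with no `transport input` is treated as allowing both Telnet and SSH. One caveat worth keeping in mind while reading the findings: `service password-encryption` produces the reversible Type 7 encoding, which only hides passwords from casual viewing, whereas `enable secret` stores a genuine MD5 hash, so the audit treats Type 7 line passwords as acceptable for the exam-level baseline but still insists on `enable secret`.

```python
"""Audit a Cisco IOS running-config excerpt for the password and SSH settings
discussed above. Added example, not from the original post; configs are constructed."""

# Constructed "before" state: roughly the Telnet-only configuration from the post.
SAMPLE_CONFIG = """\
hostname LabRouter
enable password cisco
username Admin007 password 0 ExamCram2
ip domain-name ExamCramLab.local
!
line con 0
 password TelecomCCNA
 login
line vty 0 4
 password 23StanleyCups
 login
 transport input telnet ssh
"""

# Constructed "hardened" state; hash and Type 7 values are placeholders, not real.
HARDENED_CONFIG = """\
hostname LabRouter
service password-encryption
enable secret 5 $1$PLACEHOLDER$notarealhash
username Admin007 secret 5 $1$PLACEHOLDER$notarealhash
ip domain-name ExamCramLab.local
!
line con 0
 password 7 PLACEHOLDERTYPE7
 login
line vty 0 4
 login local
 transport input ssh
"""


def parse_sections(config):
    """Split config into (global_cmds, {line_name: [indented cmds]}); only 'line'
    sections are collected, other indented blocks are ignored for this audit."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith('!'):
            continue                      # blank lines and '!' remarks
        if raw[0] in ' \t':               # indented: belongs to the current line section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith('line '):
            current = cmd[5:]
            sections.setdefault(current, [])
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def password_type(cmd):
    """Storage form of a 'password ...' or 'username ... password ...' command:
    'clear', 'type7' (reversible service password-encryption) or None (no password)."""
    tokens = cmd.split()
    if 'password' not in tokens:
        return None
    rest = tokens[tokens.index('password') + 1:]
    if not rest:
        return None
    return 'type7' if rest[0] == '7' and len(rest) > 1 else 'clear'


def audit(config):
    """Return a list of finding strings; an empty list means every check passed."""
    global_cmds, sections = parse_sections(config)
    has = lambda prefix: [c for c in global_cmds if c.startswith(prefix)]
    f = []
    if not has('enable secret '):
        f.append('global: no "enable secret"; Privileged EXEC password is not stored as an MD5 hash')
    if has('enable password '):
        f.append('global: "enable password" present; remove it once "enable secret" is set')
    if not has('service password-encryption'):
        f.append('global: "service password-encryption" not set; line passwords show in clear text')
    for u in has('username '):
        if password_type(u) == 'clear':
            f.append(f'global: "{u.split()[0]} {u.split()[1]}" password stored in clear text')
    for name, cmds in sections.items():
        login = [c for c in cmds if c == 'login' or c.startswith('login ')]
        pw = [c for c in cmds if c.startswith('password ')]
        if not login:
            f.append(f'line {name}: no "login"; connections are accepted without authentication')
        elif login[-1] == 'login' and not pw:
            f.append(f'line {name}: "login" set but no password; IOS will refuse logins here')
        if any(password_type(p) == 'clear' for p in pw):
            f.append(f'line {name}: line password stored in clear text')
        if name.startswith('vty'):
            transport = [c for c in cmds if c.startswith('transport input')]
            # Assumption: a VTY line with no 'transport input' behaves as 'all' (Telnet and SSH).
            allowed = transport[-1].split()[2:] if transport else ['all']
            if 'telnet' in allowed or 'all' in allowed:
                f.append(f'line {name}: Telnet permitted ({" ".join(allowed)}); use "transport input ssh"')
            if 'ssh' in allowed or 'all' in allowed:
                if not login or login[-1] != 'login local':
                    f.append(f'line {name}: SSH allowed but not "login local"; SSH cannot use the line password')
                if not has('username '):
                    f.append(f'line {name}: SSH allowed but no "username" is configured')
                if not has('ip domain-name '):
                    f.append(f'line {name}: SSH allowed but no "ip domain-name"; "crypto key generate rsa" needs one')
    return f


if __name__ == '__main__':
    for label, cfg in (('before', SAMPLE_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(f'--- {label}: {len(audit(cfg))} finding(s)')
        print('\n'.join('  ' + line for line in audit(cfg)))
```

Run it as-is and the constructed "before" config yields eight findings while the hardened one yields none; point it at a real running-config saved to a file and it gives a checklist for the commands in the two sections above.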


There's one other catch to using SSH instead of Telnet: You must have an SSH client application. Windows XP and Vista include a command-line SSH capability; I prefer to use terminal applications such as SecureCRT because they are feature rich and easier to use, in my opinion.
To connect to your router using SSH, launch your SSH client of choice, give it the IP address of the device you want to SSH to, and when prompted, supply the username and password you configured.

Tip

If you have access to the Web, you can find tons of good references about SSH configuration on cisco.com. If you don't have access to the Web, you need to get it!

Exam Alert

SSH is an important component of network security. You may be asked to identify why SSH is preferred over Telnet and what the required steps are to configure it. Although we have not seen it yet, we think it would be a great simulator question topic. You should know how to configure it.
