Chapter 13. Router Security

Before deploying a router, you should secure it: that is, you should do everything you can to prevent the router from being misused, either by people within your own organization or by intruders from the outside. This chapter describes the first simple steps you can take toward router security; however, it’s not a complete discussion by any means. I don’t do anything more than point you in the right direction.

The enable Password

The enable password grants the user access to your complete router configuration. Therefore, it should be guarded carefully. In previous chapters, I showed how to set your enable password:

enable password mypassword

The problem with setting the password this way is that mypassword is your actual password; anyone looking over your configuration files can see the password, and at that point, it’s no longer a secret. Generally speaking, the accepted wisdom for managing passwords is that they should never be written down in clear text—not even in a configuration file that you think no one has access to. Obviously, there are plenty of ways for a clear-text password to leak out: for example, you might print the configuration file so you can take it home to think through some arcane route-redistribution problem and forget that the password is clearly visible to anyone hanging around the printer.

The solution to this problem is to use some sort of encryption. The simplest way to enable encryption is to use the command service password-encryption ...

Get CISCO IOS in a Nutshell now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.