Chapter 13. Router Security

Before deploying a router, you should secure it: that is, you should do everything you can to prevent the router from being misused, either by people within your own organization or by intruders from the outside. This chapter describes the first simple steps you can take toward router security; however, it’s not a complete discussion by any means. I don’t do anything more than point you in the right direction.

The enable Password

The enable password grants the user access to your complete router configuration. Therefore, it should be guarded carefully. In previous chapters, I showed how to set your enable password:

enable password mypassword

The problem with setting the password this way is that mypassword is your actual password; anyone looking over your configuration files can see the password, and at that point, it’s no longer a secret. Generally speaking, the accepted wisdom for managing passwords is that they should never be written down in clear text—not even in a configuration file that you think no one has access to. Obviously, there are plenty of ways for a clear-text password to leak out: for example, you might print the configuration file so you can take it home to think through some arcane route-redistribution problem and forget that the password is clearly visible to anyone hanging around the printer.

The solution to this problem is to use some sort of encryption. The simplest way to enable encryption is to use the command service password-encryption ...
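The following Python check is an added example, not code from the book: it scans a saved configuration for enable password lines stored in clear text, notes whether service password-encryption is present, and returns a copy with the password removed so the file can be printed or shared. The function name audit, the sample configurations, and the type 7 string are constructed for illustration.

```python
import re

# Matches: enable password [level N] [0|7] <value>
# A leading 0 or 7 is a type digit only when another token follows it.
ENABLE_PW = re.compile(
    r"^(?P<head>\s*enable password(?: level \d+)?)"
    r"(?: (?P<type>[07])(?= \S))? (?P<value>\S.*?)\s*$"
)

def audit(config: str):
    """Return (findings, redacted_config) for an IOS configuration text."""
    findings, out = [], []
    encryption_on = False
    for num, line in enumerate(config.splitlines(), start=1):
        if line.strip() == "service password-encryption":
            encryption_on = True
        m = ENABLE_PW.match(line)
        if m:
            # No type digit (or 0) means the value is the actual password;
            # 7 marks a value encoded by service password-encryption.
            if (m.group("type") or "0") == "0":
                findings.append((num, "enable password stored in clear text"))
            # Never carry the value, encoded or not, into a shareable copy.
            line = f"{m.group('head')} <removed>"
        out.append(line)
    if findings and not encryption_on:
        findings.append((0, "service password-encryption is not configured"))
    return findings, "\n".join(out)

# Constructed sample input: the clear-text form shown in this chapter.
SAMPLE_CLEAR = """\
hostname lab-router
enable password mypassword
line vty 0 4
"""

# Constructed sample input: the type 7 string is a placeholder, not a real encoding.
SAMPLE_ENCODED = """\
service password-encryption
hostname lab-router
enable password 7 0123456789AB
"""

if __name__ == "__main__":
    for name, text in (("clear", SAMPLE_CLEAR), ("encoded", SAMPLE_ENCODED)):
        findings, redacted = audit(text)
        print(name, findings)
        print(redacted)
```

Line number 0 in a finding marks a file-level observation rather than a specific line.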
