Password Management

Passwords are the primary defense against unauthorized access to networking equipment. The best way to prevent unauthorized access is to use either a TACACS+ or a RADIUS authentication server. Even if you are unable to use these services, some basic configuration issues should be addressed concerning password management.

The first issue to be addressed is choosing passwords. No matter what type of encryption is used, some general rules should be followed. When a password is being chosen, the following list helps the administrator judge whether a password is appropriate and how it should be handled:

  • Passwords should not reflect the company name.

  • Passwords should not reflect the business of the company.

  • Passwords should not reflect the equipment where they are used.

  • Passwords should not be decipherable based on any other configuration parameter. This includes model number and network address.

  • Passwords should not be any word that appears in a standard dictionary.

  • Passwords should be unique.

  • Passwords should not be sequential.

  • Passwords should include both uppercase and lowercase characters and nonalphabetic characters if possible.

  • Passwords should be as long as reasonably possible.

  • Passwords should be changed on an irregular basis.

  • Any list containing passwords should be closely guarded.

  • Critical passwords should be changed whenever any person with that level of access leaves the company. This holds especially true if a contractor is involved or if a person was terminated involuntarily.

  • As few people as possible should have access to passwords, but critical passwords should always be known by more than one person. This is an exception to the generally accepted rule that passwords should not be shared.

  • Nontechnical managers generally do not and should not know system passwords. Knowing a password without knowing how to effectively configure equipment serves no legitimate purpose.

  • Passwords should not be distributed over the Internet.

Although some of the preceding guidelines might seem overly restrictive, they are designed to reduce the severity of a security breach, as well as to prevent breaches from happening. For example, the author has seen companies that set router passwords based on the IP address of the router's serial interface. If a single router was penetrated, the password scheme would quickly become apparent. When you don't use a common password scheme, someone trying to break into your network will need to start over with every device.

The next sections examine how passwords are set with the enable password and enable secret commands. Then the chapter moves on to console passwords and AAA (authentication, authorization, and accounting) password management.

The enable password Command

The enable password command is an old command that is not considered secure and therefore should not be used. When enable password is combined with the service password-encryption command, the IOS encrypts the entered password using a Vigenère cipher. This was never intended to prevent any but the most casual observer from gaining access; any dedicated or fairly knowledgeable person can easily break it. A number of programs are also available on the Internet that recover a password entered with the enable password command. The enable password command can be disabled with the following global configuration command:

no enable password

The enable secret Command

Using the enable secret command in conjunction with the service password-encryption command provides a decent level of decryption resistance. In this case, MD5 hashing is used to encrypt the password. Although there have been no known cases of MD5 hashing being decrypted as of the time of this writing, there are other ways in which an enable secret password can be broken. The easiest way to break an enable secret password is a brute-force dictionary attack, where a list of words is compiled (the dictionary) and each word is tried as the password in turn. Dictionary attacks are the reason for the guideline against using any word that appears in a dictionary.

The enable secret command allows the administrator to specify up to 16 privilege levels through the use of numbers 0 through 15. If no level is specified, level 15 is assumed. This command, combined with the privilege level command, allows the administrator to give some administrators access to specified commands while denying access to others. The full syntax of the enable secret command is

enable secret [level level] {password | encryption-type encrypted-password}

The following example shows how to enable a secret password at level 7 using “9%ad100gbellisnon” for the password. The second line starts service password-encryption.

RouterA(config)#enable secret level 7 9%ad100gbellisnon
RouterA(config)#service password-encryption

The optional encryption-type and encrypted-password are used when copying previously encrypted passwords from other router configurations. Currently, the only encryption type available is MD5, which is specified with the number 5. This allows the administrator to copy configurations with an enable secret password across multiple routers. Although having the same password on multiple routers should usually be avoided, there are some circumstances, such as during initial deployment, where it is acceptable.

The command service password-encryption is used in the preceding example to ensure that all passwords in the configuration are shown encrypted. Before this command is entered, all passwords other than the enable secret password are shown exactly as they are entered. When the service password-encryption command is used, all passwords within the configuration are encrypted. This prevents revealing the password when distributing printed copies of the configuration.
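As an added example that is not part of the chapter, the following Python script applies the password guidelines listed earlier and the enable password, enable secret and service password-encryption points to IOS configuration text. The two sample configurations, the word list and the company terms are constructed stand-ins, and the enable secret hash is a placeholder rather than a real MD5 digest.

```python
import re

# Constructed sample IOS configurations (not from the chapter): WEAK_CONFIG shows the
# settings the text warns about, HARDENED_CONFIG the recommended replacement (placeholder hash).
WEAK_CONFIG = """\
hostname RouterA
enable password 7 0822455D0A16
interface Serial0
 ip address 192.168.10.1 255.255.255.0
line con 0
 password 7 094F471A1A0A
"""
HARDENED_CONFIG = """\
hostname RouterA
service password-encryption
no enable password
enable secret 5 $1$PLCH$placeholder.hash.value
"""
# Constructed stand-ins for a real word list and for the organisation's own terms.
DICTIONARY = {"cisco", "router", "password", "secret", "admin"}
COMPANY_TERMS = {"acme", "widgets"}

def audit_config(config):
    """Flag how passwords are stored: enable password, type 7 strings, missing encryption service."""
    findings = []
    if re.search(r"^enable password\b", config, re.M):
        findings.append("enable password in use; replace with enable secret and 'no enable password'")
    if not re.search(r"^service password-encryption$", config, re.M):
        findings.append("service password-encryption not set; line passwords appear in clear text")
    if re.search(r"^\s*(enable )?password 7 ", config, re.M):
        findings.append("type 7 (Vigenere) passwords present; treat them as exposed if the config leaks")
    return findings

def check_password(candidate, config):
    """Apply the chapter's guidelines to a candidate password for the given configuration."""
    low = candidate.lower()
    # Values the password must not be derived from: hostname, addresses, company terms.
    derived = set(re.findall(r"^hostname (\S+)", config, re.M))
    derived |= set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", config)) | COMPANY_TERMS
    problems = [f"derived from configuration or company term: {t}"
                for t in sorted(derived) if t.lower() in low]
    problems += [f"contains dictionary word: {w}" for w in sorted(DICTIONARY) if w in low]
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        problems.append("does not mix upper- and lowercase")
    if candidate.isalpha():
        problems.append("no non-alphabetic characters")
    return problems
```

Run against the chapter's own example password, 9%ad100gbellisnon, check_password reports only that it does not mix upper- and lowercase characters.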
