Router Overview - Router Security
Routers aren’t very visible on internetworks, mainly because they usually don’t have addresses such as www.yahoo.com or www.amazon.com. Routers don’t need to have human-friendly addresses, because normal internetwork users never need to know that a router is there; they just need the connectivity it provides them.
The only people who ever need to log directly into a router are members of the network team responsible for managing it. In TCP/IP networks—the protocol on which most internetworks run—routers identify themselves to internetworks only with their IP addresses. For this reason, to log into a router you must first know that it exists and then what its IP address is. The network administrators responsible for the router will, of course, know this information.
The potential for abuse by hackers still exists. As you will learn in Chapter 14, routers constantly send messages to one another in order to update and manage the internetworks on which they operate. With the proper skills and enough determination, a hacker could discover a router’s IP address and then attempt to establish a Telnet connection to it. Given that routers are the links that stitch internetworks together, it’s easy to understand why Cisco and other internetwork equipment manufacturers design many security measures into their products. As shown in Figure 4-8, security must restrict access to areas within an internetwork and to individual devices.

NOTE: Router passwords only control entry to the router devices themselves. Don’t confuse router passwords with passwords normal internetwork users must type in to enter certain Web sites or to gain admittance to intranets (private internetworks). Restrictions put on normal users are administered through firewalls and access lists, which are covered in Chapter 8.
Router Passwords
Router passwords aren’t intended only to keep out hackers. Password protection is administered on a router-by-router basis. Passwords to get into a router are stored inside the router itself in most cases. Large internetworks have dozens or even hundreds of routers—some more critical to network operations than others—so it’s a common practice for network managers to allow only select network team members access to certain routers, or even to command levels within routers. Table 4-3 lists router passwords and what they do.

In Cisco routers, passwords are used to control access to:
▼ The router device itself
■ The Privileged EXEC (enable mode) portion of the IOS software environment
▲ The use of specific IOS commands
Line Passwords
Line passwords are used to control who can log into a router. They are used to set password protection on the console terminal line, the AUX (auxiliary) line, and any or all of the five virtual terminal (VTY) lines.
You must set at least one password for the router’s VTY lines. If no Line password is set, when you attempt to log into the router via Telnet, you will be stopped by the error message “password required but none set.” Remember, anyone on the Internet can conceivably Telnet into any router, so setting Line passwords will stop all but the best hackers from getting a foothold. Here, IOS is prompting for a password:
User Access Verification
Password:
Router>
When you enter passwords into IOS, no asterisks appear to mask the letters typed—something to which most of us are accustomed. In the preceding example, at the prompt Router> (the router’s host name in this example), the correct password was entered, the host router was successfully logged into, but no asterisks appear to the right of the password prompt. This might throw you off at first, but you’ll grow accustomed to it.
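As an added example (not from the book), the following Python check reads running-config-style text and reports, for the console, AUX and VTY lines described above, whether a Line password is actually enforced. The sample configuration, the status names and the function names are assumptions made for illustration; the check reads only the commands present in the text and does not model platform defaults.

```python
import re

# Constructed sample in running-config style; not taken from a real device.
SAMPLE_CONFIG = """\
hostname Router
!
line con 0
 password <console-password>
 login
line aux 0
line vty 0 4
 login
!
end
"""

LINE_HEADER = re.compile(r"^line (con|aux|vty) (\d+)(?: (\d+))?\s*$")


def classify(cmds):
    """Map the sub-commands of one line block to a status (names are assumptions)."""
    has_password = any(c.startswith("password ") for c in cmds)
    logins = [c for c in cmds if c == "login" or c.startswith("login ")]
    if not logins:
        return "open"        # no login check configured: no password is asked for
    if any(c != "login" for c in logins):
        return "user-auth"   # login local / login authentication, not a Line password
    # Plain "login" without a password is the "password required but none set" case.
    return "password" if has_password else "refused"


def audit_line_passwords(config_text):
    """Return {line name: status} for each console/AUX/VTY block in the config."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        header = LINE_HEADER.match(raw)
        if header:
            kind, first, last = header.groups()
            current = f"{kind} {first}" + (f"-{last}" if last else "")
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())   # sub-command of the open block
        else:
            current = None                        # "!" or a new top-level command
    return {name: classify(cmds) for name, cmds in blocks.items()}


if __name__ == "__main__":
    for name, status in audit_line_passwords(SAMPLE_CONFIG).items():
        print(f"line {name}: {status}")
```

Any line reported as "open" accepts a session without a password, and "refused" means Telnet logins are rejected until a Line password is set.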
NOTE: You may have noticed that the password examples in this chapter are not made person-specific with usernames. While it is possible to have usernames with Enable and Enable Secret passwords, it is rarely done. This is because Enable and Enable Secret passwords are stored in router configuration files. Network managers find it more practical to simply issue generic passwords to avoid the administrative nightmare of maintaining username/passwords across dozens or even hundreds of routers. Refer to Chapter 8 to find out how user accounts and passwords can be centrally maintained using TACACS+ and CiscoSecure.
This chapter is from Cisco: A Beginner's Guide, by Velte and Velte (McGraw-Hill/Osborne, 2004, ISBN: 0072256354).