Designing Network Security (Cisco Press), part 5 (ppt)

Securing the Corporate Network Infrastructure
http://wwwin.cisco.com/cpress/cc/td/cpress/internl/dns/ch08.htm (5 of 47) [02/02/2001 17.32.58]

    ppp           Start IETF Point-to-Point Protocol (PPP)
    resume        Resume an active network connection
    rlogin        Open an rlogin connection
    slip          Start Serial-Line IP (SLIP)
    systat        Display information about terminal lines
    telnet        Open a Telnet connection
    terminal      Set terminal line parameters
    traceroute    Trace the route to destination
    tunnel        Open a tunnel connection
    where         List active connections
    x3            Set X.3 parameters on PAD

Table 8-2: Cisco IOS Privileged Access Commands

    Router#?
    Command            Description
    <1-99>             Session number to resume
    access-enable      Create a temporary access list entry
    access-template    Create a temporary access list entry template
    bfe                For manual emergency mode settings
    clear              Reset functions
    clock              Manage the system clock
    configure          Enter configuration mode
    connect            Open a terminal connection
    copy               Copy configuration or image data
    debug              Debugging functions (see also undebug)
    disable            Turn off privileged commands
    disconnect         Disconnect an existing network connection
    enable             Turn on privileged commands
    erase              Erase flash or configuration memory
    exit               Exit from the EXEC
    help               Description of the interactive help system
    lock               Lock the terminal
    login              Log in as a particular user
    logout             Exit from the EXEC
    mbranch            Trace multicast route down tree branch
    mrbranch           Trace reverse multicast route up tree branch
    mrinfo             Request neighbor and version information from a multicast router
    mstat              Show statistics after multiple multicast traceroutes
    mtrace             Trace reverse multicast path from destination to source
    name-connection    Name an existing network connection
    no                 Disable debugging functions
    pad                Open an X.29 PAD connection
    ping               Send echo messages
    ppp                Start IETF Point-to-Point Protocol (PPP)
    reload             Halt and perform a cold restart
    resume             Resume an active network connection
    rlogin             Open an rlogin connection
    rsh                Execute a remote command
    send               Send a message to other tty lines
    setup              Run the SETUP command facility
    show               Show running system information
    slip               Start Serial-Line IP (SLIP)
    start-chat         Start a chat-script on a line
    systat             Display information about terminal lines
    telnet             Open a Telnet connection
    terminal           Set terminal line parameters
    test               Test subsystems, memory, and interfaces
    traceroute         Trace the route to destination
    tunnel             Open a tunnel connection
    undebug            Disable debugging functions
    verify             Verify checksum of a flash file
    where              List active connections
    write              Write running configuration to memory, network, or terminal

The authentication of enable mode in Cisco IOS devices can take one of three forms:

    ● A password
    ● A secret
    ● TACACS+

The following example is taken from a router in configuration mode to see the options for configuring authentication for enable mode:

    Router(config)#enable ?
      last-resort  Define enable action if no TACACS+ servers respond
      password     Assign the privileged level password
      secret       Assign the privileged level secret
      use-tacacs   Use TACACS+ to check enable passwords

Both the enable password and enable secret commands allow you to establish an encrypted password that users must enter to access the privileged enable mode. The difference between the enable password and the enable secret command lies in the encryption algorithm used to protect the password or secret. The enable password command uses a reversible encryption algorithm (denoted by the number 7 in the configuration option). This reversible algorithm is necessary to support certain authentication protocols (notably CHAP), where the system needs access to the cleartext of user passwords.
However, the enable secret is encrypted using the MD5 algorithm (denoted by the number 5 in the configuration option). This algorithm is not reversible and is more secure. The strength of the encryption used is the only significant difference between the two commands.

Tip: It is recommended that you use the enable secret command because it has an improved encryption algorithm over the enable password command.

The following example shows the configuration options for enable password and enable secret:

    Router(config)#enable password ?
      0      Specifies that an unencrypted password will follow
      7      Specifies that a hidden password will follow
      LINE   The unencrypted (cleartext) enable password
      level  Set exec level password

    Router(config)#enable secret ?
      0      Specifies that an unencrypted password will follow
      5      Specifies that an encrypted secret will follow
      LINE   The unencrypted (cleartext) enable secret
      level  Set exec level password

You can enter enable password or enable secret in unencrypted form, as in this example:

    Router(config)#enable secret 0 thisisasecret

Should you do so, however, enable password or enable secret is shown in the configuration file as follows:

    enable secret 5 $1$dLOD$QR.onv68q3326pzM.Zexj1

You can also enter the secret in encrypted form, as in this example:

    Router(config)#enable secret 5 $1$dLOD$QR.onv68q3326pzM.Zexj1

To do so, however, the encrypted secret would have to be copied from a previously encrypted secret. For this example, the (unencrypted) secret the user would type is thisisasecret. You cannot recover a lost encrypted password. You must clear nonvolatile random-access memory (NVRAM) and set a new password. Entering enable password or enable secret in encrypted form should be done with caution.
The following example shows the configuration file after both enable secret and enable password have been configured:

    hostname Tallinn
    !
    enable secret 5 $1$dLOD$QR.onv68q3326pzM.Zexj1
    enable password 7 047E050200335C465817

Tip: If you configure both the enable secret and the enable password commands, the enable secret command takes precedence. It is recommended that you use enable secret instead of enable password because the former command provides a more secure encryption algorithm for the secret in the configuration. The enable secret command provides more security for your configuration files should they be stored remotely on a TFTP server. Passwords should never be seen in cleartext when you view any configuration files.

If TACACS+ authentication is chosen for enable mode, you can specify a backup authentication mechanism in the event that the connection to the TACACS+ server is not available. If you use the enable use-tacacs command, you must also specify tacacs-server authentication enable or you will be locked out of the privileged enable mode.

The Cisco IOS software has incorporated additional user controls through which privilege levels can be assigned to various commands to further limit administrative access. Many times, you may want to assign particular members of the staff only a subset of the privileged enable commands. Cisco IOS allows 16 privilege levels, numbered 0 through 15. Level 1 is the current basic mode, and level 15 is the current privileged mode accessible through the enable command.

Note: There are five commands associated with privilege level 0: disable, enable, exit, help, and logout. If you configure TACACS+ authorization for a privilege level greater than 0, these five commands are not included.
Both enable password and enable secret can be configured to provide privilege level authentication. The following examples show how to configure either enable password or enable secret to gain access to a specific privilege level:

    Router(config)#enable password level 10 ?
      0     Specifies that an unencrypted password will follow
      7     Specifies that a hidden password will follow
      LINE  The unencrypted (cleartext) enable password

    Router(config)#enable secret level 10 ?
      0     Specifies that an unencrypted password will follow
      5     Specifies that an encrypted secret will follow
      LINE  The unencrypted (cleartext) enable secret

Here is a specific example of the privilege level command used in conjunction with enable secret to assign different commands to different privilege levels. In this case, network operators can log in with a secret configured for level 9 privilege access; once properly authenticated, these operators are allowed to reload the routers and look at statistics using the show command. Such a configuration would look like this:

    hostname Tallinn
    !
    privilege exec level 9 show
    privilege exec level 9 reload
    enable secret level 9 5 $1$dLOD$QR.onv68q3326pzM.Zexj1

The network operators are given the secret; then, they can access the appropriate commands using the following command at the router prompt:

    router> enable 9
    password: <secret for level 9>

Note: The write terminal/show running-config command displays all the commands the current user can modify (that is, all the commands at or below the user's current privilege level). The command does not display commands above the user's current privilege level because of security considerations. The show config/show startup-config command does not really show the configuration.
It simply prints out the contents of NVRAM, which just happens to be the configuration of the router at the time the user does a write memory. To enable a privileged user to view the entire configuration in memory, the user must modify the privileges for all commands configured on the router. This approach is not recommended because it is quite cumbersome. Instead, the following alternative configuration is suggested:

    username showconfig password foo
    username showconfig priv 15 autocommand write terminal

With this approach, anyone who knows the foo password can show the configuration by doing an extra login on a spare vty.

Using TACACS+ Authorization to Control Access to Specific Commands on IOS Routers

Instead of using privilege levels to define varying command privileges, you can achieve the same result using TACACS+ authorization. On the router, you would use this command:

    aaa authorization commands 15 tacacs+ none

On the TACACS+ server, you have:

    group=partner_company {
        default service = permit
        cmd = crypto {
            deny .*
        }
        cmd = aaa {
            deny .*
        }
        cmd = tacacs-server {
            deny .*
        }
        cmd = no {
            deny crypto.*
            deny aaa.*
            deny tacacs.*
        }
    }
    user = luser {
        login = des slslkdfjse
        member=partner_company
    }

The first portion of the configuration (the cmd = crypto, cmd = aaa, and cmd = tacacs-server statements) denies any crypto, aaa, and tacacs configuration commands. The second portion (the cmd = no statement) does not allow the group to remove the crypto, aaa, or tacacs commands.

Cisco Switches

For Cisco switches, basic access mode is denoted by the > prompt after the system prompt; privileged access is indicated by the word (enable) in the system prompt. Table 8-3 displays the basic mode commands; Table 8-4 shows the privileged mode commands (both tables list the commands available when your system is equipped with a Supervisor Engine I or II module).
Table 8-3: Cisco Switch Basic Access Commands

    Switch> ?
    Command     Description
    enable      Enable privileged mode
    help        Show this message
    history     Show contents of history substitution buffer
    ping        Send echo packets to hosts
    quit        Exit from the administration session
    session     Tunnel to ATM or router module
    set         Set, use set help for more information
    show        Show, use show help for more information
    wait        Wait for x seconds

Table 8-4: Cisco Switch Privileged Access Commands

    Switch> (enable) ?
    Command     Description
    clear       Clear, use clear help for more information
    configure   Configure system from terminal/network
    disable     Disable privileged mode
    disconnect  Disconnect user session
    download    Download code to a processor
    enable      Enable privileged mode
    help        Show this message
    history     Show contents of history substitution buffer
    ping        Send echo packets to hosts
    quit        Exit from the administration session
    reconfirm   Reconfirm VMPS
    reset       Reset system or module
    session     Tunnel to ATM or router module
    set         Set, use set help for more information
    show        Show, use show help for more information
    slip        Attach/detach Serial Line IP (SLIP) interface
    switch      Switch to standby <clock|supervisor>
    telnet      Telnet to a remote host
    test        Test, use test help for more information
    upload      Upload code from a processor
    wait        Wait for x seconds
    write       Write system configuration to terminal/network

To authenticate a user for privileged access on Cisco switches, two forms of authentication are possible:

    ● Using a TACACS+ server
    ● Using a locally defined password

The command to specify the authentication is as follows:

    set authentication enable {tacacs | local} {enable | disable}

The locally defined enable password is configured using the set enablepass
command. The command prompts you for the old password. If the password you enter is valid, you are prompted to enter a new password and to verify the new password. A zero-length password is allowed.

    Console> (enable) set enablepass
    Enter old password: <old_password>

[...]

... Ethernet1
    ip address 144.254.1.1 255.255.255.0
    no ip redirects
    standby priority 200
    standby preempt
    standby ip 144.254.1.3

The configuration of a standby router is as follows:

    hostname Standby
    !
    interface Ethernet1
    ip address 144.254.1.2 255.255.255.0
    no ip redirects
    ...

... allows IP addresses from network 144.254.5.0 and the hosts 144.254.7.10 and 144.254.7.20 to have either Telnet or SNMP access to the switch:

    ip permit 144.254.5.0 0.0.0.255
    ip permit 144.254.7.10
    ip permit 144.254.7.20
    ip permit enable

Cisco PIX Firewall

The PIX ...

...
    ip address 144.254.4.3 255.255.255.0
    ip authentication mode eigrp 109 md5
    ip authentication key-chain eigrp 109 toBuilding2
    !
    router eigrp 109
    network 144.254.0.0

Note: Router clocks should be synchronized with Network Time Protocol (NTP) if route authentication is to work properly.

Figure 8-4: Route Authentication

... 08:30:00 June 6 1998 infinite
    !
    interface FE 1
    ip address 144.254.4.2 255.255.255.0
    ip authentication mode eigrp 109 md5
    ip authentication key-chain eigrp 109 toBuilding1
    !
    router eigrp 109
    network 144.254.0.0

    hostname Building2
    !
    key chain To-Bldg1
    key 1
    key-string ...

... only valid network addresses are permitted past the routers. All corporate infrastructure routers should have filters in place to disallow any obviously bogus traffic. For example, any edge router should deny traffic whose source address is one of the RFC reserved addresses shown in Table 8-7.

Table 8-7: RFC Reserved Addresses

    Network IP Address   Mask
    127.0.0.0            0.255.255.255
    10.0.0.0             0.255.255.255
    172.16.0.0           0.240.255.255
    192.168.0.0          0.0.255.255

These IP addresses are specified for special use and are therefore designated as nonroutable in the Internet infrastructure. (That is, no Internet Service Provider will route these networks; therefore, no edge routers connecting to the Internet should receive packets with these ...

... default route to the backbone.

Figure 8-5: Controlling Routing Information

Note: If you are using DHCP on the LAN, the hosts on the LAN have a default router configured and there is no need to use RIP.

    router eigrp 109
    network 144.254.0.0
    distance 255
    distance 100 144.254.5.0 0.0.0.255
    !
    router rip
    network 144.254.0.0
    passive-interface FE 1/0
    distribute-list 11 out
    distance 255
    !
    access-list 11 permit 0.0.0.0 ...

... a local database of users is shown here:

    username staff password 7 082C495C0012001E010F02
    username admin password 7 0574837212001E010F0296
    !
    line con 0
    password 7 047E050200335C465817
    line aux 0
    login local
    line vty 0 4
    login local
    !

You can limit the access ...

... to 255. (The values 0 to 9 are reserved for internal use.) Used alone, the weight argument specifies a default administrative distance that the Cisco IOS software uses when no other specification exists for a routing information source. Routes with a distance of 255 are not installed in the routing table.

... lists (that is, filters) that only permit or deny access from or to specified networks or hosts. A thorough explanation of Cisco IOS access lists is given in Chapter 9, "Securing Internet Access." The following example allows only incoming Telnet access from hosts on network 144.254.5.0:

    access-list 3 permit 144.254.5.0 0.0.0.255
    !
    line vty 0 4
    access-class 3 in

Interactive access can be completely prevented ...

... users:

    access-list 6 permit 144.254.5.0 0.0.0.255
    !
    ip http server
    ip http access-class 6

Note: Before Cisco IOS Release 11.3, only users with privilege level 15
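As an added example that is not part of the book, a small Python audit that applies the chapter's recommendations to a saved IOS configuration: it flags an enable password configured without an enable secret (or left in place beside one), the enable use-tacacs lockout condition, type 7 username passwords, and vty lines without an access-class. The sample configurations are constructed from command lines on this page; the function name audit_ios_config and the severity labels are this example's own assumptions.

```python
import re

# Constructed sample running-config (not from the book): command lines this
# chapter shows, plus enable use-tacacs to exercise the lockout check.
SAMPLE_CONFIG = """\
hostname Tallinn
!
enable secret 5 $1$dLOD$QR.onv68q3326pzM.Zexj1
enable password 7 047E050200335C465817
enable use-tacacs
!
username staff password 7 082C495C0012001E010F02
!
line con 0
 password 7 047E050200335C465817
line vty 0 4
 login local
"""

# The same device after applying the chapter's recommendations.
HARDENED_CONFIG = """\
enable secret 5 $1$dLOD$QR.onv68q3326pzM.Zexj1
access-list 3 permit 144.254.5.0 0.0.0.255
line vty 0 4
 access-class 3 in
 login local
"""

def audit_ios_config(text):
    """Return (severity, message) findings for an IOS running-config."""
    lines = [l.rstrip() for l in text.splitlines()]
    findings = []
    has_secret = any(l.startswith("enable secret ") for l in lines)
    has_enable_pw = any(l.startswith("enable password ") for l in lines)
    if has_enable_pw and not has_secret:  # type 7 is reversible
        findings.append(("high", "enable password only (type 7); configure enable secret"))
    elif has_enable_pw and has_secret:  # the secret wins; the password is dead weight
        findings.append(("low", "enable secret takes precedence; remove enable password"))
    if "enable use-tacacs" in lines and not any(
            l.startswith("tacacs-server authentication enable") for l in lines):
        findings.append(("high", "enable use-tacacs without tacacs-server authentication enable: lockout risk"))
    for l in lines:  # type 7 user passwords are recoverable from a saved config file
        m = re.match(r"username (\S+) password 7 ", l)
        if m:
            findings.append(("medium", f"username {m.group(1)} uses type 7 password"))
    # Group each "line ..." stanza with its indented sub-commands; a vty stanza without access-class accepts Telnet from any source.
    stanzas, current = {}, None
    for l in lines:
        if l.startswith("line "):
            current = l
            stanzas[current] = []
        elif l.startswith(" ") and current:
            stanzas[current].append(l.strip())
        else:
            current = None
    for name, body in stanzas.items():
        if name.startswith("line vty") and not any(b.startswith("access-class") for b in body):
            findings.append(("medium", f"{name} has no access-class"))
    return findings
```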

Posted: 14/08/2014, 14:20
