
Keep Your Cisco Equipment Secure
Here are some tips I use to keep my router secure from all the unfriendly
networks the internet has to offer.
1. Restrict telnet access with an IP access list:
Out of the box a router does not accept telnet logins, because no password is set
on the virtual terminal lines. In practice every system administrator enables some
type of remote access to configure and manage the device, so here is a way to
limit that telnet access to an IP access list.
configure terminal
! define the ACL first so access-class has something to reference
access-list 1 permit 208.229.144.0 0.0.0.255
line vty 0 4
 access-class 1 in
 login
 ! type the clear-text password; item 3 below makes IOS store it as "password 7 <hex>"
 password <your-vty-password>
end
OK, this is a very simple configuration. First enter configuration mode and define
access list 1, which permits only the 208.229.144.0/24 subnet (a standard ACL ends
with an implicit deny, so every other source address is refused). Next enter line
vty 0 4 (the five virtual terminal lines, 0 through 4, that telnet sessions land
on) and add the access-class statement, which applies access list 1 to inbound
connections on those lines. Define the ACL before you reference it: IOS treats a
missing ACL as "permit everything", so a typo in the number leaves the lines wide
open. The password is typed in clear text; once item 3 below is enabled it shows up
in the configuration as "password 7" followed by the obfuscated string. This will
not stop a determined attacker on the permitted subnet, but a brute-force attempt
from anywhere else never even reaches the login prompt. Keep in mind that telnet
sends the password across the network in the clear, so the ACL limits who can try
to log in, not who can listen.
2. Next we need to protect SNMP (Simple Network Management Protocol) from outside
access. I use SNMP to monitor bandwidth, uptime, temperature and interface stats on
all my core network devices. It is very scary when you can query someone else's
network device: it shows you all kinds of stats about their network, and if a
read-write community is configured improperly it can give you access to change the
router's configuration. So to protect SNMP from other people's eyes, restrict access
to it with two changes.
access-list 10 permit 208.229.144.0 0.0.0.255
snmp-server community ibs-networkmanagement RO 10
Configure the community string to something other than "public" or "read".
"Public" (or "read" on some gear) is the default for most equipment; change it to
something unique to your network, treat it as a password and keep it secret. Here I
have chosen "ibs-networkmanagement". The next setting, RO, makes the community
read-only, so nobody can use it to modify the device. The last value refers to
access list 10, which permits only one subnet on my network. So even if you know
the SNMP community string, you cannot query the router unless you are coming from
the permitted subnet. One caveat: SNMP versions 1 and 2c send the community string
in clear text with every query, which is another reason to keep the ACL tight.
3. Last, do not forget to enable service password-encryption. This stores the
passwords in the configuration in "type 7" form, a weak, reversible obfuscation
(a fixed-key XOR, not a hash), but at least the passwords are no longer human
readable when someone glances at your running config. Note: because type 7 is
reversible, anyone who gets a copy of the configuration can recover the clear text
with any number of tools on the internet, so it protects against shoulder surfing,
not against a leaked config file.
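To make that last point concrete, here is an added example (my own code, not
something from the original post or from Cisco) that decodes type 7 strings and
audits a running config for the three items above. The sample config fragment, the
"public RW" community and the password value are constructed for the example; the
key is the fixed XOR key IOS uses for type 7, and the 0822455D0A16 string was
produced with the same routine from the word "cisco".

```python
"""Type 7 is reversible: decode it, and audit a config for items 1-3 above.

Added example, not from the original post. The sample config below is
constructed; the XOR key is the fixed key Cisco IOS uses for type 7.
"""
from __future__ import annotations

import re

# Fixed key used by IOS "service password-encryption" (type 7). It has been
# public for decades, which is why anyone holding the config can reverse it.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Recover the clear text behind a 'password 7 <string>' value.

    Format: two decimal digits give the start offset into the key; each
    following hex pair is one clear-text byte XOR'd with the key byte.
    """
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string must be an even length of at least 4")
    seed = int(encoded[:2], 10)
    if seed >= len(_TYPE7_KEY):
        raise ValueError("seed out of range")
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encrypt(clear: str, seed: int = 0) -> str:
    """Produce the string IOS would store; here only to show the round trip."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 00-15")
    body = bytes(c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(clear.encode("ascii")))
    return f"{seed:02d}{body.hex().upper()}"


_PASSWORD7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)\b")


def find_type7_passwords(config_text: str) -> list[tuple[str, str]]:
    """Return (encoded, clear) for every 'password 7' line in a running config."""
    return [(m.group(1), type7_decrypt(m.group(1)))
            for m in _PASSWORD7_RE.finditer(config_text)]


# Handles the simple form used in this post: community, RO/RW, optional ACL.
_SNMP_RE = re.compile(
    r"^\s*snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?\s*$", re.M)


def audit_snmp(config_text: str) -> list[str]:
    """Flag what item 2 warns about: default names, write access, no ACL."""
    findings = []
    for m in _SNMP_RE.finditer(config_text):
        community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
        if community.lower() in ("public", "private", "read"):
            findings.append(f"{community}: default/guessable community string")
        if mode == "RW":
            findings.append(f"{community}: read-write access")
        if acl is None:
            findings.append(f"{community}: no access-list, any host can query")
    return findings


# Constructed sample running-config fragment (not from a real device): the
# hardened lines from items 1-3 plus one leftover "public RW" community.
SAMPLE_CONFIG = """\
service password-encryption
!
access-list 1 permit 208.229.144.0 0.0.0.255
access-list 10 permit 208.229.144.0 0.0.0.255
!
snmp-server community public RW
snmp-server community ibs-networkmanagement RO 10
!
line vty 0 4
 access-class 1 in
 login
 password 7 0822455D0A16
"""

if __name__ == "__main__":
    for encoded, clear in find_type7_passwords(SAMPLE_CONFIG):
        print(f"password 7 {encoded} -> {clear!r}")
    for finding in audit_snmp(SAMPLE_CONFIG):
        print("SNMP:", finding)
```

Run it against the output of show running-config on one of your own devices and
every "password 7" line comes back in clear text in well under a second, which is
the whole reason item 3 is a readability measure and not a security control.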