Cisco Router Fortification

This is a tutorial on how to harden the security of your Cisco routers.

1. Default Privilege

By default, the enable privilege level is 15.

2. Setting the Enable Password. Note that only the enable secret should be used in a production network, because the enable password is stored in clear text, while the enable secret is encrypted.

Creating a secret for privilege level 15.

Creating a secret for privilege level 5.

3. To enter enable privilege level 15, just enter the command enable in user EXEC mode. To enter privilege level 4, you must specify the privilege number, for example “R1>enable 4”.

Since privilege level 4 has not been given specific authorization to access global configuration mode, the user is unable to run configure terminal.

4. Securing VTY Lines and AUX Port

Securing the router using its local database.

5. AAA Framework (Authentication, Authorization, and Accounting)

This is a sample topology in Packet Tracer. Please note that some commands here do not work the same way as on real Cisco appliances.

6. Default Authentication Method List

Privilege level 4 was given access to the “ping” command.

Before proceeding with your AAA configuration, the first step is to input the “aaa new-model” command, or else it won’t work.

This command specifies which server will provide the authentication method, as well as the secret key.

This is a good way to test whether your authentication works. Although we used telnet here, the best practice is to use SSH.

7. Custom Method List

In this command, we use tacacs+ as the authentication method and the “enable” password as a fallback in case the tacacs+ server fails.

8. Additional Security commands

These commands can mitigate password brute-forcing.
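
The eight steps above as one consolidated IOS configuration sketch. This is an added example, not the commands from the original screenshots; the username, every <PLACEHOLDER> secret, the TACACS+ server address 192.0.2.10, the method-list name VTY-AUTH, the choice of TACACS+ for the default list and the specific brute-force commands and values in the last section are assumptions.

```cisco
! Added example. All <PLACEHOLDER> values, names and addresses are assumptions.
!
! Step 2: enable secrets (use "enable secret", never "enable password")
enable secret <LEVEL15-SECRET>
enable secret level 5 <LEVEL5-SECRET>
!
! Steps 3 and 6: a level-4 secret, and permission for level 4 to run ping.
! Level 4 still cannot run "configure terminal" unless that is granted too.
enable secret level 4 <LEVEL4-SECRET>
privilege exec level 4 ping
!
! Step 4: VTY and AUX lines authenticate against the local user database
username admin privilege 15 secret <ADMIN-SECRET>
line vty 0 4
 login local
 ! SSH instead of telnet; needs a hostname, ip domain-name and an RSA key
 transport input ssh
line aux 0
 login local
!
! Steps 5 and 6: AAA. "aaa new-model" must come first. Once it is entered,
! the lines follow AAA method lists instead of "login local".
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key <SHARED-KEY>
! Default method list: try the server, fall back to the local database
aaa authentication login default group tacacs+ local
!
! Step 7: custom method list, tacacs+ first, enable password as fallback
aaa authentication login VTY-AUTH group tacacs+ enable
line vty 0 4
 login authentication VTY-AUTH
!
! Step 8: slow down password guessing
! Block logins for 120 s after 3 failures within 60 s
login block-for 120 attempts 3 within 60
login on-failure log
security passwords min-length 10
```

Keep a console session open while applying the AAA section so a mistake in a method list does not lock you out, and verify each method list with a fresh login before closing it.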
