I want to discuss two other items concerning setting up basic authentication to various types of access to your router. The first item deals with unencrypted passwords, and the second deals with login banners. The following two sections cover this information.
Certain password commands, such as the password line subconfiguration mode command and the username password and enable password commands, do not encrypt their passwords. Unfortunately, this means that every time you view your configuration with the show running-config command or back up your configuration to a TFTP server, these clear-text passwords are susceptible to eavesdropping attacks. You can use a few solutions to limit your exposure to eavesdropping attacks for your passwords:
Use commands that encrypt the passwords, such as username secret and enable secret.
When backing up your configuration to a remote server, use a VPN that performs encryption, or, instead of using TFTP, use SCP (secure copy). VPNs are discussed in Part VIII, and SCP is discussed in Chapter 5.
Encrypt the unencrypted passwords with the service password-encryption command.
This section focuses on the last point. The service password-encryption command is used to encrypt clear-text passwords in your configuration:
Router(config)# service password-encryption
Passwords are encrypted whenever you execute this command and any time after this when you enter a password in your router's configuration. This applies to all clear-text passwords, including authentication key passwords, line passwords, privileged EXEC passwords, and routing protocol passwords. However, the encryption process used for the encryption is very weak and can be reversed.
The main purpose of the service password-encryption command is to provide some level of protection from eavesdroppers. However, it should be pointed out that passwords encrypted with this command can be decrypted with the correct tool. At one time, you could download freely this tool if you had CCO access.
As an example, you can go to the website http://www.oldach.net/ciscocrack.shtml and enter the full username password or enable password command, and the website will decrypt the password for you. Here's an example of information that I entered and the output that it produced:
The line username richard privilege 7 password 7 0822455D0A16 decodes to username richard privilege 7 password cisco
That's pretty cool, yet scary. If you use the secret parameter, which uses MD5 to encrypt the password, this nifty utility cannot decode the password. The one limitation of this link is that it decrypts passwords only from the username password command. Boson software has a similar utility that you can download and freely use on your desktop. It can be found at http://www.boson.com/promo/utilities/getpass/getpass_utility.htm. This utility decrypts any password that was encrypted with the service password-encryption command. Actually, I have never heard of anyone breaking an MD5-protected password, so I highly recommend that you use commands that use MD5 for password protection.
Even though this is a minor thing, you always should put a login banner on your router that is displayed before the username/password prompt. This might not seem like an important measure to take when securing your router; however, if you ever need to take someone to court over damages caused by hacking into your router, you will need proof that access to the router is limited to only authorized personnel.
At a minimum, a good banner should contain the following:
What company or person owns the router
Who is authorized to use the router
A statement that unauthorized use is illegal and in violation of state and federal laws
A statement that users' activities will be monitored while on the system
A statement that actions will be prosecuted to the fullest extent of the law
From a legal standpoint, your banner should address two major issues:
Display a message that would prove that a hacker's actions were intentional, so that the hacker can't argue that his actions were inadvertent or accidental. By going past the banner to log in, the hacker should be forewarned.
Display a message regarding the law and repercussions for breaking the law. This tells any hacker that he cannot plead ignorance of the law if he breaks into your router.
Your warnings should be spelled out but general in nature as to what type of crime a hacker is committing by gaining unauthorized access, and that federal or state law-enforcement agencies will be used to prosecute the offense. What you don't want to include in your banner are words such as welcome, greeting, and other types of friendly salutations. You want to make it distinctly clear to whom the router belongs, who is allowed to use it, and the repercussions of unauthorized access.
Here is a standard banner that I commonly see on U.S. government devices:
THIS UNITED STATES GOVERNMENT COMPUTING SYSTEM IS FOR AUTHORIZED OFFICIAL USE ONLY. Unauthorized use or use for other than official U.S. Government business is a violation of Federal Law (18 USC). Individuals using this computing system are subject to having all of their activities on this system monitored and recorded without further notice. Auditing of users may include keystroke monitoring. Any individual who uses this system expressly consents to such monitoring and is advised that information about their use of the system may be provided to Federal law enforcement or other authorities if evidence of criminal or other unauthorized activity is found.
Of course, you should change this to fit your own company's policies.
Each government institution has its own laws regarding illegal access and destruction. Therefore, you first should consult your legal department about your created banner so that you have a better chance of winning in court if you must prosecute someone.
You can up a login banner on a Cisco router in a few ways:
banner motd creates a message of the day (MOTD) banner. This banner is displayed to all connected terminal users before they are prompted for the username/password information.
banner login creates a login banner. This banner is displayed after the MOTD banner but before the user is prompted for the username/password information. This sometimes is used to list contact information.
banner exec creates an EXEC banner. This banner is displayed before an EXEC process is started. This is typically after the user has authenticated but before the CLI prompt is presented to the user. This sometimes is used to display scheduled events, such as system downtime or maintenance.
banner incoming creates an incoming banner. This is used in reverse Telnet connections. This typically displays instructions on the use of reverse Telnet, such as how to suspend a session.
banner slip-ppp creates a banner for incoming SLIP and PPP dialup connections.
Of the banners listed, at a minimum, you should configure the banner motd command. Your main concern here is to ensure that no matter what method someone uses to gain access to your router?local through the console or auxiliary lines, or remote through VTY?a banner is always displayed.
I know of no way of making a banner appear on an HTTP login connection through a web browser to a Cisco IOS router. Therefore, you need to take very careful measures to prevent this kind of unauthorized access to your router.
The general syntax of the banner command is as follows:
Router(config)# banner banner_type stop_character message stop_character
The banner type can be motd, login, exec, incoming, or slip-ppp. Following this is the stop, or delimiting, character. This indicates that when you are typing in your message and this character appears, the Cisco IOS will terminate the banner. Next you type in your banner message. Note that the stop character, not the <ENTER> key, indicates the end of the banner; therefore, banners can span multiple lines. After you type in your stop character and then type in any other character, the Cisco IOS exits the banner creation.
Within the banner message, you can insert banner tokens. A banner token is basically a variable the Cisco IOS fills in with the appropriate information. Table 3-3 lists some of the banner tokens that you can insert into all but the incoming banner messages.
The name of the router configured with the hostname command
The domain name configured on the router with the ip domain-name command
The VTY or TTY line number that the user is using to access the router
To illustrate the use of a login banner, Example 3-18 shows how to create a simple MOTD banner using the canned government banner shown in the previous section.
Router(config)# banner motd $ THIS UNITED STATES GOVERNMENT COMPUTING SYSTEM IS FOR AUTHORIZED OFFICIAL USE ONLY. Unauthorized use or use for other than official U.S. Government business is a violation of Federal Law (18 USC). Individuals using this computing system are subject to having all of their activities on this system monitored and recorded without further notice. Auditing of users may include keystroke monitoring. Any individual who uses this system expressly consents to such monitoring and is advised that information about their use of the system may be provided to Federal law enforcement or other authorities if evidence of criminal or other unauthorized activity is found. $ Router(config)#
In this example, the stop character is the dollar sign ($). To test the banner, log out and back into your router.
In Cisco IOS 12.2 and earlier, there is an operational problem with Cisco routers: If a user attempts to log in and gives an invalid username, the router responds with a "% Login invalid" message instead of prompting the user for a password again. The problem with this message is that it tells the hacker that the account name that the hacker tried to use does not exist on the router. If the hacker does not get this message, he knows that he has found a valid account name. This greatly aids a hacker in gaining unauthorized access to your router. If you are concerned, upgrade to Cisco IOS 12.3.