Monday, October 26, 2009
I was at a new site for a consulting job and found so many security holes that I had the need to write down few basics for those who didn't know or already forgotten.
When you configure a new router you should decide on a security method that will keep it as secured as possible. Keep in mind that doing nothing is NOT a method.
Working for a small to mid-size shop you're the only one handling the routers, maybe 2-3 more people need access for specific tasks. You have to make sure no one else - internal or external get on the device and make any changes.
One of the most important actions these days is removing all Telnet access and switch to SSH. It is not always possible with old equipment but if you have any of the supported boxes please use it. It is a major security improvement.
Next thing to think about is your local user list. Passwords are kept on the router and show in Show Running-config. Most admins think that using type 7 encryption is good enough. Check this online tool and think again. It is able to decrypt Cisco's encrypted "type 7" passwords!
Now you think this is impressive, check this in the router IOS decryption option...
Another instant easy to implement option is AAA. Use another server for authentication to keep passwords off the router. RADIUS servers can sync with Microsoft's Active Directory and use the same password policy you apply for users on the domain, to the router. That will also make your password management an easier task. Windows 2003 & 2008 can use as RADIUS server using Internet Authentication Service.
These are basic easy tools that cost nothing and require few minutes. You should think of them as a MUST and go implement them yesterday. You do not have to know too much, these do not require being an expert so what are you waiting for?