Section 12.2: Managing Network Devices

The policy that controls access to network devices should be one of the first components of the access policy. Every device at every layer of the campus network should be covered by a plan that addresses physical security; passwords; privilege levels, which allow limited access to a network device; and restrictions on virtual terminal (Telnet) access.

12.2.1: Physical Access

Virtually all devices provide a way of gaining control of the device if you have physical access to it. For this reason, defining a physical access policy is important: if the physical device is not secured, your network is not secure either. You can physically secure your network by:

• establishing a configuration, control, and change management policy for all devices at each of the respective layers;

• establishing a security plan for all physical locations, including details on physical and link security;

• providing the proper physical environment, with provisions for locking the room, proper ventilation and temperature controls, and backup power;

• controlling direct access to the device; and

• securing access to network links.

12.2.2: Passwords

There are several ways to access every Cisco device; each should have a password applied to prevent unauthorized access.

• Out-of-band management options include the console port and the auxiliary port.

• In-band management options include Trivial File Transfer Protocol (TFTP) servers and Simple Network Management Protocol (SNMP)-based network management systems, such as CiscoWorks 2000.

• Virtual terminal ports, referred to as vty ports, are used for terminal access. There are five vty ports by default on each Cisco device, and you can create more if you need to.

By default, passwords are stored in clear-text format in the router's configuration. The only exception is the enable secret password, which is automatically encrypted. Password encryption can be compromised, so it should be used in combination with other security measures.

12.2.3: Privilege Levels

There are two default levels of access: user and privileged. The user level allows the user to perform certain commands but does not give them the ability to modify the configuration or perform a debug. The privileged level allows the user to issue all commands, including configuration and debug commands.

Cisco IOS provides different levels of privilege for users through the privilege level command. This command allows network administrators to grant a more granular set of rights on Cisco network devices. There are 16 privilege levels, ranging from 0 to 15. Level 1 is the default user EXEC privilege level, while the highest level, 15, grants the user all rights on the device. Level 0 can be used to specify a more limited subset of commands for specific users or lines. For all other privilege levels (2 to 14), you must specify the commands that the privilege level is allowed to execute.

Use the privilege command to define the commands that can be entered at a given privilege level.

Use the enable secret level level password command to set the password for that privilege level.

12.2.4: Virtual Terminal Access

By default, there are five vtys on each Cisco device, but you can create as many as you need. The vty you are assigned when you connect depends on how many vtys are already in use. Because you will never know exactly which vty line you are using, you should set identical restrictions on all lines.

The line vty first last command takes you into the line configuration mode for the selected range of vtys. The most common form of this command is line vty 0 4, which indicates that you are modifying vty 0 (the first vty) through vty 4.

The access-class command applies an access list to the vty lines. The access list is a standard access list that specifies which source addresses are permitted or denied. The in or out keyword must be given with the access-class statement; it indicates whether the list controls the source addresses allowed to establish a Telnet session with this device (in) or those allowed to Telnet out of this device (out).

Use caution with the access-class command. Starting in release 11.0(6), Cisco IOS allows web browser access for configuring your Cisco network device. This access is provided via HTTP and, while easier, it creates some potential security issues: if you turn on the HTTP server, no security is applied by default. To enable HTTP access, enter the following command:

Switch(config)#ip http server

Password security for web access can be applied in the same way as for console and virtual terminal access. The following command specifies which kind of authentication should be used:

Switch(config)#ip http authentication [ aaa | enable | local | tacacs ]

The four types of authentication that can be set in this command are:

• aaa, which indicates that authentication, authorization, and accounting (AAA) should be used for authentication;

• enable, which indicates that the enable password should be used. This is the default method;

• local, which indicates that the local user database is used for authentication information; and

• tacacs, which indicates that a TACACS server should be used for authentication.
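The checks this section describes for vty and HTTP access (an inbound access-class on every vty line, identical restrictions across all vtys, no clear-text enable password, and no ip http server left on its default enable-password authentication) can be run over a saved running-config. The following is an added example and not code from the original text; the two configs are constructed samples, and the enable secret hash is a placeholder.

```python
import re
# Constructed sample configs (not from the page): the weak settings this section warns about, and a hardened version.
WEAK_CONFIG = """\
enable password cisco123
line vty 0 4
 access-class 10 in
line vty 5 15
 login
ip http server
"""
HARDENED_CONFIG = """\
enable secret 5 PLACEHOLDER_HASH
access-list 10 permit 10.1.1.0 0.0.0.255
line vty 0 15
 access-class 10 in
 login local
ip http server
ip http authentication local
"""

def vty_stanzas(lines):
    """Yield (first, last, [sub-commands]) for every 'line vty A B' stanza."""
    i = 0
    while i < len(lines):
        m = re.match(r"line vty (\d+) (\d+)$", lines[i])
        i += 1
        if not m:
            continue
        body = []
        while i < len(lines) and lines[i].startswith(" "):  # indented sub-commands belong to the stanza
            body.append(lines[i].strip())
            i += 1
        yield int(m.group(1)), int(m.group(2)), body

def audit_ios_config(config):
    """Return findings for the weaknesses this section describes (empty list = clean)."""
    lines = config.splitlines()
    findings = []
    if any(l.startswith("enable password ") for l in lines) and \
            not any(l.startswith("enable secret ") for l in lines):
        findings.append("enable password stored in clear text; use enable secret")
    classes = set()  # one entry per distinct set of inbound access-class restrictions
    for first, last, body in vty_stanzas(lines):
        acl = tuple(b for b in body if b.startswith("access-class ") and b.endswith(" in"))
        if not acl:
            findings.append(f"vty {first}-{last}: no inbound access-class")
        classes.add(acl)
    if len(classes) > 1:
        findings.append("vty lines do not carry identical access-class restrictions")
    if "ip http server" in lines and not any(l.startswith("ip http authentication ") for l in lines):
        findings.append("ip http server enabled with default enable-password authentication")
    return findings
```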