This article describes how to perform an initial, basic security configuration on a Cisco router using the command-line interface (CLI) of the Cisco IOS operating system.
1. Configuring device hostname
A Cisco router ships with the factory-assigned default hostname “Router”. However, you will want a distinct device hostname for your organization, and you can follow the steps below to specify or modify the hostname.
Enables privileged EXEC mode
Router> enable
Enters global configuration mode
Router# configure terminal
Specifies or modifies the hostname for the network server
Router(config)# hostname MY_ROUTER
The router prompt now displays the new hostname:
MY_ROUTER(config)#
2. Configuring the Enable and Enable Secret Passwords
In a production environment, it is always recommended to add an additional layer of security across the network infrastructure, particularly by setting passwords on network devices. The enable password and enable secret commands serve the same purpose: each lets you establish a password that an authorized administrative user must enter to gain access to privileged EXEC (enable) mode.
However, Cisco recommends using the enable secret command because it uses an improved encryption algorithm over the enable password command. The enable password command stores the password in clear text and is only useful when you boot an older version of the Cisco IOS software image or older boot ROMs that do not support the enable secret command.
MY_ROUTER> enable
MY_ROUTER# configure terminal
MY_ROUTER(config)# enable password Cisco => sets the enable password to “Cisco”, but it will be shown as clear text
MY_ROUTER(config)# enable secret Cisco123 => sets the enable (secret) password to “Cisco123” in encrypted form
Cisco also provides a command that encrypts all clear-text passwords stored on the device for additional security.
MY_ROUTER(config)# service password-encryption
3. Configuring Telnet Access Password Authentication
Telnet is not a secure method for connecting remotely to manage the router because the traffic in a Telnet session is not encrypted. But since it is widely used to connect to the router, you can add some security by setting a Telnet password.
MY_ROUTER> enable
MY_ROUTER# configure terminal
MY_ROUTER(config)# line vty 0 4
MY_ROUTER(config-line)# password Cisco123
MY_ROUTER(config-line)# login
4. Configuring Console Access Password Authentication
Console access is direct management access, used for initial device configuration and in situations where you cannot log in to your device remotely. To secure the console, set a password that is required for all console access.
MY_ROUTER> enable
MY_ROUTER# configure terminal
MY_ROUTER(config)# line console 0
MY_ROUTER(config-line)# password Cisco123
MY_ROUTER(config-line)# login
5. Configuring Cisco Banners
In a production environment, it is always best practice to place banners on your Cisco devices that contain warning and other legal information for anyone attempting unauthorized access to your devices.
The banner types on Cisco devices differ as follows:
• MOTD (Message of the day) banners are shown to everyone who connects to the router, prior to a login banner and before user authentication
MY_ROUTER(config)#banner motd #
Enter TEXT message. End with the character ‘#’.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
#
MY_ROUTER(config)#
• Login banners are shown before the authentication prompt, when someone attempts to establish an EXEC session
MY_ROUTER(config)#banner login ^
Enter TEXT message. End with the character ‘^’
##########################################
# This is a Login banner used to show #
# legal and privacy information. #
# #
# Unauthorized users prohibited #
##########################################
^
MY_ROUTER(config)#end
• EXEC banners are shown once an individual has started an EXEC session with the router
MY_ROUTER(config)#banner exec ^
Enter TEXT message. End with the character ‘^’
Session established to $(hostname) on line $(line)
^
MY_ROUTER(config)#