Monday, March 3, 2008

protect your Router

There are 5 separate Passwords you need to set to protect your Router.

1.Console - protects the Console Port
2.Auxiliary - protects the AUX Port (for your modem)
3.VTY (Virtual Terminal) - protects against unauthorized Telnet logons
4.Enable - guards the use of Enable Mode (super-user status).
5.Enable Secret - an encrypted form of the above (better!)

We've done the Console already, so let's run through the rest briefly.
Just for fun, I am including text-boxes for you to write the Commands in.

Set the Auxiliary Password
Password for external modem connections
Router# (Type in the command config t)
Note that "config t" is interpreted by the Cisco IOS the same as "configure terminal".
Most commands can be entered in abbreviated form,
and even better, you can press the "Tab" key to complete commands!
This gives you the following Prompt:
Router(config)# (Type in line aux 0)
which takes you down to the mode to configure "line auxiliary 0" (zero).
Now you can start using the sub-commands to configure the Aux port.
Router(config-line)# (Type in login)
Router(config-line)# (Type in password your-aux-password-here)
Router(config-line)# Ctrl-Z
Router#
And now your Router has a password protecting the AUX port.

Setting Passwords on the Virtual (VTY) Ports
VTY Ports are rather a special case, since they are not real ports.
In other words, you won't find a Port on the back of your Router labelled VTY.
They are what could be called "Virtual Ports" that wait patiently
for a Remote Connection, usually using Telnet, to log in.
If you don't set these, you won't be able to Telnet in to your Router.
This means every time your routers have a problem, you have to drive in to work.
Or to wherever the routers may be hidden (like Timbuktu?).
Configuring the VTY password is very similar to doing the Console and Aux ones.
The only difference is that there are 5 VTY virtual ports,
which are named 0, 1, 2, 3, and 4 .
You can use the shortcut 0 4 (a zero, a space, and 4) to set all 5 passwords at the same time.
Router# (type in config t)
Router(config)# (type in line vty 0 4)
Router(config-line)# (type in login)
Router(config-line)# (type in password VTY-Password-here)
This concludes setting your VTY Passwords!
(you can type in Ctrl-Z to go back to plain Enable Mode)
Router(config-line)# Ctrl-Z
Router#

Setting Your "Enable" Password
The Enable password is the old form of the password that guards
the Exec Command Interpreter's "Privileged Mode",
which, as we mentioned earlier, is usually called "Enable Mode"
since that is the word you type in to get to it.
Usually with newer equipment you'll be using the "Enable Secret",
which is a better password because it is stored in an encrypted form.
However, it is best to also set an Enable Password,
because if for some reason your Router has to boot up into an old version
of the Cisco IOS (say for problems that make it go into ROM mode, eh?)
then the "Enable Secret" won't work. But the old-fashioned "Enable" will!
By now this should be getting familiar to you,
but remember that "Repetition helps you Memorize!"
Once again start out with the Router in "Enable" (or "Privileged") mode.
From the Command Prompt issue the Global Command configure terminal:
Router# (type in config t)
Router(config)# (type in enable password your-enable-password)
That's all, it's done, even easier than before!
Notice that you are Not configuring a Line here, but the whole Router!
(that's why you didn't need to type in a "line..." command)
Again you can now do a Ctrl-Z to get back to your "Router#" prompt.
Setting Your "Enable Secret" Password
The "Enable Secret" password, as mentioned above, is an advanced form
of a "one-way cryptographic secret password".
In other words, once you put in the plain text password,
the Cisco IOS takes the text and encrypts it so that no one,
not even you, can ever read it again.
This is why it is good advice Not to forget your Enable Secret Password!
The Router doesn't like the Enable Secret to be the same as the Enable password:
Router(config)# enable secret CISCO
The enable secret you have chosen is the same as your enable password.
This is not recommended. Re-enter the enable secret.
So let us make the Enable Secret password CISCO2 instead.
The Enable Secret takes over from the regular Enable password.
This means if you set an Enable Secret Password, your Enable one will NOT work.
So Don't Forget Your Password!
(Reminder, your Password for everything in this tutorial is CISCO)
Again, this is a simple set of commands:
Router# (type in config t)
Router(config)# (type in enable secret your-enable-secret-password)
That's really all it takes. Don't forget it!
Again do a Ctrl-Z to exit.
This will put you back at the Global Enable Mode Prompt:
Router#

3 Types of Commands

Global, Major, and Sub-command!

The Global Command "configure" takes you down to Router(config) mode.
The Major Command "line select-interface" takes you to Router(config-line).
The Subcommands "login" and "password" let you configure your password.
But we are certainly not finished setting Passwords yet!
If Cisco Routers were simple easy-to-use devices,

Logging Onto Your Router

You have now gotten your Router turned on,
and you should have a good connection to your Terminal Program.
The very next step should be to Log On.
But since we have a brand-new Router and you've turned down the Setup Dialog,
there is no Password yet.
By Default, as it comes from the factory,
a Router does not require a password on the Console Port.
If you think this would be a terrible security flaw, you are correct!
You should definitely set up Passwords for your Router as your first step!
This initial "setting of password" can only be done from the Console Port.
Anyway, you should see a Prompt that says:
Router>
This is called User Exec Mode.
As a User you are allowed to log on, look at things, and do very little else.
You can not set up Passwords as a humble "User".
To set up Passwords for your Router you need to first enter what is called:
Privileged Exec Mode
(think of this as Master Magician Mode)
To enter Privileged Exec Mode type in the word enable at the prompt.
Router> enable
Router#
This changes the prompt from Router> (with an arrow)
to Router# (with a # or pound sign).
The # means that you have entered Privileged Exec Mode
Needless to say, nearly everyone just calls it "Enable Mode" for short.
You will very seldom hear anyone call it Privileged Exec Mode.
If you want to go back to being a plain User, just type disable
Now you are Enabled, a super-user with awesome mystical powers!
Please note that you did not need to enter a password
when logging in from the Console -
Nor did you need one when changing to Privileged Exec (Enable) Mode.
So you should Immediately set Passwords so that everyone else cannot
just as easily become an All-Powerful Deity. This would be Bad!
Just to keep this Tutorial simple, let's use "CISCO" for all the passwords.
But wait, in order to set passwords you must be in the right Mode!
In order to configure nearly anything on a Cisco Router
you must be in Configuration Mode.
To get from Enable Mode to Configuration Mode
try typing the word configure
Router# configure
You will then see on your terminal screen the question:
"Configuring from terminal, memory, or network [terminal]?"
If you press Return (or write in the magic word "terminal")
you will be able to configure from your terminal (aka computer).
(the other two choices are fun, but for now we'll use the terminal, ok?)
This will leave you at the unusual prompt:
Router(config)#
Which means that you are in the Router (Configure) mode.
Now and only now can you start the process of configuring Passwords.
Configure is a Global Command.
To go back to our car analogy, if Cisco passwords were Keys
you'd have to be in Car(config)# mode in order to use them.
Your very next step should be to set the Password for the Console Port.
Starting from within the Router(config) mode.
You need to put in the following series of commands to create one.
Router(config)# line console 0
Router(config-line)# login
Router(config-line)# password CISCO
Router(config-line)# Ctrl-Z
Please do not use CISCO as a password in real life. This is just a Demo!
Note that the Router prompt changes to Router(config-line)
when you put in the line console 0 command.
line is a major command that puts you into "sub-command" mode.
(this is where you yell "Down Periscope - Dive! Dive! Dive!)
Only in the Router(config-line)# mode can you configure individual "lines".
Also note that the Ctrl-Z (Control-Z, also written ^Z) ends your configuration session,
and brings you back up to the Router# prompt.
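As an added example (not part of this tutorial, and not a Cisco tool), here is a small Python script that reads a configuration as you would type it in and reports which of the five password points from the Passwords post above, and the Console step here, are missing, which lines have a password but no "login" (so the password is never asked for), and whether the Enable Secret repeats the Enable password, the clash the Router itself complains about. The sample config and the wording of the findings are constructed for this example.

```python
import re
# Constructed sample of a config as typed in (not from a real device): the console
# lacks "login", the VTY lines lack a password, and the secret repeats the password.
SAMPLE_CONFIG = """\
enable password CISCO
enable secret CISCO
line con 0
 password CISCO
line aux 0
 login
 password CISCO
line vty 0 4
 login
"""
LINE_RE = re.compile(r"^line (con|aux|vty) \d+(?: \d+)?$")
def parse_lines(config):
    # Map each line type (con/aux/vty) to its "login" flag and password.
    lines, current = {}, None
    for raw in config.splitlines():
        m = LINE_RE.match(raw)
        if m:
            current = lines.setdefault(m.group(1), {"login": False, "password": None})
        elif raw.startswith(" ") and current is not None:
            cmd = raw.split()
            if cmd[0] == "login":
                current["login"] = True
            elif cmd[0] == "password" and len(cmd) > 1:
                current["password"] = cmd[-1]
        else:
            current = None  # any other top-level command ends the line block
    return lines
def audit(config):
    # One finding per password point the tutorial says to protect.
    findings, lines = [], parse_lines(config)
    for kind, label in (("con", "Console"), ("aux", "Auxiliary"), ("vty", "VTY")):
        entry = lines.get(kind)
        if entry is None or entry["password"] is None:
            findings.append(f"{label}: no password set")
        elif not entry["login"]:
            findings.append(f"{label}: password set but 'login' missing, so it is never checked")
    enable_pw = re.search(r"^enable password (?:7 )?(\S+)$", config, re.M)
    # A saved config shows the secret hashed ("enable secret 5 ..."); compare only plain text.
    secret = re.search(r"^enable secret (\d+ )?(\S+)$", config, re.M)
    if not secret:
        findings.append("Enable Secret: not set")
    if not enable_pw:
        findings.append("Enable: not set (needed if the Router falls back to the old ROM IOS)")
    if enable_pw and secret and not secret.group(1) and enable_pw.group(1) == secret.group(2):
        findings.append("Enable Secret is the same as the Enable password (IOS warns against this)")
    return findings
```

Run audit(SAMPLE_CONFIG) to see the three findings for the sample; a config with all five points set and a different Enable Secret returns an empty list.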

What Happens As Your Router Boots Up

1.The "Power-On Self-Test" checks the Router Hardware.
This includes the CPU (Central Processor Unit), memory, and interfaces.

2.The "Bootstrap Program", which is stored in ROM, runs.

3.The "Bootfield" is read to find out the proper Operating System source.

4.The "Operating System Image" is loaded into RAM. (Random Access Memory)

5.The "Configuration File" saved in NVRAM is loaded into the RAM.
The Configuration File is then executed one line at a time.

6.If no "Configuration File" is found in NVRAM,
the Cisco IOS will offer you the chance to use the "Initial Configuration Dialog".
This is a set of Questions for you to answer to do a basic configuration.
Since in our theoretical New Router there is no NVRAM configuration,
this "Setup Dialog" will be one of the first things we see.
You should also start to see the following on your VT100 Terminal Program:

Important Router Parts

1.ROM - Read Only Memory.
This is a form of permanent memory used by the Router to store:
The "Power-On Self Test" that checks the Router on boot up.
The "Bootstrap Startup Program" that gets the Router going.
A very basic form of the Cisco IOS software.
(to change the ROM you have to remove and replace chips)

2.Flash Memory
An Electronically Erasable and Re-Programmable memory chip.
The "Flash" contains the full Operating System, or "Image".
This allows you to Upgrade the OS without removing chips.

3.NVRAM - Non-Volatile RAM
This stores your Router's "Startup Configuration File".
Similar to Flash memory, this retains data even when power is lost.

4.RAM - Random Access Memory
These are regular computer memory chips.
These are the working memory of the Router,
and provide Caching, Packet Buffering, and hold Routing Tables.
The RAM is also where the Running Operating System
lives when the Router is on.
RAM loses all its data when reset or powered off.

5.Interfaces - Where the Router meets the Outside World.
Basically your Router will have Serial interfaces,
which are mostly used to connect long-distance as in a WAN (Wide-Area Network).
You will also have LAN (Local-Area Network) Interfaces,
such as Ethernet, Token Ring, and FDDI (Fiber Distributed Data Interface).