UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
Privileges
Cisco IOS provides 16 privilege levels, numbered 0 to 15. Only two are used in a
default configuration: user EXEC mode runs at privilege level 1 and privileged
EXEC mode (enable mode) runs at level 15. Every IOS command is pre-assigned a
level; apart from a handful of level 0 commands (disable, enable, exit, help and
logout), each command sits at either level 1 or level 15. If the router is
configured with aaa new-model, AAA can be used for per-user command
authorization instead (see Section 4.6 for more details).
By default, level 1 includes a few commands that make more sense at a higher
privilege level: connect, telnet and rlogin let an unprivileged user open
outbound sessions from the router, and the show commands listed below expose the
access-list policy and the contents of the log buffer. The next example moves
these commands to privileged mode (level 15), which in most configurations is the
better protected of the two levels.
Central(config)# privilege exec level 15 connect
Central(config)# privilege exec level 15 telnet
Central(config)# privilege exec level 15 rlogin
Central(config)# privilege exec level 15 show ip access-lists
Central(config)# privilege exec level 15 show access-lists
Central(config)# privilege exec level 15 show logging
Central(config)# privilege exec level 1 show ip
The last line is required because raising show ip access-lists to level 15 also
raises its parent commands, show ip and show, to level 15; moving show ip back
to level 1 restores the remaining show commands for level 1 users while show ip
access-lists itself stays at level 15. After making these changes, confirm them
from a level 1 session: show ip route should still work, while show logging and
telnet should be refused.
One possible scenario would be a site that wants more than two levels of
administration on its routers. This can be done by assigning a password to an
intermediate level, such as 5 or 10, and then assigning the extra commands to
that privilege level. Doing so is beyond the scope of this document, but if it
is attempted there are a few things to be very careful about. First, do not use
the username command to set up accounts above level 1; use the enable secret
command to set a level password instead (see the next sub-section). Second, be
very careful about moving too much access down from level 15, since every
command moved down is a potential security hole. Third, be very careful about
moving any part of the configure command down: once a user has write access to
the configuration they can leverage it to acquire greater access, for instance
by lowering the privilege level of further commands or changing passwords.
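The three warnings above can be checked mechanically against a saved running-config. The following script is an added example for this edition, not part of the original guide or of any Cisco tool. It parses privilege, username and enable secret level lines from a constructed sample configuration (the Type 5 hash values in it are placeholders, not real hashes) and reports: configure or configure-mode commands reachable below level 15, intermediate levels that are used without an enable secret level password, and username accounts given a privilege level above 1. The severity labels and message wording are the example's own choices.

```python
"""Audit an IOS configuration for privilege-level mistakes.

Added example; not code from the original guide. The sample config is
constructed and its hashes are placeholders.
"""
import re
from typing import List, Set, Tuple

# Constructed sample running-config. It deliberately contains one instance of
# each mistake the text warns about: 'configure' moved below 15, a configure-mode
# command exposed at an intermediate level, a level (10) used without an
# 'enable secret level 10', and a username given privilege 10.
SAMPLE_CONFIG = """\
hostname Central
enable secret level 5 5 $1$placeholder$constructed-hash-not-real-XXXXXX
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 show ip access-lists
privilege exec level 1 show ip
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege exec level 10 show logging
username ops privilege 10 password 7 094F471A1A0A
username auditor privilege 1 secret 5 $1$placeholder$constructed-hash-not-real-YYYYYY
"""

PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+?)\s*$")
USER_RE = re.compile(r"^username\s+(\S+)\s+.*?\bprivilege\s+(\d+)\b")
ENABLE_LEVEL_RE = re.compile(r"^enable\s+secret\s+level\s+(\d+)\b")

Finding = Tuple[str, int, str]  # (severity, config line number, message)


def audit_privileges(config: str) -> List[Finding]:
    """Return findings for privilege-level mistakes in an IOS config text."""
    findings: List[Finding] = []
    secret_levels: Set[int] = set()          # levels that have an enable secret
    priv_lines: List[Tuple[int, str, int, str]] = []

    # Pass 1: collect level passwords and privilege lines, flag usernames.
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = ENABLE_LEVEL_RE.match(line)
        if m:
            secret_levels.add(int(m.group(1)))
            continue
        m = PRIV_RE.match(line)
        if m:
            priv_lines.append((n, m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = USER_RE.match(line)
        if m and int(m.group(2)) > 1:
            findings.append(("HIGH", n,
                             f"username {m.group(1)} is privilege {m.group(2)}; "
                             f"set 'enable secret level {m.group(2)}' instead"))

    # Pass 2: anything placed below level 15 deserves a look.
    for n, mode, level, cmd in priv_lines:
        if level >= 15:
            continue
        if mode == "exec" and cmd.split()[0] == "configure":
            findings.append(("HIGH", n,
                             f"'configure' reachable at level {level}: write access"))
        elif mode != "exec":
            findings.append(("HIGH", n,
                             f"{mode}-mode command '{cmd}' at level {level}: "
                             "configuration write access below 15"))
        else:
            findings.append(("INFO", n,
                             f"exec command '{cmd}' lowered to level {level}; "
                             "confirm this is intended"))
        if 1 < level < 15 and level not in secret_levels:
            findings.append(("MEDIUM", n,
                             f"level {level} is used but has no "
                             f"'enable secret level {level}' password"))
    return findings


if __name__ == "__main__":
    for sev, n, msg in audit_privileges(SAMPLE_CONFIG):
        print(f"{sev:6} line {n}: {msg}")
```

Run it against the output of show running-config saved to a file; a clean configuration (only level 15 placements, level passwords present, usernames at privilege 1) produces no findings.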
Passwords
There are two password protection schemes in Cisco IOS. Type 7 uses a Cisco-
defined reversible encoding (the output of service password-encryption) which is
well known to the security community to be weak: it is a fixed-key XOR, and
anyone who can read the configuration can recover the plaintext immediately with
freely available tools. Type 5 uses a salted MD5 hash, which is one-way and much
stronger. Cisco recommends that Type 5 be used instead of Type 7 wherever
possible (see Configuring Passwords and Privileges in the Cisco IOS Security
Configuration Guide).
Type 7 is what service password-encryption applies to passwords set with the
enable password, username ... password, and line password commands; without
that service they are stored in clear text, and with it they are merely
obscured. Treat any configuration file containing Type 7 strings as if it
contained the plaintext passwords.
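To make the weakness concrete, the following script is an added example for this edition (not code from the guide or from Cisco). It implements the Type 7 reversal: the two leading digits are an offset into a fixed 40-character key that is the same in every IOS image, and each following pair of hex digits is one plaintext byte XORed with the key byte at that offset. It also scans a constructed sample configuration for password 7 and key-string 7 lines and reports the recovered values, which is exactly what an attacker with a copy of the config would do. The sample passwords are deliberately trivial.

```python
"""Type 7 password recovery and config scanning.

Added example; not code from the original guide. The key below is the
publicly known constant used by IOS; the sample config is constructed.
"""
import re
from typing import List, Tuple

# Fixed XOR key built into every IOS image. Because it is public, Type 7 is
# obfuscation, not encryption.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a Type 7 string: two decimal digits (key offset) followed by one
    hex byte per plaintext character, each XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a Type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(data))
    return clear.decode("ascii")


def type7_encode(plaintext: str, seed: int = 0) -> str:
    """Forward direction, to show the scheme is a symmetric XOR with a known
    key. IOS itself picks an offset between 0 and 15."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses offsets 0-15")
    body = "".join(f"{b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]:02X}"
                   for i, b in enumerate(plaintext.encode("ascii")))
    return f"{seed:02d}{body}"


# Matches 'enable password 7 ...', 'username X password 7 ...',
# ' password 7 ...' under a line, and 'key-string 7 ...' for routing auth keys.
_TYPE7_LINE = re.compile(
    r"^.*\b(?:password|key-string)\s+7\s+(?P<enc>[0-9A-Fa-f]{4,})\s*$")

# Constructed sample config: every Type 7 string here was produced with the
# encoder above ("cisco" at offset 9, "router" at offset 0).
SAMPLE_CONFIG = """\
hostname Central
enable password 7 094F471A1A0A
username ops password 7 094F471A1A0A
line vty 0 4
 password 7 00161C13105E19
 login
"""


def recover_type7_passwords(config: str) -> List[Tuple[int, str, str]]:
    """Return (line number, config line, recovered plaintext) for every Type 7
    string in the config text. Undecodable strings are reported as such
    instead of aborting the scan."""
    hits: List[Tuple[int, str, str]] = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = _TYPE7_LINE.match(line)
        if not m:
            continue
        try:
            clear = type7_decode(m.group("enc"))
        except (ValueError, UnicodeDecodeError):
            clear = "<undecodable>"
        hits.append((n, line, clear))
    return hits


if __name__ == "__main__":
    for n, line, clear in recover_type7_passwords(SAMPLE_CONFIG):
        print(f"line {n}: {line!r} -> {clear!r}")
```

Running the scan over a real configuration file is a quick way to find every credential that would be exposed by a leaked backup or a misconfigured TFTP server; each hit is a password to change and, where the command allows it, to move to a Type 5 secret.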