UNCLASSIFIED Implementing Security on Cisco Routers Version 1.0g UNCLASSIFIED 51

Privileges

Cisco IOS provides for 16 different privilege levels, ranging from 0 to 15. Cisco IOS comes with two predefined user levels: user EXEC mode runs at privilege level 1, and "enabled" mode (privileged EXEC mode) runs at level 15. Every IOS command is pre-assigned to either level 1 or level 15. If the router is configured with aaa new-model, then AAA can be used for user authorization (see Section 4.6 for more details).

By default, Cisco provides EXEC (level 1) with a few commands which may make more sense at a higher privilege level. The next example shows how to move these commands to privileged mode, which in most configurations should be better protected.

    Central(config)# privilege exec level 15 connect
    Central(config)# privilege exec level 15 telnet
    Central(config)# privilege exec level 15 rlogin
    Central(config)# privilege exec level 15 show ip access-lists
    Central(config)# privilege exec level 15 show access-lists
    Central(config)# privilege exec level 15 show logging
    Central(config)# privilege exec level 1 show ip

The last line is required to move the show command back down to level 1.

One possible scenario would be a site that wants to set up more than the two levels of administration on its routers. This could be done by assigning a password to an intermediate level, such as 5 or 10, and then assigning the extra commands to that privilege level. This is beyond the scope of this document, but if an attempt is made to do something like this, there are a few things to be very careful about. First, do not use the username command to set up accounts above level 1; use the enable secret command to set a level password instead (see the next sub-section). Second, be very careful about moving too much access down from level 15; this could cause unexpected security holes in the system. Third, be very careful about moving any part of the configure command down: once a user has write access, they could leverage it to acquire greater access.

Passwords

There are two password protection schemes in Cisco IOS. Type 7 uses the Cisco-defined encryption algorithm, which is known to the commercial security community to be weak. Type 5 uses an MD5 hash, which is much stronger. Cisco recommends that Type 5 encryption be used instead of Type 7 where possible (see Configuring Passwords and Privileges in the Cisco IOS Security Configuration Guide). Type 7 encryption is used by the enable password, username, and line password commands.
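As an added example (not from the guide), a small Python checker that reads an IOS configuration and flags the conditions the Privileges and Passwords sections above warn about: the configure command moved below level 15, username accounts above level 1, a show sub-command raised without the level 1 restore line, and enable password or Type 7 entries that should be Type 5. The sample configuration and its password strings are constructed; the patterns assume the privilege exec level, username, and password 7 syntax shown on this page.

```python
import re

# Constructed sample config (values made up): the document's recommended
# "privilege exec" lines plus one line that trips each caution in the text.
SAMPLE_CONFIG = """\
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 show ip access-lists
privilege exec level 1 show ip
privilege exec level 5 configure terminal
username ops privilege 10 password 7 0822455D0A16
enable password 7 094F471A1A0A
enable secret 5 $1$xxxx$placeholderhash
line vty 0 4
 password 7 13061E010803
"""

PRIV = re.compile(r"^privilege\s+exec\s+level\s+(\d+)\s+(.+)$")
USER = re.compile(r"^username\s+\S+\s+privilege\s+(\d+)\b")
TYPE7 = re.compile(r"\bpassword\s+7\s+\S+")


def audit_ios_config(text):
    """Return (line_no, message) pairs for the cautions described above."""
    findings = []
    show_raised = show_restored = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = PRIV.match(line)
        if m:
            level, cmd = int(m.group(1)), m.group(2)
            # Third caution: any part of "configure" below level 15 is write access.
            if cmd.startswith("configure") and level < 15:
                findings.append((n, "configure moved below level 15"))
            # Raising "show <x> ..." also raises "show"; expect the level 1 restore line.
            if cmd.startswith("show ") and level > 1:
                show_raised = True
            if cmd.startswith("show") and level == 1:
                show_restored = True
        m = USER.match(line)
        # First caution: do not create username accounts above level 1.
        if m and int(m.group(1)) > 1:
            findings.append((n, "username account above level 1; use enable secret level"))
        # Passwords section: Type 7 is reversible; prefer Type 5 (enable secret).
        if line.startswith("enable password") or TYPE7.search(line):
            findings.append((n, "Type 7 / plaintext password; use enable secret (Type 5)"))
    if show_raised and not show_restored:
        findings.append((0, "show sub-command raised but 'show' not restored to level 1"))
    return findings
```

Run audit_ios_config(SAMPLE_CONFIG) to list the five findings in the constructed sample; a clean configuration returns an empty list.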