Router Security Configuration Guide, Version 1.0g, UNCLASSIFIED

problems. Also, maintain the configuration offline by writing it offline (see above). Only save off the running configuration for an emergency, because the saved copy will not include default values, and on an IOS upgrade there will be unexpected configuration problems.

When managing configuration files offline there are several security issues. First, the system where the configuration files are stored should use the local operating system's security mechanisms for restricting access to the files. Only authorized router administrators should be given access to the files. Second, if you set passwords in an offline configuration file, then they will be stored in the clear and transferred in the clear. Instead, it is best to type the passwords while on-line (using the console) and then copy the encrypted strings to the offline configuration. This is especially true for the enable secret password. Third, with the configuration files offline, the files must be transferred to the router by a relatively secure method.

The possible methods for transferring files to a router have increased with newer IOS releases. The primary mechanisms available are the console terminal, telnet, tftp, rcp, and ftp (available for IOS 12.0 and newer).

The example below shows how an encrypted enable secret setting would appear in an off-line configuration file. You can obtain the encrypted string by setting the password manually on the router console, then displaying the running configuration, and then copying and pasting the encrypted string into your offline configuration file.

    ! set the enable secret password using MD5 encryption
    enable secret 5 $1$fIFcs$D.lgcsUnsgtLaWgskteq.8

Local and Remote Administration

Section 4.1.3 recommends performing local administration. In this case, using the terminal is the best choice for loading a new configuration. The configuration files would be stored on the computer attached to the console, and the local machine's copy/paste buffer can be used for transferring the configuration to the router. Only a few lines should be copied at a time so that it can be determined that the entire configuration file is transferred successfully. [Note: the default Windows NT 4.0 serial communication program, HyperTerminal, performs copy/paste very slowly. On Windows NT and 2000, use a better communication program, such as TeraTerm Pro, if you have one available. On Linux, the minicom program is suitable for Cisco local console access. On Solaris, the tip command can be used.]

If remote administration is being allowed and the router is running an IOS older than version 12.0, then using the console connection or a telnet connection is the best choice for administration. The file would again be transferred using the host system's copy/paste buffer to move the information from a file editor to the terminal emulation.

If remote administration is allowed and the IOS is newer than version 12.0 then the FTP protocol may be used to transfer the configuration files to and from the router.
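
The first two offline-storage issues above can be checked mechanically before a file is stored or transferred. The following is an added example, not part of the guide: a Python sketch that scans an offline IOS configuration for password statements held in the clear and reports whether the file is accessible to group or other users. The sample configuration, the set of statements the pattern covers, and the function names are assumptions made for this example.

```python
import os
import re
import stat
import sys

# Constructed sample of an offline IOS configuration file. The type 5 string is
# the one shown in the guide; every other value is made up for this example.
SAMPLE_CONFIG = """\
hostname East
! set the enable secret password using MD5 encryption
enable secret 5 $1$fIFcs$D.lgcsUnsgtLaWgskteq.8
enable password Example-Pw-1
username admin password 0 Example-Pw-2
line vty 0 4
 password Example-Pw-3
 login
"""

# enable/username/line password statements: optional type digit, then the string.
SECRET_RE = re.compile(
    r"^\s*(?:enable\s+(?:secret|password)(?:\s+level\s+\d+)?"
    r"|username\s+\S+\s+(?:secret|password)"
    r"|password)\s+(?:(\d)\s+)?(\S+)\s*$")

def cleartext_lines(config_text):
    """Return (line_number, line) for statements holding a password in the clear."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = SECRET_RE.match(line)
        # No type digit, or type 0, means the string is the password itself.
        if match and match.group(1) in (None, "0"):
            hits.append((number, line.strip()))
    return hits

def readable_by_others(path):
    """True if group or other has any access to the file (POSIX mode bits)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONFIG
    for number, line in cleartext_lines(text):
        print(f"line {number}: cleartext password: {line}")
    if path and readable_by_others(path):
        print(f"{path}: accessible to users other than the owner")
```

Run it with the path of an offline configuration file as its only argument; with no argument it scans the constructed sample.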