Router Security Configuration Guide
Version 1.0g
problems. Also, maintain the configuration offline by writing it offline (see above).
Save the running configuration only in an emergency, because the saved copy will
not include default values, and after an IOS upgrade this will lead to unexpected
configuration problems.
When managing configuration files offline there are several security issues. First, the
system where the configuration files are stored should use the local operating
system's security mechanisms to restrict access to the files. Only authorized
router administrators should be given access to the files. Second, if you set
passwords in an offline configuration file, then they will be stored in the clear and
transferred in the clear. Instead, it is best to type the passwords while on-line (using
the console) and then copy the encrypted strings into the offline configuration. This is
especially true for the enable secret password. Third, with the configuration
files offline, the files must be transferred to the router using a relatively secure method.
The possible methods for transferring files to a router have increased with newer IOS
releases. The primary mechanisms available are the console terminal, telnet, tftp,
rcp, and ftp (available for IOS 12.0 and newer).
The example below shows how an encrypted enable secret setting would appear
in an offline configuration file. You can obtain the encrypted string by setting the
password manually on the router console, displaying the running configuration,
and then copying and pasting the encrypted string into your offline configuration file.
! set the enable secret password using MD5 encryption
enable secret 5 $1$fIFcs$D.lgcsUnsgtLaWgskteq.8
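As an added example (not part of the guide), the following Python check audits an offline IOS configuration before it is stored or transferred: it accepts an enable secret only in the type-5 MD5-crypt form shown above, and flags enable/username/line passwords that are kept in the clear or in the reversible type-7 encoding. The sample configuration inside the script is constructed for the example; only its enable secret line is taken from the guide.

```python
import re

# Offline IOS configuration, constructed for this example. Only the
# "enable secret 5" line follows the guide's advice; the other credential
# lines would sit in the clear (or reversibly encoded) in the offline file.
SAMPLE_CONFIG = """\
! set the enable secret password using MD5 encryption
enable secret 5 $1$fIFcs$D.lgcsUnsgtLaWgskteq.8
enable password not-a-real-password
username admin password 0 not-a-real-password
username ops password 7 094F471A1A0A
line con 0
 password console-example
"""

# A type-5 enable secret is an MD5-crypt string: $1$<salt>$<22-char hash>
TYPE5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

# Credential-bearing statements, with an optional leading type digit
CRED_RE = re.compile(
    r"^(?:enable secret|enable password|username \S+ (?:password|secret)|password)"
    r"(?: (?P<type>\d))? (?P<value>\S+)$"
)

def audit_line(line):
    """Classify one config line as 'ok', 'clear', 'reversible',
    'unrecognized', or None when it carries no credential."""
    stripped = line.strip()
    if not stripped or stripped.startswith("!"):
        return None
    m = CRED_RE.match(stripped)
    if not m:
        return None
    ptype, value = m.group("type"), m.group("value")
    if ptype == "5":
        # type 5 must be a well-formed one-way MD5-crypt hash
        return "ok" if TYPE5_RE.match(value) else "unrecognized"
    if ptype == "7":
        return "reversible"    # type 7 is an obfuscation, not a hash
    return "clear"             # no type marker or type 0: cleartext

def audit_config(text):
    """Return [(line_number, verdict, line)] for every line needing attention."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        verdict = audit_line(line)
        if verdict and verdict != "ok":
            findings.append((n, verdict, line.strip()))
    return findings

if __name__ == "__main__":
    for n, verdict, line in audit_config(SAMPLE_CONFIG):
        print(f"line {n}: {verdict}: {line}")
```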
Local and Remote Administration
Section 4.1.3 recommends performing local administration. In this case, using the
terminal is the best choice for loading a new configuration. The configuration files
would be stored on the computer attached to the console, and the local machine's
copy/paste buffer can be used to transfer the configuration to the router. Only a
few lines should be copied at a time, so that you can verify that the entire
configuration file has been transferred successfully. [Note: the default Windows NT 4.0
serial communication program, Hyperterminal, performs copy/paste very slowly. On
Windows NT and 2000, use a better communication program, such as TeraTerm Pro,
if you have one available. On Linux, the minicom program is suitable for Cisco local
console access. On Solaris, the tip command can be used.]
If remote administration is allowed and the router is running an IOS older than
version 12.0, then using the console connection or a telnet connection is the best
choice for administration. The file would again be transferred using the host system's
copy/paste buffer to move the information from a file editor to the terminal
emulator.
If remote administration is allowed and the IOS is newer than version 12.0, then the
FTP protocol may be used to transfer the configuration files to and from the router.