Archive for the 'Cisco Network Security' Category
The use of password protection in any Cisco device is of paramount importance since passwords provide the first level of defence against unauthorised access to our Cisco networks. Especially on terminal lines (either console line or VTY lines), the use of passwords is a fundamental element of security.
The following techniques enable you to control who is allowed access to the router and what IOS privilege levels they are granted once they gain access:
- password (line configuration): To specify a password on a line, use the password command in line configuration mode. A line is a console port (CTY), auxiliary port (AUX), virtual terminal (VTY), or asynchronous (TTY) line.
After specifying a password on a line using the password command, you must activate password checking at login using the login command in line configuration mode. The example below illustrates how to enable password security on each of the available lines. The password and login commands are widely available within IOS.
Router(config)# line con 0
Router(config-line)# password s3cr3t
Router(config-line)# login
Router(config-line)# line 1 8
Router(config-line)# password s3cr3t
Router(config-line)# login
Router(config-line)# line aux 0
Router(config-line)# password s3cr3t
Router(config-line)# login
Router(config-line)# line vty 0 4
Router(config-line)# password s3cr3t
Router(config-line)# login
- username password: The password command described above specifies a password for a specific line. Using the configuration in the example above, any user that attempts to connect to a line must enter the configured line password to be granted user EXEC mode access. To establish local username-based password authentication, use the username command in global configuration mode. After specifying a username password, you must activate username-based password checking for the lines using the login local command in line configuration mode. The username command is widely available within IOS.
- enable secret: To specify an additional layer of security, use the enable secret command in global configuration mode. The enable secret command provides better security by storing the configured enable secret password using a nonreversible cryptographic hash function, compared to the enable password command, which stores the configured password in clear text or in an easily reversible encrypted format. Storing the password as a cryptographic hash helps to minimize the risk of password sniffing if the router configuration file is transferred across the network, such as to and from a TFTP server. It is also useful if an unauthorized user obtains a copy of your configuration file. Note that if neither the enable password command nor the enable secret command is configured, and if there is a line password configured for the console port, the console line password will serve as the enable password for all VTY lines, which includes Telnet, rlogin, and SSH connections. The enable secret command is widely available within IOS. Username passwords may also be stored in the router configuration file in cryptographic hash format, similar to the enable secret. The associated command is username secret.
- service password-encryption: To encrypt local router passwords, use the service password-encryption command in global configuration mode. This command applies to line passwords, username passwords, enable passwords, and authentication key passwords, including routing authentication passwords and key strings. By default, IOS does not encrypt passwords. Encrypting passwords in this way helps to minimize the risk of password sniffing if the router configuration file is transferred across the network, such as to or from a TFTP server. It is also useful if an unauthorized user obtains a copy of your configuration file. This command is widely available within IOS.
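Putting the four techniques together, the following configuration is an added example and not part of the original page: it replaces the line passwords from the earlier example with per-user local authentication, stores the enable secret as a hash, and obfuscates any plaintext passwords that remain in the file. The username "netops", the secret values and the line ranges are placeholders chosen here.

```cisco
! Added example, not from the original page. "netops" and the secrets are
! placeholders. Line ranges mirror the earlier line-password example.
Router(config)# service password-encryption
Router(config)# enable secret Str0ng-En4ble-S3cret
Router(config)# username netops secret Str0ng-Us3r-S3cret
Router(config)# line con 0
Router(config-line)# login local
Router(config-line)# line 1 8
Router(config-line)# login local
Router(config-line)# line aux 0
Router(config-line)# login local
Router(config-line)# line vty 0 4
Router(config-line)# login local
```

Once login local is set, the line-level password command is no longer consulted on those lines; each operator authenticates with an individual username, so a single account can be removed without rotating a shared line password. Note that service password-encryption only obfuscates passwords with the reversible type 7 encoding the text mentions; in this set, enable secret and username secret are the only entries stored as a nonreversible hash.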
There are usually 5 VTY lines on Cisco routers (VTY 0 to 4). An attacker can perform a Denial of Service attack by opening several simultaneous Telnet or SSH connections to the router, thus occupying all available lines and preventing legitimate administrators from managing the device.
To protect from this kind of attack, we can configure and apply an ACL on lines 0 to 3 allowing the general Network Management address range, and then configure a more restrictive ACL for the last VTY line 4, which allows only a specific management station to connect.
Configuration Example:
! Allow access from the general Network Management range (assume management network is 10.10.10.0/24)
Router(config)# access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq ssh
! Allow access from a single management station
Router(config)# access-list 101 permit tcp host 10.10.10.10 any eq ssh
Router(config)# line vty 0 3
Router(config-line)# access-class 100 in
Router(config-line)# line vty 4
Router(config-line)# access-class 101 in
There are several mechanisms that can be used to protect a Cisco IP network from Denial of Service attacks. Especially for Service Provider networks, DoS attacks are the biggest threat network administrators face today. Worms, flooding attacks, Distributed Denial of Service by botnets, etc. are some forms of DoS attacks that can hit a Service Provider IP network. The two most effective security features on Cisco routers to mitigate DoS attacks are the following:
Receive Access Control Lists (rACL)
The Receive ACL feature is applicable on the GSR model routers. It is used to increase security on Cisco 12000 by protecting the router’s gigabit route processor (GRP) from unnecessary and potentially malicious traffic. The rACL feature can be used in combination with Control Plane Policing and Routing Protection to implement a successful defence-in-depth strategy for Control Plane Protection in the Core. This feature is supported in IOS version 12.0(24)S (and newer) of the GSR platform.
The traffic inspected by the rACL is the traffic passing through the GSR Line Cards (LC) towards the LC CPU (ICMP and Logging) and also traffic passing through the LC towards the route processor (GRP) (Routing Protocols, SSH, Telnet, SNMP, NTP). Because the GRP has limited capacity to handle excessive traffic coming from the Line Cards, there is a danger of a Denial-of-Service attack on the GRP. Receive ACLs explicitly permit or deny traffic destined to the GRP, while transit traffic in the Forwarding (Data) Plane is not affected. Traffic is filtered on the ingress LC prior to RP processing. Deploying rACLs has helped defend against the threats described in several security advisories across the network infrastructure of US Service Providers.
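The following receive ACL is an added example, not configuration from the original page. It permits only the control-plane protocols the paragraph lists (BGP, SSH, SNMP, NTP, ICMP) from expected sources and drops everything else destined to the router. The addresses are placeholders: 192.0.2.1 stands for a BGP peer, 192.0.2.2 for the router's own loopback, 10.10.10.0/24 for the management network and 10.10.10.20 for the NTP server; the ACL number 110 is arbitrary.

```cisco
! Added example, not from the original page. Addresses and ACL number are
! placeholders. Only traffic whose destination is the router itself is
! matched; transit traffic is not affected.
access-list 110 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
access-list 110 permit tcp 10.10.10.0 0.0.0.255 any eq ssh
access-list 110 permit udp 10.10.10.0 0.0.0.255 any eq snmp
access-list 110 permit udp host 10.10.10.20 any eq ntp
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 deny ip any any
!
ip receive access-list 110
```

In practice the ACL is first deployed with a permissive final entry so that the counters in show access-list reveal any legitimate protocol the rule set missed; the explicit deny is added once those counters are understood. Because the rACL also governs routing-protocol traffic, a missing peer entry shows up as a dropped adjacency rather than a lockout, so the peer list must be kept in step with the routing configuration.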
Control Plane Policing (CoPP)
The Control Plane Policing mechanism is complementary to the rACL feature. The latter controls which protocols and traffic are allowed to flow towards the route processor, while the CoPP feature controls how much traffic is allowed to flow. This feature is applicable on both the GSR 12000 and 7600 routers.
The Control Plane Policing feature treats the CP as a separate entity with its own ingress (input) and egress (output) ports, much like the ports on a router or switch. Because the Control Plane Policing feature treats the CP as a separate entity, a set of rules can be established and associated with the ingress and egress ports of the CP. These rules are applied only after the packet has been determined to have the CP as its destination, or when a packet exits from the CP. Thereafter, you can configure a service policy to prevent unwanted packets from progressing after a specified rate limit has been reached; for example, a system administrator can limit all TCP/SYN packets that are destined for the CP to a maximum rate of 1 megabit per second.
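The policy described in that example, written out as an added configuration that is not from the original page: a class matching TCP SYN packets is policed to 1 Mbps on the control-plane input, with conforming packets forwarded to the route processor and excess dropped. The ACL number 120, the class and policy names, and the 8000-byte burst are placeholders chosen here.

```cisco
! Added example, not from the original page. ACL number, names and the
! burst size are placeholders. Rate is in bits per second (1 Mbps).
access-list 120 permit tcp any any syn
!
class-map match-all COPP-TCP-SYN
 match access-group 120
!
policy-map COPP-POLICY
 class COPP-TCP-SYN
  police 1000000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
```

The conform and exceed counters are visible with show policy-map control-plane, which is the first place to look when a legitimate session setup storm (for example after a link flap) is being dropped. A production CoPP policy carries several classes (routing protocols, management, monitoring, and a default class) with a rate appropriate to each, rather than the single class shown here.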