Routing

Published on January 2017

http://msdn.microsoft.com/en-us/library/ff648651.aspx

Chapter 15

Securing Your Network

Router Considerations
The router is the very first line of defense. It provides packet routing, and it can also be configured to block or filter the forwarding of packet types that are known to be vulnerable or used maliciously, such as ICMP or Simple Network Management Protocol (SNMP). If you don't have control of the router, there is little you can do to protect your network beyond asking your ISP what defense mechanisms they have in place on their routers. The configuration categories for the router are:

- Patches and updates
- Protocols
- Administrative access
- Services
- Auditing and logging
- Intrusion detection

Patches and Updates
Subscribe to alert services provided by the manufacturer of your networking hardware so that you can stay current with both security issues and service patches. As vulnerabilities are found (and they inevitably will be found), good vendors make patches available quickly and announce these updates through e-mail or on their Web sites. Always test the updates before implementing them in a production environment.

Protocols
Denial of service attacks often take advantage of protocol-level vulnerabilities, for example, by flooding the network. To counter this type of attack, you should:

- Use ingress and egress filtering.
- Screen ICMP traffic from the internal network.

Use Ingress and Egress Filtering
Spoofed packets are representative of probes, attacks, and a knowledgeable attacker. Incoming packets with an internal address can indicate an intrusion attempt or probe and should be denied entry to the perimeter network. Likewise, set up your router to route outgoing packets only if they have a valid internal IP address. Verifying outgoing packets does not protect you from a denial of service attack, but it does keep such attacks from originating from your network.

This type of filtering also enables the originator to be easily traced to its true source, since the attacker would have to use a valid and legitimately reachable source address. For more information, see "Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing" at http://www.rfc-editor.org/rfc/rfc2267.txt.

Screen ICMP Traffic from the Internal Network
ICMP is a stateless protocol that sits on top of IP and allows host availability information to be verified from one host to another. Commonly used ICMP messages are shown in Table 15.1.

Table 15.1 Commonly Used ICMP Messages

Message                   Description
Echo request              Determines whether an IP node (a host or a router) is available on the network
Echo reply                Replies to an ICMP echo request
Destination unreachable   Informs the host that a datagram cannot be delivered
Source quench             Informs the host to lower the rate at which it sends datagrams because of congestion
Redirect                  Informs the host of a preferred route
Time exceeded             Indicates that the time to live (TTL) of an IP datagram has expired

Blocking ICMP traffic at the outer perimeter router protects you from attacks such as cascading ping floods. Other ICMP vulnerabilities exist that justify blocking this protocol. While ICMP can be used for troubleshooting, it can also be used for network discovery and mapping. Therefore, control the use of ICMP. If you must enable it, use it in echo-reply mode only.

Prevent TTL Expired Messages with Values of 1 or 0
Trace routing uses TTL values of 1 and 0 to count routing hops between a client and a server. Trace routing is a means to collect network topology information. By blocking packets of this type, you prevent an attacker from learning details about your network from trace routes.

Do Not Receive or Forward Directed Broadcast Traffic
Directed broadcast traffic can be used to enumerate hosts on a network and as a vehicle for a denial of service attack. For example, by blocking specific source addresses, you prevent malicious echo requests from causing cascading ping floods. Source addresses that should be filtered are shown in Table 15.2.

Table 15.2 Source Addresses That Should Be Filtered

Source address        Description
0.0.0.0/8             Historical broadcast
10.0.0.0/8            RFC 1918 private network
127.0.0.0/8           Loopback
169.254.0.0/16        Link local networks
172.16.0.0/12         RFC 1918 private network
192.0.2.0/24          TEST-NET
192.168.0.0/16        RFC 1918 private network
224.0.0.0/4           Class D multicast
240.0.0.0/5           Class E reserved
248.0.0.0/5           Unallocated
255.255.255.255/32    Broadcast

For more information on broadcast suppression using Cisco routers, see "Configuring Broadcast Suppression" on the Cisco Web site at http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802ca5d6.html.
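The ingress/egress rules, the ICMP screening advice and the Table 15.2 source prefixes above, combined into one perimeter decision function. This is an added example, not code from the chapter: it assumes a constructed internal prefix of 198.51.100.0/24, and it reads the chapter's TTL guidance as dropping inbound packets that arrive with a TTL of 0 or 1 and not emitting ICMP time exceeded messages outbound. The sample packets at the bottom are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Table 15.2: source prefixes that should never arrive from the Internet.
FILTERED_SOURCES = {
    "0.0.0.0/8": "historical broadcast",
    "10.0.0.0/8": "RFC 1918 private network",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link local",
    "172.16.0.0/12": "RFC 1918 private network",
    "192.0.2.0/24": "TEST-NET",
    "192.168.0.0/16": "RFC 1918 private network",
    "224.0.0.0/4": "class D multicast",
    "240.0.0.0/5": "class E reserved",
    "248.0.0.0/5": "unallocated",
    "255.255.255.255/32": "broadcast",
}
FILTERED_NETWORKS = [(ipaddress.ip_network(c), r) for c, r in FILTERED_SOURCES.items()]

# Assumed (constructed) address block of the protected network.
INTERNAL = ipaddress.ip_network("198.51.100.0/24")

ICMP_ECHO_REPLY, ICMP_TIME_EXCEEDED = 0, 11
ICMP_NAMES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirect", 8: "echo request", 11: "time exceeded"}


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" = arriving from the Internet, "out" = leaving
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    ttl: int = 64
    icmp_type: Optional[int] = None


def filtered_source_reason(addr: str) -> Optional[str]:
    """Longest-prefix match of a source address against Table 15.2, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, reason in FILTERED_NETWORKS:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, reason)
    return best[1] if best else None


def decide(pkt: Packet) -> Tuple[str, str]:
    """Return ("permit" | "deny", reason) for one packet at the perimeter router."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    icmp = ICMP_NAMES.get(pkt.icmp_type, str(pkt.icmp_type))

    if pkt.direction == "in":
        reason = filtered_source_reason(pkt.src)
        if reason:                                   # Table 15.2 bogon sources
            return "deny", f"filtered source address ({reason})"
        if src in INTERNAL:                          # ingress filtering (RFC 2267)
            return "deny", "internal source address on the external interface (spoofed)"
        if dst == INTERNAL.broadcast_address:        # directed broadcast
            return "deny", "directed broadcast to the internal network"
        if pkt.ttl <= 1:                             # trace-route style probe (assumed reading)
            return "deny", "TTL of 0 or 1 (trace route probe)"
        if pkt.proto == "icmp" and pkt.icmp_type != ICMP_ECHO_REPLY:
            return "deny", f"ICMP {icmp} not accepted inbound (echo reply only)"
        return "permit", "inbound packet passes perimeter checks"

    if pkt.direction == "out":
        if src not in INTERNAL:                      # egress filtering (RFC 2267)
            return "deny", "source is not a valid internal address"
        if pkt.proto == "icmp" and pkt.icmp_type == ICMP_TIME_EXCEEDED:
            return "deny", "time exceeded message would reveal topology"
        return "permit", "outbound packet carries a valid internal source"

    raise ValueError(f"unknown direction {pkt.direction!r}")


if __name__ == "__main__":
    # Constructed sample traffic exercising each rule.
    samples = [
        Packet("in", "10.1.2.3", "198.51.100.10", "tcp"),
        Packet("in", "198.51.100.5", "198.51.100.10", "tcp"),
        Packet("in", "203.0.113.9", "198.51.100.255", "udp"),
        Packet("in", "203.0.113.9", "198.51.100.10", "tcp", ttl=1),
        Packet("in", "203.0.113.9", "198.51.100.10", "icmp", icmp_type=8),
        Packet("in", "203.0.113.9", "198.51.100.10", "icmp", icmp_type=0),
        Packet("out", "198.51.100.10", "203.0.113.9", "tcp"),
        Packet("out", "10.0.0.1", "203.0.113.9", "tcp"),
    ]
    for p in samples:
        verdict, why = decide(p)
        print(f"{p.direction:3} {p.src:>16} -> {p.dst:<16} {p.proto:4} {verdict:6} {why}")
```

The longest-prefix match matters because 255.255.255.255/32 sits inside 248.0.0.0/5; without it the reason reported for a broadcast source would be "unallocated". On a real router these rules become an inbound access list on the external interface and an outbound one on the internal interface, applied in this order so that bogon and spoof checks run before any per-protocol exception.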

Administrative Access
From where will the router be accessed for administration purposes? Decide over which interfaces and ports an administration connection is allowed and from which network or host the administration is to be performed. Restrict access to those specific locations. Do not leave an Internet-facing administration interface available without encryption and countermeasures to prevent hijacking. In addition:

- Disable unused interfaces.
- Apply strong password policies.
- Use static routing.
- Audit Web facing administration interfaces.

Disable Unused Interfaces
Only required interfaces should be enabled on the router. An unused interface is not monitored or controlled, and it is probably not updated. This might expose you to unknown attacks on those interfaces.

Apply Strong Password Policies
Brute force password software can launch more than just dictionary attacks. It can discover common passwords where a letter is replaced by a number. For example, if "p4ssw0rd" is used as a password, it can be cracked. Always use uppercase and lowercase, number, and symbol combinations when creating passwords.

Use Static Routing
Static routing prevents specially formed packets from changing routing tables on your router. An attacker might try to change routes to cause denial of service or to forward requests to a rogue server. By using static routes, an administrative interface must first be compromised to make routing changes.

Audit Web Facing Administration Interfaces
Also determine whether internal access can be configured. When possible, shut down the external administration interface and use internal access methods with ACLs.

Services
On a deployed router, every open port is associated with a listening service. To reduce the attack surface area, default services that are not required should be shut down. Examples include bootps and Finger, which are rarely required. You should also scan your router to detect which ports are open.

Auditing and Logging
By default, a router logs all deny actions; this default behavior should not be changed. Also secure log files in a central location. Modern routers have an array of logging features that include the ability to set severities based on the data logged. An auditing schedule should be established to routinely inspect logs for signs of intrusion and probing.

Intrusion Detection
With restrictions in place at the router to prevent TCP/IP attacks, the router should be able to identify when an attack is taking place and notify a system administrator of the attack. Attackers learn what your security priorities are and attempt to work around them. Intrusion Detection Systems (IDSs) can show where the perpetrator is attempting attacks.
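The auditing and intrusion-detection advice above, put into practice on the deny entries a router logs. This is an added example and not code from the chapter; the syslog lines are constructed in the format Cisco IOS uses for ACL logging (%SEC-6-IPACCESSLOGP for TCP/UDP, %SEC-6-IPACCESSLOGDP for ICMP), and the threshold of three distinct destination ports that marks a source as probing is an assumed tuning value.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample of router syslog output: one source walks several
# ports on one host, a second source repeats a single connection attempt,
# and an unrelated link message shows how non-deny lines are skipped.
SAMPLE_LOG = """\
Mar  1 10:15:01.101: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(51234) -> 198.51.100.10(23), 1 packet
Mar  1 10:15:01.322: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(51235) -> 198.51.100.10(22), 1 packet
Mar  1 10:15:01.530: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
Mar  1 10:15:02.004: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(51236) -> 198.51.100.10(80), 1 packet
Mar  1 10:15:02.417: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(51237) -> 198.51.100.10(443), 1 packet
Mar  1 10:15:03.088: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.7 -> 198.51.100.10 (8/0), 1 packet
Mar  1 10:16:40.250: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.50(40001) -> 198.51.100.25(25), 5 packets
"""

# Matches the LOGP (with ports), LOGDP (ICMP type/code) and LOGNP (no ports) variants.
DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_deny(line: str) -> Optional[dict]:
    """Parse one ACL deny log line; return None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["count"] = int(ev["count"])
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def summarize(log: str) -> Dict[str, dict]:
    """Aggregate denied traffic per source: packet total, distinct ports, hosts, protocols."""
    summary = defaultdict(lambda: {"packets": 0, "ports": set(), "dsts": set(), "protos": set()})
    for line in log.splitlines():
        ev = parse_deny(line)
        if ev is None:
            continue
        s = summary[ev["src"]]
        s["packets"] += ev["count"]
        s["dsts"].add(ev["dst"])
        s["protos"].add(ev["proto"])
        if ev["dport"] is not None:
            s["ports"].add(ev["dport"])
    return dict(summary)


def probing_sources(log: str, min_ports: int = 3) -> List[str]:
    """Sources whose denied traffic touched at least min_ports distinct destination ports."""
    return sorted(src for src, s in summarize(log).items() if len(s["ports"]) >= min_ports)


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG).items():
        print(f"{src:>14}: {s['packets']} packets, ports {sorted(s['ports'])}, "
              f"hosts {sorted(s['dsts'])}, protocols {sorted(s['protos'])}")
    print("probing:", probing_sources(SAMPLE_LOG))
```

The per-source view is what a reviewer on the auditing schedule wants: a single repeated connection attempt and a walk across several ports look identical line by line but separate cleanly once aggregated. A production version would add a time window to the aggregation and feed the flagged sources to the IDS or SIEM rather than printing them.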

+++++ http://www.techrepublic.com/blog/networking/how-to-properly-secure-your-cisco-router-with-passwords/569

By David Davis June 26, 2008, 9:26 AM PDT

How to properly secure your Cisco router with passwords

Takeaway: Some of the worst security breaches occur because people neglect basic security measures. David Davis discusses the importance of maintaining proper passwords on your router, explains the three modes for the Cisco IOS, and shows you how to configure the five main passwords that protect your network.

Why do you need to secure your router with passwords?
The question you might ask is: Doesn't the router already have default passwords? The answer is NO, it doesn't. There is no automatic password defense that comes with your router. As a Cisco admin, this should be taken very seriously. It is so important and so easy to set up passwords. First, let's discuss the different modes of the Cisco IOS. They are set up in a hierarchical manner, which means that the deeper the access, the more privilege you have and, hopefully, the more passwords you have set up for each level. For additional information on security for your router, please see another of my TechRepublic articles, "Fundamentals: Five Ways to Secure Your Cisco Routers and Switches."

What are the three modes of the Cisco IOS?
Before I can tell you how to secure your router with passwords, I need to first make sure you know the three modes of the Cisco IOS. They are:

User: In User mode, basic interface information on the router is displayed. Well-known Cisco CCNA author, Todd Lammle, once called the user mode "useless mode" because no configuration changes can be made, nor can you view anything important at this level. It is also called user exec mode.

Privileged: Sometimes called the privileged exec (or just priv mode), configuration views and changes are made at this level. In my opinion, this is the first point at which it is absolutely critical to have a password set (although you should have password access even at user mode). To move from user mode to priv mode, you just type enable while in user exec mode and press [Enter]:

Router> enable
Router#

Global Configuration: From the exec priv mode, we can now access the global configuration mode. This is where you would make changes that would affect your whole router, including configuration changes. You will need to step in a little deeper in the router's commands to make changes to your configuration. Here's an example of how to access that mode:

Router# configure terminal
Router(config)#

Note: you can also just type conf t.

How to configure the five main passwords of the Cisco IOS
The five main passwords of the Cisco IOS are:
- Console
- Aux
- VTY
- Enable password
- Enable secret

Console
If you have no password set on the router's console, by default, you can access user mode (and then on to the other modes if no passwords are set there either). The console port is where you would initially start to configure a new router. It is critical to set a password on the console port of the router to protect someone from physically walking up to the router, connecting, and gaining access to user mode (and, potentially, much more).

Because there is only one console port per router, you would use the command line console 0 in global configuration mode, and then use the login and password commands to finish up the configuration. The command, login, tells the router to look under the console line configuration for the password. The command, password, sets the actual password. Here is what it looks like:

Router# config t
Router(config)# line console 0
Router(config-line)# password SecR3t!pass
Router(config-line)# login

Note: Complex passwords are important to keep someone from guessing your password.

Aux
This is short for auxiliary port. This is also a physical access port on the router. Not all routers have this port. As the aux port is a backup configuration port for the console, it is equally important to configure a password on it.
Router# config t
Router(config)# line aux 0
Router(config-line)# password SecR3t!pass
Router(config-line)# login

VTY
The "virtual tty" line is not a physical connection, but a virtual connection. You would use this line to Telnet or SSH into the router (for SSH configuration, see my article "Configure SSH on Your Cisco Router"). Of course, you would need to have an active LAN or WAN interface set up on your router for Telnet to work. As different routers and switches can have a different number of vty ports, you should see how many you have before you configure them. To do this, just type line ? in privileged mode. Here's an example of configuring vty lines:

Router# config t
Router(config)# line vty 0 4
Router(config-line)# password SecR3t!pass
Router(config-line)# login

Enable password
The enable password prevents someone from getting full access to your router. The enable command is actually used to change between different security levels on the router (there are levels of security from 0 to 15). However, it is typically used to go from user mode (level 1) to privileged mode (level 15). In fact, if you are at user mode and you just type enable, it assumes you want to go to privileged mode. To set a password to control access from user mode to privileged mode, go to the global configuration mode and use the enable password command, like this:

Router# config t
Router(config)# enable password SecR3t!enable
Router(config)# exit

The downside of the enable password is that it can be easily unencrypted by someone, and that is why you should use enable secret instead.

Enable secret
The enable secret password has the same function as the enable password, but with enable secret, the password is stored in a much stronger form of encryption:
Router(config)# enable secret SecR3t!enable

Conclusion
I've introduced you to the different modes of the Cisco IOS and the five different types of passwords you need to set to ensure that your Cisco router or switch is secure. Remember that, many times, entire networks can be brought down due to the lack of simple password security. Make sure that your Cisco router and switch passwords are set properly.
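A configuration audit for the five passwords the article describes, as an added example that is not part of David Davis's article or any Cisco tool. It reads a saved copy of show running-config text and reports the weaknesses the article warns about: no enable secret (only the reversible enable password), line passwords stored as type 0 or type 7, a line with login set but no password, and a line that admits users without any login. Both sample configurations are constructed, and the type 7 and type 9 values in them are placeholders, not real encoded passwords.

```python
from typing import Dict, List

# Constructed running-config excerpt that contains each weakness the article warns about.
SAMPLE_CONFIG = """\
version 12.4
hostname Router
enable password SecR3t!enable
line con 0
 password SecR3t!pass
 login
line aux 0
 login
line vty 0 4
 password 7 094F471A1A0A
 login
line vty 5 15
 no login
"""

# Constructed hardened variant: enable secret, local user database, SSH-only vty.
HARDENED_CONFIG = """\
version 12.4
hostname Router
enable secret 9 $9$placeholder.not.a.real.hash
username admin secret 9 $9$placeholder.not.a.real.hash
line con 0
 login local
line aux 0
 login local
line vty 0 15
 login local
 transport input ssh
"""

# IOS password encryption types: 0 plaintext, 7 reversible encoding,
# 5 MD5, 8 PBKDF2-SHA256, 9 scrypt.
WEAK_TYPES = {"0": "plaintext (type 0)", "7": "type 7 (reversible)"}
STRONG_TYPES = {"5", "8", "9"}


def encryption_type(cmd: str, keyword: str) -> str:
    """Encryption type digit following keyword in a config line; '0' when implicit."""
    rest = cmd[len(keyword):].split()
    if len(rest) >= 2 and rest[0] in ("0", "5", "7", "8", "9"):
        return rest[0]
    return "0"


def line_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' stanza name to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means no weakness was found."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]
    enable_secret = next((c for c in lines if c.startswith("enable secret ")), None)
    enable_password = next((c for c in lines if c.startswith("enable password ")), None)

    if enable_secret is None:
        note = "; only enable password, which is reversible" if enable_password else ""
        findings.append("enable secret not set" + note)
    elif encryption_type(enable_secret, "enable secret") not in STRONG_TYPES:
        findings.append("enable secret uses a weak encryption type")

    for name, cmds in line_blocks(config).items():
        if not name.startswith(("line con", "line aux", "line vty")):
            continue
        password = next((c for c in cmds if c.startswith("password ")), None)
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        if "no login" in cmds or not has_login:
            findings.append(f"{name}: access allowed without authentication")
        elif "login" in cmds and password is None:      # plain 'login' needs a line password
            findings.append(f"{name}: 'login' set but no line password configured")
        if password is not None:
            t = encryption_type(password, "password")
            if t in WEAK_TYPES:
                findings.append(f"{name}: line password stored as {WEAK_TYPES[t]}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

The check treats `login local` (and `login authentication`) as satisfied without a line password, because those variants authenticate against the local user database or AAA instead of the line's own password. Run it against configuration backups on a schedule so a line that drifts back to `no login` or a type 7 password is caught before it is relied on.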

Why Cisco Routers Offer the Best Network Solution For Your Business?

Those wondering which routers in the industry are the best will often hear a common single word response: Cisco. Yes, Cisco routers are frequently recommended as the best available systems and are often an automatic go-to for businesses, large or small. Of course, the answer itself raises a question. What is it about Cisco routers that make them such a reliable and popular choice? Two words can be employed to sum up such a question: quality and reliability. Cisco routers deliver on all their intended functions and do so without fail. No, this is not to infer that they last forever or are not prone to any potential damage. However, they are produced with a high enough level of quality that they will handle a great deal of use without displaying any loss of function. That alone can be considered a huge positive for a business. It certainly would not be helpful to a business's bottom line to repeatedly replace routers. Yet, this may be the case when the network employs less reliable or durable equipment. Why deal with such problems when Cisco routers would prove to be the much better option? In addition to the great reliability associated with Cisco routers, the affordable price makes them well worth acquiring. Businesses always need to have an eye on the proverbial bottom line. This is not always easy considering the high prices certain computer hardware comes with. For those businesses in need of a top router system, this is the brand to consider. This combination of cost-effectiveness and reliability would certainly prove incredibly difficult to beat. Do you have to be a tech wizard in order to run Cisco routers? If you did then they would probably never have proven to be as popular as they have become. They understand that user-friendliness is greatly valued by those businesses seeking to purchase networking equipment. This is just one of the reasons that they are seen as easy to install and operate.
No one needs to feel confused or unsure when it comes time to "push buttons" on the company's router. Cisco has made sure the router systems that bear the company's name are highly easy to use.

Similarly, concerns about configuration may raise their head. Or do they? Depending upon the particular router model a business purchases, configuration may not even be necessary. This would be another great positive since it eliminates the need for any additional and potentially confusing steps to run them. The more steps that are eliminated, the easier the router is to use. The easier the router is to use, the less time your business needs to spend dealing with router problems and issues. All in all, it would be very difficult to top the great value that Cisco routers bring to the table. Cisco routers are affordable, efficient, easy to operate, and come with a low price. When you take all of this into account it's easy to see why they remain such a popular choice with businesses throughout the world. Vincent Rogers is a freelance writer who writes for a number of UK businesses. To find more information about or to purchase Cisco Routing and Switching, he recommends Prodec Networks.
http://www.robinsnestwebsites.com/87-why-cisco-routers-offer-the-best-network-solution-for-your-business.html

Cisco Router Hardware
http://www.skullbox.net/routers.php

Routers are nothing more than a special type of PC. Routers and PCs both have some of the same components, such as a motherboard, RAM, and an operating system. The main difference between a router and a standard PC is that a router performs special tasks to control or "route" traffic between two or more networks. Remember that routers are the "smartest" networking devices. They operate at layer 3 of the OSI model. If you are unsure of the difference between a router, a switch, or a hub, click here.

Hardware Components
There are 7 major internal components of a router:

- CPU
- RAM
- NVRAM
- Flash
- ROM
- Console
- Interfaces

CPU The CPU performs functions just as it does in a normal PC. It executes commands given by the IOS using other hardware components. High-end routers may contain multiple processors or extra slots to add more CPUs later.

RAM
Random Access Memory; this component is dynamic, meaning its content changes constantly. The main roles of the RAM are to hold the ARP cache, store routing tables, hold the fast-switching cache, perform packet buffering, and hold queues. It also provides temporary memory for the configuration file of the router while the router is powered on. However, the RAM loses its content when the router is restarted or powered off. This component is upgradeable!

NVRAM
Nonvolatile RAM is used to store the startup configuration files. This type of RAM does not lose its content when the router is restarted or powered off.

Flash
Flash memory is very important because it saves your ass if you screw up the operating system configuration. It holds the Cisco IOS image file, as well as backups. This flash memory is classified as an EEPROM (Electronically Erasable Programmable Read Only Memory). The flash ROM is upgradeable in most Cisco routers.

ROM
The ROM performs the same operations as a BIOS. It holds information about the system's hardware components and runs POST when the router first starts up. This component can be upgraded by "unplugging" the chip and installing a new one. A ROM upgrade ensures newer versions of the IOS.

Console
The console consists of the physical plugs and jacks on the router. The purpose of the console is to provide access for configurations.

Interfaces
The interfaces provide connectivity to LAN, WAN, and Console/Aux. They can be RJ-45 jacks soldered onto the motherboard, transceiver modules, or card modules. Cisco routers, especially the higher-end models, can be configured in many different ways. They can use a combination of transceivers, card modules and onboard interfaces. The picture below shows the components of a Cisco 804 ISDN router.
