Chapter 18. Securing Cisco devices

If you work in a Windows Active Directory environment, you’re accustomed to having a single credential—that is, a username and password—to log into almost everything. Sadly, many Cisco networks haven’t adopted this “one credential to rule them all” approach. Instead, it’s quite common to find that each device requires nothing more than a generic administrator password to log in and start making changes. In slightly more secure environments, the devices may require a unique username and password.

One downside of this setup is that when you want to give someone access to several devices, you have to manually configure a credential on each one. For example, a company I once worked for hired a contractor to configure a Cisco IP phone system. He needed to log into a few of our routers that were scattered across the country, so I created individual, privileged accounts just on those routers he needed access to. Cisco calls each of these accounts a local user account.

Although having local accounts on each device isn’t ideal, it’s a reality in many organizations. As a Cisco network administrator, you need to know not only how to create local accounts but, more importantly, how to lock down your Cisco devices to mitigate the damage if such a privileged account gets into the wrong hands.

18.1. Creating a privileged user account

18.2. Reconfiguring the VTY lines

18.3. Securing the console port

18.4. Commands used in this chapter

18.5. Hands-on lab