6.3. Device Access Control
💡 First Principle: Network devices are high-value targets—compromising a router or switch gives attackers control over traffic flows, visibility into communications, and a pivot point for further attacks. Think of it like keys to the building: if someone gets the master key, every room is accessible.
Consider this nightmare scenario: An attacker gains enable access to your core router. Now imagine what they can do: inspect all traffic flowing through the device, redirect traffic to malicious servers for credential harvesting, create backdoor accounts that persist through reboots, disable security logging to cover their tracks. One compromised router can take down an entire organization.
What happens with default configurations: Out of the box, Cisco devices have no enable password, console access requires no authentication, and VTY lines may allow Telnet (unencrypted). Leaving defaults is like leaving your front door unlocked while posting your address online. The first task on any new device is securing management access.
The principle of least privilege: Give users only the access they need. A help desk technician doesn't need enable access on core routers. An auditor needs read-only access, not configuration rights. Privilege levels and role-based access control enforce these boundaries.
Local Password Configuration:
Router(config)# enable secret SecurePassword123!
Router(config)# line console 0
Router(config-line)# password ConsolePass!
Router(config-line)# login
Router(config-line)# exec-timeout 5 0
Router(config)# line vty 0 15
Router(config-line)# password VTYPass!
Router(config-line)# login
Better: Local Username/Password:
Router(config)# username admin privilege 15 secret AdminPass123!
Router(config)# line console 0
Router(config-line)# login local
Router(config)# line vty 0 15
Router(config-line)# login local
Password Encryption:
Router(config)# service password-encryption ! Type 7 (weak)
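The settings above can be audited mechanically against a saved running-config. The script below is an added example, not part of this study guide and not a Cisco tool: it parses a config text, flags the defaults this section warns about (no enable secret, a line password instead of login local, Telnet still allowed on VTY lines, no explicit exec-timeout, type 7 strings), and lists privilege-15 accounts so they can be checked against the least-privilege principle. Both sample configs are constructed for this example, their hashes are placeholders, and the function names (parse_line_sections, audit_config) are my own choice.

```python
"""Audit a Cisco IOS running-config for the management-access weaknesses
covered in this section (hypothetical audit script, not a Cisco tool)."""
import re

# Constructed sample: a device still carrying the risky settings the text
# warns about. Hash and type-7 strings are placeholders, not real values.
WEAK_CONFIG = """\
service password-encryption
hostname CoreRtr
enable password 7 PLACEHOLDER7
username helpdesk privilege 15 secret 5 $1$PLACEHOLDER
username auditor privilege 1 secret 5 $1$PLACEHOLDER
line con 0
 password 7 PLACEHOLDER7
 login
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 password 7 PLACEHOLDER7
 login
 exec-timeout 5 0
"""

# Constructed sample: the same device after applying the section's advice.
HARDENED_CONFIG = """\
service password-encryption
hostname CoreRtr
enable secret 9 $9$PLACEHOLDER
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username auditor privilege 1 secret 9 $9$PLACEHOLDER
line con 0
 login local
 exec-timeout 5 0
line vty 0 15
 login local
 exec-timeout 5 0
 transport input ssh
"""


def parse_line_sections(config):
    """Return {'line con 0': [commands...], ...} from the indented line blocks."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return sections


def audit_config(config):
    """Return (severity, message) findings; 'info' items need a human review."""
    findings = []
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]

    # Privileged EXEC protection: 'enable secret' is hashed, 'enable password' is not.
    if not any(l.startswith("enable secret") for l in top):
        findings.append(("high", "no 'enable secret': privileged EXEC is unprotected "
                                 "or relies on a reversible password"))
    if "service password-encryption" not in top:
        findings.append(("medium", "'service password-encryption' missing: "
                                   "line passwords are stored in clear text"))
    for l in top:
        if l.startswith("enable password"):
            findings.append(("high", "'enable password' in use: replace with 'enable secret'"))
        m = re.match(r"username (\S+) privilege 15", l)
        if m:  # least privilege: every full-access account should be justified
            findings.append(("info", f"user '{m.group(1)}' has privilege 15: "
                                     "confirm the role needs full access"))

    # Per-line checks: console and VTY lines.
    for name, cmds in parse_line_sections(config).items():
        if "login local" not in cmds:
            findings.append(("high", f"{name}: no 'login local' "
                                     "(shared line password or no authentication)"))
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(("low", f"{name}: exec-timeout not set explicitly; "
                                    "idle sessions use the platform default"))
        elif timeout.split()[1:] in (["0"], ["0", "0"]):
            findings.append(("medium", f"{name}: exec-timeout 0 disables the idle timeout"))
        if name.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), None)
            if transport is None or "telnet" in transport or transport.endswith(" all"):
                findings.append(("high", f"{name}: Telnet not excluded; set 'transport input ssh'"))

    # Type 7 strings are a reversible encoding, not a hash, wherever they appear.
    for raw in config.splitlines():
        if re.search(r"\b(?:password|secret) 7 \S+", raw):
            findings.append(("medium", f"type 7 string in '{raw.strip()}': "
                                       "reversible encoding, not a hash"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for sev, msg in audit_config(cfg):
            print(f"[{sev}] {msg}")
```

Run against the weak sample the script reports six high findings (missing enable secret, enable password in use, two lines without login local, two VTY ranges where Telnet is not excluded), the three type 7 strings and the two lines without an explicit exec-timeout; against the hardened sample only the informational privilege-15 entry remains, which is the reviewer's cue to confirm that account really needs full access.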