In preparation for your CCNA Security 640-553 exam, we want to make sure we cover the topics that you will encounter on your CCNA exam. To assist you, below we discuss the CCNA Security concept of securing administrative access: setting strong encrypted passwords, exec timeouts, a login failure rate and the IOS login enhancements. As you progress through your CCNA exam studies, I am sure that with repetition you will find that all the topics become much easier. So even though this may be a difficult concept initially, keep at it, as no one said getting your Cisco certification would be easy!
Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements
Technical controls needed to secure both local and remote administrative access to Cisco routers.
Console Interface
The console line interface is a serial RJ45 port on the router. It supplies the clocking, so the serial settings of whatever you attach must match the router's. You can connect a dumb terminal or a computer running a terminal emulation program to it with a Cisco rollover cable and access the various command prompts on the router. This is an out-of-band line interface.
To configure a line interface, you use the line global configuration command, as illustrated below:
Router(config)#line ?
<0-6> First Line number
aux Auxiliary line
console Primary terminal line
vty Virtual terminal
Router(config)#line console 0
Router(config-line)#
Router(config)#line console 0
Router(config-line)#login
% Login disabled on line 0, until 'password' is set
Router(config-line)#password cisco
Auxiliary Interface
All routers also have another physical line interface, called the auxiliary port. You can attach an external modem to this interface so that you can dial in to the device's auxiliary port over the plain old telephone network to perform out-of-band configuration.
Virtual Line Interfaces
By default, all Cisco routers (and many other Cisco devices) come with five virtual terminal line interfaces: vty 0, 1, 2, 3, and 4. These virtual line interfaces are pseudo or dummy interfaces that terminate configuration traffic that arrives at the router in-band.
Router(config)#line vty 0 4
Router(config-line)#login
% Login disabled on line 6, until 'password' is set
Router(config-line)#password cisco
Enable Password
Setting an enable password or, better yet, an enable secret password, protects the enable (super user) mode of the router:
Router(config)#enable password cisco
Secret Password
The following command creates an encrypted secret password for the enable mode using an MD5 hash. Once the enable secret is set, it supersedes the enable password, which is then ignored:
Router(config)#enable secret sanfran
Service Password Encryption
For even better security, you can encrypt all the other passwords on the device (with the exception of the already hashed enable secret). This encryption is not as strong as the MD5 hash used for the enable secret, but it prevents accidental discovery of the router's passwords when the configuration is displayed.
Router(config)#service password-encryption
Setting Timeouts for Router Lines
No one should be able to remain forever on an inactive line interface (console, auxiliary, vty). The exec-timeout minutes seconds line configuration command terminates an inactive connection.
If you wanted to terminate an inactive console connection after 5 minutes and 20 seconds, you would type the following two commands:
Router(config)#line console 0
Router(config-line)#exec-timeout 5 20
Configuring Minimum Password Length
While Cisco recommends a minimum length for all passwords, there is no enforcement by default. The security passwords min-length command enforces a minimum password length. For example, if you wanted the minimum password length to be 16 characters, you would type the following command:
Router(config)#security passwords min-length 16
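The controls above (line passwords, enable secret, service password-encryption, exec-timeout and a minimum password length) together form one hardening procedure, and the natural check is to audit a saved running-config for them. The following Python script is an added example, not code from the page's author or from Cisco: it parses the global commands and the per-line stanzas of a config and reports which of those controls are missing. Both configs in it are constructed for the demonstration, and the type-7 strings and the enable secret hash in them are placeholders, not real encodings.

```python
"""Audit a Cisco IOS running-config for the administrative-access controls
discussed above. Added example; the sample configs are constructed and the
password strings in them are placeholders, not real encodings."""
import re

# Constructed: roughly what 'show running-config' shows after the commands on
# this page were entered, with two weaknesses left in on purpose (the old
# enable password kept, no exec-timeout on the aux line).
SAMPLE_HARDENED = """\
service password-encryption
hostname Router
enable secret 5 $1$PLACEHOLDER$notarealhash
enable password 7 0123456789ABCD
security passwords min-length 16
line con 0
 password 7 0123456789ABCD
 login
 exec-timeout 5 20
line aux 0
 password 7 0123456789ABCD
 login
line vty 0 4
 password 7 0123456789ABCD
 login
 exec-timeout 5 20
"""

# Constructed: a router with none of the page's controls applied.
SAMPLE_WEAK = """\
hostname Router
enable password cisco
line con 0
 login
line vty 0 4
 password cisco
 login
 exec-timeout 0 0
"""


def parse_config(text):
    """Split the config into global commands and per-line stanzas.
    IOS indents the commands belonging to a 'line ...' stanza with one
    space, so any unindented line ends the current stanza."""
    global_cmds, line_stanzas = [], {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                line_stanzas[current].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        m = re.match(r"line ((?:con|aux|vty) \d+(?: \d+)?)$", cmd)
        if m:
            current = m.group(1)
            line_stanzas[current] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, line_stanzas


def audit_line(name, cmds):
    """Checks for one line stanza: password-protected login and idle timeout."""
    findings = []
    auth = next((c for c in cmds if c == "login" or c.startswith("login ")), None)
    pw = next((c for c in cmds if c.startswith("password ")), None)
    timeout = next((c for c in cmds if c.startswith("exec-timeout ")), None)
    if auth is None:
        findings.append(f"line {name}: login not required")
    elif auth == "login" and pw is None:
        # The same condition IOS warns about when 'login' is entered first.
        findings.append(f"line {name}: login enabled but no password set")
    if pw is not None and not pw.startswith("password 7 "):
        findings.append(f"line {name}: password stored in clear text")
    if timeout is None:
        findings.append(f"line {name}: no exec-timeout set")
    elif all(p == "0" for p in timeout.split()[1:]):
        # 'exec-timeout 0 0' (or 'exec-timeout 0') means never time out.
        findings.append(f"line {name}: exec-timeout 0 0 disables the idle timeout")
    return findings


def audit(text):
    """Return the list of findings; an empty list means every check passed."""
    global_cmds, line_stanzas = parse_config(text)
    findings = []
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append("no enable secret configured")
    if any(c.startswith("enable password ") for c in global_cmds):
        findings.append("enable password present; it is ignored once enable secret is set, remove it")
    if "service password-encryption" not in global_cmds:
        findings.append("service password-encryption not enabled")
    if not any(c.startswith("security passwords min-length ") for c in global_cmds):
        findings.append("security passwords min-length not set")
    for name, cmds in line_stanzas.items():
        findings.extend(audit_line(name, cmds))
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        print(f"== {label} ==")
        for finding in audit(cfg):
            print("  -", finding)
```

Run it as a script and it prints the findings for both constructed configs; to audit a real device, read the output of show running-config into a string and pass it to audit(). The clear-text check relies on the fact that, once service password-encryption is active, every line password in the configuration is shown with the type-7 marker, so a bare password word means the command was never entered.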
I hope you found this article to be of use and it helps you prepare for your Cisco CCNA Security 640-553 certification exam. I am sure you will quickly find out that hands-on real world experience that our CCNA lab kits offer is the best way to cement the CCNA concepts in your head to help you pass your CCNA test!