As part of a new initiative to tighten the security of your Cisco devices, you have configured the firewall to
restrict access to the devices from the outside.
What would be other recommended ways of protecting the integrity of the device configuration files on the
devices while ensuring your continued ability to manage the devices remotely? (Choose all that apply.)
A.
encrypt the configuration files
B.
use SSH to connect to the devices for management
C.
prevent the loss of administrator passwords by disabling their encryption
D.
disable the VTY ports on the devices
E.
use an encrypted password for VTY access
Explanation:
You should use SSH to connect to the devices for management. You should also require an encrypted
password for VTY access. Using Telnet for remote management transmits all information, including the
username and passwords, in clear text. Using an encrypted password for VTY access ensures that the
password cannot be read either in transit or in the configuration file.
Passwords used for access to the console, aux, or VTY connections can be encrypted if desired. When
passwords are created with the enable <password> command, the password is saved in clear text. When the
enable secret <password> command is used, however the password will be encrypted.If both types of password are configured for a particular connection type, the system will ignore the enable
password and require the enable secret password. For example, if the set of commands shown below were
executed, both types of password will be created for console access, but the system will require the password
crisco rather than cisco. Also make note that neither of those passwords will required for VTY access. That
password is sicso, which is the password configured after accessing the line VTY interface configuration
prompt.
Router(config)# enable secret crisco
Router(config)# enable password cisco
Router(config)# line vty 0 4
Router(config-line)# password sisco
Although it is possible to encrypt the password in the configuration files, it is not possible to encrypt the rest of
the files.
You should not disable the encryption of the passwords in the configuration files. Password encryption is a good
security measure to take, and sloppy password management should not be a reason to change this practice.
You should not disable the VTY ports on the devices. This would certainly enhance security, but it would
prevent you from managing the devices remotely
Objective:
Infrastructure Security
Sub-Objective:
Configure, verify, and troubleshoot basic device hardeningCisco IOS Security Configuration Guide, Release 12.2>Security Overview