Three years ago, the Department of Homeland Security (DHS) released an alert on how cyber adversaries obtained hashed password values and other sensitive information from network infrastructure configuration files. Once the hashes were obtained, the adversaries were able to compromise network devices. That alert showed the results of what happens when cyber adversaries compromise device configurations that have insecure, reversible hashes: they are able to extract sensitive information and compromise networks.
The rise in the number of compromises of network infrastructures in recent years is a reminder that authentication to network devices is an important consideration. Network devices could be compromised due to:
- Poor password choice (vulnerable to brute force password spraying),
- Router configuration files (which contain hashed passwords) sent via unencrypted email, or
- Reused passwords (where passwords recovered from a compromised device can then be used to compromise other devices).
Using passwords by themselves increases the risk of device exploitation. While NSA strongly recommends multi-factor authentication for administrators managing critical devices, sometimes passwords alone must be used. Choosing good password storage algorithms can make exploitation much more difficult.
Cisco® devices offer a variety of different password hashing and encryption schemes to secure passwords stored in configuration files. Cisco systems come in a variety of platforms and are widely used within many infrastructure networks worldwide. Cisco networking devices are configured to propagate network traffic among various subnets. They also protect network information that flows into these subnets. The devices contain a plaintext configuration file that is loaded after the Cisco operating system boots. The configuration file:
- Contains specific settings that control the behavior of the Cisco device,
- Determines how to direct traffic within a network, and
- Stores pre-shared keys and user authentication information.
To protect this sensitive data, Cisco devices can use hashing or encryption algorithms to secure this information, but only if they are properly configured to do so.