disable password recovery and factory reset through console port

Updated 2 years ago
Hello,
How can I disable password recovery and configuration removal through the boot menu on Extreme switches? It's a security risk, as anyone can connect to the console port and undo all the configuration.
f3rha4n

Posted 2 years ago

Paul Thornton
I don't think there is any way to prevent this - which is actually a good thing; you need to be able to recover a switch for a number of very legitimate reasons sometimes.

There was a recent version of the boot menu that disabled 'config none' - and a lot of people complained to the TAC and this was reversed (the only way to recover one of those switches was a very slow erase and TFTP new code onto it).

If someone has physical access to your infrastructure, no amount of clever software features is going to close that security hole. I would expect that someone erasing the configuration would cause an outage more than being a security risk to you, though?

Paul.
f3rha4n
Other vendors have similar options to counter this risk; for example, on Cisco you can prevent the NVRAM register value from being changed. I think the option should be there, and it should be up to the customer whether they want to implement it or not.
Paul Thornton
To be fair, there's a big difference between changing the config register and then booting a Cisco, and selecting no config in the EXOS bootrom.

If you change the confreg, you can boot and get to the config with no password trivially with a 'show conf'; this isn't possible on EXOS. The switch will boot with a default config, and there is no way to show the non-booted configuration.

I may be missing an attack vector here, and if so I apologise; but I still think that if someone has physical access to a device then you have a much harder job to secure it. I could, for example, de-solder the flash chips and read them directly if I have the switch. You'd notice that for sure, but you can't prevent that even with encryption, because the keys would also have to be there so the switch could decrypt the config on boot :)

Paul.
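For readers comparing the two platforms discussed above, here is the Cisco IOS setting f3rha4n alludes to, shown as an added example next to the default it replaces; it is not code from either poster, and it assumes a platform and IOS release that support the feature (availability varies by model).

```text
! Cisco IOS running-config fragments (added example, not from this thread).
! Assumes a platform/release that supports "service password-recovery".

! Default (weak): a console Break during boot drops into ROMMON, where the
! config register can be changed (e.g. 0x2142) so the device boots while
! ignoring startup-config; the stored config is then readable in full.
service password-recovery
config-register 0x2102

! Hardened: the ROMMON / config-register path is disabled. The only option
! still offered on a console Break at boot is a factory reset that erases
! startup-config (NVRAM), so console access can cause an outage but cannot
! expose the stored configuration. This matches the EXOS "config none"
! behaviour Paul describes: a default boot with no way to read the old config.
! Before enabling: keep config-register at 0x2102 and hold an out-of-band
! config backup, because a lost enable password then costs you the config.
no service password-recovery

! Check after a reload (the register should not have been altered):
! Switch# show version | include Configuration register
```

Combine this with remote syslog of reload and config-change events so an unexpected boot into a default configuration is noticed as quickly as the outage it causes.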