disable password recovery and factory reset through console port

How can I disable password recovery and configuration removal through the boot menu on Extreme switches? It's a security risk, as anyone can connect to the console port and undo all the configuration.

3 replies

Userlevel 3
I don't think there is any way to prevent this - which is actually a good thing; you need to be able to recover a switch for a number of very legitimate reasons sometimes.

There was a recent version of the boot menu that disabled 'config none' - and a lot of people complained to the TAC and this was reversed (the only way to recover one of those switches was a very slow erase and TFTP new code onto it).

If someone has physical access to your infrastructure, no amount of clever software features are going to close that security hole. I would expect that someone erasing the configuration would cause an outage more than being a security risk to you though?

Other vendors have similar options to counter this risk; for example, in Cisco you can prevent the NVRAM register value from being changed. I think the option should be there, and it should be up to the customer whether they want to implement it or not.
Userlevel 3
To be fair, there's a big difference between changing the config register and then booting a Cisco to selecting no config in the EXOS bootrom.

If you change the confreg, you can boot and get to the config with no password trivially with a 'show conf'; this isn't possible on EXOS - the switch will boot with a default config and there is no way to show the non-booted configuration.

I may be missing an attack vector here, and if so I apologise; but I still think that if someone has physical access to a device then you have a much harder job to secure it. I could, for example, de-solder the flash chips and read them directly if I have the switch - you'd notice that for sure, but you can't prevent that even with encryption because the keys would also have to be there, so the switch could decrypt the config on boot 🙂