disable password recovery and factory reset through console port
‎04-24-2016 06:22 AM
Hello,
How can I disable password recovery and configuration removal through boot menu on Extreme Switches? It's a security risk as anyone can connect to the console port and undo all the configuration.
3 REPLIES
‎04-24-2016 09:06 AM
To be fair, there's a big difference between changing the config register and then booting a Cisco to selecting no config in the EXOS bootrom.
If you change the confreg, you can boot and get to the config with no password trivially with a 'show conf'; this isn't possible on EXOS - the switch will boot with a default config and there is no way to show the non-booted configuration.
I may be missing an attack vector here, and if so I apologise; but I still think that if someone has physical access to a device then you have a much harder job to secure it. I could, for example, de-solder the flash chips and read them directly if I have the switch - you'd notice that for sure, but you can't prevent that even with encryption because the keys would also have to be there, so the switch could decrypt the config on boot 🙂
Paul.
‎04-24-2016 07:27 AM
Other vendors have similar options to counter this risk; for example, on Cisco you can prevent the NVRAM register value from being changed. I think the option should be there and it should be up to the customer whether they want to implement it or not.
‎04-24-2016 06:37 AM
I don't think there is any way to prevent this - which is actually a good thing; you need to be able to recover a switch for a number of very legitimate reasons sometimes.
There was a recent version of the boot menu that disabled 'config none' - and a lot of people complained to the TAC and this was reversed (the only way to recover one of those switches was a very slow erase and TFTP new code onto it).
If someone has physical access to your infrastructure, no amount of clever software features are going to close that security hole. I would expect that someone erasing the configuration would cause an outage more than being a security risk to you though?
Paul.
