Cisco Security??? (CCNP forum thread, November 2002)
Dude
Do any of you guys think that it is odd that on both routers and switches, if someone has physical access to them, it would be really easy for them to get into them and change the configuration? The routers are not that hard to get into, and from what I have just learned, it's really easy to get into a 4000/5000/6000 series switch. Just reboot it and hit enter as a password??? Seems really UNsecure to me. Anyone else think this way?
ssimpson53 2002-11-12, 6:15 pm
Well Dude, most folks choose to enable different types of passwords on their routers and switches that make it a little more difficult to access than just hitting enter. Many people fail to set a password for User Mode... can't remember if this is the same as the telnet password or if it is specific to the terminal. If you fail to set one, this can allow access to some of the config information from a terminal emulation application. However, most people will set an enable password, which is stored in clear text in the config, or an enable secret password, which is stored encrypted. If either of these is set you must enter it in order to gain access to executive mode, global config mode, etc. Basically, to make any changes you have to have this password.
Mikop
I think he is referring to gaining physical access and therefore, you can do password recovery and other measures to bypass the password protection you described.
What is important to note is, it IS easy to do password recovery and bypass it all; it SHOULD NOT be easy to gain physical access. The server room should be locked; if biometric and other sophisticated authentication methods are to be used, it is at the server room. The server room should be locked at all times, who went in, when, and how long they spent there should be logged, and then further secured depending on role: open rack/lockable rack etc...
Much like host protection, what good is all that when I can take your server and walk off with the hard drive? (Didn't this happen a lot... remember reading lots of reports of this nature.)
Edit: it appeared to me that it is I who can't read, my apologies.
bhets 2002-11-13, 12:44 am
As an administrator one should make sure that all password levels on a router/switch are configured properly. You can enable TACACS or RADIUS authentication if you have lots of routers/switches on your network; it also gives a centralized level of authentication.
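As an added example that is not part of the thread, here is a small Python audit of an IOS-style running-config for the weaknesses ssimpson53 and bhets describe (a clear-text `enable password` with no `enable secret`, no `service password-encryption`, no AAA/TACACS+, lines that never require a login), plus a check for `no service password-recovery`, which on IOS platforms that support it closes the console-break recovery the posts above are worried about. The two configs are constructed for this example, the hashes and TACACS+ key are placeholders, and the checks are purely textual, so they cover IOS syntax only, not CatOS on the Catalyst 4000/5000/6000.

```python
# Hypothetical IOS running-configs, constructed for this example (not from any
# real device). WEAK has the gaps the thread describes; HARDENED closes them.
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco123
line con 0
line vty 0 4
 password telnet1
"""
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
no service password-recovery
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.10 key TACACS_KEY_PLACEHOLDER
username admin secret 5 $1$HYPO$PLACEHOLDERHASH1
enable secret 5 $1$HYPO$PLACEHOLDERHASH2
line con 0
 login authentication default
line vty 0 4
 login authentication default
 transport input ssh
"""


def audit_config(text):
    """Return the list of weaknesses found in an IOS-style config text."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    top = [ln for ln in lines if not ln.startswith(" ")]  # global-mode lines
    findings = []
    if any(ln.startswith("enable password ") for ln in top):
        findings.append("enable password set (clear text or reversible type 7)")
    if not any(ln.startswith("enable secret ") for ln in top):
        findings.append("no enable secret (privileged EXEC has no hashed secret)")
    if "service password-encryption" not in top:
        findings.append("service password-encryption off (line passwords in clear)")
    if "aaa new-model" not in top:
        findings.append("no AAA (no centralized TACACS+/RADIUS login)")
    if "no service password-recovery" not in top:
        findings.append("password recovery enabled (console break bypasses passwords)")
    # Each 'line ...' block must explicitly require a login (local or AAA).
    block, body = None, []
    for ln in lines + ["line END"]:  # sentinel flushes the last block
        if ln.startswith("line "):
            if block and not any(b.strip().startswith("login") for b in body):
                findings.append(f"{block}: no login required")
            block, body = ln, []
        else:
            body.append(ln)
    return findings


print(audit_config(WEAK_CONFIG))      # 7 findings for the weak config
print(audit_config(HARDENED_CONFIG))  # [] for the hardened config
```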
MadChef 2002-11-13, 5:57 am
quote: Originally posted by Dude
Seems really UNsecure to me. Anyone else think this way?
Yes, it is trivial to get around any Cisco authentication methods and this is to be considered very insecure if you don't properly physically secure your network devices. Authentication, authorization and accounting are only part of the security piece and to wholly rely on them is foolish. You don't give the public access to your phone switch, do you? Then why would you do the same with your data infrastructure?
MadChef
MadChef 2002-11-13, 5:59 am
quote: Originally posted by ssimpson53
Well Dude, most folks choose to enable different types of passwords on their routers and switches that make it a little more difficult to access than just hitting enter.
However, just hitting enter is exactly what is required on any Cat4000, 5000 or 6000 series switch within 60 seconds of it booting, which was his statement.
MC
Dude
Sorry guys that I didn't make it clear, but I was talking about password recovery/unwanted entry. Thanks MadChef and Mikop for knowing what I meant. And in the environment I am in, I have ZERO physical security. Not because I don't want it, but because my company is too cheap to do anything about it. So, that would be a concern to me.