Solved

Protect a PIX config from password removal utilities - can the PIX erase it's own config as a security measure if passwords are removed?

Posted on 2008-06-25
274 Views
Last Modified: 2013-11-16
Is it possible to have the PIX erase the startup-config if the password is removed in ROMMON using the (well known) BIN file utility?

Asked another way:  What measures can be taken to prevent a PIX from having its configuration leaked, especially using password removal utilities?

* My password is already hardened
* I know that the best security measure is to keep the device in a locked secured area. It IS in a secured area, but that area is offsite and the security of that room cannot be guaranteed. What if the PIX is stolen?

Question by:jkeegan123
10 Comments
Expert Comment

by:karwak
ID: 21865824
If you encrypt all confidential information (e.g. enable password...) in the config, what should happen if someone gets the config? Information about routing or infrastructure can easily be gathered in a remote office by just plugging in their own laptop...

Even access rules will not make somebody stop hacking your network. If it is properly configured you will have only the absolutely required ports open anyway....

Or am I missing something here?
Author Comment

by:jkeegan123
ID: 21865878
Scenario:

* Remote office has a PIX functioning as a VPN endpoint.
* PIX is in a locked room inside the building.
* The building is broken into, PIX stolen.

Now the configuration can be gotten off of that box with a password removal utility, which is not a big deal, EXCEPT that that box has the SHARED KEY for the VPN programmed into it.

I know that the SHARED KEY for the VPN connection does not show in the config when you do a show run, but if you do a "write tftp", and look at the file that is written,  the shared key shows up in cleartext.

Try it if you don't believe me, I've been recovering shared keys for poorly documented sites using this method for years.
Expert Comment

by:karwak
ID: 21865924
Hmmm, you're right!

Have you had a look at the Cisco Command Lookup Tool? There might be an option to encrypt this key as well...
Author Comment

by:jkeegan123
ID: 21865964
Nothing I could find.  The IOS routers have the option to self-destruct the config if the password is removed; some nastier ISPs do this on their managed edge equipment.  It just seems so likely that a PIX should be able to do this too...
Expert Comment

by:karwak
ID: 21865991
What's the exact command line for the VPN shared key? Can't find an example in a hurry ;-)....
Author Comment

by:jkeegan123
ID: 21866024
isakmp key PASSWORD address 24.24.24.24 netmask 255.255.255.255
Expert Comment

by:karwak
ID: 21866275
Funnily enough there's a howto for getting the keys at Cisco:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml

I read about the option to encrypt the key completely with IOS, but not with PIX/ASA... :-(
Expert Comment

by:Pete Long
ID: 21866295
>>I know that the SHARED KEY for the VPN connection does not show in the config when you do a show run

beg to differ m8y :(

more system:running-config
Accepted Solution

by: Pete Long (earned 500 total points)
ID: 21866343
Basically on a 500 series running v6 you're screwed. That sort of functionality was added in v7.
As the TAG for the Question says it's a 515E, can you upgrade it to v7 and then issue a

no service password-recovery

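An added audit script, not from this thread and not Cisco tooling, that scans a config dump of the kind "write tftp" produces for the cleartext "isakmp key ... address ..." lines discussed above, so a backup can be checked (and the keys masked in the report) before it is stored offsite. The sample dump is constructed, and the check for the "no service password-recovery" line from the accepted answer assumes that line is written into the config on v7+ software.

```python
import re

# Constructed sample of a PIX 6.x config dump as produced by "write tftp";
# the hostname, keys and peer addresses are made up for this example.
SAMPLE_DUMP = """\
PIX Version 6.3(3)
hostname remote-pix
enable password 8Ry2YjIyt7RRXU24 encrypted
isakmp key PASSWORD address 24.24.24.24 netmask 255.255.255.255
isakmp key Sup3rS3cret address 198.51.100.7 netmask 255.255.255.255
isakmp enable outside
"""

# "isakmp key <key> address <peer> ..." is the form quoted in the thread.
PSK_RE = re.compile(r"^\s*isakmp key (\S+) address (\S+)", re.MULTILINE)


def mask(secret):
    """Keep only the first character so the report never re-leaks the key."""
    return secret[0] + "*" * (len(secret) - 1)


def find_cleartext_psks(dump):
    """Return [(peer, masked_key)] for every pre-shared key stored in cleartext."""
    return [(peer, mask(key)) for key, peer in PSK_RE.findall(dump)]


def password_recovery_disabled(dump):
    """True if the dump carries the v7+ line the accepted answer recommends.
    Assumption: the setting shows up verbatim as 'no service password-recovery'."""
    return re.search(r"^no service password-recovery\s*$", dump, re.MULTILINE) is not None


def audit(dump):
    """Summarise what someone holding the stolen box (or this backup file) gets."""
    psks = find_cleartext_psks(dump)
    wiped = password_recovery_disabled(dump)
    return {
        "cleartext_psk_peers": [peer for peer, _ in psks],
        "password_recovery_disabled": wiped,
        # keys are exposed if they are in cleartext and a recovery does not wipe the config
        "exposed": bool(psks) and not wiped,
    }


if __name__ == "__main__":
    for peer, masked in find_cleartext_psks(SAMPLE_DUMP):
        print(f"cleartext pre-shared key for peer {peer}: {masked}")
    print(audit(SAMPLE_DUMP))
```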
Author Closing Comment

by:jkeegan123
ID: 31470566
True, this is updated in v7, but in version 6.33 and lower, there is NO service password-encryption available.
