Solved

Protect a PIX config from password removal utilities - can the PIX erase its own config as a security measure if passwords are removed?

Posted on 2008-06-25
Last Modified: 2013-11-16
Is it possible to have the PIX erase the startup-config if the password is removed in ROMMON using the (well known) BIN file utility?

Asked another way: What measures can be taken to prevent a PIX from having its configuration leaked, especially using password removal utilities?

* My password is already hardened.
* I know that the best security measure is to keep the device in a locked, secured area. It IS in a secured area, but that area is offsite and the security of that room cannot be guaranteed. What if the PIX is stolen?

Question by:jkeegan123
10 Comments
 
LVL 5

Expert Comment

by:karwak
ID: 21865824
If you encrypt all confidential information (e.g. enable password...) in the config, what should happen if someone gets the config? Information about routing or infrastructure can easily be gathered in a remote office by just plugging in their own laptop...

Even access rules will not make somebody stop hacking your network. If it is properly configured you will have only the absolutely required ports open anyway....

Or am I missing something here?
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 21865878
Scenario:

* Remote office has a PIX functioning as a VPN endpoint.
* PIX is in a locked room inside the building.
* The building is broken into, PIX stolen.

Now the configuration can be gotten off of that box with a password removal utility, which is not a big deal, EXCEPT that that box has the SHARED KEY for the VPN programmed into it.

I know that the SHARED KEY for the VPN connection does not show in the config when you do a show run, but if you do a "write tftp" and look at the file that is written, the shared key shows up in cleartext.

Try it if you don't believe me, I've been recovering shared keys for poorly documented sites using this method for years.
0
 
LVL 5

Expert Comment

by:karwak
ID: 21865924
Hmmm, you're right!

Have you had a look at the Cisco Command Lookup Tool? There might be an option to encrypt this key as well...
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 21865964
Nothing I could find. The IOS routers have the option to self-destruct the config if the password is removed; some nastier ISPs do this on their managed edge equipment. It just seems so likely that a PIX should be able to do this too...
0
 
LVL 5

Expert Comment

by:karwak
ID: 21865991
What's the exact command line for the VPN shared key? Can't find an example in a hurry ;-)....
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 21866024
isakmp key PASSWORD address 24.24.24.24 netmask 255.255.255.255
0
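The isakmp line quoted above is exactly the kind of line that a config written out with "write tftp" carries in cleartext, even though "show run" masks it. The following is an added example, not code from this thread or from Cisco: a small Python audit-and-redact script a defender can run over a written-out PIX config before it is archived or mailed around, so that backups do not become a second copy of the pre-shared key. The sample config is constructed for the example; the isakmp pattern follows the syntax quoted in the thread, while the tunnel-group "pre-shared-key" pattern (PIX/ASA 7.x syntax) and the cleartext enable/passwd patterns are assumptions added here. Note that this only reduces exposure from stored copies of the config; it does nothing for a box that is physically stolen, which is the question's real problem.

```python
import re

# Constructed sample of a PIX 6.x config as it might appear in a "write tftp" dump.
# Not a real device's config; the isakmp line uses the syntax quoted in the thread.
SAMPLE_CONFIG = """\
PIX Version 6.3(3)
hostname branch-pix
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
isakmp key PASSWORD address 24.24.24.24 netmask 255.255.255.255
isakmp identity address
crypto map outside_map 20 ipsec-isakmp
"""

# Lines that carry a secret in cleartext in a written-out config.
# Each entry: (label, regex with a named group 'secret').
SECRET_PATTERNS = [
    # PIX 6.x IKE pre-shared key (syntax from the thread)
    ("isakmp pre-shared key",
     re.compile(r"^\s*isakmp key (?P<secret>\S+) address \S+")),
    # PIX/ASA 7.x tunnel-group ipsec-attributes form (assumption, not shown on the page)
    ("tunnel-group pre-shared key",
     re.compile(r"^\s*pre-shared-key (?P<secret>\S+)\s*$")),
    # enable/login passwords WITHOUT the trailing 'encrypted' keyword are cleartext
    ("enable password (cleartext)",
     re.compile(r"^\s*enable password (?P<secret>\S+)\s*$")),
    ("passwd (cleartext)",
     re.compile(r"^\s*passwd (?P<secret>\S+)\s*$")),
]


def find_secrets(config_text):
    """Return a list of (line_number, label, secret) for every cleartext secret found."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS:
            match = pattern.match(line)
            if match:
                hits.append((lineno, label, match.group("secret")))
                break  # one finding per line is enough
    return hits


def redact(config_text, placeholder="<REDACTED>"):
    """Return a copy of the config with every detected secret replaced by the placeholder.

    Only the secret token is replaced; the rest of the line (peer address, netmask)
    is kept so the redacted copy is still useful as documentation.
    """
    out = []
    for line in config_text.splitlines():
        for _label, pattern in SECRET_PATTERNS:
            match = pattern.match(line)
            if match:
                start, end = match.span("secret")
                line = line[:start] + placeholder + line[end:]
                break
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, label, _secret in find_secrets(SAMPLE_CONFIG):
        # Report where the secret is, without echoing the secret itself.
        print(f"line {lineno}: {label} stored in cleartext")
    print(redact(SAMPLE_CONFIG))
```

Running it on the constructed sample reports the isakmp key on line 5 and leaves the two "encrypted" password lines alone, since those are already hashes. Redact the archived copy and keep the real key in a secrets store rather than in the config backup.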
 
LVL 5

Expert Comment

by:karwak
ID: 21866275
Funnily enough there's a howto for getting the keys at Cisco:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml

I read about the option to encrypt the key completely with IOS, but not with PIX/ASA... :-(
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 21866295
>>I know that the SHARED KEY for the VPN connection does not show in the config when you do a show run

beg to differ m8y :(

more system:running-config
0
 
LVL 57

Accepted Solution

by:Pete Long (earned 500 total points)
ID: 21866343
Basically, on a 500 series running v6 you're screwed; that sort of functionality was added in v7.
As the TAG for the question says, it's a 515E. Can you upgrade it to v7 and then issue a

no service password-recovery

0
 
LVL 5

Author Closing Comment

by:jkeegan123
ID: 31470566
True, this is updated in v7, but in version 6.33 and lower, there is NO service password-encryption available.
0
