  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 282

Protect a PIX config from password removal utilities - can the PIX erase its own config as a security measure if passwords are removed?

Is it possible to have the PIX erase the startup-config if the password is removed in ROMMON using the (well known) BIN file utility?

Asked another way:  What measures can be taken to prevent a PIX from having its configuration leaked, especially using password removal utilities?

* My password is already hardened
* I know that the best security measure is to keep the device in a locked secured area, it IS in a secured area, but that area is offsite and the security of that room cannot be guaranteed, what if the PIX is stolen?

Asked by: jkeegan123

1 Solution

karwak commented:
If you encrypt all confidential information (e.g. enable password...) in the config, what should happen if someone gets the config? Information about routing or infrastructure can easily be gathered in a remote office by just plugging in their own laptop...

Even access rules will not make somebody stop hacking your network. If it is properly configured you will have only the absolutely required ports open anyway....

Or do I miss something here?
 
jkeegan123 (Author) commented:
Scenario:

* Remote office has a PIX functioning as a VPN endpoint.
* PIX is in a locked room inside the building.
* The building is broken into, PIX stolen.

Now the configuration can be gotten off of that box with a password removal utility, which is not a big deal, EXCEPT that that box has the SHARED KEY for the VPN programmed into it.

I know that the SHARED KEY for the VPN connection does not show in the config when you do a show run, but if you do a "write tftp", and look at the file that is written,  the shared key shows up in cleartext.

Try it if you don't believe me, I've been recovering shared keys for poorly documented sites using this method for years.
 
karwak commented:
Hmmm, you're right!

Have you had a look at the Cisco Command Lookup Tool. There might be an option to encrypt this key as well...
 
jkeegan123 (Author) commented:
Nothing I could find.  The IOS routers have the option to self-destruct the config if the password is removed; some nastier ISPs do this on their managed edge equipment.  It just seems so likely that a PIX should be able to do this too...
 
karwak commented:
What's the exact command line for the VPN shared key. Can't find an example in the hurry ;-)....
 
jkeegan123 (Author) commented:
isakmp key PASSWORD address 24.24.24.24 netmask 255.255.255.255
 
karwak commented:
Funnily enough there's a howto for getting the keys at Cisco:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml

I read about the option to encrypt the key completely with IOS, but not with PIX/ASA... :-(
 
Pete Long (Technical Consultant) commented:
>>I know that the SHARED KEY for the VPN connection does not show in the config when you do a show run

beg to differ m8y :(

more system:running-config
 
Pete Long (Technical Consultant) commented:
Basically on a 500 series running v6 you're screwed. That sort of functionality was added in v7.
As the TAG for the question says it's a 515E, can you upgrade it to v7 and then issue a

no service password-recovery

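The thread's practical point is that a config dumped with "write tftp" (or shown with "more system:running-config") carries the ISAKMP pre-shared key in cleartext even though "show run" masks it, and that on PIX 6.x there is no "no service password-recovery" to fall back on. The following is an added example, not code from the thread or from Cisco: a small Python audit that scans a saved PIX config for cleartext VPN secrets, produces a redacted copy that is safe to archive, and reports whether the "no service password-recovery" line (PIX 7+) is present. The "isakmp key ... address ..." form is the one quoted in the thread; the "crypto isakmp key", "pre-shared-key" (tunnel-group ipsec-attributes) and "vpngroup ... password" forms are assumptions about the PIX 7/ASA and PIX 6 syntax. Both sample configs, including the hostname, addresses, key values and the password hash, are constructed for the example.

```python
"""
Audit a PIX config dump for cleartext VPN secrets and redact them.

Added example; not from the original thread.  Sample configs below are
constructed (hostnames, addresses, keys and hashes are all made up).
"""
import re
from typing import List, Tuple

# Each pattern isolates the secret so it can be reported or replaced.
# "isakmp key KEY address A.B.C.D netmask M" is the PIX 6.x form from the thread;
# the remaining forms are assumed PIX 7 / ASA and PIX 6 vpngroup syntax.
SECRET_PATTERNS = [
    re.compile(r"^(?P<pre>\s*isakmp key )(?P<secret>\S+)(?P<post> address .*)$"),
    re.compile(r"^(?P<pre>\s*crypto isakmp key )(?P<secret>\S+)(?P<post> address .*)$"),
    re.compile(r"^(?P<pre>\s*pre-shared-key )(?P<secret>\S+)(?P<post>\s*)$"),
    re.compile(r"^(?P<pre>\s*vpngroup \S+ password )(?P<secret>\S+)(?P<post>\s*)$"),
]
MASK = "*"  # how "show run" itself prints a hidden key


def find_cleartext_secrets(config: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, directive, secret) for every cleartext key in the dump.
    Lines already masked with '*' (the 'show run' rendering) are not reported."""
    hits = []
    for n, line in enumerate(config.splitlines(), 1):
        for pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m and m.group("secret") != MASK:
                hits.append((n, m.group("pre").strip(), m.group("secret")))
                break
    return hits


def redact(config: str) -> str:
    """Return a copy of the dump with every recognised secret replaced by '*'."""
    out = []
    for line in config.splitlines():
        for pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m:
                line = m.group("pre") + MASK + m.group("post")
                break
        out.append(line)
    return "\n".join(out) + ("\n" if config.endswith("\n") else "")


def password_recovery_disabled(config: str) -> bool:
    """True only if the explicit PIX 7+/ASA line is present.  Its absence means
    the ROMMON password-removal procedure still works against the box."""
    return any(l.strip() == "no service password-recovery" for l in config.splitlines())


# Constructed PIX 6.3 dump, as "write tftp" would produce it (key in the clear).
SAMPLE_CONFIG_V6 = """\
PIX Version 6.3(3)
hostname branch-pix
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
isakmp enable outside
isakmp key S3cretShar3d address 24.24.24.24 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
vpngroup remote-users password Hunter2Vpn
"""

# Constructed PIX 7 style dump with recovery disabled (assumed syntax).
SAMPLE_CONFIG_V7 = """\
PIX Version 7.0(1)
hostname branch-pix
no service password-recovery
tunnel-group 24.24.24.24 type ipsec-l2l
tunnel-group 24.24.24.24 ipsec-attributes
 pre-shared-key S3cretShar3d
"""


def audit(config: str) -> str:
    """Human-readable summary; the structured results come from the helpers above."""
    lines = [f"line {n}: cleartext secret in '{d}'" for n, d, _ in find_cleartext_secrets(config)]
    lines.append("password recovery: " + ("disabled" if password_recovery_disabled(config) else "ENABLED"))
    return "\n".join(lines)


if __name__ == "__main__":
    for name, cfg in (("v6", SAMPLE_CONFIG_V6), ("v7", SAMPLE_CONFIG_V7)):
        print(f"== {name} ==")
        print(audit(cfg))
        print(redact(cfg))
```

Run it against a real "write tftp" output by reading the file into a string and passing it to audit() and redact(); keep the unredacted copy only where the key itself is meant to live. The redaction is deliberately conservative: a line that is not matched by one of the known directives is left untouched, so a new directive form must be added to SECRET_PATTERNS before the script will report or mask it.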
 
jkeegan123 (Author) commented:
True, this is updated in v7, but in version 6.33 and lower, there is NO service password-encryption available.