Solved

Protect a PIX config from password removal utilities - can the PIX erase its own config as a security measure if passwords are removed?

Posted on 2008-06-25
280 Views
Last Modified: 2013-11-16
Is it possible to have the PIX erase the startup-config if the password is removed in ROMMON using the (well known) BIN file utility?

Asked another way:  What measures can be taken to prevent a PIX from having its configuration leaked, especially using password removal utilities?

* My password is already hardened.
* I know that the best security measure is to keep the device in a locked, secured area. It IS in a secured area, but that area is offsite and the security of that room cannot be guaranteed. What if the PIX is stolen?

Question by:jkeegan123
10 Comments
 
LVL 5

Expert Comment

by:karwak
ID: 21865824
If you encrypt all confidential information (e.g. enable password...) in the config, what should happen if someone gets the config? Information about routing or infrastructure can easily be gathered in a remote office by just plugging in your own laptop...

Even access rules will not make somebody stop hacking your network. If it is properly configured you will have only the absolutely required ports open anyway....

Or am I missing something here?
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 21865878
Scenario:

* Remote office has a PIX functioning as a VPN endpoint.
* PIX is in a locked room inside the building.
* The building is broken into, PIX stolen.

Now the configuration can be gotten off of that box with a password removal utility, which is not a big deal, EXCEPT that that box has the SHARED KEY for the VPN programmed into it.

I know that the SHARED KEY for the VPN connection does not show in the config when you do a show run, but if you do a "write tftp" and look at the file that is written, the shared key shows up in cleartext.

Try it if you don't believe me, I've been recovering shared keys for poorly documented sites using this method for years.
0
 
LVL 5

Expert Comment

by:karwak
ID: 21865924
Hmmm, you're right!

Have you had a look at the Cisco Command Lookup Tool? There might be an option to encrypt this key as well...
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 21865964
Nothing I could find. The IOS routers have the option to self-destruct the config if the password is removed; some nastier ISPs do this on their managed edge equipment. It just seems so likely that a PIX should be able to do this too...
0
 
LVL 5

Expert Comment

by:karwak
ID: 21865991
What's the exact command line for the VPN shared key? Can't find an example in the hurry ;-)....
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 21866024
isakmp key PASSWORD address 24.24.24.24 netmask 255.255.255.255
0
 
LVL 5

Expert Comment

by:karwak
ID: 21866275
Funnily enough there's a howto for getting the keys at Cisco:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml

I read about the option to encrypt the key completely with IOS, but not with PIX/ASA... :-(
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 21866295
>>I know that the SHARED KEY for the VPN connection does not show in the config when you do a show run

beg to differ m8y :(

more system:running-config
0
 
LVL 57

Accepted Solution

by:Pete Long (earned 2000 total points)
ID: 21866343
Basically, on a 500 series running v6 you're screwed. That sort of functionality was added in v7.
As the TAG for the Question says it's a 515E, can you upgrade it to v7 and then issue a

no service password-recovery

0
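Added example (Python; not from the thread, and not a Cisco tool): a small audit that scans a saved PIX configuration dump for the exposures discussed above, so an admin can see what a stolen box would give away before it is stolen. It flags an `isakmp key ... address ...` pre-shared key stored in cleartext (the command format quoted by the author), `enable password`/`passwd` lines lacking the `encrypted` keyword, and, on a 7.x image, a missing `no service password-recovery` (the mitigation from the accepted solution). The sample configs are constructed, the key and password values are placeholders, and the `PIX Version` header line and the `passwd` line format are assumptions about the dump layout. Secrets are redacted in the report so the audit output is not itself a leak.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a PIX 6.x config dump (not a real device). The isakmp
# key line follows the command format quoted in the thread; the key is a placeholder.
SAMPLE_PIX6_CONFIG = """\
PIX Version 6.3(3)
nameif ethernet0 outside security0
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
isakmp key ExampleSharedKey address 24.24.24.24 netmask 255.255.255.255
isakmp enable outside
"""

# Constructed 7.x sample: recovery disabled, but the enable password is stored unencrypted.
SAMPLE_PIX7_CONFIG = """\
PIX Version 7.0(4)
enable password plaintextexample
no service password-recovery
"""

# Constructed 7.x sample with both issues addressed.
HARDENED_PIX7_CONFIG = """\
PIX Version 7.0(4)
enable password 8Ry2YjIyt7RRXU24 encrypted
no service password-recovery
"""


@dataclass
class Finding:
    line_no: int      # 0 means the finding applies to the config as a whole
    kind: str
    detail: str


# Assumed dump layout: version header line, then one command per line.
VERSION_RE = re.compile(r"^\s*PIX\s+Version\s+(\d+)\.")
ISAKMP_KEY_RE = re.compile(r"^\s*isakmp\s+key\s+(\S+)\s+address\s+(\S+)")
LOCAL_PW_RE = re.compile(r"^\s*(enable\s+password|passwd)\s+(\S+)(\s+encrypted)?\s*$")
NO_RECOVERY_RE = re.compile(r"^\s*no\s+service\s+password-recovery\s*$", re.M)


def redact(secret: str) -> str:
    """Keep only the first character and the length, so the report can be shared."""
    return f"{secret[0]}{'*' * (len(secret) - 1)} ({len(secret)} chars)"


def pix_major_version(config: str) -> Optional[int]:
    """Return the major software version from the header, or None if absent."""
    for line in config.splitlines():
        m = VERSION_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def audit_pix_config(config: str) -> List[Finding]:
    """Report secrets that would be readable by anyone holding the config file."""
    findings: List[Finding] = []
    for n, line in enumerate(config.splitlines(), start=1):
        m = ISAKMP_KEY_RE.match(line)
        if m:
            findings.append(Finding(n, "cleartext-isakmp-key",
                                    f"peer {m.group(2)}: key {redact(m.group(1))}"))
            continue
        m = LOCAL_PW_RE.match(line)
        if m and not m.group(3):
            findings.append(Finding(n, "unencrypted-password",
                                    f"{m.group(1)}: {redact(m.group(2))}"))

    major = pix_major_version(config)
    if major is not None and major < 7:
        # 6.x has no way to disable ROMMON password recovery at all.
        findings.append(Finding(0, "password-recovery-enabled",
                                "PIX 6.x cannot disable password recovery; "
                                "upgrade to 7.x and set 'no service password-recovery'"))
    elif major is not None and not NO_RECOVERY_RE.search(config):
        findings.append(Finding(0, "password-recovery-enabled",
                                "'no service password-recovery' is not set"))
    return findings


if __name__ == "__main__":
    for name, cfg in [("pix6", SAMPLE_PIX6_CONFIG), ("pix7", SAMPLE_PIX7_CONFIG),
                      ("hardened", HARDENED_PIX7_CONFIG)]:
        print(f"== {name}")
        for f in audit_pix_config(cfg):
            print(f"  line {f.line_no}: {f.kind}: {f.detail}")
```

Run it against a `write tftp` dump of your own device; a clean report only means these particular exposures are absent, not that the rest of the configuration (routes, ACLs, peer addresses) is harmless to a thief.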
 
LVL 5

Author Closing Comment

by:jkeegan123
ID: 31470566
True, this is updated in v7, but in version 6.33 and lower, there is NO service password-encryption available.
0
