Solved

Protect a PIX config from password removal utilities - can the PIX erase it's own config as a security measure if passwords are removed?

Posted on 2008-06-25
Last Modified: 2013-11-16
Is it possible to have the PIX erase the startup-config if the password is removed in ROMMON using the (well known) BIN file utility?

Asked another way:  What measures can be taken to prevent a PIX from having its configuration leaked, especially using password removal utilities?

* My password is already hardened
* I know that the best security measure is to keep the device in a locked, secured area. It IS in a secured area, but that area is offsite and the security of that room cannot be guaranteed. What if the PIX is stolen?

Question by:jkeegan123
10 Comments
 
LVL 5

Expert Comment

by:karwak
ID: 21865824
If you encrypt all confidential information (e.g. enable password...) in the config, what should happen if someone gets the config? Information about routing or infrastructure can easily be gathered in a remote office by just plugging in one's own laptop...

Even access rules will not make somebody stop hacking your network. If it is properly configured you will have only the absolutely required ports open anyway....

Or do I miss something here?
 
LVL 5

Author Comment

by:jkeegan123
ID: 21865878
Scenario:

* Remote office has a PIX functioning as a VPN endpoint.
* PIX is in a locked room inside the building.
* The building is broken into, PIX stolen.

Now the configuration can be gotten off of that box with a password removal utility, which is not a big deal, EXCEPT that that box has the SHARED KEY for the VPN programmed into it.

I know that the SHARED KEY for the VPN connection does not show in the config when you do a show run, but if you do a "write tftp", and look at the file that is written,  the shared key shows up in cleartext.

Try it if you don't believe me, I've been recovering shared keys for poorly documented sites using this method for years.
 
LVL 5

Expert Comment

by:karwak
ID: 21865924
Hmmm, you're right!

Have you had a look at the Cisco Command Lookup Tool. There might be an option to encrypt this key as well...
 
LVL 5

Author Comment

by:jkeegan123
ID: 21865964
Nothing I could find.  The IOS routers have the option to self-destruct the config if the password is removed; some nastier ISPs do this on their managed edge equipment.  It just seems so likely that a PIX should be able to do this too...
 
LVL 5

Expert Comment

by:karwak
ID: 21865991
What's the exact command line for the VPN shared key? Can't find an example in a hurry ;-)....
 
LVL 5

Author Comment

by:jkeegan123
ID: 21866024
isakmp key PASSWORD address 24.24.24.24 netmask 255.255.255.255
 
LVL 5

Expert Comment

by:karwak
ID: 21866275
Funnily enough there's a howto for getting the keys at Cisco:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml

I read about the option to encrypt the key completely with IOS, but not with PIX/ASA... :-(
 
LVL 57

Expert Comment

by:Pete Long
ID: 21866295
>>I know that the SHARED KEY for the VPN connection does not show in the config when you do a show run

beg to differ m8y :(

more system:running-config
 
LVL 57

Accepted Solution

by:Pete Long (earned 500 total points)
ID: 21866343
Basically on a 500 series running v6 you're screwed. That sort of functionality was added in v7.
As the TAG for the question says it's a 515E, can you upgrade it to v7 and then issue a

no service password-recovery

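The thread's practical point is that a PIX config dump taken with `write tftp` or `more system:running-config` carries the ISAKMP pre-shared key in cleartext even though `show run` masks it, so any stored backup of such a dump is as sensitive as the box itself. As an added example that is not part of the thread (and not Cisco's or Experts Exchange's code), the script below audits a dump for pre-shared keys that survive in cleartext, checks for the v7+ `no service password-recovery` line the accepted answer recommends, and redacts the keys before the dump is archived. All config text, hostnames, addresses and keys are constructed; the ASA `tunnel-group ... ipsec-attributes / pre-shared-key` form goes beyond the PIX 6.x `isakmp key` syntax shown in the thread.

```python
"""Audit a PIX/ASA config dump for cleartext VPN pre-shared keys and redact them.

Added example for this thread; not code from the original post or from Cisco.
All config text, hostnames, addresses and keys below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# PIX 6.x form used in the thread:  isakmp key <psk> address <peer> netmask <mask>
ISAKMP_KEY_RE = re.compile(r"^(\s*isakmp key )(\S+)( address (\S+).*)$")
# PIX 7.x / ASA form: the key sits under "tunnel-group <peer> ipsec-attributes"
TUNNEL_GROUP_RE = re.compile(r"^\s*tunnel-group (\S+) ipsec-attributes")
PSK_RE = re.compile(r"^(\s*(?:ikev1 )?pre-shared-key )(\S+)(.*)$")
# "show run" prints the key as asterisks; a real dump prints the key itself.
MASKED_RE = re.compile(r"^\*+$")

# Constructed PIX 6.3 dump: one key as "write tftp" leaves it, one already masked.
SAMPLE_PIX6 = """\
PIX Version 6.3(3)
hostname branch-pix
enable password XXXXXXXXXXXXXXXX encrypted
isakmp enable outside
isakmp key S3cretPSK address 203.0.113.10 netmask 255.255.255.255
isakmp key ******** address 203.0.113.11 netmask 255.255.255.255
"""

# Constructed ASA 7.2 dump with password recovery disabled.
SAMPLE_ASA = """\
ASA Version 7.2(4)
hostname branch-asa
no service password-recovery
tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 ipsec-attributes
 pre-shared-key Another-Secret-42
"""


def find_psks(config: str) -> List[Tuple[str, str, bool]]:
    """Return (peer, key, is_cleartext) for every pre-shared key in the dump."""
    found: List[Tuple[str, str, bool]] = []
    peer: Optional[str] = None  # tunnel-group whose indented block we are inside
    for line in config.splitlines():
        m = ISAKMP_KEY_RE.match(line)
        if m:
            key = m.group(2)
            found.append((m.group(4), key, MASKED_RE.match(key) is None))
            continue
        m = TUNNEL_GROUP_RE.match(line)
        if m:
            peer = m.group(1)
            continue
        if not line.startswith(" "):
            peer = None  # an unindented line ends the tunnel-group block
            continue
        m = PSK_RE.match(line)
        if m and peer is not None:
            key = m.group(2)
            found.append((peer, key, MASKED_RE.match(key) is None))
    return found


def password_recovery_disabled(config: str) -> bool:
    """True if the dump carries the v7+ line the accepted answer recommends."""
    return any(l.strip() == "no service password-recovery" for l in config.splitlines())


def redact_psks(config: str) -> str:
    """Replace every pre-shared key with asterisks before the dump is archived."""
    out = []
    for line in config.splitlines():
        line = ISAKMP_KEY_RE.sub(lambda m: m.group(1) + "********" + m.group(3), line)
        line = PSK_RE.sub(lambda m: m.group(1) + "********" + m.group(3), line)
        out.append(line)
    return "\n".join(out) + "\n"


def audit(config: str) -> Dict[str, List[str]]:
    """Summarise the exposure if this dump (or the box holding it) is lost."""
    psks = find_psks(config)
    findings = [f"cleartext pre-shared key for peer {p}" for p, _, clear in psks if clear]
    if not password_recovery_disabled(config):
        findings.append("password recovery not disabled (needs PIX 7.x or ASA)")
    return {
        "cleartext_peers": [p for p, _, clear in psks if clear],
        "masked_peers": [p for p, _, clear in psks if not clear],
        "findings": findings,
    }


if __name__ == "__main__":
    for name, dump in (("pix6", SAMPLE_PIX6), ("asa", SAMPLE_ASA)):
        print(name, audit(dump))
    print(redact_psks(SAMPLE_PIX6))
```

Run it against the dumps a TFTP backup server already holds: every `cleartext_peers` entry names a VPN peer whose key must be rotated if that backup or the device ever leaves your control, and `redact_psks` gives a copy that is safe to keep alongside the device inventory. On a PIX 6.x box the only full mitigation the thread identifies is the upgrade to v7 so that `no service password-recovery` is available.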
 
LVL 5

Author Closing Comment

by:jkeegan123
ID: 31470566
True, this is updated in v7, but in version 6.33 and lower, there is NO service password-encryption available.
