console protection on a cisco router

Discussion in 'Cisco' started by priyati09@gmail.com, Jun 15, 2007.

  1. Guest

    I am testing for console protection on a Cisco 2610 router.

    The console port of a typical Cisco router has 2 levels of protection:
    1 being the 'login' or 'view' password, and the second being the
    'enable' password where you can actually re-configure the router.
    Best way to protect the router from a console port hack/access is to
    secure it physically and to configure both access and enable passwords
    on it.

    My question is:
    Does the router automatically wipe out the config when you break in,
    can someone see the config when it breaks?
    If it does not do this automatically, is there a config setting that
    says upon break-in, remove all configs?
    , Jun 15, 2007
    #1

  2. Chad Mahoney Guest

    wrote:
    > I am testing for console protection on a Cisco 2610 router.
    >
    > The console port of a typical Cisco router has 2 levels of protection:
    > 1 being the 'login' or 'view' password, and the second being the
    > 'enable' password where you can actually re-configure the router.
    > Best way to protect the router from a console port hack/access is to
    > secure it physically and to configure both access and enable passwords
    > on it.
    >
    > My question is:
    > Does the router automatically wipe out the config when you break in,
    > can someone see the config when it breaks?
    > If it does not do this automatically, is there a config setting that
    > says upon break-in, remove all configs?
    >



    Just curious how the router would know there was a break-in, I mean a
    person would have to enter a proper username and password to gain
    access, how would the router know it was unauthorized if the correct
    credentials were used?
    Chad Mahoney, Jun 15, 2007
    #2

  3. writes:
    >I am testing for console protection on a Cisco 2610 router.


    >The console port of a typical Cisco router has 2 levels of protection:
    >1 being the 'login' or 'view' password, and the second being the
    >'enable' password where you can actually re-configure the router.
    >Best way to protect the router from a console port hack/access is to
    >secure it physically and to configure both access and enable passwords
    >on it.


    If you've properly secured it physically, you generally aren't too
    concerned about console port access in most environments.

    >My question is:
    >Does the router automatically wipe out the config when you break in,
    >can someone see the config when it breaks?
    >If it does not do this automatically, is there a config setting that
    >says upon break-in, remove all configs?


    I assume that you mean invoke password recovery.

    No, a router, unlike a firewall, generally does not wipe the config
    out when you do password recovery. The full config is there after
    doing so. The main security protection Cisco has designed in is that
    after doing password recovery, the router will have all interfaces in
    a shutdown state, so if somebody has done it "accidentally"
    (i.e. messing around), the router generally will signal by it not
    passing traffic that something has happened.

    No, there is no config option that tells the router to wipe the config
    upon password recovery the way you are thinking...
    BUT, there is an undocumented option (which actually gets mentioned
    a lot in tech notes nowadays, maybe it has reached documentation status)
    to tell the router to not allow password recovery to happen.

    no service password-recovery

    Once you do this, then you can't do password-recovery, although with
    this on, some platforms have a way to wipe the config during a certain
    step in the boot process.

    Others do not, especially older systems, so once you do this, there
    will be no way to wipe out the config to get back into the box on
    those platforms, and you'd end up with a brick for that older system.

    http://www.cisco.com/en/US/products...s_configuration_example09186a00801d8113.shtml
    Doug McIntyre, Jun 15, 2007
    #3
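
An offline check for the three protections this thread discusses (console login password, enable password, and `no service password-recovery`), as an added example that is not part of any poster's message or of Cisco's tooling. The sample configs are constructed, `console_block` and `audit` are hypothetical helper names, and the input is assumed to be `show running-config` text with indented sub-commands.

```python
# Constructed sample configs (not from the thread); secrets are placeholders.
WEAK = """\
enable password PLACEHOLDER
line con 0
line vty 0 4
 password PLACEHOLDER
 login
"""
HARDENED = """\
no service password-recovery
enable secret 5 PLACEHOLDER_HASH
line con 0
 password 7 PLACEHOLDER
 login
"""

def console_block(config):
    """Return the indented sub-commands that follow 'line con 0'."""
    lines = config.splitlines()
    if "line con 0" not in lines:
        return []
    block = []
    for sub in lines[lines.index("line con 0") + 1:]:
        if not sub.startswith(" "):
            break  # next top-level command ends the console section
        block.append(sub.strip())
    return block

def audit(config):
    """List findings for the console protections discussed in the thread."""
    findings = []
    con = console_block(config)
    top = [l for l in config.splitlines() if l and not l.startswith(" ")]
    # 'login' needs a line password to check against; 'login local' uses usernames.
    has_password = any(c.startswith("password ") for c in con)
    if "login local" not in con and not ("login" in con and has_password):
        findings.append("console: no login password enforced")
    if not any(l.startswith(("enable secret ", "enable password ")) for l in top):
        findings.append("enable: no enable password or secret set")
    elif not any(l.startswith("enable secret ") for l in top):
        findings.append("enable: only 'enable password' set, no 'enable secret'")
    if "no service password-recovery" not in top:
        findings.append("recovery: password recovery enabled, config survives it")
    return findings

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

Treat the recovery finding as informational: as the reply above notes, some older platforms offer no way back into the box once password recovery is disabled.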