Skip to main content

No Service Password Recovery - It is not the end of the world

Myth


Having a chat with some people and this came up in conversation, "no service password recovery" and people seemed to be taking it quite literally. e.g. if you forget your password the devices it is dead and needs to go back to Cisco, not being a security guy I though ok, but it was bothering me. So a quick lookup on cisco http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gtnsvpwd.html

Fact


In fact what this feature does is prevent you from getting access to the startup configuration, you can recover the device to FACTORY DEFAULT - the config has gone. Of course will have a backup of the config so it should be no big deal to switch this feature on every device, assuming the device supports it.

 

Take Note of the comments : "

Before deploying this feature, TEST the password recovery. Some platforms (based on ROMMON version) are EXTREMELY hard to recover.

http://blog.ioshints.info/2007/12/recovering-from-disabled-password.html

"

Thanks Ivan

 

Comments

  1. Before deploying this feature, TEST the password recovery. Some platforms (based on ROMMON version) are EXTREMELY hard to recover.

    http://blog.ioshints.info/2007/12/recovering-from-disabled-password.html

    ReplyDelete
  2. Yep, we like to use this feature when deploying equipment into semi-trusted or untrusted environments. Gear residing at a vendor/partner's site, small ASAs/routers deployed to employee's homes for EasyVPN, etc. If someone wants to get clever and crack the device for fun, or it gets stolen, they will get nothing useful.

    Good post to clarify the feature!

    ReplyDelete

Post a Comment

Popular posts from this blog

Break the Network Emulators out of the Cloud

Cisco IOU and JunoSphere Recently both Cisco and Juniper have announced the availability of online resources to provide hands on training over the internet. They have built software emulators in the cloud that can be accessed remotely for a cost. These solutions are based purely around the certification programs and therefore are pretty rigid in the topology that are provided, not to mention the re-occurring cost. http://www.juniper.net/us/en/company/press-center/press-releases/2011/pr_2011_05_16-03_01.html https://learningnetworkstore.cisco.com/market/prod/listSubCatLearnLab.se.work?TRGT=85&/nxt/rcrs/=2559 Rack Rentals There are training providers such as Internetwork Expert (http://www.ine.com/) and IPexpert (http://www.ipexpert.com/) who provide rack rentals based on their training materials. These guy cannot possibly compete going forward. To keep these sustainable they will need to reduce the overhead of building physical racks, providing power and space for the racks. Using e

VMWARE ESXi 5.0 Command line quickies

Hi, It has been a long time since my last posts, but recently I have been working on my home ESXi lab so I thought I would share. I switched over to using Apple Mac just over a year ago, so I don't have a windows machine running by default to run the vSphere client software and generally all I want to do is startup VMs and switch off the ESXi server when I am done. I did some searching and found that I could use vmware vim-cmd if I SSHed into the ESXi server. This need to be enabled at the console, then you can use putty or your tool of choice to connect. Anyway there are several commands the following to me are most useful. List all Virtual Machines vim-cmd vmsvc/getallvms Get a Virtual Machines state (on/off etc) vim-cmd  vmsvc/power.getstate Power on a virtual machine vim-cmd vmsvc/power.on Combining command to a one liner you can find out the power on state of all Virtual Machines vim-cmd vmsvc/getallvms && for x in `vim-cmd vmsvc/getallvms|

Where are all the AAA and PKI solutions gone for Dot1x

More Question than answers (This series will be based on an enterprise with >20,000 dot1x devices) I have been looking into dot1x authentication for Wired and Wireless devices based on device identity using x.509 Certificates. While I understand PKI, AAA, PEAP and sorts I had never really had the opertunity to bring these technologies together. I quickly found out that despite this stuff being around for years,  it was difficult to answer the following questions: Which PKI solution should I use? Which AAA solution should I use? How to setup the PKI solution? Does the PKI server need to be part of AD? What if the clients are not in AD e.g. Wireless Tablets? How do I issue certificates for devices? How to configure the devices (wired and wireless)? What AAA server do I use? How do configure the rules and policies and identify clients?   What are the answers? I am going to kick off a series here at networking-guru.net that tries to address the question above; I have l