[c-nsp] disable console port

Ed Ravin eravin at panix.com
Fri Jul 1 11:53:24 EDT 2005


On Fri, Jul 01, 2005 at 11:52:06AM +1000, Matt Hill wrote:
> One valid reason I can think of is to protect ISAKMP keys or passwords
> or the like.  However I do agree if your physical security isn't up to
> scratch then not much else matters...
> 
> But to stop password recovery the config is:
> 
> No service password-recovery
> 
> What this will do is when someone attempts a password recovery they will
> not be able to, and all they can do is restore the router to a default
> config rather than just bypassing the startup config.  This will protect
> the config on the box but isn't going to stop someone running away with
> it!

Or grabbing the flash card with the config on it and analyzing it elsewhere.

Pop quiz - how many people here would notice if an attacker yanked your
flash card for a few hours, or maybe even days, and then put it back?

If you ran RANCID, depending on how often you had it checking the routers,
you'd get email about the hardware change.  Would other router management
products notice this?
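
The poll-and-diff idea raised above, as an added example that is not part of the original post and is not RANCID's code: it diffs consecutive hardware inventory snapshots and shows that a card pulled and returned between two polls raises no alert. The snapshot text, the hour-based timeline and all function names are assumptions constructed for illustration.

```python
import difflib

# Constructed inventory snapshots (illustrative text, not real device output).
WITH_CARD = """\
chassis: router-a
slot0: flash card, 32768K bytes
nvram: 128K bytes
"""
WITHOUT_CARD = """\
chassis: router-a
nvram: 128K bytes
"""

def diff_inventory(old, new):
    """Return ('-'|'+', line) for every inventory line removed or added."""
    out = []
    for d in difflib.ndiff(old.splitlines(), new.splitlines()):
        if d[:2] in ("- ", "+ "):
            out.append((d[0], d[2:]))
    return out

def alerts(polls):
    """polls: list of (hour, inventory_text) in time order.
    Each poll is compared with the previous one, as a periodic collector would."""
    found = []
    for (_, prev), (hour, cur) in zip(polls, polls[1:]):
        for op, line in diff_inventory(prev, cur):
            found.append((hour, op, line))
    return found

def inventory_at(hour, removed_from, removed_until):
    """Constructed device state: card absent during [removed_from, removed_until)."""
    return WITHOUT_CARD if removed_from <= hour < removed_until else WITH_CARD

def run(poll_every, removed_from, removed_until, hours=48):
    """Poll every `poll_every` hours over `hours` hours and return the alerts."""
    polls = [(h, inventory_at(h, removed_from, removed_until))
             for h in range(0, hours + 1, poll_every)]
    return alerts(polls)

if __name__ == "__main__":
    # Card pulled at hour 5 and put back at hour 11.
    print("hourly:", run(1, 5, 11))   # removal and reinsertion both reported
    print("daily: ", run(24, 5, 11))  # both polls see the card, nothing reported
```

A collector that only diffs state at poll time cannot see an absence that starts and ends inside one polling interval; catching that needs an event source on the device side, such as its own log of card removal and insertion.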

