[c-nsp] disable console port
Sean Granger
sgranger at randfinancial.com
Fri Jul 1 11:58:20 EDT 2005
>>> Ed Ravin <eravin at panix.com> 07/01/05 10:53AM >>>
>>On Fri, Jul 01, 2005 at 11:52:06AM +1000, Matt Hill wrote:
>> One valid reason I can think of is to protect ISAKMP keys or passwords
>> or the like. However I do agree if your physical security isn't up to
>> scratch then not much else matters...
>>
>> But to stop password recovery the config is:
>>
>> No service password-recovery
>>
>> What this will do is when someone attempts a password recovery they will
>> not be able and all they can do is restore the router to a default
>> config rather than just bypassing the startup config. This will protect
>> the config on the box but isn't going to stop someone running away with
>> it!
>
>Or grabbing the flash card with the config on it and analyzing it elsewhere.
>
>Pop quiz - how many people here would notice if an attacker yanked your
>flash card for a few hours, or maybe even days, and then put it back?
>
>If you ran RANCID, depending on how often you had it checking the routers,
>you'd get email about the hardware change. Would other router management
>products notice this?
:: Cue the marketing materials ::
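
The point quoted above, that a periodic collector only notices a pulled flash card "depending on how often you had it checking the routers", as an added example that is not part of the original thread and is not RANCID's own code. The inventory lines, slot name and timeline are constructed for illustration and are not real device output.

```python
# Added illustration: snapshot diffing in the style of a periodic
# inventory collector. All inventory strings below are constructed.

FLASH = "slot0: 64MB compact flash"          # constructed inventory line
BASE = frozenset({
    FLASH,
    "chassis: router, 2 fixed ethernet",     # constructed
    "nvram: 256KB",                          # constructed
})


def inventory_at(hour, pulled_from, returned_at):
    """Constructed device state: card absent in [pulled_from, returned_at)."""
    if pulled_from <= hour < returned_at:
        return BASE - {FLASH}
    return BASE


def diff(prev, cur):
    """Diff-style change list between two snapshots."""
    removed = ["- " + line for line in prev - cur]
    added = ["+ " + line for line in cur - prev]
    return sorted(removed + added)


def poll(interval_h, total_h, pulled_from, returned_at):
    """Poll every interval_h hours and return (hour, changes) alerts."""
    alerts = []
    prev = inventory_at(0, pulled_from, returned_at)   # baseline snapshot
    for hour in range(interval_h, total_h + 1, interval_h):
        cur = inventory_at(hour, pulled_from, returned_at)
        changes = diff(prev, cur)
        if changes:
            alerts.append((hour, changes))
        prev = cur
    return alerts


if __name__ == "__main__":
    # Card pulled at hour 3 and put back at hour 7, watched for 48 hours.
    for interval in (1, 4, 24):
        print(interval, poll(interval, 48, pulled_from=3, returned_at=7))
```

With the card out for four hours, hourly and four-hourly polling each raise a removal and a reinsertion alert, while a daily poll sees identical snapshots and raises nothing.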