[j-nsp] Password Recovery
Scott Morris
swm at emanon.com
Mon Nov 28 00:04:58 EST 2005
Right... It would seem more likely a good configuration of AAA with some
emphasis on logging and accounting for all user access and commands entered
would better suit the paranoia than making other lockdowns that are all moot
if you have physical access anyway.
Scott
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Stacy W. Smith
Sent: Sunday, November 27, 2005 11:58 PM
To: jnsp list
Subject: Re: [j-nsp] Password Recovery
On Nov 27, 2005, at 7:04 PM, Thomas Salmen wrote:
>
> I should have mentioned this in my original post: this box is actually
> a J-series in a not-completely-secure customer/POP site.
>
> I don't know a great deal about the J-series physical construction -
> I assume that config is stored on internal flash rather than a CF card
> or hard drive?
The primary boot media, which also stores the config, on a J-series router
is a CF card inserted in the rear of the chassis. This CF card is behind a
metal cover with thumbscrew. Physical access makes it trivial to remove the
CF card.
Of course, neither password recovery nor CF card removal can be accomplished
without temporarily disrupting operation of the router.
That could easily be detected with remote monitoring.
Physical access ALWAYS makes it possible for someone malicious to disrupt
operation of the local router. It's just a matter of whether the malicious
person needs a paper clip or a hammer to get the job done. If this is truly
a risk you are concerned about, physically secure the router (along with
cabling and power).
You seem most concerned about mis-configuration disrupting operation.
While that's a valid concern, it seems unlikely that password recovery
and/or physical access are the avenues that lead to that mis-configuration.
--Stacy
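
Added example, not part of the original thread: one way the remote monitoring mentioned above can flag the reboot that password recovery or CF card removal forces, by checking successive SNMP sysUpTime polls for continuity. The poll values are constructed, and the function name, event labels and 10-second slack are assumptions of this sketch.

```python
WRAP = 2 ** 32  # sysUpTime is 32-bit TimeTicks (1/100 s); it wraps after ~497 days


def scan(samples, slack_s=10):
    """Flag reboots and outages in a series of sysUpTime polls.

    samples: (poll_epoch_s, sysUpTime_ticks) tuples, with None for the
    tick value when the poll timed out.
    Returns ("reboot", estimated_boot_epoch_s, missed_polls) or
    ("unreachable", last_good_poll_epoch_s, missed_polls) events.
    """
    events, prev, missed = [], None, 0
    for t, up in samples:
        if up is None:          # no answer: remember the gap, judge it later
            missed += 1
            continue
        if prev is not None:
            # Where the counter should be if the box ran continuously,
            # computed modulo 2**32 so a counter wrap is not a false alarm.
            expected = (prev[1] + (t - prev[0]) * 100) % WRAP
            # Signed distance between observed and expected values.
            drift = (up - expected + WRAP // 2) % WRAP - WRAP // 2
            if abs(drift) > slack_s * 100:
                # Counter restarted: the router rebooted between polls.
                events.append(("reboot", t - up // 100, missed))
            elif missed:
                # Counter kept running: path or agent outage, no reboot.
                events.append(("unreachable", prev[0], missed))
        prev, missed = (t, up), 0
    return events


# Constructed 5-minute polls: a counter wrap, a reboot, then a plain outage.
SAMPLES = [
    (1000, WRAP - 20000),
    (1300, 10000),   # wrapped, still continuous
    (1600, None),
    (1900, 6000),    # up for 60 s only: rebooted around t=1840
    (2200, 36000),
    (2500, None),
    (2800, 96000),   # missed a poll but uptime is continuous
]

if __name__ == "__main__":
    for event in scan(SAMPLES):
        print(event)
```

A reboot event with no matching change window is the signal to review console and AAA accounting logs for that period.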