RE: UPDATE- No Service Password-Recovery

From: Thomas Larus (tlarus@xxxxxxx)
Date: Fri Nov 30 2001 - 13:44:59 GMT-3


   
Does that mean that entering "no service password recovery" and saving
the config makes the router write to the boot rom? Pretty neat!

I hate to say it, but it seems like this whole field is becoming way too
centered on security. I know security is important, and that the
biggest security risks are employees, but perhaps the solution is to
vigorously prosecute employees who engage in criminal behaviour. It's
not like the employee who would mess with the router using password
recovery would always use gloves. Catch him and put him away for a few
years, and you will find fewer cases occurring.

I know. Corporations want to avoid any publicity about any security
problems, so the perps go largely unpunished, and all top network
managers will end up keeping spare boot roms locked in a safe in their
office, a safe that will have two combination locks, one memorized by
the top network manager, and the other memorized by the CIO. And if one
of them forgets the combo to that safe, then a technician from the
company that made that safe will have to make an expensive service call.
Of course, it will become impossible for anyone to get spare boot roms
without fulfilling all kinds of security procedures, otherwise the
malefactor would be able to get them, too.

And VPNs. Like all data is top secret. Heaven forbid that someone with
a sniffer in the internet somewhere finds out the menu for the company
picnic. It's not just the sensitive data that gets encrypted. All that
extra overhead for ALL traffic just to protect a very small amount of
data that is really sensitive. I know all this makes more jobs for
people like us, but gosh, wouldn't it be nice if we could ever get to
the point where we actually get to enjoy the full benefits of high
bandwidth and memory and processor power we have today unencumbered by
the extra overhead of encryption. Sometimes it seems like it's all a
scam to make everyone buy new computers and purchase more bandwidth.

It's like we have all bought expensive sports cars and then put 65 MPH
governors on them.

I know, all this ranting just because of a feature that was put in there
for some top-security outfit. But I guarantee you that there will be
tons of corporate managers who will decide to implement a policy that
all Cisco equipment will have "no service password-recovery". Then when
the company goes belly-up (as they so often do, these days), and the
equipment is sold at auction or to a liquidator, we will all have to get
boot roms to make the equipment work (IF we are lucky enough to have
read this thread and know of the simple solution).

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Harris, Joe F
Sent: Friday, November 30, 2001 10:27 AM
To: ccielab@groupstudy.com
Subject: OT:UPDATE- No Service Password-Recovery

All:

There was a thread floating around a month or so ago regarding the "no
service password-recovery" command. Most people say that the command
cannot be "undone" once it has been issued and therefore should be
avoided at all costs. TAC will even inform you that you must return the
router to Cisco in order to reverse the effect of the command; however,
there is a simple fix that will allow you to circumvent the effects of
the command. The only downside to reversing the command is that you need
a small amount of extra equipment in order to reverse it, like a new
BootROM. Here is an example:

USED WITH "NO SERVICE PASSWORD-RECOVERY", WROTE THE CONFIG TO MEM & RELOADED

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info

C2600 platform with 49152 Kbytes of main memory <-Issued Break
PC = 0x8000830c, Vector = 0x500, SP = 0x82fffeb0
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80008000, size: 0x928024
Self decompressing the image : ####################################

CHANGED BOOTROM:
System Bootstrap, Version 11.3(2)XA3, PLATFORM SPECIFIC RELEASE SOFTWARE (fc1)
Copyright (c) 1998 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 49152 Kbytes of main memory
program load complete, entry point: 0x80008000, size: 0x928024
Self decompressing the image : ##############################
!
!Reloaded Router and Attempted to enter rommon>
!
System Bootstrap, Version 11.3(2)XA3, PLATFORM SPECIFIC RELEASE SOFTWARE (fc1)
Copyright (c) 1998 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 49152 Kbytes of main memory
PC = 0xfff0a53c, Vector = 0x500, SP = 0x8000488c
monitor: command "boot" aborted due to user interrupt
rommon 1 >

-Joe
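
The console transcripts Joe quotes show the two observable outcomes of a
break sent during boot: the XA4 bootstrap answers "PASSWORD RECOVERY
FUNCTIONALITY IS DISABLED" and keeps loading, while after the BootROM swap
the XA3 bootstrap drops to "rommon 1 >". A defender who logs router console
output through a terminal server can audit those captures for exactly this
difference, and can notice when the "System Bootstrap, Version" string no
longer matches the version recorded for the device. The script below is an
added example written for this thread, not code from either poster or from
Cisco. It assumes boot output captured as plain text (the samples are
constructed, modelled on the quoted transcripts), and it treats the
"PC = ..., Vector = ..." line as evidence that a break was delivered, which
is an assumption taken from the annotated transcript rather than a
documented bootstrap behaviour.

```python
import re

# Constructed samples modelled on the transcripts quoted above.
# Break sent, bootstrap honoured "no service password-recovery".
CAPTURE_ENFORCED = """\
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
C2600 platform with 49152 Kbytes of main memory
PC = 0x8000830c, Vector = 0x500, SP = 0x82fffeb0
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80008000, size: 0x928024
"""

# Break sent after the BootROM swap: the break reached the ROM monitor.
CAPTURE_BYPASSED = """\
System Bootstrap, Version 11.3(2)XA3, PLATFORM SPECIFIC RELEASE SOFTWARE (fc1)
Copyright (c) 1998 by cisco Systems, Inc.
C2600 platform with 49152 Kbytes of main memory
PC = 0xfff0a53c, Vector = 0x500, SP = 0x8000488c
monitor: command "boot" aborted due to user interrupt
rommon 1 >
"""

# Ordinary boot with no break at all; nothing can be concluded from it.
CAPTURE_NO_BREAK = """\
System Bootstrap, Version 11.3(2)XA3, PLATFORM SPECIFIC RELEASE SOFTWARE (fc1)
Copyright (c) 1998 by cisco Systems, Inc.
C2600 platform with 49152 Kbytes of main memory
program load complete, entry point: 0x80008000, size: 0x928024
"""

BOOTSTRAP_RE = re.compile(r"^System Bootstrap, Version (\S+),", re.M)
PLATFORM_RE = re.compile(r"^(\S+) platform with (\d+) Kbytes", re.M)
# Assumption: this register dump is printed when a break is delivered.
BREAK_RE = re.compile(r"^PC = 0x[0-9a-fA-F]+, Vector = ", re.M)
ROMMON_RE = re.compile(r"^rommon \d+ >", re.M)
DISABLED_MARK = "PASSWORD RECOVERY FUNCTIONALITY IS DISABLED"
ABORT_MARK = 'aborted due to user interrupt'


def classify_boot_capture(text):
    """Parse one console boot capture and say what the break attempt showed.

    verdict is one of:
      enforced     - bootstrap refused the break (recovery disabled)
      bypassed     - break reached rommon, so recovery is NOT enforced
      inconclusive - no break evidence in the capture
    """
    ver = BOOTSTRAP_RE.search(text)
    plat = PLATFORM_RE.search(text)
    result = {
        "bootstrap": ver.group(1) if ver else None,
        "platform": plat.group(1) if plat else None,
        "memory_kb": int(plat.group(2)) if plat else None,
        "break_seen": bool(BREAK_RE.search(text)),
    }
    if DISABLED_MARK in text:
        result["verdict"] = "enforced"
    elif ROMMON_RE.search(text) or ABORT_MARK in text:
        result["verdict"] = "bypassed"
    else:
        result["verdict"] = "inconclusive"
    return result


def audit_capture(text, expected_bootstrap=None):
    """Classify a capture and list findings worth raising to the device owner.

    expected_bootstrap is the bootstrap version recorded in inventory for the
    device; a mismatch is the signature of a swapped BootROM.
    """
    result = classify_boot_capture(text)
    findings = []
    if result["verdict"] == "bypassed":
        findings.append("break reached rommon: password recovery is not enforced")
    if expected_bootstrap and result["bootstrap"] != expected_bootstrap:
        findings.append("bootstrap changed: expected %s, saw %s"
                        % (expected_bootstrap, result["bootstrap"]))
    result["findings"] = findings
    return result


if __name__ == "__main__":
    for name, cap in (("enforced", CAPTURE_ENFORCED),
                      ("bypassed", CAPTURE_BYPASSED),
                      ("no_break", CAPTURE_NO_BREAK)):
        print(name, audit_capture(cap, expected_bootstrap="11.3(2)XA4"))
```

Run against captures from a console server, the audit turns the thread's
observation into two checks: the break must be answered with the DISABLED
banner rather than a rommon prompt, and the bootstrap version string must
match what inventory says was installed. Either finding on a router that is
supposed to run with "no service password-recovery" deserves a physical
inspection of the box.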



This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:27 GMT-3