Re: read only access and need to protect all sensitive

From: Marko Milivojevic <markom_at_ipexpert.com>
Date: Sat, 16 Feb 2013 10:33:52 -0800

That may not be possible in many cases.

The main difference between Type 5 and Type 7 is the reversibility of
the encryption. Type 5 passwords are irreversible, since they are only
locally verified, i.e. the router is the validator. However, when the
router itself needs to present its own credentials to other validators
(remote servers like RADIUS, TACACS, CHAP peers, etc.), use of
irreversible hashes is not possible - hence Type 7, which is a
two-way encryption (reversible).

That said, if auditors complain about the presence of Type 7 passwords
in places like RADIUS and TACACS keys, you should fire them on the
spot and get some who have a clue or two.

On the other hand, if you want to present auditors the configurations
and you're worried about them having seen your Type 7 passwords, you
can either present them with the saved configurations (use RANCID to
collect and sanitize, for example) or simply realize that the impact
of them being able to reverse RADIUS hashes is "not that great", since
those keys are different for each host and differ from all your other
passwords - correct? ;-)

--
Marko Milivojevic - CCIE #18427 (SP R&S)
Senior CCIE Instructor / Managing Partner - IPexpert
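One way to do the "collect and sanitize" step described above, as an added example that is not from the thread and not RANCID's own code: a small Python filter that redacts the reversible Type 7 values (line passwords, RADIUS/TACACS keys, CHAP secrets) before a configuration is handed to auditors, leaves the irreversible Type 5 enable secret alone, and reports where each reversible secret was so the reviewer still sees that one exists. The configuration fragment and its hex values are constructed for the example.

```python
"""Redact reversible (Type 7) secrets from an IOS config before sharing it.

Type 5 lines (MD5, irreversible) are left untouched, following the
Type 5 / Type 7 distinction drawn in the thread.
"""
import re

# Constructed sample configuration (not a real device, not real secrets).
SAMPLE_CONFIG = """\
hostname R1
enable secret 5 $1$EXAMPLE$PLACEHOLDERHASH
username audit privilege 7 password 7 0123456789ABCDEF
radius-server host 192.0.2.10 key 7 0123456789ABCDEF
tacacs-server key 7 0123456789ABCDEF
line vty 0 4
 password 7 0123456789ABCDEF
 login authentication default
interface Serial0/0
 ppp chap password 7 0123456789ABCDEF
"""

# "<...> password|key 7 <hex>" is the reversible Type 7 encoding used for
# line/user passwords, RADIUS/TACACS keys and CHAP secrets.
TYPE7_RE = re.compile(
    r"^(?P<head>.*\b(?:password|key)\s+)7\s+(?P<blob>[0-9A-Fa-f]{4,})\s*$"
)
REDACTED = "7 <REDACTED-TYPE7>"


def sanitize_config(text):
    """Return (sanitized_text, findings).

    findings is a list of (line_number, keyword_context) for every Type 7
    value removed, so the auditor learns where a reversible secret lives
    without learning its value.
    """
    out, findings = [], []
    for num, line in enumerate(text.splitlines(), start=1):
        m = TYPE7_RE.match(line)
        if m:
            out.append(m.group("head") + REDACTED)
            findings.append((num, m.group("head").strip()))
        else:
            out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    clean, found = sanitize_config(SAMPLE_CONFIG)
    print(clean)
    for num, ctx in found:
        print(f"line {num}: reversible secret in '{ctx} 7 ...'")
```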
On Sat, Feb 16, 2013 at 9:22 AM, Steve Di Bias <sdibias_at_gmail.com> wrote:
> While these *other* methods are creative, I still think the best idea is to
> remove the type 7's entirely. This may not be possible in time for your
> audit, but as a long term goal I highly recommend it.
>
> Thanks,
> Steve Di Bias- CCIE #32840
>
>
> On Sat, Feb 16, 2013 at 7:46 AM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>
>> That's interesting. I guess you could also add an alias for them that
>> excludes the password 7 and the alias. You could still use enable view with
>> only this alias/macro available to them.
>>
>> Regards,
>> Jay McMickle- CCIE #35355 (RS)
>> Sent from my iPhone 5
>> Support me to fight MS!
>>
>> http://main.nationalmssociety.org/site/TR/Bike/TXHBikeEvents?px=5886043&pg=personal&fr_id=20226
>>
>>
>> On Feb 16, 2013, at 9:34 AM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>>
>> > Another easy way is to use EEM when show running is issued and parse the
>> > entire running config through EEM so that whenever it encounters a line
>> > containing password, it will simply skip it.
>> >
>> >
>> > From: Jay McMickle <jay.mcmickle_at_yahoo.com>
>> > To: Ovais Iqbal <ovais.iqball_at_yahoo.com>
>> > Cc: Imran Ali <immrccie_at_gmail.com>; "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
>> > Sent: Saturday, February 16, 2013 6:09 PM
>> > Subject: Re: read only access and need to protect all sensitive passwords
>> >
>> > Agreed. Enable views is what you are looking for.
>> >
>> > However, while this limits the commands they can run, if you give them sh
>> > run, it will still show your line password 7's. You shouldn't be running
>> > enable pass on your routers, so I can only imagine you are concerned with
>> > the line passwords.
>> >
>> > Why not remove the line passwords and point to local, RADIUS, or TACACS
>> > and you won't have those passwords to be seen?
>> >
>> > ! no reversible enable password; keep only the hashed enable secret
>> > no enable password
>> > enable secret ...
>> > !
>> > aaa new-model
>> > username Cisco privilege 15 password Cisco
>> > !
>> > aaa authentication login default .....
>> > line console 0
>> >  login authentication local
>> > line vty 0 15
>> >  login authentication local
>> >
>> > Then enable your views. (enable view)
>> > And set the username login rights, etc.
>> >
>> > I'm going from memory here, so the syntax might be a little off, but you
>> > get the point.
>> >
>> > Regards,
>> > Jay McMickle- CCIE #35355 (RS)
>> > Sent from my iPhone 5
>> > Support me to fight MS!
>> >
>>
>> > http://main.nationalmssociety.org/site/TR/Bike/TXHBikeEvents?px=5886043&pg=personal&fr_id=20226
>> >
>> >
>> > On Feb 15, 2013, at 11:35 PM, Ovais Iqbal <ovais.iqball_at_yahoo.com> wrote:
>> >
>> > > If you want to give only read-only access to the entire active config,
>> > > then perhaps you can use views. It doesn't need an external server and
>> > > will surely meet your requirements.
>> > >
>> > >
>> > >
>> > > ________________________________
>> > > From: Imran Ali <immrccie_at_gmail.com>
>> > > To: Cisco certification <ccielab_at_groupstudy.com>
>> > > Sent: Saturday, February 16, 2013 10:27 AM
>> > > Subject: read only access and need to protect all sensitive passwords
>> > >
>> > > Hi all,
>> > >
>> > > I need to give read-only access of my routers to an audit team.
>> > >
>> > > I have no issue setting up a RADIUS server to put them through an exec
>> > > level 7, which I customised on the router to allow only show:
>> > >
>> > > privilege exec all level 7 show
>> > >
>> > > I found that he can't view the routing config using a regular "show run",
>> > > but he can view the last saved config with "show startup-config".
>> > >
>> > > The issue is my RADIUS server, and there is no option to specify a
>> > > type 5 MD5 strong password.
>> > >
>> > > I am ending up with showing my RADIUS key ..... as type 7 can be easily
>> > > decrypted.
>> > >
>> > > ...... I also tried service password-encryption, but it is again using
>> > > type 7 ...
>> > >
>> > > Any chance of saving from an over-the-shoulder reading attack?
>> > >
>> > >
>> > > Blogs and organic groups at http://www.ccie.net
>> > > _______________________________________________________________________
>> > > Subscription information may be found at:
>> > > http://www.groupstudy.com/list/CCIELab.html
>> > >
>> > >
>> >
>> >
>>
>>
>
>
Received on Sat Feb 16 2013 - 10:33:52 ART

This archive was generated by hypermail 2.2.0 : Fri Mar 01 2013 - 07:57:58 ART