UNCLASSIFIED Implementing Security on Cisco Routers  Version 1.0g  UNCLASSIFIED 47

Step 4 View or change the password, or erase the configuration.

Step 5 Reconfigure the router to boot up and read the NVRAM as it normally does.

Step 6 Reboot the system.”1

Anyone with experience or training using Cisco routers can parlay physical access into full privileged administrative access on a Cisco router; the procedure takes only a couple of minutes. (Note: Step 5 is very important; if you need to use the password recovery procedure for any reason, do not neglect to restore the system boot settings after regaining access to the router. Failure to do so will usually result in the router coming up in an insecure state on subsequent reboots.)

A second reason for controlling physical access to the router involves flash memory cards. Many Cisco router models offer PCMCIA slots that can hold additional flash memory. Routers equipped with these kinds of slots will give preference to memory installed in a slot over memory installed in the chassis. An attacker with physical access to a router on your network can install a flash memory card, or replace an old one. They could then boot the router with their flash, thus causing the router to run their IOS version and configuration. If done carefully and well, this kind of attack can be very difficult to detect. The best defense against it is good physical security.

An operational security concern closely related to physical security is the physical operating environment. Like most networking equipment, routers are sensitive to extreme temperature and humidity. If a router is not located in an environmentally controlled area, it may operate in unexpected ways and its security may degrade. This is also a personnel safety issue. A room where routers are located should be free of electrostatic and magnetic interference. The area should also be controlled for temperature and humidity. If at all possible, all routers should be placed on an Uninterruptible Power Supply (UPS), because a short power outage can leave some network equipment in undetermined states.

The console (con) and auxiliary (aux) ports on Cisco routers are used for serial connections to the router. Most Cisco routers have both a console and an auxiliary port; some of the smallest models have only a console port. The primary difference between the two ports is that the password recovery mechanism can be used on the console port only. In many cases, the auxiliary port is unused. Some administrators connect a modem to the auxiliary port to facilitate remote administration via dial-up. Permitting direct dial-in to any vital piece of network infrastructure is potentially very risky, and should be set up only when timely access by other means is not feasible. In general, the auxiliary port should be disabled (see Section 4.1.3).

1 Cisco IOS Release 12.0 Security Configuration Guide, “Configuring Passwords and Privileges”, “Password Recovery Process”, Cisco Systems, 1999.
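As an added example (not part of the guide), a small Python audit that reads a saved running-config and "show version" output and flags the two conditions this section raises: an auxiliary line that has not been disabled, and a configuration register left in its password-recovery setting instead of being restored (Step 5). The IOS keywords used ("line aux 0", "no exec", "transport input none", "modem inout", and the 0x2102 normal-boot register value) are standard IOS syntax assumed here rather than quoted from the guide; both sample outputs are constructed.

```python
import re

# Assumed IOS default: boot normally and read the startup config from NVRAM.
# Password recovery changes the register so NVRAM is bypassed; Step 5 restores it.
NORMAL_CONFIG_REGISTER = "0x2102"

def line_block(config, name):
    """Return the indented sub-commands under 'line <name>' in an IOS config, or None."""
    cmds, inside = [], False
    for raw in config.splitlines():
        if raw.strip() == f"line {name}":
            inside = True
        elif inside and raw.startswith(" "):
            cmds.append(raw.strip())
        elif inside:
            break                      # next top-level command ends the block
    return cmds if inside else None

def audit_router(running_config, show_version):
    """Return a list of findings (strings); an empty list means both checks pass."""
    findings = []
    aux = line_block(running_config, "aux 0")
    if aux is None:
        findings.append("aux port left at IOS defaults; disable it explicitly")
    else:
        if "no exec" not in aux:
            findings.append("aux port still offers an EXEC prompt (add 'no exec')")
        if "transport input none" not in aux:
            findings.append("aux port accepts inbound connections (add 'transport input none')")
        if any(c.startswith("modem") for c in aux):
            findings.append("modem enabled on aux port: dial-in administration path")
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)", show_version)
    if m and m.group(1).lower() != NORMAL_CONFIG_REGISTER:
        findings.append(f"config register {m.group(1)} not restored to {NORMAL_CONFIG_REGISTER}; "
                        "router will bypass the NVRAM config on next reboot")
    return findings

# Constructed samples (not captured from a real router): a router left as the
# section warns, and the same router after remediation.
WEAK_CONFIG = "hostname edge-rtr\nline con 0\n exec-timeout 5 0\nline aux 0\n modem inout\n transport input all\n"
WEAK_VERSION = "Cisco IOS Software, constructed sample\nConfiguration register is 0x2142\n"
HARDENED_CONFIG = "hostname edge-rtr\nline con 0\n exec-timeout 5 0\nline aux 0\n no exec\n transport input none\n"
HARDENED_VERSION = "Cisco IOS Software, constructed sample\nConfiguration register is 0x2102\n"

if __name__ == "__main__":
    print("weak:", audit_router(WEAK_CONFIG, WEAK_VERSION))
    print("hardened:", audit_router(HARDENED_CONFIG, HARDENED_VERSION) or "clean")
```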