Cisco password tricks

Published: 2007-12-14
Last Updated: 2007-12-14 18:14:23 UTC
by donald smith (Version: 1)
1 comment(s)

Jon, wrote in to tell us about this unusual cisco IOS “trick”.

Jon and several of the handlers discussed this in detail. I have included a summary of those discussions.

http://ioshints.blogspot.com/2007/11/type-7-decryption-in-cisco-ios.html
This describes a way to decode type 7 password without any additional software. There has been software available for many years that can do this but I believe this is the first time Cisco has provided a feature like this to display type 7 passwords in plain text directly on the router. In my opinion passwords should never be displayed in plain text. However some passwords and other “secrets” that are stored on a router or network element have to be stored in a reversible form of encryption as the plain text password is needed by the router due to the protocol specification. Many of the password protected by reversible encryption are also transmitted over the network in plain text so extensive work to secure them is probably not worth the effort. Cisco is not the only vendor who does this. Most network element vendors have reversible encryption algorithms. It may not be as well known as Cisco’s type 7 but when the router needs to reverse the password it can and the plain text password is stored in memory at least for a short period of time. 


So how does one go about ensuring their Cisco router meets minimum security requirements?
Cisco’s autosecure which is available in IOS version 12.2 and greater is a good easy to use tool that will assist you in securing their routers.
Cisco’s “tested and validated security solutions” which used to be called SAFE has lots of guidance for cisco elements. http://www.cisco.com/en/US/netsol/ns744/networking_solutions_program_home.html

Additionally I recommend the benchmark and tool from CISecurity.org.
http://www.cisecurity.org/ the benchmark is very detailed. It includes the commands needed to implement a security recommendation and explains why you might want to implement that feature.
It was recently upgraded and released in Nov 2007.

I also recommend reading rfc3871 “Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure “. Although targeted towards large ISPs many of the recommendations are worth understanding. It is not vendor specific and many of the ideas can be used in a mixed vendor environment.

Keywords:
1 comment(s)

Comments

Regarding the following comment:

> However some passwords and other “secrets” that are stored on a router or network element have to be stored in a reversible form of encryption as the plain text password is needed by the router due to the protocol specification.

No, they don't. This is a mistake often made by people (unfortunately). You are perfectly OK storing a transformation of the password which is unique with a high probability and not easily reversible, ie a cryptographic hash of the password.

Diary Archives