A thumping sound from the Netherlands brings me back to the videoconference feed. Five time zones away, my friend Constantijn is putting the smackdown on some bugs in his apartment. He has wandered out of the shot, but his webcam transmits the sound of him swatting at las cucarachas with what turns out to be a copy of Noam Chomsky’s Hegemony or Survival. Sounds like the bugs are winning.
“How the hell are these bloody things getting in?” he asks. He lives in one of those hermetically-sealed apartment buildings where you can’t even crack open a window.
“Trash chute?” I hazard. Those things are never sealed tight.
I tell him about ants here in the Caribbean. They get in your house every summer, a thick conga line running across your wall from the point of ingress to your trashcan. Insidious. You practically have to build a moat to keep them out.
When you control management access to a firewall, it is tempting to borrow the tactics of siege warfare. Caesar’s Commentarii de Bello Gallico is full of tales of overcoming enemy fortifications and starving out a besieged city by cutting off its supply lines. But a network is like a functioning city. You gotta have a way for legit traffic to traverse the firewall. If it really were a siege, you wouldn’t have a firewall; you’d have an air gap.
Without a startup config, the Cisco ASA only allows management access via the console port. To connect, plug one end of a console cable into the ASA’s console port and the other end into a computer running a terminal emulator such as PuTTY or SecureCRT.
The default connection settings are 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control.
To secure the console port, you need physical security, such as a locked cabinet, to protect the ASA. Anyone who gains physical access to your ASA can console in and potentially obtain or change the config. (The intruder can also boot the ASA into ROMMON mode and reset the password. That recovery mechanism is enabled by default; it stays enabled unless you’ve run no service password-recovery to turn it off.)
ciscoasa# conf t
ciscoasa(config)# no service password-recovery
WARNING: Executing "no service password-recovery" has disabled the password recovery mechanism and disabled access to ROMMON. The only means of recovering from lost or forgotten passwords will be for ROMMON to erase all file systems including configuration files and images. You should make a backup of your configuration and have a mechanism to restore images from the ROMMON command line.
In EXEC mode, these commands are available:

clear       Reset functions
enable      Turn on privileged commands
exit        Exit from the EXEC
help        Interactive help for commands
login       Log in as a particular user
logout      Exit from the EXEC
no          Negate a command or set its defaults
ping        Send echo messages
quit        Exit from the EXEC
show        Show running system information
traceroute  Trace route to destination
Mostly useful for diagnostics and information gathering; you can’t change the config without getting into privileged EXEC mode. So it’s important to set a good enable password (the ASA ships with it blank) to defeat the casual intruder. But let’s face it: with unrestricted physical access to the ASA, your ASA can be compromised. An intruder can snaffle the flash card and obtain or change the config.
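Since the hardening above (a real enable password, a console timeout, a login on the serial line, and no service password-recovery) is easy to forget on a box that was set up in a hurry, here is a small audit script that reads a saved show running-config dump and flags each gap. This is an added example written for this post, not Cisco code; the two sample configs in it are constructed, the hashes in the hardened one are made-up placeholders, and the one real value it relies on is 8Ry2YjIyt7RRXU24, the hash the ASA writes when the enable password is blank.

```python
"""Audit a saved Cisco ASA running-config for console-access hardening gaps.

Added example for this post; not Cisco code. It reads a 'show running-config'
dump and flags the console-related weaknesses discussed above. The two sample
configs below are constructed for illustration.
"""
import re

# The ASA writes this well-known hash when the enable password is blank.
BLANK_ENABLE_HASH = "8Ry2YjIyt7RRXU24"


def audit_console_hardening(config_text):
    """Return (finding, remediation command) pairs for an ASA config dump."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    # 1. Enable password: no line at all, or the blank-password hash.
    enable_lines = [ln for ln in lines if ln.startswith("enable password")]
    if not enable_lines or any(BLANK_ENABLE_HASH in ln for ln in enable_lines):
        findings.append(("enable password is blank",
                         "enable password <strong-secret>"))

    # 2. Console idle timeout: the default of 0 means a session left open
    #    on a console cable stays logged in forever.
    timeout = 0
    for ln in lines:
        m = re.match(r"console timeout (\d+)$", ln)
        if m:
            timeout = int(m.group(1))
    if timeout == 0:
        findings.append(("console sessions never time out",
                         "console timeout 5"))

    # 3. Console login: without AAA on the serial line, anyone who plugs in
    #    lands at the EXEC prompt with no username or password at all.
    serial_aaa = [ln for ln in lines
                  if ln.startswith("aaa authentication serial console")]
    if not serial_aaa:
        findings.append(("console login requires no credentials",
                         "aaa authentication serial console LOCAL"))
    elif any(ln.endswith(" LOCAL") for ln in serial_aaa) and \
            not any(ln.startswith("username ") for ln in lines):
        # Edge case: LOCAL auth with no local users locks the admin out too.
        findings.append(("serial console uses LOCAL auth but no local users exist",
                         "username admin password <strong-secret> privilege 15"))

    # 4. ROMMON password recovery: enabled unless explicitly turned off.
    if "no service password-recovery" not in lines:
        findings.append(("ROMMON password recovery still enabled",
                         "no service password-recovery  (back up the config first)"))

    return findings


def finding_titles(config_text):
    """Just the finding names, in order, for quick checks."""
    return [f[0] for f in audit_console_hardening(config_text)]


# Constructed sample: what a fresh, unhardened ASA config looks like.
WEAK_CONFIG = """\
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
console timeout 0
"""

# Constructed sample: the same box after applying the remediations.
# The hashes here are made-up placeholders, not real digests.
HARDENED_CONFIG = """\
hostname ciscoasa
enable password Ab9xY3kLmNoP2qRs encrypted
username admin password Zq8vT2wPnL4rX6yK encrypted privilege 15
aaa authentication serial console LOCAL
console timeout 5
no service password-recovery
"""

if __name__ == "__main__":
    for title, fix in audit_console_hardening(WEAK_CONFIG):
        print(f"[!] {title:<55} -> {fix}")
    print("hardened config findings:", audit_console_hardening(HARDENED_CONFIG))
```

Run it against a config you pulled with show running-config and it prints one line per gap with the command that closes it. The LOCAL-without-users check matters: turning on aaa authentication serial console LOCAL before creating a username locks you out of the console just as thoroughly as it locks out the intruder, and with no service password-recovery in place the only way back is erasing the flash.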
Oh well, nothing is completely secure. Best keep the bug spray handy.