A thumping sound from the Netherlands brings me back to the videoconference feed. Five time zones away, my friend Constantijn is putting the smackdown on some bugs in his apartment. He has wandered out of the shot, but his webcam transmits the sound of him swatting at las cucarachas with what turns out to be a copy of Noam Chomsky’s Hegemony or Survival. Sounds like the bugs are winning.
“How the hell are these bloody things getting in?” he asks. He lives in one of those hermetically-sealed apartment buildings where you can’t even crack open a window.
“Trash chute?” I hazard. Those things are never sealed tight.
I tell him about ants here in the Caribbean. They get in your house every summer, a thick conga line running across your wall from the point of ingress to your trashcan. Insidious. You practically have to build a moat to keep them out.
Controlling management access to a firewall, one is sometimes tempted to employ the tactics used for siege warfare. Caesar’s Commentarii de Bello Gallico is full of tales of overcoming enemy fortifications and starving out a besieged city by cutting off its supply lines. But a network’s like a functioning city. You gotta have a way for legit traffic to traverse the firewall. If it really were a siege, you wouldn’t have a firewall; you’d have an air gap.
Without a startup config, the Cisco ASA only allows management access via the console port. To connect via the console port, plug one end of a console cable into the console port and the other end into a computer running a terminal emulation program such as PuTTY or SecureCRT.
The default connection settings are:

| Setting | Value |
| --- | --- |
| Baud Rate | 9600 |
| Data Bits | 8 |
| Parity | None |
| Stop Bits | 1 |
| Flow Control | Hardware |
To secure the console port, you need physical security, such as a locked cabinet, to protect the ASA. If anyone gains physical access to your ASA, they can console into the ASA and potentially obtain or change the config. (The intruder can also boot the ASA into ROMMON mode and reset the password unless you’ve run no service password-recovery to disable this capability, which is enabled by default.)

```
ciscoasa# conf t
ciscoasa(config)# no service password-recovery
WARNING: Executing "no service password-recovery" has disabled the password recovery mechanism and disabled access to ROMMON. The only means of recovering from lost or forgotten passwords will be for ROMMON to erase all file systems including configuration files and images. You should make a backup of your configuration and have a mechanism to restore images from the ROMMON command line.
```
In EXEC mode, these commands are available:

```
clear       Reset functions
enable      Turn on privileged commands
exit        Exit from the EXEC
help        Interactive help for commands
login       Log in as a particular user
logout      Exit from the EXEC
no          Negate a command or set its defaults
ping        Send echo messages
quit        Exit from the EXEC
show        Show running system information
traceroute  Trace route to destination
```
Mostly useful for diagnostics and information gathering. Can’t change the config unless you get into Privileged EXEC mode. So, it’s important to configure a good enable password to defeat the casual intruder. But let’s face it, if there’s unrestricted physical access to the ASA, your ASA can be compromised. An intruder can snaffle the flash card and obtain or change the config.
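As an added example (my own, not from the post or from Cisco), here is a short Python check you can run over a saved copy of `show running-config` to confirm the two controls discussed above are in place: password recovery disabled, and an enable password that is not the blank default. The sample configs are constructed; the blank-password hash is Cisco's documented default, and the hardened hash is a made-up value.

```python
import re

# Hash the ASA writes for a blank enable password (Cisco's documented default).
BLANK_ENABLE_HASH = "8Ry2YjIyt7RRXU24"

# Constructed sample of an ASA 8.4 running config, still at the defaults the
# post warns about: password recovery enabled and a blank enable password.
DEFAULT_CONFIG = """\
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
"""

# Same box after the two fixes from the post (the new hash is a made-up value).
HARDENED_CONFIG = DEFAULT_CONFIG.replace(
    "enable password 8Ry2YjIyt7RRXU24 encrypted",
    "enable password x9Qz7L0pK2mN4vB1 encrypted",
) + "no service password-recovery\n"


def audit_console_controls(config: str) -> dict:
    """Return True/False per control for a running config's console defences."""
    lines = [line.strip() for line in config.splitlines()]

    # ROMMON password recovery stays enabled unless the "no" form is present;
    # the enabled default is normally not written to the config at all.
    recovery_disabled = "no service password-recovery" in lines

    # An enable password counts only if the line exists and its hash is not
    # the one produced by an empty password.
    enable_set = False
    for line in lines:
        m = re.match(r"enable password (\S+)(?: encrypted)?$", line)
        if m and m.group(1) != BLANK_ENABLE_HASH:
            enable_set = True

    return {
        "password_recovery_disabled": recovery_disabled,
        "enable_password_set": enable_set,
    }


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_console_controls(cfg))
```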
Oh well, nothing is completely secure. Best keep the bug spray handy.
Additional Information:
Service password-recovery command in the Cisco ASA 8.4 Command Reference.
Enable password command in the Cisco ASA 8.4 Command Reference.
gomjabbar: How To Break Into A Cisco ASA If You Do Not Have The Enable Password.
gomjabbar: Removing the Flash Memory from a Cisco ASA 5505.