11 Replies Latest reply on May 29, 2014 9:21 AM by in4ni

    Protecting the 908

    in4ni New Member

      I have a system out on a lease that includes a TA908e. How can I protect the 908 from someone plugging into the serial port and using the "bypass passwords" command?

      I know most carriers have some type of configuration that DOES NOT allow the "bypass passwords" to work. It looks like the startup-config is run at the end of the configuration, maybe?

      Thank you


        • Re: Protecting the 908
          jayh Hall_of_Fame

          Specifically what is it that you are trying to guard against?  Theft of the gear for resale?  Someone viewing the configuration?  Someone changing the configuration? 

           

          As a general rule, if someone has physical access to the equipment it is pretty much game over for a sophisticated individual. You may not be able to prevent access but you can take measures to detect it and make it much less useful for an attacker.

           

          Keep in mind that the "no service password-recovery" scenario of Brand C doesn't prevent someone from gaining access to the box to factory reset or repurpose it, it just makes it difficult to retrieve the current running configuration without some extra steps.

           

          Some things you can do:

          • Employ "service password-encryption" so that the actual passwords won't be visible in the configuration.
          • Use a different username/password for each location, or:
          • Use RADIUS or TACACS so that the actual login credentials aren't stored locally (and can be changed remotely).
          • Monitor the connection (Nagios, etc.) so that you are alerted should it go offline.  This is good customer service anyway, and because it is necessary to reboot the box to get it to bootstrap mode you will be alerted and can call the customer. 
          • Monitor the configuration with RANCID to detect any changes and alert your NOC. This can also show uptime, and a script will show last reboot. Adtran's N-Command may have similar functionality.
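
A minimal version of the change and reboot detection described in the reply above, as an added example that is not part of the original thread and is not RANCID's or ADTRAN's code. It assumes the configuration text and the uptime in seconds are collected by some other means on each poll; the sample configuration lines are constructed, and treating "!" lines as volatile is an assumption.

```python
import difflib
import hashlib

# Assumption: lines starting with "!" are separators/comments that may vary
# between captures and should not raise an alert.
VOLATILE_PREFIXES = ("!",)

def normalize(config_text):
    """Return config lines with trailing whitespace, blanks and volatile lines removed."""
    lines = []
    for line in config_text.splitlines():
        line = line.rstrip()
        if line and not line.startswith(VOLATILE_PREFIXES):
            lines.append(line)
    return lines

def fingerprint(config_text):
    """SHA-256 over the normalized config, cheap to store and compare per device."""
    return hashlib.sha256("\n".join(normalize(config_text)).encode()).hexdigest()

def check_device(baseline_cfg, current_cfg, last_uptime_s, current_uptime_s):
    """Compare this poll with the stored baseline; return a list of alert strings."""
    alerts = []
    # Getting to the bootstrap prompt requires a reboot, so uptime going
    # backwards between polls is the first sign of console tampering.
    if current_uptime_s < last_uptime_s:
        alerts.append("REBOOT: uptime fell from %d s to %d s"
                      % (last_uptime_s, current_uptime_s))
    if fingerprint(baseline_cfg) != fingerprint(current_cfg):
        diff = list(difflib.unified_diff(normalize(baseline_cfg),
                                         normalize(current_cfg),
                                         "baseline", "current",
                                         lineterm="", n=0))
        # Drop the two file-header lines and the @@ hunk markers.
        changed = [d for d in diff[2:] if not d.startswith("@@")]
        alerts.append("CONFIG CHANGED:\n" + "\n".join(changed))
    return alerts

# Constructed sample data, not real device output.
BASELINE = """!
hostname lease-site-1
service password-encryption
username noc password encrypted PLACEHOLDER
!
"""
TAMPERED = BASELINE + "username customer password encrypted PLACEHOLDER\n"

if __name__ == "__main__":
    for alert in check_device(BASELINE, TAMPERED, 864000, 120):
        print(alert)
```
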
            • Re: Protecting the 908
              in4ni New Member

              Thanks for the speedy reply

               

              I'm trying to guard against config changes if possible; I don't care if someone can view the config.

               

              This is my first system lease using a TA908 and my contract states that I am the only one that can make config changes (because this is billable)

               

              I'm trying to achieve something similar to what the carriers do: when the boot is halted and the "bypass passwords" command is used, you still can't log in

               

              Thank you

                • Re: Protecting the 908
                  jayh Hall_of_Fame

                  in4ni wrote:

                   

                  I'm trying to guard against config changes if possible; I don't care if someone can view the config.

                   

                  Probably RANCID is your best bet, a server keeping track of all of your devices and their configurations, with an email showing whenever a change is made and keeping historical differences.

                   

                  I'm trying to achieve something similar to what the carriers do: when the boot is halted and the "bypass passwords" command is used, you still can't log in

                   

                  They are likely using TACACS or RADIUS, where authentication is done remotely.  If the device has no reachability back to the TACACS/RADIUS server you should be able to get in to the box from the console.

                    • Re: Protecting the 908
                      in4ni New Member

                      I'm not interested in setting up a server. I was just trying to secure the box similar to what the carriers like Nuvox, Tw telecom and Comcast do.

                      Thank you for your reply

                        • Re: Protecting the 908
                          jayh Hall_of_Fame

                          I think they use RADIUS.  Without a remote server it's tough to either force remotely-authenticated logins or monitor for changes.  You can periodically log in and do a "show flash" to look at the configuration file size.  Also play some games with the console configuration, set its speed to 2400, line-timeout to one minute, parity to something like 7-odd-2 stopbits.

                           

                          But, if someone has physical access they can likely figure out a way.  Even if you can't prevent it you can certainly detect it.

                          • Re: Protecting the 908
                            petersjncv Visitor

                            I am curious as to why you are so concerned about the security at the console port.  Keep in mind, even with very secure passwords and remote authentication, if someone has console access and knows what they are doing, then as jayh says, it's pretty much game over from there.  However, that calls into question the security of the physical location of the unit.  Furthermore, if someone has physical access to the unit to attempt to gain console access, it is going to require rebooting the unit or bringing it down in some way.  If you are using a monitoring system, you should get an alert that your IAD is down.  You could also set up a syslog server pretty cheaply/easily and turn up your logging and dump it all to syslog so you can inspect it on a regular basis, including config changes.

                             

                            Speaking from a carrier's perspective, the wording of the contract is such that the carrier is protected and not liable for silly or goofed up configuration changes by inexperienced users.  It's actually a little surprising that you have an equipment lease that you are allowed to make config changes on.  Normally that is left to the service provider.  If you don't have access to use remote authentication protocols, lock your telnet down via an access list (only accept connections from specific IP addresses), secure the console with a complex password, and make sure the physical location of your equipment is secure.

                              • Re: Protecting the 908
                                in4ni New Member

                                I'm trying to achieve a similar setup like most carriers use. On most carriers' TA908s, if you plug into the console port, escape out of the boot, enter "bypass passwords" and "boot" the unit, then after the booting process completes you are prompted for a user name. Bypass passwords has no effect. This is all I'm trying to achieve.

                                Thank you

                      • Re: Protecting the 908
                        david Employee

                        In4ni,

                         

                        The responses you received above are the same as ADTRAN's recommended security for the unit.  Physical security of the unit is a must, and if this is breached, generally someone skilled can change your configuration.   

                         

                        Best regards,

                        David

                          • Re: Protecting the 908
                            in4ni New Member

                            I'm going to take jayh's advice and set up some monitoring and keep config notes, so if I see the config change I can take it up with the customer

                             

                            Thank you everyone for your advice. Physical security is key to securing any piece of hardware

                          • Re: Protecting the 908
                            in4ni New Member


                            Last week I had the opportunity to tinker around with a carrier's TA908. I disconnected it from the network, plugged into the serial port, rebooted, escaped and entered "bypass passwords", then load

                             

                            After the 908 loaded I was still prompted for a username and password

                             

                            I was wondering how they are doing this?

                             

                            Thank you