Anonymous
Not applicable

Protecting the 908

I have a system out on a lease that includes a TA908e. How can I protect the 908 from someone plugging into the serial port and using the "bypass passwords" command?

I know most carriers have some type of configuration that DOES NOT allow "bypass passwords" to work. It looks like the startup-config is run at the end of the configuration, maybe?

Thank you


11 Replies
jayh
Honored Contributor

Re: Protecting the 908

Specifically, what is it that you are trying to guard against? Theft of the gear for resale? Someone viewing the configuration? Someone changing the configuration?

As a general rule, if someone has physical access to the equipment it is pretty much game over for a sophisticated individual. You may not be able to prevent access but you can take measures to detect it and make it much less useful for an attacker.

Keep in mind that the "no service password-recovery" scenario of Brand C doesn't prevent someone from gaining access to the box to factory reset or repurpose it, it just makes it difficult to retrieve the current running configuration without some extra steps.

Some things you can do:

  • Employ "service password-encryption" so that the actual passwords won't be visible in the configuration.
  • Use a different username/password for each location, or:
  • Use RADIUS or TACACS so that the actual login credentials aren't stored locally (and can be changed remotely).
  • Monitor the connection (Nagios, etc.) so that you are alerted should it go offline.  This is good customer service anyway, and because it is necessary to reboot the box to get it to bootstrap mode you will be alerted and can call the customer. 
  • Monitor the configuration with RANCID to detect any changes and alert your NOC. This can also show uptime, and a script will show last reboot. Adtran's N-Command may have similar functionality.
Anonymous
Not applicable

Re: Protecting the 908

Thanks for the speedy reply.

I'm trying to guard against config changes if possible. I don't care if someone can view the config.

This is my first system lease using a TA908, and my contract states that I am the only one that can make config changes (because this is billable).

I'm trying to achieve something similar to what the carriers do: when the boot is halted and the "bypass passwords" command is used, you still can't log in.

Thank you

jayh
Honored Contributor

Re: Protecting the 908

in4ni wrote:

    I'm trying to guard against config changes if possible. I don't care if someone can view the config.

Probably RANCID is your best bet: a server keeping track of all of your devices and their configurations, with an email showing whenever a change is made and keeping historical differences.

    I'm trying to achieve something similar to what the carriers do: when the boot is halted and the "bypass passwords" command is used, you still can't log in.

They are likely using TACACS or RADIUS, where authentication is done remotely. If the device has no reachability back to the TACACS/RADIUS server you should be able to get into the box from the console.

Anonymous
Not applicable

Re: Protecting the 908

I'm not interested in setting up a server. I was just trying to secure the box similar to what carriers like Nuvox, TW Telecom and Comcast do.

Thank you for your reply

jayh
Honored Contributor

Re: Protecting the 908

I think they use RADIUS. Without a remote server it's tough to either force remotely-authenticated logins or monitor for changes. You can periodically log in and do a "show flash" to look at the configuration file size. Also play some games with the console configuration: set its speed to 2400, line-timeout to one minute, parity to something like 7-odd-2 stop bits.

But, if someone has physical access they can likely figure out a way.  Even if you can't prevent it you can certainly detect it.
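
One way to implement the periodic check jayh describes (log in, snapshot the configuration, compare it with your notes, and alert on any difference), as an added example that is not from this thread, from Adtran, or from RANCID; the two snapshots are constructed AOS-style text, not real device output.

```python
import difflib
import hashlib

# Constructed AOS-style snapshots (not real device output, not from the thread).
BASELINE_CONFIG = """\
! constructed baseline snapshot, 2024-01-01
hostname "TA908e-site1"
service password-encryption
line con 0
  line-timeout 1
  speed 2400
ip access-list standard MGMT
  permit host 192.0.2.10
line telnet 0 4
  ip access-class MGMT in
"""
# Same box a week later: the management ACL was widened; apart from that
# only the comment timestamp differs.
TAMPERED_CONFIG = BASELINE_CONFIG.replace("2024-01-01", "2024-01-08").replace(
    "  permit host 192.0.2.10\n", "  permit host 192.0.2.10\n  permit any\n")


def normalize(config: str) -> list[str]:
    """Drop '!' comment lines and blanks so timestamps do not cause false alarms."""
    return [l.rstrip() for l in config.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]


def fingerprint(config: str) -> str:
    """SHA-256 of the normalized config; record this in your config notes."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def config_drift(baseline: str, current: str) -> list[tuple[str, str]]:
    """Added ('+') and removed ('-') config lines, RANCID-diff style."""
    changes = []
    for line in difflib.unified_diff(normalize(baseline), normalize(current),
                                     lineterm="", n=0):
        if not line or line.startswith(("+++", "---", "@@")):
            continue
        if line[0] in "+-":
            changes.append((line[0], line[1:]))
    return changes


def check_snapshot(baseline: str, current: str) -> dict:
    """One periodic check: compare fingerprints first, diff only on change."""
    if fingerprint(baseline) == fingerprint(current):
        return {"changed": False, "changes": []}
    return {"changed": True, "changes": config_drift(baseline, current)}
```

Run it from cron against a fresh "show running-config" capture and mail the "changes" list to your NOC whenever "changed" is true.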

Anonymous
Not applicable

Re: Protecting the 908

I am curious as to why you are so concerned about the security at the console port. Keep in mind, even with very secure passwords and remote authentication, if someone has console access and knows what they are doing, then as jayh says, it's pretty much game over from there. However, that calls into question the security of the physical location of the unit. Furthermore, if someone has physical access to the unit to attempt to gain console access, it is going to require rebooting the unit or bringing it down in some way. If you are using a monitoring system, you should get an alert that your IAD is down. You could also set up a syslog server pretty cheaply/easily and turn up your logging and dump it all to syslog so you can inspect it on a regular basis, including config changes.

Speaking from a carrier's perspective, the wording of the contract is such that the carrier is protected and not liable for silly or goofed-up configuration changes by inexperienced users. It's actually a little surprising that you have an equipment lease that you are allowed to make config changes on. Normally that is left to the service provider. If you don't have access to use remote authentication protocols, lock your telnet down via an access list (only accept connections from specific IP addresses), secure the console with a complex password, and make sure the physical location of your equipment is secure.

Anonymous
Not applicable

Re: Protecting the 908

I'm trying to achieve a similar setup to what most carriers use. On most carriers' TA908s, if you plug into the console port, escape out of the boot, enter "bypass passwords" and "boot" the unit, after the booting process completes you are prompted for a user name; "bypass passwords" has no effect. This is all I'm trying to achieve.

Thank you

jayh
Honored Contributor

Re: Protecting the 908

I think you'll find that if you disconnect the unit from the network so that it can't phone home to its RADIUS servers the password recovery method will work.

Anonymous
Not applicable

Re: Protecting the 908

In4ni,

The responses you received above are the same as ADTRAN's recommended security for the unit. Physical security of the unit is a must, and if this is breached, generally someone skilled can change your configuration.

Best regards,

David

Anonymous
Not applicable

Re: Protecting the 908

I'm going to take jayh's advice and set up some monitoring and keep config notes, so if I see the config change I can take it up with the customer.

Thank you everyone for your advice. Physical security is key to securing any piece of hardware.

Anonymous
Not applicable

Re: Protecting the 908

Last week I had the opportunity to tinker around with a carrier's TA908. I disconnected it from the network, plugged into the serial port, rebooted, escaped and entered "bypass passwords", then load.

After the 908 loaded I was still prompted for a username and password.

I was wondering how they are doing this?

Thank you