Security Basics mailing list archives

RE: Locking Cisco Router


From: "Dozal, Tim" <tdozal () cisco com>
Date: Mon, 18 Nov 2002 13:56:51 -0800

If you have local console access to the router and physical access to
reboot the router (both needed for a PW recovery I believe) to get into
rommon mode then the router is already pretty compromised.  During a PW
recovery the previous programming is overwritten by your new setup so
what would be gained by permanently locking a router other than making
more sales for Cisco (which I won't complain about) after a router pw is
lost and you now need to buy a new piece of hardware?

I may be missing the real question here because I just don't see why you
would want to make a piece of hardware permanently unusable if a PW is
lost.


-Tim

(btw, these are my comments and may not be shared by my company nor were
they influenced by actual company information on this subject... Just my
2 cents on the question)


-----Original Message-----
From: Rok Pintar [mailto:rokp () news reproms si] 
Sent: Saturday, November 16, 2002 2:22 AM
To: security-basics () securityfocus com
Subject: Re: Locking Cisco Router


Is it possible to lock a Cisco router to a point that even a password 
recovery can't work to enter the router?

Well, there are supposed to be new 2600/3600 ROMMON images that allow
you to disable password recovery. If you have it, you can do something
like "no service password-recovery". 
ROK

