Config File

laurabolda

We have an ASA 5510, running IOS 8.2(2). If someone had a copy of the Config file, would that person be able to find out the Enable Password or any passwords (group VPN password, local password to log in to the VPN client, etc.) from the Config file?

Thanks.

Laura

Accepted Solutions

Laura,

The information that is encrypted on the file cannot be seen even with a copy of the configuration file.

If from the ASA you copy the configuration to a TFTP server, you can read the pre-shared-keys for the VPN tunnels for example, but no passwords that are encrypted in the configuration.

Federico.

m.kafka

Dear Laura

If you look at sites like: http://www.rainbowtables.net/products.php you should be careful with any sort of hashed password.

Neohapsis published in 2002 the details of PIX passwords - and the output of ASA 8.2 still looks the same

http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0121.html

Cisco published a security advisory in 2003 about the weak PIX password algorithm, referring to the Neohapsis vulnerability report.

I would not trust an ASA password that escaped to the outside, even if "encrypted".

regards,

MiKa

Laura,

Actually is correct.

If you feel the configuration is compromised or somebody else has the configuration file, it's always better to change the passwords (can't be a better recommendation).

What I'm saying is that the normal user will not be able to do anything with encrypted data.

Obviously I don't want to say that it's impossible to break the password and get the content because it is not.

Federico.
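
As an added example (not part of any post in this thread): a Python script that inventories the credential lines in a saved ASA configuration, marks each as a stored hash or cleartext, and produces a redacted copy, so that every listed secret can be rotated after the file has left your control. The sample configuration, its hash and key values, and the function name `audit` are constructed for illustration.

```python
import re

# Constructed sample in ASA 8.x syntax; every hash and key is a placeholder.
SAMPLE_CONFIG = """\
hostname asa-example
enable password AAAAAAAAAAAAAAAA encrypted
passwd BBBBBBBBBBBBBBBB encrypted
username admin password CCCCCCCCCCCCCCCC encrypted privilege 15
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key ExampleGroupKey
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key *
"""

# (label, pattern): group "s" is the secret, group "who" the account name.
RULES = [
    ("enable password", re.compile(r"^enable password (?P<s>\S+)")),
    ("login password", re.compile(r"^passwd (?P<s>\S+)")),
    ("local user", re.compile(r"^username (?P<who>\S+) password (?P<s>\S+)")),
    ("pre-shared key", re.compile(r"^\s+pre-shared-key (?P<s>\S+)")),
]

def audit(config):
    """Return (findings, redacted_text) for one saved configuration."""
    findings, redacted, group = [], [], ""
    for line in config.splitlines():
        if line.startswith("tunnel-group "):
            group = line.split()[1]  # tunnel group that owns the next key
        for label, rx in RULES:
            m = rx.match(line)
            if not m or m.group("s") == "*":  # "*" is the device's own masking
                continue
            owner = m.groupdict().get("who") or (group if label == "pre-shared key" else "")
            # A trailing "encrypted" keyword marks a stored hash, not the password.
            kind = "hashed" if re.search(r"\bencrypted\b", line[m.end():]) else "cleartext"
            findings.append((label, owner, kind))
            line = line[:m.start("s")] + "<removed>" + line[m.end("s"):]
            break
        redacted.append(line)
    return findings, "\n".join(redacted) + "\n"

if __name__ == "__main__":
    found, safe_copy = audit(SAMPLE_CONFIG)
    for label, owner, kind in found:
        print(f"rotate {label} {owner}".rstrip(), f"[{kind} in file]")
    print(safe_copy, end="")
```

Entries reported as `hashed` belong on the rotation list as well, in line with the advice in the replies above.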
