Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Console switch configuration

     What are the security issues in connecting a notebook to a console of the 2950 switch?

Can  virus or trojan enter into a switch during configuration session? If the answer is yes, what precoutions must I take to prevent such case?

Does anybody heard about such problem?

Everyone's tags (3)
2 REPLIES
Cisco Employee

Console switch configuration

Hello Felix,

This is a very interesting question. The short and practical answer is - no, the switch can not be infected by a virus or a trojan through a console session.

The longer answer would be: it is not totally impossible but it is practically unheard-of. Infecting the switch through a console session is extremely impractical and difficult because of these reasons (and there are certainly more but these are the ones I see right now):

  • The 2950 switch uses a MIPS processor with a different instruction set than Intel or AMD based PCs. Thus, a machine code of a virus or of a trojan running on PCs is unable to run on 2950 switches per se, and vice versa. The virus would need to recompile itself before "downloading" itself to the 2950.
  • The console session does not allow direct access to executable code of the IOS either in the memory or in the FLASH. Thus, the virus would need to exploit a buffer overflow or a similar bug (if there is any of such type!) in the command interpreter that would allow it to inject its code into the IOS code.
  • The attack would be visible in the console session because the only way the virus could install itself into the switch would be via sending itself, character by character, to the switch. And because in a terminal emulator, we see the complete conversation carried between the PC and the switch, an attempt to infiltrate the switch via the console session would not go unnoticed (unless, of course, the virus somehow disabled the terminal emulator to not display these data - but that is an outright conspirative thinking).

As usual, in the world of IT, nothing is 100% secure. But ultimately, if something is or is not done depends mostly on whether it is reasonable enough to put effort into. Creating a virus that would infiltrate the 2950 - an end-of-life switch - via its console port is something way impractical and useless for anyone to invest the huge effort into. And certainly, the 2950 is immune to all existing PC-based infiltrations.

Do not worry about infecting your Cisco devices via the console session.

Best regards,

Peter

Console switch configuration

hi felix,

further adding on peter's excellent post, the only security issues when a PC is connected via console to a cisco device (router or switch) would be as below:

by default, the console port does not require a password for admin access. it should be configured with a line password as a security precaution:

Router(config)#line console 0

Router(config-line)#password

Router(config-line)#login

also, a user is logged in for 10 minutes and if you're away from your terminal while the  console session is active, an attacker has up to 10 minutes to gain privilege access. it is recommended that the exec-timeout is fine-tuned to limit the amount of time a user is logged in.

Router(config-line)#exec-timeout

425
Views
0
Helpful
2
Replies