Security and Vulnerabilities
Cisco IOS has proven vulnerable to buffer overflows and other problems that have afflicted other operating systems and applications.
Because the IOS needs to know the cleartext password for certain uses, (e.g., CHAP authentication) passwords entered into the CLI by default are weakly encrypted as 'Type 7' ciphertext, such as "Router(config)#username jdoe password 7 0832585B1910010713181F". This is designed to prevent "shoulder-surfing" attacks when viewing router configurations and is not secure - they are easily decrypted using software called "getpass" available since 1995, or "ios7crypt", a modern variant, although the passwords can be decoded by the router using the "key chain" command and entering the type 7 password as the key, and then issuing a "show key" command; the above example decrypts to "stupidpass". However, the program will not decrypt 'Type 5' passwords or passwords set with the enable secret command, which uses salted MD5 hashes.
Note: Cisco recommends that all Cisco IOS devices implement the authentication, authorization, and accounting (AAA) security model. AAA can use local, RADIUS, and TACACS+ databases. However, a local account is usually still required for emergency situations.
Read more about this topic: Cisco IOS
Famous quotes containing the words security and and/or security:
“Happiness is peace after strife, the overcoming of difficulties, the feeling of security and well-being. The only really happy folk are married women and single men.”
—H.L. (Henry Lewis)
“There is one safeguard known generally to the wise, which is an advantage and security to all, but especially to democracies as against despots. What is it? Distrust.”
—Demosthenes (c. 384–322 B.C.)