Although similar in appearance to a router's configuration file (largely because both come from Cisco devices), the configuration file for a switch has a number of unique settings. Thus, although a switch's configuration is just as easy to retrieve as a router's, by using Telnet and TFTP, a configuration management solution must specifically recognize switches in order to parse the configuration file correctly. The file itself contains key data that allows this recognition to occur, such as the switch's OS version number and the switch's manufacturer and model number. The file can also reveal security vulnerabilities, which can be difficult to spot. Can you see any?
As a hint, let's take a closer look at the SNMP strings:
snmp-server engineID local 0000000902000002FDDBB700
snmp-server community private RW
snmp-server community public RO
snmp-server chassis-id 0x0E
This switch defines two strings: the default "public" and a not-too-imaginative "private," which is probably the first string an attacker will try after "public." These long, detailed files make it difficult to catch such problems--as with routers, the files are simply so large that, even though they are easy to interpret, it is easy to overlook the details. In addition, it is rare for administrators to scan through these files on a regular basis; most administrators tend to modify only one or two settings at a time. This situation reinforces the value of a network configuration management solution--it will never miss these problems.
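As an added example (not from the book and not Cisco's or any vendor's tooling), the following Python audit does the two things the text calls for: it recognizes the device from the IOS-style version line and it flags the SNMP community-string problem shown above. The sample configuration and the list of guessable strings are constructed for this example.

```python
import re

# Constructed sample of an IOS-style switch configuration (not a real device's file).
SAMPLE_CONFIG = """\
version 12.1
hostname access-sw01
!
snmp-server engineID local 0000000902000002FDDBB700
snmp-server community private RW
snmp-server community public RO
snmp-server community s3cr3t-ro RO 10
snmp-server chassis-id 0x0E
"""

# Community strings that are tried first by anyone probing a device; a finding on sight.
# Assumption: the organisation maintains and extends this list.
WEAK_COMMUNITIES = {"public", "private"}

# IOS syntax: snmp-server community <string> [RO|RW] [access-list]; RO is the default mode.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$")


def parse_config(text):
    """Return (version, hostname, communities); communities is a list of
    (name, mode, acl) tuples taken from 'snmp-server community' lines."""
    version = hostname = None
    communities = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("version "):
            version = line.split(None, 1)[1]
        elif line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
        else:
            m = COMMUNITY_RE.match(line)
            if m:
                name, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
                communities.append((name, mode, acl))
    return version, hostname, communities


def audit_snmp(communities):
    """Return human-readable findings for guessable, read-write, or unrestricted strings."""
    findings = []
    for name, mode, acl in communities:
        if name.lower() in WEAK_COMMUNITIES:
            findings.append(f"default/guessable community '{name}' ({mode})")
        if mode == "RW":
            findings.append(f"read-write community '{name}' permits configuration changes over SNMP")
        if acl is None:
            findings.append(f"community '{name}' is not restricted by an access list")
    return findings


if __name__ == "__main__":
    version, hostname, comms = parse_config(SAMPLE_CONFIG)
    print(f"{hostname}: IOS {version}")
    for finding in audit_snmp(comms):
        print(" -", finding)
```

Run against a directory of retrieved configurations, this is the routine check a configuration management solution performs on every file so the "private" string is never overlooked.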
The configuration of a switch is stored in a basic text file, making it easy to retrieve, easy to
analyze, and easy to store in a database for change-management purposes. Text files offer
additional advantages for comprehensive configuration management solutions. For example, the
solution can provide its own text editor for editing or creating configuration files, then push those
files out to devices. If the configuration files were in a more complex format, it would be more
difficult for a configuration management solution to offer an in-solution configuration editor.
Firewalls
Firewalls fall into one of three categories: their configuration files look a lot like the ones I've shown you for a router and a switch, their configuration files look very different from those we've already explored, or they don't have configuration files at all.
Standalone firewalls--so-called "black box" firewalls (such as Cisco's PIX products)--are managed devices similar in nature to routers. In fact, they are routers with a lot of extra port-filtering and security capabilities. Using these firewalls with a configuration management system is typically straightforward because they have the same Telnet management interface and TFTP capabilities that a router or switch has.
Other firewalls are built on a more general-purpose platform, such as a UNIX, Windows, or
Linux server. These firewalls--such as Microsoft's Internet Security and Acceleration (ISA)
Server or Checkpoint's Firewall1 product--are software-based and sometimes offer capabilities
beyond those offered by standalone, hardware firewalls such as a PIX box. However, the
complexity of software firewalls makes it very difficult, if not impossible, to incorporate them
into a configuration management system.