Security: Secure Sensitive Data Management
Configuration Files
Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4 371
 
Configuration Files
A configuration file contains the configuration of a device. A device has a Running Configuration file, a Startup Configuration file, optionally a Mirror Configuration file, and a Backup Configuration file. A user can manually upload and download a configuration file to and from a remote file server. A device can automatically download its Startup Configuration from a remote file server during the auto configuration stage using DHCP. Configuration files stored on remote file servers are referred to as remote configuration files.
A Running Configuration file contains the configuration currently being used by a device. The configuration in a Startup Configuration file becomes the Running Configuration after reboot. Running and Startup Configuration files are stored in an internal format. Mirror, Backup, and remote configuration files are text-based files usually kept for archive, records, or recovery. When a source configuration file is copied, uploaded, or downloaded, the device automatically transforms the source content to the format of the destination file if the two files are of different formats.
File SSD Indicator
When copying the Running or Startup Configuration file into a text-based configuration file, the device generates the file SSD indicator and places it in the text-based configuration file to indicate whether the file contains encrypted sensitive data, contains plaintext sensitive data, or excludes sensitive data.
• The SSD indicator, if it exists, must be in the configuration file header.
• A text-based configuration that does not include an SSD indicator is considered not to contain sensitive data.
• The SSD indicator is used to enforce SSD read permissions on text-based configuration files, but is ignored when copying the configuration files to the Running or Startup Configuration file.
The SSD indicator in a file is set according to the user's instruction during the copy: to include encrypted sensitive data, to include plaintext sensitive data, or to exclude sensitive data from the file.
SSD Control Block
When a device creates a text-based configuration file from its Startup or Running Configuration file, it inserts an SSD control block into the file if the user requests that the file include sensitive data. The SSD control block, which is protected from tampering, contains the SSD rules and SSD properties of the device that created the file. An SSD control block starts with "ssd-control-start" and ends with "ssd-control-end".
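The following audit sketch is an added example, not Cisco code. It classifies archived text-based configuration files by their file SSD indicator and checks that the SSD control block markers are consistent with it. The indicator line syntax ("file SSD indicator <state>"), the tolerance for trailing text after the end marker, the function name and the sample files are assumptions; the two control block markers are the ones named above.

```python
import re

# Assumed indicator line syntax; the text above does not show it literally.
INDICATOR_RE = re.compile(
    r"^file SSD indicator (encrypted|plaintext|excluded)\s*$", re.M)

def audit_config(text):
    """Report the SSD state of one text-based configuration file."""
    m = INDICATOR_RE.search(text)
    # A file with no indicator is considered not to contain sensitive data.
    state = m.group(1) if m else "absent"
    words = [ln.split()[:1] for ln in text.splitlines()]
    starts = [i for i, w in enumerate(words) if w == ["ssd-control-start"]]
    # Trailing text after the end marker is tolerated (assumption).
    ends = [i for i, w in enumerate(words) if w == ["ssd-control-end"]]
    has_block = bool(starts or ends)
    complete = len(starts) == 1 and len(ends) == 1 and starts[0] < ends[0]
    findings = []
    if has_block and not complete:
        findings.append("SSD control block markers are unpaired or out of order")
    if state in ("encrypted", "plaintext") and not has_block:
        findings.append("sensitive data indicated but no SSD control block found")
    if state in ("absent", "excluded") and has_block:
        findings.append("SSD control block present but no sensitive data indicated")
    if state == "plaintext":
        findings.append("plaintext sensitive data: restrict access to this file")
    return {"ssd_state": state, "control_block": complete, "findings": findings}

# Constructed samples, not real device output.
SAMPLES = {
    "encrypted.txt": "file SSD indicator encrypted\nssd-control-start\n"
                     "! rules and properties elided\nssd-control-end\nhostname sw1\n",
    "plaintext_noblock.txt": "file SSD indicator plaintext\nhostname sw2\n",
    "no_indicator.txt": "hostname sw3\n",
    "truncated.txt": "file SSD indicator encrypted\nssd-control-start\n"
                     "! rules and properties elided\nhostname sw4\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_config(text))
```

The check only looks at marker presence and order; it does not verify the tamper protection of the control block, which the device itself enforces.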