Security: Secure Sensitive Data Management
SSD Properties
370 Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4
19
After a device is reset to the factory default, its local passphrase is reset to the default
passphrase. As a result, the device will be not able to decrypt any sensitive data encrypted
based on a user-defined passphrase entered from a management session (GUI/CLI), or in any
configuration file with restricted mode, including the files created by the device itself before it
is reset to factory default. This remains until the device is manually reconfigured with the user-
defined passphrase, or learns the user-defined passphrase from a configuration file.
Configuration File Integrity Control
A user can protect a configuration file from being tampered or modified by creating the
configuration file with Configuration File Integrity Control. It is recommended that
Configuration File Integrity Control be enabled when a device uses a user-defined passphrase
with Unrestricted Configuration File Passprhase Control.
!
CAUTION Any modification made to a configuration file that is integrity protected is considered
tampering.
A device determines whether the integrity of a configuration file is protected by examining the
File Integrity Control command in the file's SSD Control block. If a file is integrity protected
but a device finds the integrity of the file is not intact, the device rejects the file. Otherwise, the
file is accepted for further processing.
A device checks for the integrity of a text-based configuration file when the file is downloaded
or copied to the Startup Configuration file.
Read Mode
Each session has a Read mode. This determines how sensitive data appears. The Read mode
can be either Plaintext, in which case sensitive data appears as regular text, or Encrypted, in
which sensitive data appears in its encrypted form.
To Next Page
Loading...
