Security: Secure Sensitive Data Management
Configuration Files
Cisco Small Business 200 Series Smart Switch Administration Guide 298
22
A device determines whether the integrity of a configuration file is protected by examining the File Integrity
Control command in the file's SSD Control block. If a file is integrity protected but a device finds the integrity
of the file is not intact, the device rejects the file. Otherwise, the file is accepted for further processing.
A device checks for the integrity of a text-based configuration file when the file is downloaded or copied to
the Startup Configuration file.
Read Mode
Each session has a Read mode. This determines how sensitive data appears. The Read mode can be either
Plaintext, in which case sensitive data appears as regular text, or Encrypted, in which sensitive data
appears in its encrypted form.
Configuration Files
A configuration file contains the configuration of a device. A device has a Running Configuration file, a
Startup Configuration file, a Mirror Configuration file (optionally), and a Backup Configuration file. A user can
manually upload and download a configuration file to and from a remote file-server. A device can
automatically download its Startup Configuration from a remote file server during the auto configuration
stage using DHCP. Configuration files stored on remote file servers are referred to as remote configuration
files.
A Running Configuration file contains the configuration currently being used by a device. The configuration
in a Startup Configuration file becomes the Running Configuration after reboot. Running and Startup
Configuration files are formatted in internal format. Mirror, Backup, and the remote configuration files are
text-based files usually kept for archive, records, or recovery. During copying, uploading, and downloading
a source configuration file, a device automatically transforms the source content to the format of the
destination file if the two files are of different formats.
File SSD Indicator
When copying the Running or Startup Configuration file into a text-based configuration file, the device
generates and places the file SSD indicator in the text-based configuration file to indicate whether the file
contains encrypted sensitive data, plaintext sensitive data or excludes sensitive data.
• The SSD indicator, if it exists, must be in the configuration header file.
• A text-based configuration that does not include an SSD indicator is considered not to contain
sensitive data.
• The SSD indicator is used to enforce SSD read permissions on text-based configuration files, but is
ignored when copying the configuration files to the Running or Startup Configuration file.
To Next Page
Loading...
Need help?
General