mm84 | New Member | Posts: 2 | Joined: Mon Jul 23, 2007 2:52 pm

Dishonest IT Department

Mon Jul 23, 2007 3:05 pm

Without getting into all the details, I will say that we have had several cases with our IT department where one thing was said and another done.

My question is concerning VPN. We currently have a Cisco router, and our network admin stated that nobody had access via VPN.

Two days later we found out that an employee was working from home using a VPN connection.

While I'm leaving major details out of the "problems" that occurred, the question is simple.

We instructed the individual to change all the passwords on the VPN accounts, and to set another person other than herself as Admin, as she cannot be trusted.

Her response was that there is NO ADMIN account when speaking of VPN accounts; she said they are just logins.

While she proceeded to show me on her screen, I noticed that two names had the words "secret" and "privileged" next to the user names.

When I asked why they said that, she replied that it was an "encryption" system.

1) How do I know if there are more VPN accounts that have been created that I'm not being told about?

2) Is there such a thing as an Admin account, and she just does not want to pass over the control?

Thanks for your time. As you may expect, my IT knowledge is limited, but this does not sound right.

Thanks in advance.

ibarrere | Cisco Inferno | Posts: 10283 | Joined: Mon Jul 10, 2006 12:58 am

Mon Jul 23, 2007 3:27 pm

It depends on the hardware platform you're running... is it a Cisco PIX?

When speaking of host-to-site VPNs, there is no "admin" account. Accounts are set up on a person-by-person basis. A person with an account can establish a VPN connection with the box.

In order to view all accounts on the box, again, it depends on the hardware and the configuration. Sometimes people will have the VPN accounts authenticated through a RADIUS server (in which case you would have to look on the server to see the accounts), or they could have them authenticated via the local database on the firewall box.

netman839 | Senior Member | Posts: 483 | Joined: Wed Mar 28, 2007 1:52 am

Tue Jul 24, 2007 8:20 am

The router may not be running the VPN endpoint, but it might be letting it through. Try to find out what hardware or software is running the VPN; then we might be able to help. There are quite a number out there. All the big network vendors have hardware-based solutions, e.g. Cisco, Juniper, Nortel, Netgear. There are also PC-based software ones like MS ISA Server and OpenVPN for Linux/Unix systems.

pfunix | Senior Member | Posts: 297 | Joined: Mon Apr 02, 2007 4:13 pm

Re: Dishonest IT Department

Tue Jul 24, 2007 8:33 am

mm84 wrote: Without getting into all the details, I will say that we have had several cases with our IT department where one thing was said and another done.

My question is concerning VPN. We currently have a Cisco router, and our network admin stated that nobody had access via VPN.

Two days later we found out that an employee was working from home using a VPN connection.

While I'm leaving major details out of the "problems" that occurred, the question is simple.

We instructed the individual to change all the passwords on the VPN accounts, and to set another person other than herself as Admin, as she cannot be trusted.

Her response was that there is NO ADMIN account when speaking of VPN accounts; she said they are just logins.

While she proceeded to show me on her screen, I noticed that two names had the words "secret" and "privileged" next to the user names.

When I asked why they said that, she replied that it was an "encryption" system.

1) How do I know if there are more VPN accounts that have been created that I'm not being told about?

2) Is there such a thing as an Admin account, and she just does not want to pass over the control?

Thanks for your time. As you may expect, my IT knowledge is limited, but this does not sound right.

Thanks in advance.


If it says something like "secret" and "privileged", it may look like the following:

username blahblah password <blalalaa> privilege 15

Ask your netadmin for the "enable" password :) and the config file itself. This mostly brings up legal concerns, but if you're in a country other than the US it's a bit concerning, considering that if this router is the only way out for your company to work, it would really be a hassle if it goes down.

There are quite a few nasty IT guys out there that companies hire who get a "firm" hold of all the passwords within the infrastructure, and there is NO copy of the passwords/access for upper management... I guess it can be a nasty way of stating "job security".

I know someone that does that where I work ;)

Anyways, just my 0.2 cents.

pf

Rush_898 | Member | Posts: 105 | Joined: Tue Mar 27, 2007 12:27 pm

Tue Jul 24, 2007 2:05 pm

I know it's kind of radical, but there are also several scripts out there that will decrypt the passwords in it, should this person decide to cause further trouble. If you have a copy of your config, you shouldn't be locked out completely. I know THC used to have a script that did it; there are others.
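The two posts above (pfunix's point about "privilege 15" lines and Rush_898's point about reversible passwords in a saved config) can be checked offline against a copy of the running-config. The script below is an added example and is not code from anyone in this thread or from THC; it parses a constructed IOS-style config (embedded in build_sample_config, not taken from a real device), lists every local "username" line with its privilege level, flags privilege 15 as admin-equivalent, reports whether each credential is a type 5 hash, a reversible type 7 string, or cleartext, decodes the type 7 ones with the public XOR key, and shows which AAA method list the VPN client logins use (so you know whether to look on the router or on a RADIUS server for the rest of the accounts). Regex patterns, report field names and the sample hostnames/usernames are all assumptions for illustration.

```python
import re

# Cisco's Type 7 obfuscation key; the first two digits of a "password 7"
# string are the starting offset into it. This is XOR, not encryption.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Recover the plaintext of a Cisco 'password 7' / 'key 7' string."""
    salt = int(enc[:2])
    out = []
    for i, pos in enumerate(range(2, len(enc), 2)):
        out.append(chr(int(enc[pos:pos + 2], 16) ^ ord(TYPE7_KEY[(salt + i) % len(TYPE7_KEY)])))
    return "".join(out)


def type7_encode(plain: str, salt: int = 9) -> str:
    """Inverse of type7_decode; used here only to build the sample config."""
    return "%02d" % salt + "".join(
        "%02X" % (ord(c) ^ ord(TYPE7_KEY[(salt + i) % len(TYPE7_KEY)])) for i, c in enumerate(plain))


# Assumed line shapes for the config statements this audit cares about.
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? (?:password|secret)(?: (\d))? (\S+)")
ENABLE_RE = re.compile(r"^enable (?:secret|password)(?: (\d))? (\S+)")
AAA_LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
VPN_AUTH_RE = re.compile(r"^crypto map \S+ client authentication list (\S+)")
GROUP_RE = re.compile(r"^crypto isakmp client configuration group (\S+)")
GROUP_KEY_RE = re.compile(r"^ key(?: (\d))? (\S+)")


def describe_secret(ptype, value):
    """Say what kind of credential a config line carries, decoding type 7."""
    ptype = ptype or "0"          # no type number means cleartext
    if ptype == "7":
        return "type 7 (reversible): " + type7_decode(value)
    if ptype == "5":
        return "type 5 (MD5 hash, not reversible)"
    if ptype == "0":
        return "cleartext: " + value
    return "type " + ptype


def audit_config(config_text: str) -> dict:
    """Enumerate local users, their privilege level, and where VPN logins authenticate."""
    report = {"users": [], "enable": None, "login_lists": {}, "vpn_auth_list": None, "vpn_groups": {}}
    group = None                  # name of the isakmp client group block we are inside, if any
    for line in config_text.splitlines():
        if m := USER_RE.match(line):
            name, priv, ptype, value = m.groups()
            report["users"].append({"name": name, "privilege": int(priv or 1),
                                    "admin": priv == "15", "credential": describe_secret(ptype, value)})
        elif m := ENABLE_RE.match(line):
            report["enable"] = describe_secret(m.group(1), m.group(2))
        elif m := AAA_LOGIN_RE.match(line):
            report["login_lists"][m.group(1)] = m.group(2)
        elif m := VPN_AUTH_RE.match(line):
            report["vpn_auth_list"] = m.group(1)
        elif m := GROUP_RE.match(line):
            group = m.group(1)
            report["vpn_groups"][group] = None
        elif group and (m := GROUP_KEY_RE.match(line)):
            report["vpn_groups"][group] = describe_secret(m.group(1), m.group(2))
        elif not line.startswith(" "):
            group = None          # left the indented group block
    return report


def build_sample_config() -> str:
    """Constructed sample running-config (not from a real device); the type 7
    strings are generated with type7_encode so the sample is self-consistent."""
    return "\n".join([
        "hostname EDGE-2811",
        "aaa new-model",
        "aaa authentication login default group radius local",
        "aaa authentication login VPN-AUTH local",
        "enable secret 5 $1$salt$ConstructedHashNotReal",
        "username netadmin privilege 15 secret 5 $1$salt$AnotherConstructedHash",
        "username helpdesk privilege 5 password 7 " + type7_encode("Help2007", 3),
        "username rhome password 7 " + type7_encode("homeVPN1", 11),
        "username oldguest password letmein",
        "crypto isakmp client configuration group REMOTE-USERS",
        " key 7 " + type7_encode("groupPSK", 5),
        " pool VPN-POOL",
        "crypto map VPNMAP client authentication list VPN-AUTH",
        "line vty 0 4",
        " transport input telnet",
    ])


if __name__ == "__main__":
    r = audit_config(build_sample_config())
    for u in r["users"]:
        print("%-10s priv %2d %-5s %s" % (u["name"], u["privilege"], "ADMIN" if u["admin"] else "", u["credential"]))
    print("enable:", r["enable"])
    print("VPN logins use list %r -> %r" % (r["vpn_auth_list"], r["login_lists"].get(r["vpn_auth_list"])))
    for g, key in r["vpn_groups"].items():
        print("ISAKMP group %s pre-shared key: %s" % (g, key))
```

Run it against `show running-config` output saved to a file instead of the constructed sample. Anything reported as "type 7" or "cleartext" is effectively known to whoever has ever seen the config, and "type 5" only tells you the hash cannot be read back, not that it is strong; if the VPN list resolves to a RADIUS group rather than "local", the user accounts you are looking for live on that server, not in this file.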

mm84 | New Member | Posts: 2 | Joined: Mon Jul 23, 2007 2:52 pm

Tue Jul 24, 2007 3:20 pm

The router is a Cisco 2800 series (CCME).
I'm fairly confident that the VPN is not software-based, as I have discussed this with her several times and she always falls back on the router.

I was able to get the passwords from her to all the devices, and I can log in to all of them except the ones that say TELNET. They all have IP addresses, which I log on to via a browser, but how exactly do I log on to something using TELNET?

Thanks

ibarrere | Cisco Inferno | Posts: 10283 | Joined: Mon Jul 10, 2006 12:58 am

Tue Jul 24, 2007 4:02 pm

telnet <ip address>
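Once the telnet session is up, the commands below are what would answer question 1 on a 2800-series router. This is an added example, not part of any post in the thread; the "Router" prompt is a placeholder for the device's real hostname, and the output is omitted because it depends on the actual configuration.

```text
Router> enable
Password:
Router# show running-config | include username
Router# show running-config | include privilege
Router# show running-config | include aaa
Router# show running-config | include radius-server|tacacs-server
Router# show running-config | begin crypto
Router# show crypto isakmp sa
Router# show crypto session
Router# show users
```

The first "username" listing is the local account database pfunix described; "privilege 15" on a line is the admin-equivalent level. If the "aaa" lines point the VPN login list at "group radius" rather than "local", the accounts are held on the RADIUS server, as ibarrere noted, and that server has to be audited too. "show crypto isakmp sa" and "show crypto session" list remote-access tunnels that are up right now, which is the quickest way to catch a VPN user nobody mentioned.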
