1. Field of the Invention
The present invention relates to the field of computer systems and data communications networks. More particularly, the present invention relates to a method and apparatus for providing password protection for multiple processing engines (PEs) in a high reliability computer system such as found in a data communications network.
2. The Background
A computer system on a data communications network is potentially accessible by anyone on the network. Since the Internet interconnects various networks, a computer system on such a network is potentially accessible to the tens of millions of people who now access the Internet. Therefore, security is a major requirement for almost all computer systems, so as to protect such computer systems from inadvertent or intentional accesses and undesirable actions.
Password protection is one of the various security devices for restricting or limiting access to a computer system. Passwords may be set in accordance with the mode or nature of commands to be executed on the system; various levels of access may be provided. For example, initial access to the computer system may be secured by setting passwords for individual access lines to the system through its interfaces and ports. Execution of some classes of commands may be allowed only to some privileged users, but not to all users who log in to the system. An ordinary user may execute nondestructive commands such as connecting to remote devices, changing terminal settings on a temporary basis, listing system information, etc. However, potentially destructive commands such as changing configuration parameters that affect the system as a whole, shutting down an interface, rebooting the system, and the like, generally require additional protection. The former commands are referred to as “user mode” commands and are executed in an ordinary user mode, and the latter are referred to as “privileged mode” commands, executable only in one of possibly several privileged modes. Typically, a privileged user is required to enter an enable password to get into the privileged mode after he or she is granted accesses to the user mode. Passwords are typically set during the initial configuration process of the system.
FIG. 1 shows an example of an initialization process which begins with the startup of a computer system, for example, a packet router. In a typical startup initialization process, the system checks the hardware and performs a power-on self-test by executing commands stored in a ROM (read only memory), and then finds and loads operating system (OS) software. The OS software may be loaded, for example, from a flash memory or ROM. Next, the system finds and loads configuration information from a configuration file. If the previously created and saved configuration file is found in a non-volatile random access memory (NVRAM), the configuration file is loaded into a memory (RAM) and executed on a line-by-line basis. This execution of the configuration file defines settings and parameters of interfaces and other hardware in the system, resulting in the system becoming operational.
If no previously created configuration file exists, the OS, such as a Cisco IOS™ product, available from Cisco Systems, Inc. of San Jose, Calif., executes a predefined question-driven configuration display (setup dialog) to a user and creates a basic configuration. The newly created configuration file is stored in the NVRAM and will be loaded as a default at the next initialization process. In the case of routers, for example, the configuration process includes defining router-specific attributes and protocol functions, defining addresses, operating rates and other parameters of interfaces and other hardware, and establishing passwords (including an enable password). The passwords can be changed thereafter by a user who has access to a privileged mode (a user with the enable password).
Reliability is another important requirement for computer systems, especially for computer systems maintaining important information or for those systems the failure of which would significantly affect other systems. Routers are an example of such computer systems requiring high reliability. Routers usually transfer packets of data from one network to another. The failure of a router may affect all networks and hosts that send or receive packets handled by that router. One technique used to realize high reliability in a computer system is to make the system redundant, providing the system with a primary processing engine and a secondary (back-up) processing engine. In such a redundant processing engine system, when the primary processing engine fails, the secondary processing engine can immediately take over the duties of the primary processing engine so as to continue running the system.
A processing engine (PE) usually includes one or more CPUs or microprocessors, supporting circuitry, a variety of memories such as DRAM, ROM, static RAM, etc., and a bus. In a symmetric multiprocessing (SMP) system, for example, a PE is a collection of unit processors. A PE may also be implemented as a microcode engine.
FIG. 2 shows operations in a prior art redundant PE system. In such a redundant PE system, when the system is started, the primary PE performs the initialization process for the system. The primary PE configures the system by loading and executing the configuration file thereof, during which an enable password for the primary PE (along with other passwords for the system) is set so as to protect the system. The secondary PE waits for the primary PE to fail, and then takes over the system after the failure of the primary PE is detected. Such a failover may take place when a failure of the hardware or a severe problem in the software occurs. For example, when a bus error or a segmentation violation occurs, it may be better to switch to a back up PE via a seamless take-over from the original PE rather than to attempt to resolve the problem on the original PE.
The failure may be detected by the lack of or issuance of a specific indication signal from the primary PE. Once the secondary PE takes over the system, it reboots the failed PE and performs reinitialization. At this point the secondary PE loads and executes its own configuration file (the configuration may or may not be the same as that of the primary PE). An enable password and other passwords are set for the secondary PE in this configuration process, and the system is password-protected as well.
In many computer systems, such as network routers, the operating system uses a command line interface (CLI). In a CLI-based system, commands are executed regardless of whether the commands are entered by a user, for example, from a console, or read from an executable file such as a configuration file. Thus, in a CLI-based system, loading a configuration file into a memory causes all configuration commands in the file to be executed. Therefore, if the secondary PE in a redundant PE system reads its configuration file, it could potentially redefine or alter all of the settings and parameters of the interfaces and other hardware of the system, which are still under the control of the primary PE. For this reason, in a conventional redundant PE system using a CLI, the secondary PE is not allowed to load the configuration file into its memory until the primary PE fails.
There are some situations where it is desirable for a redundant PE system to make certain commands available to the secondary PE before the primary PE fails. For example, suppose that in a router the primary PE is handling all routing functions, and the secondary PE is monitoring the primary PE waiting for it to fail. The primary PE could be signaling on a communications link, such as a backplane line, once per second as a result of a high-priority interrupt to let the secondary PE know that all is fine, but actually it is in an endless loop in a slightly lower priority interrupt. In this situation the primary PE has failed, but it is indicating to the secondary PE that it has not failed, preventing the secondary PE from taking over. In such a case, a system administrator may want to reboot the primary PE to fix the situation, forcing the primary PE to fail and allowing the secondary PE to take over. Such a forced failover may be caused by having the system administrator issue a command (presumably a privileged mode command) through a console port for the secondary PE.
However, because the secondary PE is prohibited from loading its configuration file until the first PE fails, it has no password protection until that time comes. If the system allows a user to obtain access to such privileged mode (without an enable password) through the second console, anyone with access to the second console can issue any destructive or privileged commands, for example, changing the configuration and then causing a forced failover at will. Such unrestricted issuance of commands without password protection poses a risk to the computer system. For example, some loss of information is almost inevitable if a failover occurs. Repeated forced failovers may lead to serious consequences. In addition, the performance of the secondary PE may be lower than that of the primary PE, so that a forced failover could cause lower performance in the system than desired. Thus, the prior art redundant PE system can improve its reliability only at the cost of its security.