Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet?

From: John Doe (security.department_at_tele2.ch)
Date: 01/26/05

    To: security-basics@securityfocus.com
    Date: Wed, 26 Jan 2005 17:00:17 +0100

    list members,

    after following this list for about a year, I have my first question to you,
    and I apologize if I could have shortened my questions (English is not my
    native language):

    *** INTRO ***

    Just for fun, I did the following with an IP address appearing in my server
    logs.

    ==[session]

    bash-2.05b$ telnet aaa.bbb.ccc.ddd
    Trying aaa.bbb.ccc.ddd...
    Connected to aaa.bbb.ccc.ddd.
    Escape character is '^]'.

    User Access Verification

    Password:
    Password:
    Password:
    % Bad passwords
    Connection closed by foreign host.

    ==[end session]
    (As password, I entered three times ^C)

    After a short whois "investigation", I realized that the IP is part of the IP
    range through which the customers of this ISP connect to the internet via
    ADSL.

    I know the person whose IP I telnet'ed: One of my customers handling sensitive
    data, located in the same building as the ISP.

    As a non-expert, I concluded that aaa.bbb.ccc.ddd must be a router of the ISP,
    and that this may be a security problem / misconfiguration by the ISP.

    So I contacted this ISP, giving the above example, and the ISP answered the
    following: "It's a zyxel router. We don't want to restrict the IP range for
    remote administration (by us) of the router. We didn't ever had any problems
    with this configuration".

    *** THE QUESTIONS ***

    Am I right with the following "interpretations" of this issue and with my
    reasons for these interpretations?

    1. The ISP shouldn't have revealed the model of the router, because otherwise
    I would have had to do some work to find it out.

    2. It's bad (hmmm... very bad) practice to expose a router unfiltered to the
    public internet, because a) telnet is insecure due to plain text passwords,
    b) the router is an important part of the network and should be specially
    secured.

    3. (not quite sure): Asking only for a password (and no user name) is bad,
    because only one string has to be brute forced.

    4. (my main question!): The reason given by the ISP to expose the router is
    totally weird, because the IP range for _outgoing_ ADSL connections is
    irrelevant for router remote administration, which is performed in the
    opposite direction and needs only one IP, e.g. the one of the target router.

    5. Probable reasons for the ISP "not having had any problems": they didn't
    realize an existing problem, or nobody tried to hack the router. Right?

    If I'm right with point 4.,

    *** SOLUTIONS? ***

    a) use an ssh connection to the router (hm... possible with this router?)

    b) put the router behind a firewall, ssh to the firewall and from there via
    telnet to the router (even if it's not optimal to allow logins from the
    outside to the router itself)

    c) put the router behind a DMZ host which itself is behind a firewall, then
    ssh through the firewall to the DMZ host and from there via telnet to the
    router (there's still a telnet connection which could be sniffed by a
    compromised host in the DMZ/local net)

    I very much appreciate every feedback from people having an overview on the
    combination of the involved "issues". I plan to think hard about all your
    answers, and to get further into (I don't hope: to the beginning of ;-) my
    judgments concerning network security.

    thanks a lot in advance!

    P.S.: I don't have experience with ISP-sized networks; my own network is
    small, with one router/packet filter (gentoo on PC) between ADSL modem and local
    net. No DMZ. This is of course not optimal.
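The following is an added example, not part of the original post or of the ISP's equipment: a minimal model of the management-plane filter the poster argues for in point 4, where only the ISP's own admin hosts (one small subnet, not the whole ADSL customer pool) may reach the router's telnet/ssh ports, run over a few constructed firewall-style log lines to show which attempts such a filter would block. All addresses, networks and log lines are constructed placeholders.

```python
"""Added example (not from the original post): restrict router remote
administration to the ISP's management hosts rather than to the whole
ADSL customer range, and audit constructed log lines against that policy.
All addresses below are RFC 5737 documentation ranges, constructed here."""
import ipaddress
import re

# Constructed: the ISP's admin hosts and the customer ADSL pool.
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/28")]        # admin hosts
CUSTOMER_POOL = ipaddress.ip_network("198.51.100.0/24")   # ADSL customers
MGMT_PORTS = {22, 23}  # ssh and telnet to the router's own address

def mgmt_allowed(src_ip: str, dst_port: int) -> bool:
    """Return True only if src may reach the router's administration ports.
    Traffic to other ports is transit and is not a management decision."""
    if dst_port not in MGMT_PORTS:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in MGMT_NETS)

# Constructed firewall-style log lines of the form "SRC=<ip> DPT=<port>".
LOG_LINES = [
    "SRC=192.0.2.5 DPT=23",      # ISP admin host: allowed
    "SRC=198.51.100.77 DPT=23",  # ADSL customer reaching telnet: blocked
    "SRC=203.0.113.9 DPT=23",    # arbitrary internet host: blocked
    "SRC=203.0.113.9 DPT=80",    # non-management port: passed through
]
LINE_RE = re.compile(r"SRC=(\S+) DPT=(\d+)")

def audit(lines):
    """Return (src, port, verdict) triples, verdict being 'allow' or 'block'."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not carry both fields
        src, port = m.group(1), int(m.group(2))
        out.append((src, port, "allow" if mgmt_allowed(src, port) else "block"))
    return out

def blocked_from_customer_pool(lines):
    """Count admin-port attempts that originated inside the ADSL customer pool."""
    return sum(1 for s, _, v in audit(lines)
               if v == "block" and ipaddress.ip_address(s) in CUSTOMER_POOL)

if __name__ == "__main__":
    for row in audit(LOG_LINES):
        print(row)
```

The same policy expressed as an ACL on the router or on a packet filter in front of it (solution b in the post) is what replaces "we don't want to restrict the IP range".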

