Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet?

From: John Doe (security.department_at_tele2.ch)
Date: 01/26/05

  • Next message: Michael Gorsuch: "RE: tool for mount a dd image"
    To: security-basics@securityfocus.com
    Date: Wed, 26 Jan 2005 17:00:17 +0100

    list members,

    after following this list for about a year, I have my first question to you,
    and a apologize if I could have shortened my questions (English is not my
    native language):

    *** INTRO ***

    Just for fun, I did the following with an IP address appearing in my server


    bash-2.05b$ telnet aaa.bbb.ccc.ddd
    Trying aaa.bbb.ccc.ddd...
    Connected to aaa.bbb.ccc.ddd.
    Escape character is '^]'.

    User Access Verification

    % Bad passwords
    Connection closed by foreign host.

    ==[end session]
    (As password, I entered three times ^C)

    After a short whois "investigation" , I realized that the IP is part of the IP
    range through which the customers of this ISP connect to the internet via

    I know the person whose IP I telnet'ed: One of my customers handling sensitive
    data, located in the same building as the ISP.

    As a non-expert, I concluded that aaa.bbb.ccc.ddd must be a router of the ISP,
    and that this may be a security problem / misconfiguration by the ISP.

    So I contacted this ISP, giving the above example, and the ISP answered the
    following: "It's a zyxel router. We don't want to restrict the IP range for
    remote administration (by us) of the router. We didn't ever had any problems
    with this configuration".

    *** THE QUESTIONS ***

    Am I right with the following "interpretations" of this issue and with my
    reasons for these interpretations?

    1. The ISP shouldn't have revealed the model of the router, because otherwise
    I had to do some work to find out.

    2. It's bad (hmmm... very bad) practice to expose a router unfiltered to the
    public internet, because a) telnet is insecure due to plain text passwords,
    b) the router is an important part of the network and should be specially

    3. (not quite shure): Asking only for a password (and no user name) is bad,
    because only one string has to be brute forced

    4. (my main question!): The reason given by the ISP to expose the router is
    totaly weird, because the IP range for _outgoing_ ADSL-connections is
    irrelevant for router remote administration, which is performed in the
    opposite direction and need's only one IP, p.ex. the one of the target router.

    5. Probable reasons for the ISP <<not having had any problems>>: they didn't
    realize an existing problem, or nobody tried to hack the router. Right?

    If I'm right with point 4.,

    *** SOLUTIONS? ***

    a) use a ssh connection to the router (hm... possible with this router?)

    b) put the router behind a firewall, ssh to the firewall and from there via
    telnet to the router (even if it's not optimal to allow logins from the
    outside to the router itself)

    c) put the router behind a DMZ host which itself is behind a firewall, then
    ssh through the firewall to the DMZ host and from there via telnet to the
    router (there's still a telnet connection which could be sniffed by a
    compromised host in the DMZ/local net)

    I very appreciate every feedback from people having an overview on the
    combination of the involved "issues". I plan to think hard about all your
    answers, and getting further in (I don't hope: at the beginning of ;-) my
    judgments concerning network security.

    thanks a lot in advance!

    P.S.: I don't have experience with ISP sized networks; my own network is
    small, with one router/paketfilter (gentoo on PC) between ADSL-Modem and local
    net. No DMZ. This is of course not optimal.

  • Next message: Michael Gorsuch: "RE: tool for mount a dd image"