Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet?
From: John Doe (security.department_at_tele2.ch)
To: email@example.com Date: Wed, 26 Jan 2005 17:00:17 +0100
after following this list for about a year, I have my first question to you,
and a apologize if I could have shortened my questions (English is not my
*** INTRO ***
Just for fun, I did the following with an IP address appearing in my server
bash-2.05b$ telnet aaa.bbb.ccc.ddd
Connected to aaa.bbb.ccc.ddd.
Escape character is '^]'.
User Access Verification
% Bad passwords
Connection closed by foreign host.
(As password, I entered three times ^C)
After a short whois "investigation" , I realized that the IP is part of the IP
range through which the customers of this ISP connect to the internet via
I know the person whose IP I telnet'ed: One of my customers handling sensitive
data, located in the same building as the ISP.
As a non-expert, I concluded that aaa.bbb.ccc.ddd must be a router of the ISP,
and that this may be a security problem / misconfiguration by the ISP.
So I contacted this ISP, giving the above example, and the ISP answered the
following: "It's a zyxel router. We don't want to restrict the IP range for
remote administration (by us) of the router. We didn't ever had any problems
with this configuration".
*** THE QUESTIONS ***
Am I right with the following "interpretations" of this issue and with my
reasons for these interpretations?
1. The ISP shouldn't have revealed the model of the router, because otherwise
I had to do some work to find out.
2. It's bad (hmmm... very bad) practice to expose a router unfiltered to the
public internet, because a) telnet is insecure due to plain text passwords,
b) the router is an important part of the network and should be specially
3. (not quite shure): Asking only for a password (and no user name) is bad,
because only one string has to be brute forced
4. (my main question!): The reason given by the ISP to expose the router is
totaly weird, because the IP range for _outgoing_ ADSL-connections is
irrelevant for router remote administration, which is performed in the
opposite direction and need's only one IP, p.ex. the one of the target router.
5. Probable reasons for the ISP <<not having had any problems>>: they didn't
realize an existing problem, or nobody tried to hack the router. Right?
If I'm right with point 4.,
*** SOLUTIONS? ***
a) use a ssh connection to the router (hm... possible with this router?)
b) put the router behind a firewall, ssh to the firewall and from there via
telnet to the router (even if it's not optimal to allow logins from the
outside to the router itself)
c) put the router behind a DMZ host which itself is behind a firewall, then
ssh through the firewall to the DMZ host and from there via telnet to the
router (there's still a telnet connection which could be sniffed by a
compromised host in the DMZ/local net)
I very appreciate every feedback from people having an overview on the
combination of the involved "issues". I plan to think hard about all your
answers, and getting further in (I don't hope: at the beginning of ;-) my
judgments concerning network security.
thanks a lot in advance!
P.S.: I don't have experience with ISP sized networks; my own network is
small, with one router/paketfilter (gentoo on PC) between ADSL-Modem and local
net. No DMZ. This is of course not optimal.