Re: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet?
From: david kuhlman (david.kuhlman_at_gmail.com)
Date: 01/28/05
- Previous message: bernie_at_e-mich.com: "Re: Apache attacks"
- In reply to: John Doe: "Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 28 Jan 2005 06:12:56 -0500 To: security-basics@securityfocus.com
> *** THE QUESTIONS ***
>
> Am I right with the following "interpretations" of this issue and with my
> reasons for these interpretations?
>
> 1. The ISP shouldn't have revealed the model of the router, because otherwise
> I had to do some work to find out.
True. Security through obscurity.
> 2. It's bad (hmmm... very bad) practice to expose a router unfiltered to the
> public internet, because a) telnet is insecure due to plain text passwords,
> b) the router is an important part of the network and should be specially
> secured.
True, don't want to give people keys to the kingdom.
> 3. (not quite shure): Asking only for a password (and no user name) is bad,
> because only one string has to be brute forced
Not so true. Routers have a default name for their super user which
is trivial to know. Still, user names allow for variable access
control.
> 4. (my main question!): The reason given by the ISP to expose the router is
> totaly weird, because the IP range for _outgoing_ ADSL-connections is
> irrelevant for router remote administration, which is performed in the
> opposite direction and need's only one IP, p.ex. the one of the target router.
I think David Gillett is correct here but I can't completely
understand what you are asking. Basically, if they want to remotely
administer the router from anywhere in the world they can't restrict
any IP's. But this is very bad security practice of course.
> *** SOLUTIONS? ***
>
The best solution is to only allow physical access to the router such
as a console port. The computer that connects through the console
port should not be accessible by the Internet or connected to the
Internet at all. This is the best strategy and what is most commonly
done. I would expect a commercial ISP to have a technician available
to handle the network at all times eliminating the need for remote
administration. Besides, router configurations should be required to
change often enough to require remote administration.
My two cents.
David Kuhlman
- Previous message: bernie_at_e-mich.com: "Re: Apache attacks"
- In reply to: John Doe: "Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
