
Re: Is my router owned? How would I know?
From: Martin Hannigan <hannigan () world std com>
Date: Thu, 12 Jan 2006 18:10:15 -0500 (EST)

If there is a new user account, or if the enable and access passwords
have changed, look out!  The miscreants love to scan and find routers
with "cisco" as the access and enable passwords.

I thought everyone sensible put ACLs on vtys. Guess I was wrong.

I've seen ACL-less VTYs because someone copied a config from a router
with fewer VTYs. 8-(

Yes, but these are clue problems, not router operating system
problems. The OS problem is when they leave a device with 
a default backdoor because they want to make it easy for
their customers. It's almost like the cheaper the box, the
less secure, and the consideration seems to be that unsavvy folks
are buying the cheaper boxen so "it needs to be easy".

If you look at the maintenance and
surveillance networks of a few large tier1's, you'll find
this "dummy" gear on those networks since they are cheap and
generate no revenue. My last M/S design was dual rail
2XXX, 1600's for firewalls and frame terminations, which handled
console and monitoring for the cost of an ethernet port and 
< 15K per facility. For the use, the capex matches as well as
the reliability.

If we accept the "clue" problem as the solution, I think we
accept the fact that we condone the vendor not having secure
solutions. That may be fine for our new colleague the 'security
engineer', but it's not good for the Internet as a whole and it
distracts us from the work of making it work. 

Offering tutorials at NANOG is a great effort towards the
clue issue, but maybe we should offer vendors tutorials on
the inverse?
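As an added example (not from this thread or any poster), a small audit of a saved IOS-style running-config for the three signs raised above: VTY ranges with no access-class (including the second range that appears when a config is copied to a box with more VTYs), user accounts that are not in a known baseline, and "cisco" used as the enable or a user password. The sample config, the baseline `KNOWN_USERS` and the `audit_ios_config` function are all constructed for this illustration.

```python
import re

# Constructed sample running-config (not from the thread): "line vty 5 15" was added
# by copying a config from a box with fewer VTYs and never got the access-class.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 $1$abcd$placeholderhash
username backdoor privilege 15 password 0 cisco
enable password cisco
access-list 10 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login local
line vty 5 15
 login local
"""

KNOWN_USERS = {"admin"}       # assumption: the accounts you expect on this box
WEAK_PASSWORDS = {"cisco"}    # the default the thread warns about


def parse_stanzas(text):
    """Split IOS-style config into (top-level line, [indented lines]) pairs."""
    stanzas = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if stanzas:
                stanzas[-1][1].append(line.strip())
        else:
            stanzas.append((line.strip(), []))
    return stanzas


def audit_ios_config(text, known_users=KNOWN_USERS):
    """Return a list of findings for the three signs discussed above."""
    findings = []
    for header, body in parse_stanzas(text):
        # Every vty range must carry an access-class, not just the first one.
        if header.startswith("line vty"):
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"{header}: no access-class (unrestricted VTY)")
        m = re.match(r"username (\S+)", header)
        if m and m.group(1) not in known_users:
            findings.append(f"unexpected user account: {m.group(1)}")
        # Cleartext "password [type] value" on enable or username lines.
        m = re.search(r"\bpassword(?: \d)? (\S+)$", header)
        if m and header.startswith(("enable", "username")) \
                and m.group(1).lower() in WEAK_PASSWORDS:
            findings.append(f"weak password on: {' '.join(header.split()[:2])}")
    return findings
```

Run it against `show running-config` output saved to a file; a clean box returns an empty list, and any finding is a reason to compare against your last known-good config.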
