Security Basics mailing list archives

RE: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet?

From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 27 Jan 2005 15:17:23 -0800

4. (my main question!): The reason given by the ISP to expose 
the router is totaly weird, because the IP range for 
_outgoing_ ADSL-connections is irrelevant for router remote 
administration, which is performed in the opposite direction 
and need's only one IP, p.ex. the one of the target router.


  Uh, no.  Any TCP connection needs both source and target addresses.

  What the ISP said is:  We've considered only allowing telnet
connections to this box from specific source addresses (assigned
to those who should be able to administer the router).  We haven't
restricted access to only those sources yet; it's entirely possible
that the administrators need the option to access it from wherever
they are on the Internet *today*, and that changes, either because
they travel and/or they get an address via DHCP or other dynamic 
mechanism.

  It's entirely possible that certain "known nuisance" and invalid
or spoofed source addresses are blocked; yours doesn't (yet) happen
to be one of them.

David Gillett

Current thread:

Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? John Doe (Jan 27)
- RE: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? David Gillett (Jan 27)
  - Re: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? John Doe (Jan 28)
    - RE: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? David Gillett (Jan 28)
- Re: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? david kuhlman (Jan 28)