Security Basics mailing list archives
Re: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet?
From: david kuhlman <david.kuhlman () gmail com>
Date: Fri, 28 Jan 2005 06:12:56 -0500
*** THE QUESTIONS ***
Am I right with the following "interpretations" of this issue and with my reasons for these interpretations?
1. The ISP shouldn't have revealed the model of the router, because otherwise I would have had to do some work to find out.
True. Security through obscurity.
2. It's bad (hmmm... very bad) practice to expose a router unfiltered to the public internet, because a) telnet is insecure due to plain text passwords, b) the router is an important part of the network and should be specially secured.
True, don't want to give people keys to the kingdom.
3. (not quite sure): Asking only for a password (and no user name) is bad, because only one string has to be brute forced.
Not so true. Routers have a default name for their super user which is trivial to know. Still, user names allow for variable access control.
4. (my main question!): The reason given by the ISP to expose the router is totally weird, because the IP range for _outgoing_ ADSL connections is irrelevant for router remote administration, which is performed in the opposite direction and needs only one IP, e.g. the one of the target router.
I think David Gillett is correct here but I can't completely understand what you are asking. Basically, if they want to remotely administer the router from anywhere in the world they can't restrict any IPs. But this is very bad security practice of course.
*** SOLUTIONS? ***
The best solution is to only allow physical access to the router such as a console port. The computer that connects through the console port should not be accessible by the Internet or connected to the Internet at all. This is the best strategy and what is most commonly done. I would expect a commercial ISP to have a technician available to handle the network at all times eliminating the need for remote administration. Besides, router configurations should be required to change often enough to require remote administration.
My two cents.
David Kuhlman
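As an added illustration of the three concerns raised in this thread (plaintext telnet, password-only login, and management reachable from any source, including the customer ADSL pool rather than just the ISP's own management hosts), here is a small policy check. It is example code written for this archive page, not anything from the original posters; the config dictionary layout, the NOC prefix and the customer pool are constructed assumptions, not a real vendor format.

```python
import ipaddress

# Constructed assumptions: the ISP's own management hosts and its customer
# ADSL address pool (both RFC 5737 documentation ranges, not real networks).
NOC_PREFIX = ipaddress.ip_network("192.0.2.0/24")
CUSTOMER_POOL = ipaddress.ip_network("198.51.100.0/24")


def audit_management(cfg):
    """Return a list of findings for a hypothetical management-plane config.

    cfg keys (assumed layout):
      service:         "telnet" or "ssh"
      allowed_sources: list of CIDR strings; "0.0.0.0/0" means unfiltered
      auth:            "password" or "username+password"
    """
    findings = []
    if cfg["service"] == "telnet":
        findings.append("telnet sends credentials in clear text; use ssh")
    sources = [ipaddress.ip_network(s) for s in cfg["allowed_sources"]]
    if any(n.prefixlen == 0 for n in sources):
        findings.append("management reachable from any source address")
    elif any(n.overlaps(CUSTOMER_POOL) for n in sources):
        # Question 4: the outgoing ADSL range is the wrong thing to allow.
        findings.append("management reachable from the customer address pool")
    if cfg["auth"] != "username+password":
        findings.append("password-only login: one secret protects the router")
    return findings


def allowed_from(cfg, src):
    """True if a connection from IP string src passes the source filter."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(s) for s in cfg["allowed_sources"])


# The exposure the thread describes: telnet, password only, open to the world.
WEAK_CONFIG = {"service": "telnet", "allowed_sources": ["0.0.0.0/0"],
               "auth": "password"}

# Hardened equivalent: ssh, user name plus password, NOC prefix only.
HARDENED_CONFIG = {"service": "ssh", "allowed_sources": [str(NOC_PREFIX)],
                   "auth": "username+password"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_management(cfg) or "no findings")
```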
Current thread:
- Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? John Doe (Jan 27)
- RE: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? David Gillett (Jan 27)
- Re: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? david kuhlman (Jan 28)