Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Sean Donelan <sean () donelan com>]

On Thu, 7 Jan 2010, Dobbins, Roland wrote:
> > Which goes to show that they just really don't get it when it comes to security.  Maybe they should look here at all the entries 
> > for 'default credentials':
>
> Actually, should be 'default password'.

Default credentials may be a more generic description of the problem 
(although "default password" is a better search term).  A problem with 
default credentials is history has demonstrated even an expert (i.e. 
the vendors own technical support) aren't always certain they've 
found and changed every default credential possible on complex devices. 
Its not just the usual console access, but also snmp protocals 
public/private, http protocols admin, ldap cn=admin, postscript none, 
decnet mop, and so on.  Even if you think you know every possible 
protocol, some vendors have had the habit of adding new protocols in 
updates with its own set of defaults for new remote access protocols.

Multiple protocols, using multiple authorization sources, with defaults.

Its not a suprise why old-timers get annoyed with vendor gear with 
default remote access methods enabled before the user configured the
access credentials for the access method.  Eventually you'll get bit by 
some device, some protocol, that has something enabled without your 
knowledge.  If you require your vendors not to ship stuff with remote
access enabled by default, its not a substitute for your own due 
dilgence, but in practice it helps reduce unexpected incidents.