Default Passwords for World Wide Packets/Lightning Edge Equipment
James Hess
mysidia at gmail.com
Thu Jan 7 04:01:39 UTC 2010
On Wed, Jan 6, 2010 at 1:12 PM, Jim Burwell <jimb at jsbc.cc> wrote:
[snip]
> Yeah. And for devices with no console, only network interfaces, a
> default IP address, no default password, and no default route (just in
> case they plug it into a real LAN instead of a laptop. :p ).
Ah... don't worry about default routes.. Proxy ARP will "fix it"..
when combined with a suitable router that does it by default, and
help make sure the default-pw'ed device can still be reached by the
bad guys.
As murphy would have it, default device IP happens to correspond to a
valid LAN IP address formerly used by a server, that the neglected
perimeter firewall still forwards port 80 traffic to...
You know.. an extra port isn't so expensive these days. equipment
vendors could just make one of the network ports be labelled
"Manage", ship the units with management access disabled, except on
that port.
Don't allow normal traffic forwarding to/from that port by default.
On first login, require a password change to be made before all other
changes, such as enabling full management are even allowed,
including turning the manage port into a normal port (if it's even
necessary).
Device should shutdown the manage port, until reboot, via "management
port security".. when the first frame is received, memorize the MAC
address, as long as carrier is still detected.
If later a second MAC address is detected as the source on any frame,
or any multicast frame at all is received, other than an ARP for
switch's default IP.
Light up an orange LED for "security violation" or a "user error"
light. :)
--
-J
More information about the NANOG
mailing list