Default Passwords for World Wide Packets/Lightning Edge Equipment

James Hess mysidia at gmail.com
Wed Jan 6 22:01:39 CST 2010


On Wed, Jan 6, 2010 at 1:12 PM, Jim Burwell <jimb at jsbc.cc> wrote:
[snip]
> Yeah.  And for devices with no console, only network interfaces, a
> default IP address, no default password, and no default route (just in
> case they plug it into a real LAN instead of a laptop.  :p  ).

Ah... don't worry about default routes. Proxy ARP will "fix it" when
combined with a suitable router that does it by default, and help make
sure the default-pw'ed device can still be reached by the bad guys.

As Murphy would have it, the default device IP happens to correspond to a
valid LAN IP address formerly used by a server, that the neglected
perimeter firewall still forwards port 80 traffic to...

You know... an extra port isn't so expensive these days. Equipment
vendors could just make one of the network ports be labelled "Manage",
ship the units with management access disabled, except on that port.
Don't allow normal traffic forwarding to/from that port by default.

On first login, require a password change to be made before all other
changes, such as enabling full management, are even allowed, including
turning the manage port into a normal port (if it's even necessary).

The device should shut down the manage port, until reboot, via "management
port security": when the first frame is received, memorize the MAC
address, as long as carrier is still detected.

If later a second MAC address is detected as the source on any frame, or
any multicast frame at all is received, other than an ARP for the
switch's default IP, light up an orange LED for "security violation" or a
"user error" light. :)

--
-J
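The management-port behaviour sketched in the post above, as an added example that is not part of the post or of any vendor's firmware: a small Python model of a "Manage" port that learns the first source MAC while carrier is up, shuts itself down (and lights the violation LED) on a second source MAC or on any group-addressed frame other than an ARP for the device's default IP, and refuses every configuration command until the default password has been changed. The MAC addresses, the default IP, the frame fields and the command names are all constructed placeholders.

```python
"""Toy model of the management-port security proposed above (added example)."""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_IP = "192.0.2.1"  # constructed placeholder for the device's default address


@dataclass
class Frame:
    """Simplified Ethernet frame; only the fields the policy looks at (constructed)."""
    src_mac: str
    dst_mac: str
    ethertype: str                  # "arp" or "ipv4"
    arp_target_ip: Optional[str] = None


def is_group_address(mac: str) -> bool:
    """Multicast and broadcast MACs have the low bit of the first octet set."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


class ManagementPort:
    def __init__(self) -> None:
        self.carrier = False
        self.learned_mac: Optional[str] = None
        self.shut_down = False
        self.violation_led = False
        self.password_changed = False   # survives reboot, unlike the port state

    def link_up(self) -> None:
        self.carrier = True

    def link_down(self) -> None:
        # The learned MAC is only held while carrier is present, so re-plugging
        # a different laptop after unplugging the first one is not a violation.
        self.carrier = False
        self.learned_mac = None

    def reboot(self) -> None:
        # Only a reboot clears a security-violation shutdown.
        self.shut_down = False
        self.violation_led = False
        self.learned_mac = None

    def _violate(self, reason: str) -> str:
        self.shut_down = True
        self.violation_led = True       # the orange "security violation" LED
        return f"violation:{reason}"

    def receive(self, frame: Frame) -> str:
        if self.shut_down or not self.carrier:
            return "dropped"
        # Group-addressed frames are only tolerated when they are an ARP
        # request for the device's own default IP (the laptop finding us).
        if is_group_address(frame.dst_mac) and not (
            frame.ethertype == "arp" and frame.arp_target_ip == DEFAULT_IP
        ):
            return self._violate("multicast")
        if self.learned_mac is None:
            self.learned_mac = frame.src_mac
            return "learned"
        if frame.src_mac != self.learned_mac:
            return self._violate("second-mac")
        return "accepted"

    def configure(self, command: str) -> str:
        """First-login gate: nothing but a password change is allowed at first."""
        if command == "set-password":
            self.password_changed = True
            return "ok"
        if not self.password_changed:
            return "denied: change the default password first"
        return "ok"


def walk_through() -> List[str]:
    """Replay a constructed frame/command sequence against a fresh port."""
    laptop, intruder, device = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:ff"
    port = ManagementPort()
    port.link_up()
    return [
        port.receive(Frame(laptop, "ff:ff:ff:ff:ff:ff", "arp", DEFAULT_IP)),  # allowed ARP
        port.receive(Frame(laptop, device, "ipv4")),                          # same MAC
        port.configure("enable-full-management"),                             # gated
        port.configure("set-password"),
        port.configure("enable-full-management"),                             # now allowed
        port.receive(Frame(intruder, device, "ipv4")),                        # second MAC
        port.receive(Frame(laptop, device, "ipv4")),                          # port is down
    ]


if __name__ == "__main__":
    for event in walk_through():
        print(event)
```

The ordering inside `receive` matters: the shutdown check comes first so a violated port stays silent until reboot, and the group-address check comes before learning so a stray multicast frame cannot become the "learned" source.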
