Default Passwords for World Wide Packets/Lightning Edge Equipment

Nathan Eisenberg nathan at atlasnetworks.us
Thu Jan 7 09:37:59 UTC 2010


Matthew Palmer [mpalmer at hezmatt.org]
> To be fair, he was just asking about factory resetting the device
> because
> the current password was unknown, then reconfiguring the device (I'm
> willing
> to be generous and assume that the reconfiguration included setting a
> new,
> secure password).

Thank you - You're correct.  The administration and security of these devices is hardly magic - but one has to be able to access them in order to secure them.  The devices haven't even left my hotel room for the production site, and you would already be SOL if you didn't have access to the either the (management interface AND the Very Long Password) or the (reset button AND the management interface AND (the default password)).  

Dobbins, Roland [rdobbins at arbor.net]
> Which goes to show that they just really don't get it when it comes to
> security.  

So are you specifically opposed to globally default passwords, or are you opposed to being able to reset a device to factory defaults and somehow get into the device?  Because while I still maintain there's no real security issue with the former (if there is, there's a bigger issue), all that I'm really gung ho for is the ability to get into a piece of equipment I need to operate, even if I don't have credentials to it.  

Nothing grinds my gears more than equipment that has to be thrown out because there is no recovery mechanism.  I frankly don't much care if the default password on my WWP LE427 is 'wwp' or 'wwp[serial-number-which-is-printed-on-the-back]' - as long as I can get it so I can get in and change it, I'm happy.

Steven Bellovin [smb at cs.columbia.edu]
> And we all suffer from p0wned devices, because they
> get turned into bots.  Roland is 100% right.

Eh... I think this is confusing cause and effect.  We all suffer, but the fact that a device is compromised because of a default password is, at the root of the chain, the result of a faulty Operator.  Why was the password left at default?  Why was it possible to access the management interface to utilize the default password?  I would argue that the solution is to replace or modify the defective operator, rather than replacing, eliminating, or modifying the tool they misused.

Joe Hamelin [joe at nethead.com]
> I've been in training with the WWP folks for the last two days (VERY
> GOOD TRAINING, BTW!) and they got quite a chuckle out of this thread.

Are they still around, or are they Ciena employees?  My understanding was that they were completely acquired.

> If you got some serious layer 2 stuff to do, these boxes have a really
> interesting architecture and some trick features (unix type shell, for
> one.)

Yep, they're rock solid devices.  Every deployment I've seen of them as worked very well.  Ciena certainly got a good deal out of buying them!  I'm actually not sure how much of the WWP gear is still manufactured.

Thank you all again for helping me sort out what the factory default WWP passwords are so that I can now have a secure and documented deployment out here!  I've received a couple offers of technical assistance from WWP veterans that I may well take up moving forward.

Best Regards,
Nathan Eisenberg




More information about the NANOG mailing list