Security Basics mailing list archives
Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet?
From: John Doe <security.department () tele2 ch>
Date: Wed, 26 Jan 2005 17:00:17 +0100
list members, after following this list for about a year, I have my first question to you, and a apologize if I could have shortened my questions (English is not my native language): *** INTRO *** Just for fun, I did the following with an IP address appearing in my server logs. ==[session] bash-2.05b$ telnet aaa.bbb.ccc.ddd Trying aaa.bbb.ccc.ddd... Connected to aaa.bbb.ccc.ddd. Escape character is '^]'. User Access Verification Password: Password: Password: % Bad passwords Connection closed by foreign host. ==[end session] (As password, I entered three times ^C) After a short whois "investigation" , I realized that the IP is part of the IP range through which the customers of this ISP connect to the internet via ADSL. I know the person whose IP I telnet'ed: One of my customers handling sensitive data, located in the same building as the ISP. As a non-expert, I concluded that aaa.bbb.ccc.ddd must be a router of the ISP, and that this may be a security problem / misconfiguration by the ISP. So I contacted this ISP, giving the above example, and the ISP answered the following: "It's a zyxel router. We don't want to restrict the IP range for remote administration (by us) of the router. We didn't ever had any problems with this configuration". *** THE QUESTIONS *** Am I right with the following "interpretations" of this issue and with my reasons for these interpretations? 1. The ISP shouldn't have revealed the model of the router, because otherwise I had to do some work to find out. 2. It's bad (hmmm... very bad) practice to expose a router unfiltered to the public internet, because a) telnet is insecure due to plain text passwords, b) the router is an important part of the network and should be specially secured. 3. (not quite shure): Asking only for a password (and no user name) is bad, because only one string has to be brute forced 4. (my main question!): The reason given by the ISP to expose the router is totaly weird, because the IP range for _outgoing_ ADSL-connections is irrelevant for router remote administration, which is performed in the opposite direction and need's only one IP, p.ex. the one of the target router. 5. Probable reasons for the ISP <<not having had any problems>>: they didn't realize an existing problem, or nobody tried to hack the router. Right? If I'm right with point 4., *** SOLUTIONS? *** a) use a ssh connection to the router (hm... possible with this router?) b) put the router behind a firewall, ssh to the firewall and from there via telnet to the router (even if it's not optimal to allow logins from the outside to the router itself) c) put the router behind a DMZ host which itself is behind a firewall, then ssh through the firewall to the DMZ host and from there via telnet to the router (there's still a telnet connection which could be sniffed by a compromised host in the DMZ/local net) I very appreciate every feedback from people having an overview on the combination of the involved "issues". I plan to think hard about all your answers, and getting further in (I don't hope: at the beginning of ;-) my judgments concerning network security. thanks a lot in advance! P.S.: I don't have experience with ISP sized networks; my own network is small, with one router/paketfilter (gentoo on PC) between ADSL-Modem and local net. No DMZ. This is of course not optimal.
Current thread:
- Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? John Doe (Jan 27)