WebRamp M3 Perceived Bug

[rward () RAMPNET COM (Robert Ward)]

In response to John Stanley's posting on January 21, 1999.

1)  The perceived problem is that upon manualling disabling the diversion of
incoming telnet requests to the webramp, and not setting up a Visible
Computer, or telnet Local Server, telnet traffic continues to divert to the
Webramp.

This is largely due to the Webramp's logic.  Upon receiving incoming traffic
on port 23 the WebRamp checks it's divert port options, notices that telnet
diversion is off, then looks for a visible computer or local server to pass
the traffic to.  Failing this the WebRamp then defaults back to diverting
the port 23 traffic to itself.

We designed this box with being able to access the CLI or HTTP interface
from the WAN in mind.  This feature allows for remote management and trouble
shooting of the WebRamp, and has proved to be an essential tool to our
support department.  If security is a concern change the Administrative
password on your WebRamp, and do so frequently.

The Divert Port options were never intended to be a security feature, rather
they are there so that you can bypass the webramps built in telnetd and
httpd and pass packets to your in-house server.

2)  This is true for every M3/M3t/M3i/300 user who is not using Visible
Computers or telnet Local Servers.  I would approximate this number to be in
the 90% or higher range.  The number of customers who have actively tried to
disable incoming telnet sessions that we are aware of is much lower than 1%.

3)  There are workarounds readily available.

The easiest way to prevent unwanted access to your WebRamp is to change the
Admin Password, and as with all things security related, change it often.

To completely block telnet access (so that the session can't even be
initiated) from the WAN you have two options.

Method 1:  Enable a Visible Computer for each active modem port and pointing
to IP addresses that are not being used in your LAN (e.g. 192.168.1.254 is a
good place to start as DHCP is not likely to ever pass it out), and uncheck
both of the divert incoming boxes.

Method 2:  Enable a Local Server of the Telnet and Web type and point them
to an IP address that is not in use on your network.  Then telnet into the
webramp and use the divertport to disable all incoming diversions.  This
will only work for modem 1.  If you are using 2 or more modems use method
one.

4)  Last but not least, engineering has agreed to incorporate a change in
the M3 families code to mimic the 310.  This would allow the user to simply
check one box to disallow WAN access to the httpd and telnetd processes.
Since there are workarounds available, and useability/functionality is not
impaired, this is considered to be a priority 4 and may be incorporated in
the next point release.

Robert Ward
Senior Customer Support Engineer
Ramp Networks