Vulnerability Development mailing list archives

Re: news story and router passwords


From: bugtraq () EXORSUS NET
Date: Sat, 14 Oct 2000 13:53:05 +1100

Most routers are administered by telnet, which is, of course, plain
text.  Fine and dandy: we can sniff it and see passwords.  Most
routers also have password recovery procedures, and these generally
involve having physical access to the device.

You can avoid having this happen to you by administering your
routers prudently.  For a Cisco, you have many options: use AAA
and a 1-time password scheme (like SecurID and a RADIUS or TACACS+
server), put an access-list on the VTY port so the router can only
be administered from a trusted host (like a UNIX box to which you
can SSH) so even if I know the password I can't use it, or use SSH
on the router itself (not an option under older IOS images).  Also,
try not to administer your core infrastructure devices from networks
where people are running sniffers and trying to hack you, when you
can avoid it.

Just a quick addition there, IP based authentication cannot secure the
machine on a compromised network, since if the intruder can sniff the
passwords from a session, he can also sniff the TCP sequence numbers and
therefore successfully spoof a connection from the same location.

If you're going to use IP limited authentication, you must ensure that the
connection between that IP and the router you're admining is not
sniffable...of course, this defeats the entire point of worrying about
your password being sniffed :)

Phi.
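
The following is an added example, not part of the original message or thread: a small Python check that reads an IOS-style configuration and reports which of the hardening options listed above (AAA, an access-class on the VTY lines, SSH instead of telnet) are missing. Both sample configurations, the address 192.0.2.10 and the finding names are constructed for illustration, and a VTY block with no "transport input" line is assumed to accept telnet.

```python
import re

# Constructed sample configurations (not taken from the thread).
WEAK = """\
line vty 0 4
 password s3cret
 login
 transport input telnet
"""
HARDENED = """\
aaa new-model
access-list 10 permit host 192.0.2.10
line vty 0 4
 access-class 10 in
 login authentication default
 transport input ssh
"""

def vty_blocks(config):
    """Yield (header, [sub-commands]) for every 'line vty' block."""
    header, body = None, []
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            if header:
                yield header, body
            header, body = raw.strip(), []
        elif header and raw.startswith(" "):
            body.append(raw.strip())      # indented line belongs to the block
        elif header:
            yield header, body            # unindented line ends the block
            header, body = None, []
    if header:
        yield header, body

def audit(config):
    """Return sorted finding names for the options the message lists."""
    findings = set()
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        findings.add("no-aaa")
    for _header, body in vty_blocks(config):
        if not any(re.match(r"access-class \S+ in\b", c) for c in body):
            findings.add("vty-no-access-class")
        protos = [p for c in body if c.startswith("transport input")
                  for p in c.split()[2:]]
        # Assumption: no 'transport input' line means telnet is still accepted.
        if not protos or "telnet" in protos or "all" in protos:
            findings.add("vty-telnet-allowed")
    return sorted(findings)
```

A clean result only confirms the settings are present; as the reply notes, an access-class restriction does not help when the path between the trusted host and the router can be sniffed.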

