Bugtraq mailing list archives

Re: Default password in Bay Networks switches.


From: dkelson () INCONNECT COM (Dax Kelson)
Date: Wed, 10 Mar 1999 23:20:25 -0700


On Wed, 10 Mar 1999, Dax Kelson wrote:

The Bay Networks case number for this bug/oversight is: 990310-614

Normally "backdoor" passwords on Bay gear only work through the console.

Sorry, should have included this in the first email.

Regardless of the existence of backdoors (not to say they aren't evil) it
is a good idea to limit who can connect to your equipment over the
network.  These BayStack switches have a "TELNET Configuration..." menu
where you can turn off telnet access and/or limit the IP addresses that are
allowed to telnet in.  While you're there you should secure your SNMP,
which is another item commonly left wide open (any networking equipment,
not just Bay).

Many networking devices don't have the ability to restrict who can connect
to them.  Even if the device does have the ability, it is often useful to
take care of securing all networking devices at once.  One way to do this
is to allocate a separate IP network for your network devices. This would
mean two IP networks on your physical network, your "main" IP network, and
the small "management" IP network.  At the gateway (e.g. a secondary IP on a
Cisco's Ethernet interface) into your management network you configure
ACLs to securely control connections to your devices.  Of course if the
gateway goes down you suddenly can't remotely admin any of the protected
devices, a good reason to have an out-of-band management system in place.

Comments?

Dax Kelson
Internet Connect, Inc.
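
An added example, not part of the original post: one way the management-network gateway described above could be written in Cisco IOS. The interface name, the addresses, the ACL number and the single admin workstation are all constructed for illustration.

```cisco
! Constructed example: interface name, addresses and ACL number are assumptions.
!   192.0.2.0/24  "main" IP network
!   10.99.0.0/24  small "management" IP network for switches and other devices
!   192.0.2.10    the one admin workstation allowed to reach the devices
!
! Admin workstation may telnet to and SNMP-poll the managed devices.
access-list 110 permit tcp host 192.0.2.10 10.99.0.0 0.0.0.255 eq telnet
access-list 110 permit udp host 192.0.2.10 10.99.0.0 0.0.0.255 eq snmp
! Anything else addressed to the management network is dropped and logged.
access-list 110 deny   ip any 10.99.0.0 0.0.0.255 log
! Traffic for the main network passes as before.
access-list 110 permit ip any any
!
! The secondary address is the gateway into the management network.
! The ACL is applied outbound so it covers everything the router forwards
! onto this interface, whichever interface it arrived on.
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip address 10.99.0.1 255.255.255.0 secondary
 ip access-group 110 out
```

The ACL governs only traffic the router forwards; both IP networks still share one physical segment, so it does not separate them at layer 2.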


