Default Passwords for World Wide Packets/Lightning Edge Equipment

I've been in training with the WWP folks for the last two days (VERY
GOOD TRAINING, BTW!) and they got quite a chuckle out of this thread.
They say if a customer is willing to pay they can change the
initialization method. But I'm guessing that anyone willing to pay
would be the type to actually secure the box once it's turned-up.

If you got some serious layer 2 stuff to do, these boxes have a really
interesting architecture and some trick features (unix type shell, for
one.)

-Joe

Which goes to show that they just really don't get it when it comes to security. Maybe they should look here at all the entries for 'default credentials':

<http://www.cisco.com/en/US/products/products_security_advisories_listing.html#advisory>

Actually, should be 'default password'.

[snip]

Yeah. And for devices with no console, only network interfaces, a
default IP address, no default password, and no default route (just in
case they plug it into a real LAN instead of a laptop. :P ).

Ah... don't worry about default routes.. Proxy ARP will "fix it"..
when combined with a suitable router that does it by default, and
helps make sure the default-pw'ed device can still be reached by the
bad guys.

As Murphy would have it, the default device IP happens to correspond to a
valid LAN IP address formerly used by a server, that the neglected
perimeter firewall still forwards port 80 traffic to...

You know.. an extra port isn't so expensive these days. Equipment
vendors could just make one of the network ports be labelled
"Manage", ship the units with management access disabled, except on
that port.
Don't allow normal traffic forwarding to/from that port by default.

On first login, require a password change to be made before all other
changes, such as enabling full management are even allowed,
including turning the manage port into a normal port (if it's even
necessary).

Device should shut down the manage port, until reboot, via "management
port security".. when the first frame is received, memorize the MAC
address, as long as carrier is still detected.

If later a second MAC address is detected as the source on any frame,
or any multicast frame at all is received, other than an ARP for the
switch's default IP, light up an orange LED for "security violation" or
a "user error" light. :)
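The "management port security" scheme sketched above, modelled as an added Python example (not code from the thread or from any vendor). The default management IP 192.0.2.1, the toy frame fields and the result strings are constructed for the simulation:

```python
"""Toy model of the proposed management-port behaviour:
 - lock the port to the first source MAC seen (until carrier drops),
 - shut the port until reboot on a second source MAC or on any multicast
   frame other than an ARP for the switch's own default IP,
 - refuse every other configuration change until the default password
   has been replaced."""
from dataclasses import dataclass
from typing import Optional

MGMT_IP = "192.0.2.1"  # constructed default management IP (TEST-NET-1)

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: str          # "arp" or "ip" in this toy model
    arp_target_ip: str = "" # only meaningful for ARP frames

@dataclass
class ManagePort:
    learned_mac: Optional[str] = None
    shut: bool = False            # stays True until "reboot"
    violation_led: bool = False   # the orange "security violation" LED
    password_changed: bool = False

    def link_down(self) -> None:
        # Carrier lost: forget the memorized station (port stays shut if it was).
        self.learned_mac = None

    def receive(self, f: Frame) -> str:
        if self.shut:
            return "dropped: port shut until reboot"
        # I/G bit of the destination address marks multicast (incl. broadcast).
        is_multicast = int(f.dst_mac.split(":")[0], 16) & 1 == 1
        is_arp_for_us = f.ethertype == "arp" and f.arp_target_ip == MGMT_IP
        if self.learned_mac is None:
            self.learned_mac = f.src_mac   # memorize the first station seen
        if f.src_mac != self.learned_mac or (is_multicast and not is_arp_for_us):
            self.shut = True
            self.violation_led = True
            return "violation: port shut"
        return "accepted"

    def configure(self, command: str) -> str:
        if command == "set-password":
            self.password_changed = True
            return "ok"
        if not self.password_changed:
            return "refused: change the default password first"
        return "ok"   # e.g. enabling full management or repurposing the port
```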

One of the problems I have seen is an organization where someone uses
something stupid just to get something up and running (say a password of
"password" or "foo" or something) with every intention of coming back to
fix it later but forgets to. That is what I meant yesterday about an
organizational "default" password that can be just as bad as the
manufacturer's default.

At least with some manufacturers you can log in from the console with
the factory "default" password but can't log in over the network unless
you have set one.

Roland, this isn't the home wi-fi market we're talking about. Anyone
that's going to buy one of these puppies is going to have a clue about
putting their password in. BTW: You have to be on the console or the
management port on them to use the default password (ok, you could get
on the right VLAN too.) Problem solved, except for those cases where
the operator is a total idiot. Trust me, the shop I'm working for
isn't that way, not with the size of the roll-out we're doing (25k+
switches.)

I liked what you said about firewalls vs. servers but, to be honest, in
this thread you're really beating a dead horse.

-Joe

"Jeffrey I. Schiller" <jis@MIT.EDU> writes:

An option I saw years ago (I forgot on whose equipment) was a default
password which was a function of the equipment's serial number. So you
had to have the algorithm and you needed the serial number which was not
related to the MAC. So if you didn't have physical access, you were not
in a good position to learn the password.

I suspect this was a support nightmare for the vendor and I bet they
went to a more standard (read: the same) factory password.

Another class of devices, but the Compaq OOB management cards for
servers ("RILOE") used to do this. Really nice when the serial number
is placed on a sticker on a PCI card... You would usually have to shut
down the server and pull out the card to read the sticker. Unless it
had fallen off. Did I mention that the cards had a number of stickers
with similar numbers on them with no indication which was the real
serial number?

Well, I'm not going to claim this was the reason why there is no Compaq
anymore, but it must have cost them *a lot* in support and frustrated
users. For what possible gain? It was still a default password, just a
tiny bit more obscure.

Bjørn

Default credentials may be a more generic description of the problem (although "default password" is a better search term). A problem with default credentials is that history has demonstrated even an expert (i.e. the vendor's own technical support) isn't always certain they've found and changed every default credential possible on complex devices. It's not just the usual console access, but also SNMP protocols public/private, HTTP protocols admin, LDAP cn=admin, PostScript none, DECnet MOP, and so on. Even if you think you know every possible protocol, some vendors have had the habit of adding new protocols in updates with their own set of defaults for new remote access protocols.

Multiple protocols, using multiple authorization sources, with defaults.

It's not a surprise why old-timers get annoyed with vendor gear with default remote access methods enabled before the user configured the access credentials for the access method. Eventually you'll get bit by some device, some protocol, that has something enabled without your knowledge. If you require your vendors not to ship stuff with remote access enabled by default, it's not a substitute for your own due diligence, but in practice it helps reduce unexpected incidents.

I kind of liked the way the Symantec Vraptor (piece of junk) firewalls used to do it. Factory reset from the front panel, set addressing and it generates new passwords displayed on the LCD.

Jason


Again, look at http://ids.ftw.fm/Home/publications/RouterScan-RAID09-Poster.pdf?attredirects=0 -- while consumer devices were much worse, there was a noticeable problem on enterprise devices and a significant problem with VoIP devices, and I suspect that those latter are largely enterprise-based.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

Gadzoox used to do that... the management modules for their hubs had factory set random passwords. It's provided on a sticker with the card, so you can put it where you want -- just don't lose it, because that's the only place it exists (without breaking out a JTAG debugger.)

Yes, their later gear has standard default passwords.

--Ricky

And their CPE gear had a 5 minute password reset window after power on. We hated the customers who'd figured that out.

While we're on the subject, a lot of Liebert gear has a DIP switch/jumper block to turn passwords off entirely. (Of course, that requires physical access and a power cycle.)

--Ricky