>> If there is a new user account, or if the enable and access passwords
>> have changed, look out! The miscreants love to scan and find routers
>> with "cisco" as the access and enable passwords.
>
> I thought everyone sensible put ACLs on vtys. Guess I was wrong.
I've seen ACL-less VTYs because someone copied a config from a router
with fewer VTYs. 8-(
Yes, but these are clue problems, not router operating system
problems. The OS problem is when they leave a device with
a default backdoor because they want to make it easy for
their customers. It's almost like the cheaper the box the
less secure and the consideration seems to be that an unsavvy folk
is buying the cheaper boxen so "it needs to be easy".
If you look at the maintenance and
surveillance networks of a few large tier1's, you'll find
this "dummy" gear on those networks since they are cheap and
generalte no revenue. My last M/S design was dual rail
2XXX, 1600's for firewalls and frame terminations, which handled
console and monitoring for the cost of an ethernet port and
< 15K per facility. For the use, the capex matches as well as
the reliability.
If we accept the "clue" problem as the solution, I think we
accept the fact that we condone the vendor not having secure
solutions. That may be fine for our new colleague the 'security
engineer', but it's not good for the Internet as a whole and it
distracts us from the work of making it work.
Offering tutorials at NANOG is a great effort towards the
clue issue, but maybe we should offer vendors tutorials on
the inverse?
-M<
If we accept the "clue" problem as the solution, I think we
accept the fact that we condone the vendor not having secure
solutions. That may be fine for our new colleague the 'security
vendors should always, or be beatten about the head/shoulders when not,
put out secure products... always.
engineer', but it's not good for the Internet as a whole and it
distracts us from the work of making it work.
how is it better for security engineers? it's hell, every 3rd month a new
'default passwd' often on a 'security' device 
talk about stupid
Offering tutorials at NANOG is a great effort towards the
clue issue, but maybe we should offer vendors tutorials on
the inverse?
Some vendors have asked and received this sort of thing, does huwei (which
I butchered the spelling of) want one? (or need one?) how about netgear
and their lovely NTP issue? or checkpoint or ... there are quite a few
vendors out there, some even attend NANOG. If they listened to their
customers I suspect they'd hear: "I want a secure platform!" quite loudly.
...
Some vendors have asked and received this sort of thing, does huwei (which
I butchered the spelling of) want one? (or need one?) how about netgear
and their lovely NTP issue? or checkpoint or ... there are quite a few
vendors out there, some even attend NANOG. If they listened to their
customers I suspect they'd hear: "I want a secure platform!" quite loudly.
Only from the engineers. From the money people (Layer 8), they may be
hearing: "I want an inexpensive platform, and make it as easy to manage
as MS Windows, so I don't have to hire all these expensive network
engineers, eh?"
The trick may be to get the Layer 9 people to understand that this is a
losing proposition.