On 06/26/2011 01:13 PM, The Fungi wrote:
> On Sun, Jun 26, 2011 at 12:26:40PM -0500, Marsh Ray wrote:
> [...]
>> Now maybe it's different for ISP core router admins, but the
>> existence of this product strongly implies that at least some
>> admins are connecting to their router with their web browser over
>> HTTPS and typing in the same password that they use via SSH.
> [...]
>
> Valid point, but flawed example. Managing these things day in and day
> out, I can tell you this is the first thing any experienced admin
> disables when initially configuring the device.

But what about all the other admins? :-)

You're probably right today, the guys running the core routers are some
of the best. This web management thing seems to be targeted to
small/medium non-ISP businesses.

But what about after a few more rounds of IT people graduate from
courses and certification programs which now divert time from the old
command-line stuff to teach the new web management functionality?

What if functionality gets released for which there is no command-line
interface?

What about all the other datacenter gear plugging into trusted segments?

What about the other makes of routers? Well, Juniper, that is.
Hmmm...
http://www.juniper.net/us/en/products-services/software/network-management-software/j-web/

http://www.redelijkheid.com/blog/2011/3/11/configure-ssl-certificate-for-juniper-j-web-interface.html
By default, the J-Web interface (GUI for the Juniper SRX firewalls)
has SSL enabled. Like most devices with SSL out-of-the-box, the
protection is based on a self-signed certificate. Self-signed
certificates are easy (they come basically out-of-the-box), but they
tend to nag you every time you connect to the GUI. So, it's time to
install a proper certificate.

OK, good, so this guy is going to make a cert for his router! He even shows you how to use the subject alternative name to make it so you can connect to it via the raw IP address 192.168.1.254!

Anyone else see any problems with that? :-)

http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-intranetssl.html
Intranet SSL Certificates allow you to secure internal servers with SSL issued
to either a Full Server Name or a Private IP Address. [...]
Trusted by all popular browsers.

Comodo to the rescue! I wonder how many people they'll be willing to sell the same IP address to.

On 06/26/2011 01:13 PM, The Fungi wrote:
> If your admin is managing your routers with a Web interface, SSL MitM
> is the *least* of your worries, honestly.

:-)

It's only the least of your worries until somebody gets around to
exploiting it, at which point it may be the greatest of your worries.

A lot of systems are set up with RADIUS/TACACS centralized
authentication. In these cases there are many admins with access to many
routers and other pieces of equipment. The bad guy only needs to
convince the high-level admin to use his password once on the
least-important piece of equipment.

A self-propagating router MitM would make for a very interesting and
scary worm. Hopefully such a thing would first start out on some small
home routers and give time to raise awareness for those with login
credentials on the big ones.

- Marsh
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
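
Added example, not part of the original message: a small audit check for the problem raised above, a certificate whose subject alternative names include a private IP address such as 192.168.1.254 or an internal-only host name. Such identifiers are not globally unique, so a publicly trusted certificate for one is equally valid on every other network that uses the same address or name. The SAN line is a constructed sample in the style printed by `openssl x509 -noout -text`, and the suffix list is an illustrative assumption.

```python
import ipaddress

# Constructed sample SAN line (not taken from any real certificate).
SAMPLE_SAN = ("DNS:router.example.com, DNS:fw01, IP Address:192.168.1.254, "
              "IP Address:8.8.8.8, DNS:gw.corp.local")

# Assumed, illustrative list of suffixes commonly used only on internal networks.
NON_PUBLIC_SUFFIXES = (".local", ".lan", ".internal", ".corp", ".home")


def non_unique_sans(san_line):
    """Return (value, reason) for each SAN entry that is not globally unique."""
    findings = []
    for entry in san_line.split(","):
        # Split on the first ':' only, so IPv6 literals stay intact.
        kind, _, value = entry.strip().partition(":")
        value = value.strip()
        if kind == "IP Address":
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                findings.append((value, "unparseable IP"))
                continue
            # RFC 1918, loopback, link-local, etc. are reused on many networks.
            if not ip.is_global:
                findings.append((value, "non-global IP"))
        elif kind == "DNS":
            name = value.lower().rstrip(".")
            if "." not in name:
                findings.append((value, "single-label name"))
            elif name.endswith(NON_PUBLIC_SUFFIXES):
                findings.append((value, "non-public suffix"))
    return findings


if __name__ == "__main__":
    for value, reason in non_unique_sans(SAMPLE_SAN):
        print(f"{value}: {reason}")
```

Any finding on a certificate that chains to a publicly trusted root is worth investigating, since the same identifier can be certified for someone else.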