[120975] in North American Network Operators' Group


RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

daemon@ATHENA.MIT.EDU (Nathan Eisenberg)
Thu Jan 7 04:38:47 2010

From: Nathan Eisenberg <nathan@atlasnetworks.us>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 7 Jan 2010 01:37:59 -0800
In-Reply-To: <20100107053254.GM25450@hezmatt.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Matthew Palmer [mpalmer@hezmatt.org]
> To be fair, he was just asking about factory resetting the device because
> the current password was unknown, then reconfiguring the device (I'm willing
> to be generous and assume that the reconfiguration included setting a new,
> secure password).

Thank you - You're correct.  The administration and security of these devices is hardly magic - but one has to be able to access them in order to secure them.  The devices haven't even left my hotel room for the production site, and you would already be SOL if you didn't have access to either the (management interface AND the Very Long Password) or the (reset button AND the management interface AND (the default password)).

Dobbins, Roland [rdobbins@arbor.net]
> Which goes to show that they just really don't get it when it comes to
> security.

So are you specifically opposed to globally default passwords, or are you opposed to being able to reset a device to factory defaults and somehow get into the device?  Because while I still maintain there's no real security issue with the former (if there is, there's a bigger issue), all that I'm really gung ho for is the ability to get into a piece of equipment I need to operate, even if I don't have credentials to it.

Nothing grinds my gears more than equipment that has to be thrown out because there is no recovery mechanism.  I frankly don't much care if the default password on my WWP LE427 is 'wwp' or 'wwp[serial-number-which-is-printed-on-the-back]' - as long as I can get it so I can get in and change it, I'm happy.

Steven Bellovin [smb@cs.columbia.edu]
> And we all suffer from p0wned devices, because they
> get turned into bots.  Roland is 100% right.

Eh... I think this is confusing cause and effect.  We all suffer, but the fact that a device is compromised because of a default password is, at the root of the chain, the result of a faulty Operator.  Why was the password left at default?  Why was it possible to access the management interface to utilize the default password?  I would argue that the solution is to replace or modify the defective operator, rather than replacing, eliminating, or modifying the tool they misused.

Joe Hamelin [joe@nethead.com]
> I've been in training with the WWP folks for the last two days (VERY
> GOOD TRAINING, BTW!) and they got quite a chuckle out of this thread.

Are they still around, or are they Ciena employees?  My understanding was that they were completely acquired.

> If you got some serious layer 2 stuff to do, these boxes have a really
> interesting architecture and some trick features (unix type shell, for
> one.)

Yep, they're rock solid devices.  Every deployment I've seen of them has worked very well.  Ciena certainly got a good deal out of buying them!  I'm actually not sure how much of the WWP gear is still manufactured.

Thank you all again for helping me sort out what the factory default WWP passwords are so that I can now have a secure and documented deployment out here!  I've received a couple offers of technical assistance from WWP veterans that I may well take up moving forward.

Best Regards,
Nathan Eisenberg
