[6774] in bugtraq
Re: Bay Networks Security Hole
daemon@ATHENA.MIT.EDU (Berislav Todorovic)
Fri May 15 16:22:46 1998
X-Envelope-To: bugtraq@netspace.org
X-Vms-To: BUGTRAQ
Date: Fri, 15 May 1998 19:53:00 +0100
Reply-To: Berislav Todorovic <BERI@ETF.BG.AC.YU>
From: Berislav Todorovic <BERI@ETF.BG.AC.YU>
To: BUGTRAQ@NETSPACE.ORG
Kirby Dolak wrote:
>> 2. Bay recommends that both accounts (User and Manager) have passwords
>> assigned. Both have default/null passwords as they ship from the factory,
>> just like a Unix system. The administrator should immediately take
>> measures to secure the system, at initial system install, so that an
>> unauthenticated user/manager doesn't have
>> access to device management information, such as the community names and
>> addresses via telnet/console.
Gert Doering wrote:
>> I like the way Cisco approaches this issue.
>> And if you are logged in to an unprivileged account, you cannot become
>> superuser unless you have already set the enable password from the console.
>>
>> This is VERY good.
>>
>> No need to "recommend" anything, it's just "secure out of the box". If
>> you neglect to configure the password, it just isn't accessible at all
>> (except from the physical console).
Sounds reasonable to me to apply a good password to the User/Manager accounts and
thus secure the box. I'm wondering, however, what's the real raison d'être
of two privilege levels, if I can obtain more privileged information from
a higher-privileged level. The basic function of a non-privileged level is
to give it to the remote support officer, ISP engineer or to a responsible
person from the network peering with my network, according to the ripe-037
document.
Well, I also wouldn't like to recommend anything, but here are the facts:
Cisco IOS gives the possibility to define up to 16 different privilege
levels, with strictly defined rights. IOS further allows one to define a
restricted set of commands which may be executed from each privilege
level. I can thus give this type of access to the peering ISP personnel
for the purpose of monitoring without any fear ... Finally, try to telnet
to route-views.oregon-ix.net - a Cisco box with public access! No password!
Now, what to do with a Bay box located in the middle of a network? Sit and
cry! When your peer ISP asks you to take a look at your router config,
you'll have to log into it yourself and read it (oops, sorry - not to
"log in" - you'll have to start a "user-friendly" SNMP client, drink a
coffee until it brings itself up completely, then click, click, click ...).
I can talk about fun with Bay routers for hours, but that's another story.
Best regards,
Beri
.-------.
| --+-- | Berislav Todorovic, B.Sc.E.E.     | E-mail: BERI@etf.bg.ac.yu
|  /|\  | Hostmaster of the YU TLD          |
|-(-+-)-| School of Electrical Engineering  | Phone: (+381-11) 3221-419
|  \|/  | Bulevar Revolucije 73             |        3370-106
| --+-- | 11000 Belgrade SERBIA, YUGOSLAVIA | Fax:   (+381-11) 3248-681
`-------' --------------------------------------------------------------------
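The Cisco IOS approach the two replies above describe (a restricted monitoring level for peer-ISP staff, plus an enable secret that lower levels cannot get past), written out as an added configuration example that is not part of the original message; the user name and the placeholder passwords are assumptions.

```cisco
! Added example, not from the original post. User name and CHANGE-ME
! passwords are placeholders chosen for illustration.
!
! 1. Level 15 (full control) is only reachable once an enable secret is
!    set; until then a remote session cannot enter enable mode at all.
enable secret CHANGE-ME-LEVEL15
!
! 2. A custom level 5 for monitoring. Only the commands explicitly moved
!    here (together with their parent keywords, e.g. "show ip bgp") become
!    available at level 5; everything else keeps its default level, so a
!    level-5 user can neither read the running configuration nor change
!    anything.
enable secret level 5 CHANGE-ME-LEVEL5
privilege exec level 5 show ip bgp summary
privilege exec level 5 show ip bgp neighbors
privilege exec level 5 show ip route
privilege exec level 5 show interfaces
!
! 3. A local account for the peering ISP that lands directly at level 5.
username peer-noc privilege 5 secret CHANGE-ME-PEER
!
! 4. Remote lines authenticate against the local user database rather
!    than a shared line password, so each session starts at the user's
!    own level, not at 15. Idle sessions are dropped after 10 minutes.
line vty 0 4
 login local
 exec-timeout 10 0
!
! Check after logging in as peer-noc:
!   show privilege       -> reports "Current privilege level is 5"
!   show ip bgp summary  -> works
!   show running-config  -> not available at this level
```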