Re: Bay Networks Security Hole

From: Kirby Dolak (Kirby_Dolakat_private)
Date: Thu May 14 1998 - 08:06:00 PDT


    Marty, Thanks for your posting. I wanted to clarify a few of the points that
    you made. Most of the items are covered in standard Bay Router Admin/Install
    doc and are reinforced in router admin customer training.
    
    1. To address security concerns, Bay has documented in the 'Quick Starting
    Routers' manual, that users initially configure the router using the Bay
    Command Console (BCC). Using the BCC requires the authorized user to
    consciously configure all access related services. The BCC also provides
    the ability to define access policies for IP related protocols such as
    Telnet, FTP, TFTP, NTP, and SNMP. The BCC has been available for the Bay
    Networks Access Node router since BayRS 11.02.
    
    2. Bay recommends that both accounts (User and Manager) have passwords
    assigned. Both have default/null passwords as they ship from the factory,
    just like a Unix system. The administrator should immediately take
    measures to secure the system, at initial system install, so that an
    unauthenticated user/manager doesn't have access to device management
    information, such as the community names and addresses via telnet/console.
    
    3. As stated in your email Marty, the User account can access the
    community name and its defined IP address.

            -Assuming that a User/hacker uses the community name and spoofs the
            associated IP address, that user could use Bay Networks Site Manager to
            change IP filters or the device's configuration.
    
            -A User or any SNMP Management Appl can not edit the routing tables
            as they are learned and are read-only entries within the Bay MIB.
    
            -Due to the Bay specific method for instrumenting IP filters in the
            router, it would require a fair amount of reverse engineering to change
            the filters from the Technicians Interface, and this would also require
            an authenticated Manager account not a User login.
    
            -Bay does provide as part of Site Manager and the BayRS, a proprietary
            security mode that can be enabled to prevent any unauthenticated SNMP
            manager from accessing the router and performing SNMP SETs.
    
            -To prevent the initial access to the router via Telnet, it is recommended
            that Telnet be disabled, or as previously mentioned, the initial
            configuration can define specific IP access policies that enforce what
            addresses can be used for Telnet access or any other IP Global services
            like FTP, etc.
    
    4. Bay does acknowledge that 'displaying' information on community names, etc.
    can provide additional information to a hacker.  For this reason Bay has
    already made changes to restrict access to the community strings and designed
    new applications such as the Router Embedded Web Server from allowing a User
    account access to this SNMP information.
    
    Kirby Dolak
    Product Manager, Routing Products
    Bay Networks, Inc.
    kdolakat_private
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:53:27 PDT