Marty,

Thanks for your posting. I wanted to clarify a few of the points that you made. Most of the items are covered in the standard Bay Router Admin/Install doc and are reinforced in router admin customer training.

1. To address security concerns, Bay has documented in the 'Quick Starting Routers' manual that users initially configure the router using the Bay Command Console (BCC). Using the BCC requires the authorized user to consciously configure all access-related services. The BCC also provides the ability to define access policies for IP-related protocols such as Telnet, FTP, TFTP, NTP, and SNMP. The BCC has been available for the Bay Networks Access Node router since BayRS 11.02.

2. Bay recommends that both accounts (User and Manager) have passwords assigned. Both have default/null passwords as they ship from the factory, just like a Unix system. The administrator should immediately take measures to secure the system, at initial system install, so that an unauthenticated user/manager doesn't have access to device management information, such as the community names and addresses, via telnet/console.

3. As stated in your email, Marty, the User account can access the community name and its defined IP address.
- Assuming that a User/hacker uses the community name and spoofs the associated IP address, that user could use Bay Networks Site Manager to change IP filters or the device's configuration.
- A User or any SNMP management application cannot edit the routing tables, as they are learned and are read-only entries within the Bay MIB.
- Due to the Bay-specific method for instrumenting IP filters in the router, it would require a fair amount of reverse engineering to change the filters from the Technician Interface, and this would also require an authenticated Manager account, not a User login.
- Bay does provide, as part of Site Manager and the BayRS, a proprietary security mode that can be enabled to prevent any unauthenticated SNMP manager from accessing the router and performing SNMP SETs.
- To prevent the initial access to the router via Telnet, it is recommended that Telnet be disabled, or, as previously mentioned, the initial configuration can define specific IP access policies that enforce what addresses can be used for Telnet access or any other IP global services like FTP, etc.

4. Bay does acknowledge that 'displaying' information on community names, etc. can provide additional information to a hacker. For this reason Bay has already made changes to restrict access to the community strings and has designed new applications, such as the Router Embedded Web Server, to prevent a User account from accessing this SNMP information.

Kirby Dolak
Product Manager, Routing Products
Bay Networks, Inc.
kdolakat_private
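The hardening points in the reply above (null User/Manager passwords, Telnet without an IP access policy, default SNMP community names, the vendor secure mode left off) are the kind of thing an operator wants to check across a fleet rather than one console at a time. The audit below is an added example and not Bay Networks code; it runs over a constructed, hypothetical inventory record (the RouterMgmt fields are assumptions for illustration, not BCC or Site Manager syntax) and flags each exposed setting, plus the specific chain the reply describes where a readable community name becomes usable for SNMP SETs.

```python
from dataclasses import dataclass
from typing import Dict, List

# Well-known SNMPv1/v2c community strings that should never survive deployment.
WEAK_COMMUNITIES = {"public", "private"}


@dataclass
class RouterMgmt:
    """Hypothetical snapshot of one router's management settings (constructed)."""
    name: str
    user_password: str               # "" means the factory default (null)
    manager_password: str            # "" means the factory default (null)
    telnet_enabled: bool
    telnet_access_policy: List[str]  # permitted source prefixes; empty = no policy
    snmp_communities: List[str]
    snmp_secure_mode: bool           # vendor mode that blocks unauthenticated SETs


def audit(r: RouterMgmt) -> List[str]:
    """Return finding codes for settings that leave the router exposed."""
    findings: List[str] = []
    if not r.user_password:
        findings.append("USER_NULL_PASSWORD")
    if not r.manager_password:
        findings.append("MANAGER_NULL_PASSWORD")
    # Telnet is acceptable only when an access policy restricts who may connect.
    if r.telnet_enabled and not r.telnet_access_policy:
        findings.append("TELNET_NO_ACCESS_POLICY")
    if any(c.lower() in WEAK_COMMUNITIES for c in r.snmp_communities):
        findings.append("SNMP_DEFAULT_COMMUNITY")
    if not r.snmp_secure_mode:
        findings.append("SNMP_SECURE_MODE_OFF")
    # The chain the reply calls out: a null User password lets anyone reaching
    # Telnet read the community names, and without secure mode that name is
    # enough for an SNMP manager to perform SETs.
    if not r.user_password and r.telnet_enabled and not r.snmp_secure_mode:
        findings.append("COMMUNITY_DISCLOSURE_TO_SET_CHAIN")
    return findings


def audit_inventory(inventory: List[RouterMgmt]) -> Dict[str, List[str]]:
    """Map each router name to its list of findings (empty list = clean)."""
    return {r.name: audit(r) for r in inventory}


# Constructed sample inventory: one router as shipped, one hardened per the reply.
SAMPLE_INVENTORY = [
    RouterMgmt("edge-1", "", "", True, [], ["public", "private"], False),
    RouterMgmt("edge-2", "u-secret", "m-secret", True, ["10.1.0.0/24"],
               ["n3tOps-ro"], True),
]

if __name__ == "__main__":
    for name, found in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, found or ["OK"])
```

Running the block reports every finding for the as-shipped router and nothing for the hardened one; in practice the inventory would be populated from exported device configurations rather than the constructed records shown here.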
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:53:27 PDT