Re: Default password in Bay Networks switches.

From: Dax Kelson (dkelsonat_private)
Date: Wed Mar 10 1999 - 22:20:25 PST


    On Wed, 10 Mar 1999, Dax Kelson wrote:
    
    > The Bay Networks case number for this bug/oversight is: 990310-614
    >
    > Normally "backdoor" passwords on Bay gear only work through the console.
    
    Sorry, should have included this in the first email.
    
    Regardless of the existence of backdoors (not to say they aren't evil), it
    is a good idea to limit who can connect to your equipment over the
    network.  These BayStack switches have a "TELNET Configuration..." menu
    where you can turn off telnet access and/or limit the IP addresses that are
    allowed to telnet in.  While you're there you should secure your SNMP,
    which is another item commonly left wide open (any networking equipment,
    not just Bay).
    
    Many networking devices don't have the ability to restrict who can connect
    to them.  Even if the device does have the ability, it is often useful to
    take care of securing all networking devices at once.  One way to do this
    is to allocate a separate IP network for your network devices. This would
    mean two IP networks on your physical network, your "main" IP network, and
    the small "management" IP network.  At the gateway (e.g. a secondary IP on a
    Cisco's ethernet interface) into your management network you configure
    ACLs to securely control connections to your devices.  Of course if the
    gateway goes down you suddenly can't remotely admin any of the protected
    devices, a good reason to have an out-of-band management system in place.
    
    Comments?
    
    Dax Kelson
    Internet Connect, Inc.
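
The gateway ACL described in the message above, as an added example that is not part of the original post: a small first-match evaluator for Cisco-style extended access-list lines, used to check which flows a management-network ACL lets through. The ACL number, all addresses, and the choice of telnet (23) and SNMP (161) as the only permitted services are assumptions; the parser handles only the fields used here (permit/deny, protocol, `any`/`host`/wildcard, `eq` with a numeric port).

```python
import ipaddress

# Constructed sample ACL in Cisco IOS extended access-list syntax. All addresses
# are assumptions: 192.0.2.0/24 = "main" network, 10.255.0.0/24 = "management"
# network, 192.0.2.10 = the one admin workstation allowed in.
ACL = """
access-list 110 permit tcp host 192.0.2.10 10.255.0.0 0.0.0.255 eq 23
access-list 110 permit udp host 192.0.2.10 10.255.0.0 0.0.0.255 eq 161
access-list 110 deny ip any 10.255.0.0 0.0.0.255
access-list 110 permit ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD' -> (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))

def parse(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()[2:]              # drop "access-list <number>"
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _addr(tok), _addr(tok)
        port = int(tok[1]) if tok[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def _match(spec, addr):
    base, wild = spec                       # wildcard bits set = "don't care"
    return ((base ^ _ip(addr)) & ~wild & 0xFFFFFFFF) == 0

def decide(rules, proto, src, dst, dport=None):
    """First matching rule wins; an IOS ACL ends with an implicit deny."""
    for action, r_proto, r_src, r_dst, r_port in rules:
        if (r_proto in ("ip", proto) and _match(r_src, src)
                and _match(r_dst, dst) and r_port in (None, dport)):
            return action
    return "deny"

RULES = parse(ACL)
```

Replies from the management devices back to the admin workstation fall through to the final permit, because their destination is on the main network rather than the management one.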
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:51 PDT