
Directed broadcasts; known exploits; default passwords



[name withheld] wrote:

2.3.12 Ability to Disable Directed Broadcasts
'These SHOULD be the default settings.'

s/SHOULD/MUST/

I can see your point, but herein lies a conflict: 2.3.1 says the device must comply with RFCs, including 1812 which
requires directed broadcasts... so, unless we're going to put this on standards track (not clear yet)
and have it officially supersede/supplement 1812 (which we may), I'm going to leave this
one as it is for now.


If you give vendors leeway to make stupid defaults, they WILL choose the stupid ones. History has conclusively proven this.

I hear you... and usually agree, but in some cases they're starting to get it
(or get it and get enough pressure from customers in the form of $$$) to
"do the right thing":

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123_1/ftatosec.htm


Basically, the opsec RFC should mandate that a device plugged into a network with its default settings and no changes from defaults whatsoever MUST NOT be able to be exploited or used for any known attack.

2.3.8


There doesn't seem to be anything regarding default passwords, which is a known avenue of attack on many devices.

2.12.4

Thanks,
---George Jones
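To make concrete what the 2.3.12 exchange above is arguing over, here is an added example (not code from the thread, the draft, or any vendor) of the forwarding decision a router makes for a network-prefix-directed broadcast. The interface table, the `forward_directed` knob, and the sample packets are all constructed for illustration; the knob stands in for the default the draft and RFC 1812 disagree about, with `False` being the hardened setting and `True` the "stupid default" that lets a remote sender hit every host on an attached LAN at once.

```python
"""Router forwarding decision for directed broadcasts (illustrative, constructed).

A network-prefix-directed broadcast is a packet addressed to the broadcast
address of a subnet attached to the router that did NOT originate on that
subnet.  Forwarding it onto the LAN turns one inbound packet into a reply
from every host, which is the amplification behind smurf-style floods.
The interface table and packets here are made up for the example.
"""
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical router: interface name -> directly connected IPv4 prefix.
INTERFACES: Dict[str, ipaddress.IPv4Network] = {
    "eth0": ipaddress.IPv4Network("192.0.2.0/24"),
    "eth1": ipaddress.IPv4Network("198.51.100.0/25"),
}

LIMITED_BROADCAST = "255.255.255.255"


def directed_broadcast_table(ifaces: Dict[str, ipaddress.IPv4Network]) -> Dict[str, str]:
    """Map each attached prefix's broadcast address to its interface.

    Computed per prefix rather than by "ends in .255": a /25 such as
    198.51.100.0/25 has broadcast 198.51.100.127, and 198.51.100.255 is
    an ordinary address that must not be treated as a broadcast here.
    """
    return {str(net.broadcast_address): name for name, net in ifaces.items()}


def classify(dst: str, ingress: str,
             ifaces: Dict[str, ipaddress.IPv4Network] = INTERFACES,
             forward_directed: bool = False) -> str:
    """Return 'deliver', 'drop' or 'forward' for a packet to dst arriving on ingress.

    forward_directed=False models the hardened setting (Cisco's
    'no ip directed-broadcast'); True models a router that forwards
    directed broadcasts as RFC 1812 permits when so configured.
    """
    if dst == LIMITED_BROADCAST:
        return "deliver"  # limited broadcast stays on the wire it arrived on
    table = directed_broadcast_table(ifaces)
    if dst not in table:
        return "forward"  # plain unicast toward some other destination
    if table[dst] == ingress:
        return "deliver"  # a host on that LAN broadcasting to its own subnet
    # Broadcast address of an attached subnet, but from somewhere else:
    # this is the directed broadcast the draft wants disabled by default.
    return "forward" if forward_directed else "drop"


# Constructed sample traffic: (source, destination, ingress interface).
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("10.0.0.5", "192.0.2.255", "eth1"),      # remote -> eth0 LAN broadcast
    ("192.0.2.7", "192.0.2.255", "eth0"),     # local broadcast on eth0
    ("10.0.0.5", "192.0.2.10", "eth1"),       # ordinary unicast
    ("10.0.0.5", "198.51.100.127", "eth0"),   # /25 broadcast, not .255
    ("10.0.0.5", "198.51.100.255", "eth0"),   # looks like a broadcast, is not
]


def audit(packets: List[Tuple[str, str, str]],
          forward_directed: bool = False) -> List[Tuple[str, str, str]]:
    """Return (src, dst, verdict) for each packet under the given setting."""
    return [(src, dst, classify(dst, ingress, forward_directed=forward_directed))
            for src, dst, ingress in packets]


if __name__ == "__main__":
    for setting in (True, False):
        print(f"forward_directed={setting}:")
        for src, dst, verdict in audit(SAMPLE_PACKETS, forward_directed=setting):
            print(f"  {src:>12} -> {dst:<16} {verdict}")
```

Running it side by side shows the difference the default makes: with `forward_directed=True` the two remote packets aimed at attached broadcast addresses go out onto the LANs, with `False` they are dropped, while local broadcasts, real unicast and the non-broadcast 198.51.100.255 are handled identically either way.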