
Re: comments



Dan Hollis wrote:

On Fri, 13 Jun 2003, Smith, Donald wrote:

But for example the Cisco default has been WELL documented for a long time.
In fact there isn't a default password in most Cisco routers.

What I mean in regard to default password is for default password on public interfaces (e.g. serial, ethernet). Default password on management ports (e.g. console port) is OK. But we should discourage plugging in a router with default password on ethernet, so that it gets owned 10 seconds after connecting it to the LAN.

Maybe a 'vendor devices MUST NOT have a common default password on any public interface'? It's OK if they have random passwords that are e.g. printed on a card that comes with the device.

How about the following, which I think is the way IOS works by default now:

Requirement:

The device MUST NOT allow any remote access for management without
explicit configuration of authentication and authorization.

Example:

It should not be possible to use a well-known default password to remotely
manage a newly installed device using standard management protocols
(telnet, SNMP, SSH ...)

---George