[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: draft status, BoF, replies to issues

To: "Harrington, David" <dbh@enterasys.com>, gmj@pobox.com
Subject: RE: draft status, BoF, replies to issues
From: "Wijnen, Bert (Bert)" <bwijnen@lucent.com>
Date: Fri, 20 Feb 2004 17:32:23 +0100
Cc: opsec@ops.ietf.org

W.r.t.
> > > but not having default
> > > passwords would not be popular with many customers because 
> > > it increases the burden of configuring a new device.
> > 
> > Again, back to target audience + scope.  I believe that for "large IP
> > networks" provisioning will be done according to a defined process
> > and/or by skilled network engineers.  Adding a step to the process
> > vs. having core networking elements compromised seems like a fair
> > tradeoff.  If we're talking about SOHO devices ("why do I need
> > password ?"), I could see your point.
> 
> I'm not talking about SOHO devices. SOHO is easy because there are so
> few devices involved.
> 
> I'm talking about large enterprises that want to use, say, an SNMP
> application like HPOV to "discover" their network using default
> passwords, or applications to zero-config out-of-the-box devices using a
> default password designed for that purpose (which might be eliminated as
> part of the zero-config process). Being able to discover/identify and/or
> autoconfig devices coming into your network can be critical for security
> purposes.
> 
> When SNMPv2 was first designed by security geeks who liked the "party
> model", they made it impossible to autodiscover a network; the keys for
> each device needed to be entered manually at both the agent and the
> manager before the manager could detect the presence/identity of the
> device. Hiding a device's identity seems prefectly reasonable if you're
> only thinking about security, but disabling autodiscovery greatly
> reduces ease-of-use, and hides rogue devices added to the network. 
> 
> After months (years) of debate, the SNMP community realized they would
> never be able to convince people to use the protocol if they took away
> autodiscover capabilities for the sake of security, and the result would
> be a less secure management environment. Autodiscovery of new
> out-of-the-box devices depends on having some standard pre-configured
> passwords (or lack of passwords). The SNMP community defined a way to
> keep autodiscovery but to limit what could be accessed during a
> discovery process. 
> 
But discovery without first creating a "secret" or "password" at a 
new device gets you VERY VERY little, basically only that a SNMP 
agent exists. That is if you follow recommendations/rules in RFC3414.
See appendix A in RFC3414.

> Standardizing the default passwords across vendors and standardizing
> rigorous security surrounding their use is a better approach than not
> allowing any standard/default passwords at all.
> 
I am not sure I fully agree with this. I understand your motivation, but
I also have VERY BAD experinces with such initial and (defacto) standard
passwords on systems. They often still exists many many years after
installation and are exploited very often in attacks.

Bert

Prev by Date: Re: draft status, BoF, replies to issues
Next by Date: Re: Reply to comments on opsec draft from Bert Wijnen/OPS directorate. Part 1.
Previous by thread: Re: draft status, BoF, replies to issues
Next by thread: RE: draft status, BoF, replies to issues
Index(es):
- Date
- Thread