On the Oct 24th Security Now podcast Steve discussed the brutal flaws in Cisco routers and switches. The bug was in the web interface and Steve said, of course, not to leave the web UI open to the Internet. But, his alternative was to "use a VPN to connect to the private network behind the router."
I don't understand what this means.
What VPN server is he suggesting that someone connect to?
A server running on the router? If so, why would you assume the VPN server software is perfect while the web UI is buggy? And a VPN server on the router also opens a port to the Internet at large. A VPN server running on an internal device? This too would open a port in the router.
In general, limiting web admin access by source IP is a great idea, but depending on the bug in the web interface, it may not offer full protection.
Many, if not most routers can be administered via a cloud service. TP-Link has a few different cloud services. Peplink has one. Asus is rare in not offering one. Using a cloud service means no holes in the router firewall as the router itself phones home to the cloud. But, it means trusting every employee of the hardware manufacturer.
You could also remotely control an internal device using a remote control system that uses the cloud to make a connection. There are many such programs. Then, from the internal device get at the LAN side of the router.
On a related note, I track router bugs (RouterSecurity.org) and Cisco has a disgraceful security record. I would not use their hardware if they gave it away for free.
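As an added illustration (not part of the post above, and not any vendor's actual firewall syntax), here is a small policy evaluator that models the mitigation the post weighs: the router's web UI is reachable only from a management subnet on the LAN or VPN-tunnel interface, and any request arriving on the WAN interface is denied regardless of its source address. It also includes a static check that flags a policy which could admit management traffic from an untrusted interface. Interface names, subnets, ports and sample requests are constructed for this example.

```python
"""Source-IP / ingress-interface restriction for a router's management web UI.

Constructed example: models a first-match access policy and a static lint
that reports allow rules which could expose the web UI on an untrusted
(Internet-facing) interface. Nothing here is real router configuration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

MGMT_PORTS = {80, 443}        # assumed web UI ports
UNTRUSTED_IFACES = {"wan"}    # assumed Internet-facing interface names


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    iface: Optional[str]          # ingress interface; None matches any
    src: Optional[IPv4Network]    # source prefix; None matches any
    dport: Optional[int]          # destination port; None matches any

    def matches(self, iface: str, src: IPv4Address, dport: int) -> bool:
        return ((self.iface is None or self.iface == iface)
                and (self.src is None or src in self.src)
                and (self.dport is None or self.dport == dport))


def evaluate(policy: List[Rule], iface: str, src: str, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied by default."""
    addr = ip_address(src)
    for rule in policy:
        if rule.matches(iface, addr, dport):
            return rule.action
    return "deny"


def mgmt_exposed_to_untrusted(policy: List[Rule]) -> List[Rule]:
    """Static lint: allow rules that could admit management-port traffic
    from an untrusted interface. Ignores shadowing by earlier deny rules,
    so it may over-report but never misses an unguarded allow rule."""
    findings = []
    for rule in policy:
        if rule.action != "allow":
            continue
        iface_hit = rule.iface is None or rule.iface in UNTRUSTED_IFACES
        port_hit = rule.dport is None or rule.dport in MGMT_PORTS
        if iface_hit and port_hit:
            findings.append(rule)
    return findings


# Constructed "hardened" policy: web UI only from the LAN management subnet
# and from VPN clients on the tunnel interface; explicit deny on WAN first.
HARDENED = [
    Rule("deny", "wan", None, 80),
    Rule("deny", "wan", None, 443),
    Rule("allow", "lan", ip_network("192.168.1.0/24"), 443),
    Rule("allow", "tun0", ip_network("10.8.0.0/24"), 443),
]

# Constructed "weak" policy: remote management enabled on every interface.
WEAK = [
    Rule("allow", None, None, 443),
]


if __name__ == "__main__":
    samples = [
        ("wan", "203.0.113.5", 443),    # Internet host hitting HTTPS UI
        ("lan", "192.168.1.20", 443),   # admin workstation on the LAN
        ("lan", "192.168.1.20", 80),    # plain HTTP not allowed even on LAN
        ("tun0", "10.8.0.7", 443),      # VPN client reaching the UI
    ]
    for name, policy in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(f"--- {name} ---")
        for iface, src, port in samples:
            print(f"{iface:5} {src:15} :{port} -> {evaluate(policy, iface, src, port)}")
        print("exposed allow rules:", mgmt_exposed_to_untrusted(policy))
```

Note what the check does and does not buy you: it keeps Internet hosts away from the web UI, but a request from an address inside the allowed subnet is still admitted, which is the post's caveat that source-IP limits reduce exposure rather than fix the underlying bug.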