Safe access to Cisco (or any router)


MichaelRSorg (Well-known member, joined Nov 1, 2020; routersecurity.org):
On the Oct 24th Security Now podcast Steve discussed the brutal flaws in Cisco routers and switches. The bug was in the web interface and Steve said, of course, not to leave the web UI open to the Internet. But his alternative was to "use a VPN to connect to the private network behind the router".

I don't understand what this means.

What VPN server is he suggesting that someone connect to?

A server running on the router? If so, why would you assume the VPN server software is perfect while the web UI is buggy? And a VPN server on the router also opens a port to the Internet at large. A VPN server running on an internal device? This too would open a port in the router.

In general, limiting web admin access by source IP is a great idea, but depending on the bug in the web interface, it may not offer full protection.

Many, if not most routers can be administered via a cloud service. TP-Link has a few different cloud services. Peplink has one. Asus is rare in not offering one. Using a cloud service means no holes in the router firewall as the router itself phones home to the cloud. But, it means trusting every employee of the hardware manufacturer.

You could also remotely control an internal device using a remote control system that uses the cloud to make a connection. There are many such programs. Then, from the internal device get at the LAN side of the router.

On a related note, I track router bugs (RouterSecurity.org) and Cisco has a disgraceful security record. I would not use their hardware if they gave it away for free.
 
Um, I think it's self-evident what he meant. You put a VPN device with access to the inside of the network into the DMZ. You lock down the VPN device so that it only accepts key based authentication, so it should be impossible for an attacker to hack through it. This allows a client on the outside to connect to the VPN, authenticate, and then gain access to the inside network, which means when it connects to any device such as the Cisco router, it will be coming from the inside, and will be allowed, whereas a firewall will block any access from the outside.
 

Attachment: PHolder_2023Oct25_UsingVPNforAdmin.png (29.2 KB)
Not self-evident to me.
So, Steve's point was that rather than trust the router web UI, we should trust VPN server software running on a dedicated VPN box? There have been many attacks against these types of devices. And a system that gives admins access to the full LAN can be considered more dangerous than a system that gives bad guys access to one router.
In your diagram, the path still goes through the router, so it still has an open port, so not the safest thing.
I could argue that cloud-based remote admin (RealVNC, Anydesk, TeamViewer, Amy, etc.) of a cheap dedicated computer in a VLAN is a safer way to get LAN-side access to the router.
And switching terminology from router to firewall confuses things, as different people use the term firewall to mean different things.
Not trying to give you a hard time, appreciate the response.
 
I really value the argument made here, but I would think an internal interface after accessing a VPN is still safer than leaving the web UI open to the open internet to be scanned by Shodan or whatever other service an attacker would use to try to break in.
It's like putting your vault or phone lines right next to the lobby entrance of a business, while a VPN is akin to having a direct line to someone inside the vault. Also, it adds to the logging process that a bad actor would have to remove to cover their tracks. The VPN access can be logged and the access to the web UI should be logged. If someone gains admin access to the firewall, they could easily purge the logs of their login after the fact.

While there have been plenty of attacks against those types of boxes, you're providing another 'layer' of protection before someone can have the keys to the kingdom.
 
Quoting the previous reply: "Also, it adds to the logging process that a bad actor would have to remove to cover their tracks. The VPN access can be logged and the access to the web UI should be logged. If someone gains admin access to the firewall, they could easily purge the logs of their login after the fact."
The solution to that is to have your border device (router/firewall) copy its log files to a separate syslog server in real time. Then the attacker has to get admin access to both devices to remove any log traces.
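Two points in this thread turn into a concrete check once the router's log leaves the router: the earlier replies argue that management logins should only ever arrive from the LAN or from the VPN address pool, and the last reply argues that copying the log to a separate syslog host stops an attacker from erasing the trail. The script below is an added example for this thread, not code from GRC, Cisco or any product named above. It assumes the router and a VPN gateway both forward to one central syslog host, and the management subnets, the VPN pool and the log line formats are constructed for the example. It flags admin logins that come from outside the management networks (the source filter is missing or was bypassed), and admin logins from a VPN pool address that the VPN gateway's own records do not show as active at that time (the router's record is not corroborated by the second device).

```python
"""Correlate router web-UI admin logins with VPN session records held on a
separate syslog host.  Example written for this thread; the networks, hosts
and log formats are assumptions, not taken from any real device."""
import ipaddress
import re

# Assumed: management access is only legitimate from the LAN or the VPN pool.
MGMT_NETS = [ipaddress.ip_network("192.168.1.0/24"),
             ipaddress.ip_network("10.8.0.0/24")]
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")

# Constructed sample of what the central syslog host might receive from the
# VPN gateway ("vpngw") and the router ("router").  Timestamps are ISO 8601 UTC.
SAMPLE_LOG = """\
2023-10-25T08:55:01Z vpngw openvpn: session up user=alice remote=203.0.113.7 assigned=10.8.0.5
2023-10-25T08:57:40Z router WEBUI: admin login ok user=admin src=10.8.0.5
2023-10-25T09:10:22Z router WEBUI: admin login ok user=admin src=192.168.1.20
2023-10-25T09:30:05Z vpngw openvpn: session down user=alice assigned=10.8.0.5
2023-10-25T09:41:13Z router WEBUI: admin login ok user=admin src=10.8.0.9
2023-10-25T09:45:00Z router WEBUI: admin login ok user=admin src=198.51.100.23
"""

VPN_UP = re.compile(r"^(\S+) \S+ openvpn: session up user=(\S+) remote=\S+ assigned=(\S+)$")
VPN_DOWN = re.compile(r"^(\S+) \S+ openvpn: session down user=(\S+) assigned=(\S+)$")
WEBUI_LOGIN = re.compile(r"^(\S+) \S+ WEBUI: admin login ok user=(\S+) src=(\S+)$")


def audit(log_text):
    """Return a list of (timestamp, source_ip, reason) findings.

    The merged log is sorted by timestamp first (ISO 8601 UTC strings sort
    lexically), so a VPN session must be 'up' before a login from its
    assigned address counts as corroborated.
    """
    active = {}    # VPN-assigned address -> user, for sessions currently up
    findings = []
    lines = [l for l in log_text.splitlines() if l.strip()]
    for line in sorted(lines, key=lambda l: l.split(" ", 1)[0]):
        m = VPN_UP.match(line)
        if m:
            active[m.group(3)] = m.group(2)
            continue
        m = VPN_DOWN.match(line)
        if m:
            active.pop(m.group(3), None)
            continue
        m = WEBUI_LOGIN.match(line)
        if not m:
            continue                      # other traffic on the syslog host
        ts, src = m.group(1), ipaddress.ip_address(m.group(3))
        if not any(src in net for net in MGMT_NETS):
            # Check 1: the web UI answered a login from a non-management source.
            findings.append((ts, str(src),
                             "admin login from outside management networks"))
        elif src in VPN_POOL and str(src) not in active:
            # Check 2: router says a VPN-pool address logged in, but the VPN
            # gateway holds no session for that address at that moment.
            findings.append((ts, str(src),
                             "admin login from VPN pool with no active VPN session"))
    return findings


if __name__ == "__main__":
    for ts, src, reason in audit(SAMPLE_LOG):
        print(f"{ts} {src}: {reason}")
```

On the constructed sample this reports the 09:41 login from 10.8.0.9 (no VPN session held that address) and the 09:45 login from 198.51.100.23 (outside both management networks); the two logins from 10.8.0.5 and 192.168.1.20 pass. The value of the second check depends entirely on the logs living on a host the router administrator account cannot reach, which is the point the last reply makes.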
 