Safe access to Cisco (or any router)


MichaelRSorg (routersecurity.org):
On the Oct 24th Security Now podcast Steve discussed the brutal flaws in Cisco routers and switches. The bug was in the web interface and Steve said, of course, not to leave the web UI open to the Internet. But his alternative was to "use a VPN to connect to the private network behind the router".

I don't understand what this means.

What VPN server is he suggesting that someone connect to?

A server running on the router? If so, why would you assume the VPN server software is perfect while the web UI is buggy? And a VPN server on the router also opens a port to the Internet at large. A VPN server running on an internal device? This too would open a port in the router.

In general, limiting web admin access by source IP is a great idea, but depending on the bug in the web interface, it may not offer full protection.

Many, if not most, routers can be administered via a cloud service. TP-Link has a few different cloud services. Peplink has one. Asus is rare in not offering one. Using a cloud service means no holes in the router firewall, as the router itself phones home to the cloud. But it means trusting every employee of the hardware manufacturer.

You could also remotely control an internal device using a remote control system that uses the cloud to make a connection. There are many such programs. Then, from the internal device get at the LAN side of the router.

On a related note, I track router bugs (RouterSecurity.org) and Cisco has a disgraceful security record. I would not use their hardware if they gave it away for free.
 
Um, I think it's self-evident what he meant. You put a VPN device with access to the inside of the network into the DMZ. You lock down the VPN device so that it only accepts key-based authentication, so it should be impossible for an attacker to hack through it. This allows a client on the outside to connect to the VPN, authenticate, and then gain access to the inside network, which means when it connects to any device such as the Cisco router, it will be coming from the inside and will be allowed, whereas a firewall will block any access from the outside.
 

Attachment: PHolder_2023Oct25_UsingVPNforAdmin.png (diagram)
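Both the source-IP restriction mentioned in the first post and the "come in through the VPN so the connection arrives from the inside" model in the reply above end up as a handful of lines in the router's own configuration, and the practical question is whether a given running-config actually implements them. The following is an added example for this thread, not code from the original posts or from Cisco: a small Python audit that parses IOS-style config text and flags a web UI with no source restriction, vty lines that accept more than SSH, and an access-class that names an undefined or permit-any ACL. The three configs it checks are constructed samples; the ACL name MGMT and the VPN client pool 10.99.0.0/24 (the addresses a VPN user would arrive from) are assumptions.

```python
"""Audit an IOS-style running-config for the remote-management exposures
discussed in the thread: a web UI reachable from any source, vty lines that
accept more than SSH, and management ACLs that are missing or too loose.
Added example for this thread, not code from the original posts or from Cisco.
All config text is constructed; ACL name MGMT and pool 10.99.0.0/24 are assumptions.
"""

# Constructed sample: web UI on with no source restriction, telnet still allowed.
WEAK_CONFIG = """\
ip http server
ip http secure-server
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample: an access-class was added but the ACL it names was never defined.
PARTIAL_CONFIG = """\
ip http secure-server
ip http access-class ipv4 MGMT
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
"""

# Constructed sample: web UI off; SSH only, and only from the (assumed) VPN client pool.
HARDENED_CONFIG = """\
no ip http server
no ip http secure-server
ip ssh version 2
ip access-list standard MGMT
 permit 10.99.0.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
"""


def parse_blocks(text):
    """Split an IOS config into (top-level command, [sub-commands]) in file order.
    IOS indents sub-commands with a leading space; "!" comment lines are skipped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks


def acl_entries(blocks, name):
    """Entries of a named ACL ("ip access-list standard|extended NAME"), or None if undefined."""
    for cmd, subs in blocks:
        words = cmd.split()
        if words[:2] == ["ip", "access-list"] and words[3:4] == [name]:
            return subs
    return None


def check_acl(blocks, name, where):
    """Findings for an ACL that a management feature at `where` relies on."""
    entries = acl_entries(blocks, name)
    if entries is None:
        return [f"{where}: references undefined ACL '{name}'"]
    if any(e.split()[:2] == ["permit", "any"] for e in entries):
        return [f"{where}: ACL '{name}' permits any source"]
    return []


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    blocks = parse_blocks(text)
    top = [cmd for cmd, _ in blocks]
    findings = []
    # Web UI is on if either HTTP or HTTPS server is enabled ("no ip http server" does not match).
    http_on = any(c in ("ip http server", "ip http secure-server") for c in top)
    http_acl = [c for c in top if c.startswith("ip http access-class")]
    if http_on and not http_acl:
        findings.append("web UI enabled with no 'ip http access-class' source restriction")
    for c in http_acl:
        findings.extend(check_acl(blocks, c.split()[-1], c))
    # vty lines: SSH only, and only from sources the management ACL permits.
    for cmd, subs in blocks:
        if not cmd.startswith("line vty"):
            continue
        transports = [s.split()[2:] for s in subs if s.startswith("transport input")]
        # No explicit "transport input" leaves the platform default, which is not
        # guaranteed to be ssh-only, so that case is flagged as well.
        if not transports or any(t != ["ssh"] for t in transports):
            findings.append(f"{cmd}: transport input is not restricted to ssh")
        inbound = [s for s in subs if s.startswith("access-class") and s.endswith(" in")]
        if not inbound:
            findings.append(f"{cmd}: no inbound access-class, reachable from any source")
        for s in inbound:
            findings.extend(check_acl(blocks, s.split()[1], cmd))
    return findings
```

Point `audit()` at saved `show running-config` output and an empty result means the three checks passed. The hardened sample turns the web UI off rather than merely filtering it: an `ip http access-class` only stops requests from addresses the ACL does not permit, which is exactly the caveat raised earlier in the thread, so the ACL is the second line of defence and the VPN client pool is the only thing it permits. The partial sample shows the failure mode the checker is there to catch, an access-class that points at an ACL nobody ever defined.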
Not self-evident to me.
So, Steve's point was that rather than trust the router web UI, we should trust VPN server software running on a dedicated VPN box? There have been many attacks against these types of devices. And a system that gives admins access to the full LAN can be considered more dangerous than a system that gives bad guys access to one router.
In your diagram, the path still goes through the router, so it still has an open port, so not the safest thing.
I could argue that cloud-based remote admin (RealVNC, Anydesk, TeamViewer, Amy, etc.) of a cheap dedicated computer in a VLAN is a safer way to get LAN-side access to the router.
And switching terminology from router to firewall confuses things, as different people use the term firewall to mean different things.
Not trying to give you a hard time, appreciate the response.