Good morning, y'all. If a modem vendor sells an internet-facing device which has an HTTP interface that supports neither SSL nor TLS (only 80 or 8080), and HTTP is the only method of remotely accessing this device without going through several undocumented steps to crank up SSH... and if this is the only solution we can have before a go-live next week, what's a safe minimum number of characters for the admin password?
If you think it's weird that SSH isn't already configured, you'll really think it's strange knowing WAN-side HTTP can't be turned off.
thanks!
Uh.. buy a new modem?
Craig
There is no safe number. You are one packet away from a successful replay-attack.
I would use the longest string supported by the vendor until such time that the vendor can provide a better solution or I was able to switch vendors.
I called their support desk, and they understand the nature of my complaint. I'm hoping they know of a solution that wasn't spelled out in their Quick Start guide.
I would imagine the greater threat to be having always-on access to the HTTP interface, and therefore unlimited tries to guess the password. How would a replay attack work here? I think I've forgotten that... it's been a while.
@ericgeater wrote: If a modem vendor sells an internet-facing device which has an HTTP interface that supports neither SSL nor TLS (only 80 or 8080), and HTTP is the only method of remotely accessing this device without going through several undocumented steps to crank up SSH... and if this is the only solution we can have before a go-live next week, what's a safe minimum number of characters for the admin password?
Like @denbesten said, changing the length of your password isn't going to make any difference here.
@ericgeater wrote: ... you'll really think it's strange knowing WAN-side HTTP can't be turned off.
If the ability to login via the network can't be disabled, it's a surprise & a big concern. If the vendor has been so lax with the security of this product, I'd suggest you also do an online lookup to see if it has other security concerns.
Information Security policies you set in your organization should dictate minimal security requirements, and state how to handle exceptions.
Treat this as a risk. Prepare a report portraying the impact & probability in a matrix, say that the vendor has offered no solution & there's nothing much to mitigate this, and finally, recommend that the modem be replaced.
Send the report to management, after which they will have to decide whether to accept the risk or treat it.
This is essentially a 'cover your a**' strategy --- if there's any negative impact due to this risk, you might end up taking the fall if you never brought it to management's attention.
(To play it absolutely safe, get them to give you a written confirmation about accepting the risk before the go-live.)
The vulnerabilities in this situation would be the inability to disable HTTP logins via the network, and the lack of support for SSH.
The threat is these being exploited to obtain the password by capturing the data in transit and re-using it, or simply initiating a new session for an unauthorized login to the device.
To supplement my previous post, you could implement deterrent & detective controls --- setting up a banner on the device, and configuring logging / alerts --- but I feel that if you can't use a preventive control in the 1st place, there's not much use in the others.
(Anyways, put it all in a report, and throw the ball in your management's court.)
@ericgeater wrote: How would a replay attack work here? I think I've forgotten that... it's been a while.
I was being brief in my verbiage. I see three primary attack scenarios:
And as you identified, the best solution is to not expose admin interfaces to the Internet.
If your goal is internet-based out-of-band management, I would suggest some sort of filter/ACL that only allows connections from your own source IP addresses.
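The two compensating controls raised in this thread, a source-IP filter for the admin interface and logging/alerting on login attempts, can be checked against the device's access log even when the vendor offers no way to enforce them on the modem itself. The script below is an added example and is not code from the thread or from any modem vendor: it parses constructed, combined-log style lines (the log format, the `/login.cgi` path, the management networks and the failure threshold are all assumptions), reports every source address outside the management allow-list, and raises a brute-force alert when one source accumulates repeated failed logins.

```python
"""
Added example (not from the thread): a small detective control for an
admin HTTP interface that cannot be put behind TLS or disabled.

It reads constructed access-log lines, flags requests to the admin UI
from source addresses outside a management allow-list (the filter/ACL
idea from the thread), and alerts when one source accumulates too many
failed logins (the unlimited-guess concern). The log format, login
path, allow-list and threshold below are all assumptions.
"""
import ipaddress
import re
from collections import Counter

# Assumed management networks permitted to reach the admin interface.
MGMT_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/29"),
    ipaddress.ip_network("198.51.100.10/32"),
]

# Assumed login endpoint of the device's HTTP interface.
LOGIN_PATH = "/login.cgi"

# Failed logins from one source before an alert is raised (assumed).
FAIL_THRESHOLD = 5

# Assumed combined-log style: src_ip - - [time] "METHOD path HTTP/1.x" status
LOG_RE = re.compile(
    r'^(\S+) - - \[[^\]]+\] "(\w+) (\S+) HTTP/1\.[01]" (\d{3})'
)

# Constructed sample log lines (documentation-range addresses only).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:08:00:01 +0000] "POST /login.cgi HTTP/1.1" 200
192.0.2.77 - - [01/Jan/2024:08:00:05 +0000] "POST /login.cgi HTTP/1.1" 401
192.0.2.77 - - [01/Jan/2024:08:00:06 +0000] "POST /login.cgi HTTP/1.1" 401
192.0.2.77 - - [01/Jan/2024:08:00:07 +0000] "POST /login.cgi HTTP/1.1" 401
192.0.2.77 - - [01/Jan/2024:08:00:08 +0000] "POST /login.cgi HTTP/1.1" 401
192.0.2.77 - - [01/Jan/2024:08:00:09 +0000] "POST /login.cgi HTTP/1.1" 401
192.0.2.77 - - [01/Jan/2024:08:00:10 +0000] "POST /login.cgi HTTP/1.1" 401
198.51.100.10 - - [01/Jan/2024:08:01:00 +0000] "GET /status HTTP/1.1" 200
192.0.2.200 - - [01/Jan/2024:08:02:00 +0000] "GET /login.cgi HTTP/1.1" 200
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return (src_ip, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, path, status = m.groups()
    try:
        return ipaddress.ip_address(src), method, path, int(status)
    except ValueError:
        return None


def is_allowed_source(ip, allowlist=MGMT_ALLOWLIST):
    """True when the address falls inside one of the management networks."""
    return any(ip in net for net in allowlist)


def analyze(log_text, allowlist=MGMT_ALLOWLIST, fail_threshold=FAIL_THRESHOLD):
    """Report sources outside the allow-list and sources that look like
    password guessing (repeated 401/403 on the login endpoint)."""
    outside = set()
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the monitor
        ip, method, path, status = rec
        if not is_allowed_source(ip, allowlist):
            outside.add(ip)
        if path == LOGIN_PATH and method == "POST" and status in (401, 403):
            failures[ip] += 1
    return {
        "outside_allowlist": [str(ip) for ip in sorted(outside)],
        "brute_force": {str(ip): n for ip, n in failures.items()
                        if n >= fail_threshold},
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip in report["outside_allowlist"]:
        print(f"ALERT: admin interface reached from non-management source {ip}")
    for ip, n in report["brute_force"].items():
        print(f"ALERT: {n} failed logins from {ip} (threshold {FAIL_THRESHOLD})")
```

Run against the constructed log it flags 192.0.2.77 and 192.0.2.200 as outside the allow-list and 192.0.2.77 as a guessing source. This is a detective control only: it tells you after the fact that the interface was reached, which is why the preventive filter (allowing only your own source addresses, ideally enforced upstream of the modem) remains the control to push the vendor for, and why the password length question does not change the picture.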
I appreciate your follow-up answer, btw, because I was thinking more along "password capture" than "replay attack". To that end, thanks for the added detail.
I am going to take @Shannon's advice and get management to sign off. I didn't mention, by the way, that the next (and ONLY) item behind the modem is a firewall appliance. The modem only NATs traffic, and has no role or participation in the overall security.
Thanks for the replies, everyone.