Dangers of an Open Web Management Interface

More often than not, enterprise products are managed through a Web browser that connects to a built-in Web server on the device. This trend began almost as soon as the graphical Web was available in the mid-1990s, and today almost no one writes front-end management software because of it. This is both a blessing and a curse, as the folks from the InfoSec Institute recently reminded me.

“Under no circumstances should these [Web interfaces] be open to the world and the Internet,” writes the author of the post, using a pseudonym. He cites a few egregious examples. The issue here is that someone can use common search tools, such as Google and shodanhq.com (a search engine specifically designed to locate web-connected devices), to find open interfaces and then enter your network without upsetting any of your perimeter defenses. A quick search for open WatchGuard firewalls brings up more than 4,000, for example.

Here is an example of a Cisco router that is open to the Internet:

In the referenced blog post, the author shows numerous other examples and ways that hackers can access these open interfaces. While hackers still need to figure out an admin user name and password, in many instances people use the default values, making these devices even more insecure.

So what can you do to beef up your Web UI security? Here are several suggestions:

  • Disable any optional Web UI if not required. Use SSH if available. Better yet, require that all management happen from a specific PC that is kept in a secure location.
  • Restrict access to the Web UI by IP address range or to specific admin IP addresses.
  • Restrict access to the Web UI by VPN and keep the device accessible only by private IP on the LAN side of its ports.
  • Use a good password. At the very least, use a passphrase or password of 26 or more characters for critical network devices. Change it regularly.
  • Disable telnet on any Cisco devices, even if the device is only accessed internally.
  • Enable brute force prevention or rate limiting. Every layer of security helps.
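
As an added example (not from the original post or the InfoSec Institute article), the script below audits a Cisco IOS-style configuration text for several of the checklist items above: a plaintext Web UI, no source-address restriction on the Web UI, no login rate limiting, and telnet on the vty lines. The two sample configs, the function name `audit_mgmt_plane`, ACL number 10 and the 192.0.2.0/24 admin range are constructed for illustration, and the command forms it matches (`ip http server`, `ip http access-class`, `login block-for`, `transport input`) are assumed to match the syntax of the device being audited.

```python
import re

# Constructed sample: a Cisco IOS-style config with a weak management plane.
WEAK_CONFIG = """\
ip http server
ip http secure-server
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample: the same device after applying the checklist.
HARDENED_CONFIG = """\
no ip http server
ip http secure-server
ip http access-class 10
access-list 10 permit 192.0.2.0 0.0.0.255
login block-for 60 attempts 3 within 30
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""

def audit_mgmt_plane(config: str) -> list[str]:
    """Return findings for the checklist items that can be read from config text."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    top = {l for l in lines if not l.startswith(" ")}  # global (unindented) commands
    findings = []
    web_ui = [l for l in top if l in ("ip http server", "ip http secure-server")]
    if "ip http server" in top:
        findings.append("plaintext web UI enabled (ip http server)")
    if web_ui and not any(l.startswith("ip http access-class") for l in top):
        findings.append("web UI not restricted by source address (no ip http access-class)")
    if not any(l.startswith("login block-for") for l in top):
        findings.append("no login rate limiting (login block-for)")
    # Walk "line vty" blocks; indented lines belong to the preceding section header.
    section = None
    for l in lines:
        if not l.startswith(" "):
            section = l if l.startswith("line vty") else None
        elif section and re.match(r"\s*transport input\b", l):
            if re.search(r"\b(telnet|all)\b", l):
                findings.append(f"telnet allowed on '{section}'")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mgmt_plane(cfg) or "no findings")
```

The audit only reads what is written in the config text; it does not account for platform defaults that apply when a command is absent, and password strength cannot be checked this way.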

Related Sources

Security Dangers of Web Management Interfaces [InfoSec Institute]

Comments

  1. I was just discussing this. The web server is partitioned into internal web server and external web server. The internal, depending on permissions, might or might not be accessed by everyone. The pathways that can be restricted and offer the most protection are the pathway to external traffic and traffic from external sites in.

    WatchGuard for sure can either block all or none. Seniority of scenarios will have an effect on the routing pattern but from the looks of it, the idea that you're projecting for the problem might be atypical and require a specially configured protocol.

    I feel like these issues have been addressed before and are coming back to the table with the same answers that were either forgotten or are still pending.

    http://articlesbykaminikandicaabdool.wordpress.com/2012/04/22/running-out-of-technology/
    http://articlesbykaminikandicaabdool.wordpress.com/2012/04/08/the-new-advance-in-it-yesterdays-resource/

    I’ve been discussing redundancy and compliance. Maybe that has an impact.

    Kamini Kandica Abdool
