Re: Web Based management for routers/switches [7:86453] posted 03/28/2004
- Subject: Re: Web Based management for routers/switches [7:86453]
- From: "nrf" <noglikirf@xxxxxxxxxxx>
- Date: Sun, 28 Mar 2004 05:55:04 GMT
"Ken Diliberto" wrote in message
> nrf wrote:
> > "Sam Sneed" wrote in message
> > news:200403262030.i2QKUkwX007477@xxxxxxxxxxxxxxxxx
> >>Yes, it is the default. And it is the same as the telnet password. The
> >>first thing I do is disable it. The interface sucks and I feel it's pretty
> >>useless if you ask my opinion.
> > And therein lies the fulcrum of the argument. People say that you
> > shouldn't enable the http-server because doing so is unsafe. That's a
> > pretty thin reed to rely upon. The fact is, the web-server is no more
> > unsafe than the telnet server of the router. If you really care about
> > security such that you'd turn off the web-server then, you should also
> > 'turn off' the telnet-server and only allow access through secure means,
> > such as ssh or https.
> > Neither is that 3-year-old http security vulnerability a serious point of
> > contention either. Let's be frank - if you haven't patched your Cisco
> > routers in 3 years, then whatever vulnerability is associated with your
> > web-server is probably not your biggest problem right now.
> > However, the lodestone-argument against the web-server is, as Sam Sneed
> > says, that the web-server interface is worthless. It's not really that the
> > web-server is unsafe - like I said, it's no more unsafe than the telnet
> > server, and everybody always seems to have that thing open - it's that the
> > interface doesn't add any value.
> Enabling the web server on a router adds another point of attack.
Again, like I said, I don't see this as any more of a serious issue than
leaving telnet open to the world to bang upon. Is it 'another' point of
attack? Sure. But consider this. What's the difference between leaving
telnet open, but closing http, and leaving http open, but closing telnet?
From an attack standpoint, basically there is no difference. And that's
why I find this discussion about the supposedly huge vulnerability of http
to be incongruous. Again, it's no more vulnerable than the telnet-server,
and people apparently don't seem too concerned with that.
> Access-lists controlling what addresses can get to the web server help,
> but people can still bang on it. Enabling the web server on a switch
> isn't as much of a problem as long as you protect the management VLAN
> from unauthorized traffic. I do agree with the last point that the web
> server is worthless.
**Please support GroupStudy by purchasing from the GroupStudy Store:
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
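The thread's practical point is that the HTTP server and the telnet server on a Cisco router should be judged by the same standard: either one is a cleartext management path open to whoever can reach the box, and both are tamed the same way (turn the cleartext service off, keep the encrypted one, and gate it with an access-list). The following Python audit is an added example written for this page; it is not code from the list or from any poster. It parses an IOS-style running-config and flags the exposures discussed above symmetrically for the HTTP and vty sides. Both sample configs, the hostname, the 10.20.30.0/24 management subnet and the `netops` user are constructed for illustration.

```python
"""Audit an IOS-style running-config for cleartext or unrestricted management access.

Checks mirror the thread's argument: plain HTTP and telnet are equivalent
exposures, and either the web server or the vtys should be reachable only
from an access-list of management stations.
"""

# Constructed sample: the default-ish exposure the thread describes, telnet and
# HTTP both open to any source and both authenticating with one shared password.
WEAK_CONFIG = """\
hostname edge1
enable password cisco
!
ip http server
!
line vty 0 4
 password cisco
 login
 transport input all
!
end
"""

# Constructed sample after the hardening nrf argues for: plain HTTP and telnet
# off, HTTPS and SSH only, both gated by the same management-subnet ACL.
HARDENED_CONFIG = """\
hostname edge1
ip domain-name example.net
username netops secret REPLACE-ME
!
access-list 10 remark management stations only
access-list 10 permit 10.20.30.0 0.0.0.255
!
ip ssh version 2
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
!
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
!
end
"""


def parse(config):
    """Split an IOS config into global commands and 'line ...' blocks.

    IOS indents a block's sub-commands with a single space and separates
    sections with '!'; that is all the structure this audit needs.
    """
    glob, blocks, current = [], {}, None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(stripped)
            continue
        current = None
        if stripped.startswith("line "):
            current = stripped
            blocks[current] = []
        else:
            glob.append(stripped)
    return glob, blocks


def audit(config):
    """Return a list of human-readable findings; an empty list means clean."""
    glob, blocks = parse(config)
    findings = []

    # Web side: cleartext HTTP, unrestricted source, shared enable password.
    http_plain = "ip http server" in glob            # 'no ip http server' does not match
    http_on = http_plain or "ip http secure-server" in glob
    if http_plain:
        findings.append("plain HTTP management enabled (credentials and config travel in cleartext)")
    if http_on and not any(l.startswith("ip http access-class") for l in glob):
        findings.append("HTTP(S) server reachable from any source: no 'ip http access-class'")
    if http_on and not any(l.startswith("ip http authentication") for l in glob):
        # IOS defaults to 'ip http authentication enable', i.e. the enable password.
        findings.append("HTTP(S) server authenticates with the default enable password")

    # vty side: the same three questions asked of telnet.
    for name, body in blocks.items():
        if not name.startswith("line vty"):
            continue
        transport = next((l for l in body if l.startswith("transport input")), None)
        if transport is None:
            findings.append(f"{name}: no explicit 'transport input' (default depends on IOS release)")
        elif {"all", "telnet"} & set(transport.split()[2:]):
            findings.append(f"{name}: telnet permitted ('{transport}')")
        if not any(l.startswith("access-class") for l in body):
            findings.append(f"{name}: no 'access-class' restricting source addresses")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(cfg) or ["no findings"]:
            print(" -", f)
```

Run against the weak sample the audit reports five findings, split evenly between the web server and the vtys, which is the thread's point in one screen: closing only HTTP (or only telnet) halves the list without changing the kind of exposure, while the hardened sample clears both sides with one ACL applied to `ip http access-class` and to `access-class ... in` on the vtys.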