GroupStudy.com - A virtual community of network engineers
Re: Web Based management for routers/switches [7:86453] posted 03/28/2004


"Ken Diliberto" wrote in message
news:200403271608.i2RG8nEO007202@xxxxxxxxxxxxxxxxx
> nrf wrote:
> > "Sam Sneed" wrote in message
> > news:200403262030.i2QKUkwX007477@xxxxxxxxxxxxxxxxx
> >
> >> Yes, it is the default. And it is the same as the telnet password. The
> >> first thing I do is disable it. The interface sucks and I feel it's pretty
> >> useless if you ask my opinion.
> >
> > And therein lies the fulcrum of the argument. People say that you
> > shouldn't enable the http-server because doing so is unsafe. That's a
> > pretty thin reed to rely upon. The fact is, the web-server is no more
> > unsafe than the telnet server of the router. If you really care about
> > security such that you'd turn off the web-server then, you should also
> > 'turn off' the telnet-server and only allow access through secure means,
> > such as ssh or https.
> >
> > Neither is that 3-year-old http security vulnerability a serious point
> > of contention either. Let's be frank - if you haven't patched your Cisco
> > routers in 3 years, then whatever vulnerability is associated with your
> > IOS web-server is probably not your biggest problem right now.
> >
> > However, the lodestone-argument against the web-server is as Sam Sneed
> > said, the web-server interface is worthless. It's not really that the
> > web-server is unsafe - like I said, it's no more unsafe than the telnet
> > server, and yet everybody always seems to have that thing open - it's
> > that the web-server interface doesn't add any value.
>
> Enabling the web server on a router adds another point of attack.

Again, like I said, I don't see this as any more of a serious issue than
leaving telnet open to the world to bang upon.  Is it 'another' point of
attack?  Sure.  But consider this.  What's the difference between leaving
telnet open, but closing http, and leaving http open, but closing telnet?
From an attack standpoint, basically there is no difference.   And that's
why I find this discussion about the supposedly huge vulnerability of http
to be incongruous.  Again, it's no more vulnerable than the telnet-server,
and people apparently don't seem too concerned with that.

> Access-lists controlling what addresses can get to the web server help,
> but people can still bang on it.  Enabling the web server on a switch
> isn't as much of a problem as long as you protect the management VLAN
> from unauthorized traffic.  I do agree with the last point that the web
> server is worthless.
>
> Ken
> **Please support GroupStudy by purchasing from the GroupStudy Store:
> http://shop.groupstudy.com
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=86520&t=86453
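The position argued in the thread (if you distrust the IOS web server enough to turn it off, close cleartext telnet too, and fence whatever management service remains with an access-list) can be written down as configuration. The following is an added illustration, not configuration posted by anyone in the thread; the hostname, domain name, management prefix (192.0.2.0/24, a documentation range) and the password placeholder are constructed. The commands themselves are standard IOS commands; the HTTPS server needs a crypto-capable IOS image, and the SSH key generation needs a hostname and domain name already set.

```cisco
! ===== Weak: the state being debated in the thread (constructed example) =====
! The HTTP server listens on TCP 80 for any source address and authenticates
! with the same cleartext line password that telnet uses.
ip http server
line vty 0 4
 password cisco
 login
 transport input telnet

! ===== Hardened: telnet off, only SSH and HTTPS, both fenced by an ACL =====
! hostname and ip domain-name must exist before the RSA key can be generated.
hostname edge-rtr
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
! Local account for both SSH and the web UI; replace the placeholder secret.
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD

! Standard ACL 10: the only stations allowed to reach management services.
! Logged denies make scanning of the management ports visible in syslog.
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log

! Cleartext HTTP is removed. If the web UI is not wanted at all (the thread's
! majority view), omit the three "ip http" lines that follow "no ip http server".
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10

! Telnet is removed from the vty lines; the same ACL gates SSH.
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 10 0
```

After applying, `show ip http server status` should report the HTTP server disabled and the HTTPS server enabled, and `show ip ssh` should report SSH version 2; a connection attempt from outside 192.0.2.0/24 to TCP 22 or 443 then produces a logged ACL deny rather than a login prompt, which is the difference between "another point of attack" and a service that is reachable only from the management hosts.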