
Thread: user access to switch

  1. #31
    thorin
    Join Date: Jan 2010
    Posts: 2,629

    There may be some argument that the IT dept. needs to be able to manage the device from the outside (on-call or whatever); if this is really necessary then I'd suggest:
    • Disable telnet and use SSH
    • Create an ACL which limits the IPs (or IP ranges) that can connect to SSH
    • Ensure the devices are hardened (don't use default accounts [even if the passwords are changed])
    • Ensure that passwords used for the device follow a strong process/policy (i.e.: complexity, age, history, etc.)
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
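As an added illustration of the first three points above (not code from the thread or any vendor), here is a small checker that audits a Cisco-IOS-style running-config for telnet on the vty lines, a missing access-class ACL and a missing idle timeout, run against two constructed sample configs:

```python
"""Audit a Cisco-IOS-style config for the vty hardening points in the thread."""

def parse_vty_blocks(config: str):
    """Return [(line_spec, [settings])] for every 'line vty' block."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("line vty"):
            current = (line, [])
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current[1].append(line.strip())  # indented line belongs to the block
        elif line:
            current = None  # any other top-level command ends the block
    return blocks

def audit_vty(config: str):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for spec, settings in parse_vty_blocks(config):
        transport = [s for s in settings if s.startswith("transport input")]
        # No explicit transport line leaves the platform default, which may include telnet.
        if not transport or any("telnet" in t or t.endswith(" all") for t in transport):
            findings.append(f"{spec}: telnet allowed or default transport; use 'transport input ssh'")
        if not any(s.startswith("access-class") for s in settings):
            findings.append(f"{spec}: no access-class; restrict management source IPs with an ACL")
        if not any(s.startswith("exec-timeout") for s in settings):
            findings.append(f"{spec}: no exec-timeout; idle admin sessions never expire")
    if "ip ssh version 2" not in config.splitlines():
        findings.append("global: 'ip ssh version 2' not set (SSHv1 may still be negotiated)")
    return findings

# Constructed sample configs (not taken from any real device).
WEAK_CONFIG = """\
hostname core-sw
line vty 0 4
 password cisco
 transport input telnet
"""
HARDENED_CONFIG = """\
hostname core-sw
ip ssh version 2
ip access-list standard MGMT-SSH
 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class MGMT-SSH in
 exec-timeout 5 0
 login local
 transport input ssh
"""
```

Running `audit_vty(WEAK_CONFIG)` returns four findings, while the hardened config returns none.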

  2. #32
    Member
    Join Date: Jan 2010
    Location: The new forums
    Posts: 462

    Quote Originally Posted by thorin View Post
    There may be some argument that the IT dept. needs to be able to manage the device from the outside (on-call or whatever); if this is really necessary then I'd suggest:
    • Disable telnet and use SSH
    • Create an ACL which limits the IPs (or IP ranges) that can connect to SSH
    • Ensure the devices are hardened (don't use default accounts [even if the passwords are changed])
    • Ensure that passwords used for the device follow a strong process/policy (i.e.: complexity, age, history, etc.)
    Agreed, I do not know the extent of the company's needs and the above would certainly reduce the risk at least.

    I was taking this more from the perspective that the company doesn't seem to either have a structured IT department or security policy in place (this is only an assumption from the posts).

    They hired an inexperienced person (again, nothing wrong with that) to conduct a pentest on their company. The OP mentioned that they used to consult outside for services. To me, this seems like a small company that probably doesn't need much in IT "upkeep" or complex maintenance on a regular basis, since they turned to the OP for help. That being said, the easiest and best thing to do would be to lock this stuff down if there isn't a real need for remote management over the internet. Again, I am just basing this off what I read; I could be completely wrong.

    To the OP, I guess the question is what role do you have at the company? Can you address these issues? Was this just a risk assessment, or are you going to make changes to the network?

  3. #33
    lupin (Super Moderator)
    Join Date: Jan 2010
    Posts: 2,943

    Quote Originally Posted by humbleman View Post
    Lupin or anybody else,
    So if risk is high, but probability is low, would you still give it a high rating? What would an experienced, seasoned hacker or attacker do with a public switch if they were able to sniff traffic and get admin privs on the device? There is obviously DoS. They could span the traffic to another device they own and sniff all company traffic coming in and out of the network? What else?
    There's the potential for an experienced hacker to intercept, redirect, or modify traffic flowing through the device, as well as to use the switch as a pivot point to access other systems, or to use the administrative interfaces to attack administrators' client machines (which can in turn be used as pivot points). An attacker installing a modified IOS image on the switch (giving the potential for arbitrary code execution from the switch) is also not out of the question.

    As to determining risk, we are back to looking at what that switch can access, what traffic flows through it, and what other systems it can communicate with. Without the benefit of business knowledge of your environment, I would put both impact and probability of this at a medium to high level, making the overall risk high as well.

    In determining the risk I'd also agree with thorin's point that just because you haven't been able to demonstrate a proof of concept of a full-blown attack on this yourself, it doesn't mean that someone else won't be able to. Because of the limited time that you have to perform any penetration test, I think that under the circumstances you would be justified in making some educated assumptions about what an attacker could do with this switch admin interface and rating the risk accordingly.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
