[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: draft status, BoF, replies to issues
> > > but not having default
> > > passwords would not be popular with many customers because
> > > it increases the burden of configuring a new device.
> > Again, back to target audience + scope. I believe that for "large IP
> > networks" provisioning will be done according to a defined process
> > and/or by skilled network engineers. Adding a step to the process
> > vs. having core networking elements compromised seems like a fair
> > tradeoff. If we're talking about SOHO devices ("why do I need
> > password ?"), I could see your point.
> I'm not talking about SOHO devices. SOHO is easy because there are so
> few devices involved.
> I'm talking about large enterprises that want to use, say, an SNMP
> application like HPOV to "discover" their network using default
> passwords, or applications to zero-config out-of-the-box devices using a
> default password designed for that purpose (which might be eliminated as
> part of the zero-config process). Being able to discover/identify and/or
> autoconfig devices coming into your network can be critical for security
> When SNMPv2 was first designed by security geeks who liked the "party
> model", they made it impossible to autodiscover a network; the keys for
> each device needed to be entered manually at both the agent and the
> manager before the manager could detect the presence/identity of the
> device. Hiding a device's identity seems prefectly reasonable if you're
> only thinking about security, but disabling autodiscovery greatly
> reduces ease-of-use, and hides rogue devices added to the network.
> After months (years) of debate, the SNMP community realized they would
> never be able to convince people to use the protocol if they took away
> autodiscover capabilities for the sake of security, and the result would
> be a less secure management environment. Autodiscovery of new
> out-of-the-box devices depends on having some standard pre-configured
> passwords (or lack of passwords). The SNMP community defined a way to
> keep autodiscovery but to limit what could be accessed during a
> discovery process.
But discovery without first creating a "secret" or "password" at a
new device gets you VERY VERY little, basically only that a SNMP
agent exists. That is if you follow recommendations/rules in RFC3414.
See appendix A in RFC3414.
> Standardizing the default passwords across vendors and standardizing
> rigorous security surrounding their use is a better approach than not
> allowing any standard/default passwords at all.
I am not sure I fully agree with this. I understand your motivation, but
I also have VERY BAD experinces with such initial and (defacto) standard
passwords on systems. They often still exists many many years after
installation and are exploited very often in attacks.