On Wed, Jan 6, 2010 at 1:12 PM, Jim Burwell <jimb@jsbc.cc> wrote: [snip]
Yeah. And for devices with no console, only network interfaces, a default IP address, no default password, and no default route (just in case they plug it into a real LAN instead of a laptop. :p ).
Ah... don't worry about default routes.. Proxy ARP will "fix it".. when combined with a suitable router that does it by default, and help make sure the default-pw'ed device can still be reached by the bad guys. As Murphy would have it, the default device IP happens to correspond to a valid LAN IP address formerly used by a server, that the neglected perimeter firewall still forwards port 80 traffic to...

You know.. an extra port isn't so expensive these days. Equipment vendors could just make one of the network ports be labelled "Manage", ship the units with management access disabled, except on that port. Don't allow normal traffic forwarding to/from that port by default.

On first login, require a password change to be made before all other changes, such as enabling full management, are even allowed, including turning the manage port into a normal port (if it's even necessary).

The device should shut down the manage port, until reboot, via "management port security": when the first frame is received, memorize the MAC address, as long as carrier is still detected. If later a second MAC address is detected as the source on any frame, or any multicast frame at all is received other than an ARP for the switch's default IP, light up an orange LED for "security violation" or a "user error" light. :)

-- 
-J
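The "management port security" rule sketched in the message above, written out as a small state machine over raw Ethernet frames. This is an added illustration, not code from the post or from any vendor's firmware; the switch default IP (192.168.0.1), the MAC addresses and every frame fed to it are constructed here for the demo. It follows the post's rules: remember the first source MAC while carrier is up, forget it on carrier loss, and shut the port down until reboot on a second source MAC or on any multicast/broadcast frame that is not an ARP request for the switch's own IP.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame without FCS (constructed test input)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def build_arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Broadcast ARP 'who-has target_ip' request in the RFC 826 Ethernet/IPv4 layout."""
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)  # htype, ptype, hlen, plen, oper=request
    arp += sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return build_frame(BROADCAST_MAC, sender_mac, ETHERTYPE_ARP, arp)


@dataclass
class ManagePortSecurity:
    """Per-port state for the 'Manage' port described in the post (hypothetical design)."""
    switch_ip: bytes                     # the device's default management IP
    learned_mac: Optional[bytes] = None  # first source MAC seen while carrier is up
    carrier: bool = True
    shut_down: bool = False              # sticky until reboot
    violation_led: bool = False          # the orange "security violation" LED

    def carrier_lost(self) -> None:
        self.carrier = False
        self.learned_mac = None  # the MAC is only memorized as long as carrier is detected

    def carrier_up(self) -> None:
        self.carrier = True

    def _is_arp_request_for_switch(self, frame: bytes) -> bool:
        """The one multicast frame the post allows: an ARP request for the switch's own IP."""
        if len(frame) < 14 + 28:
            return False
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
            return False
        htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
        if (htype, ptype, hlen, plen, oper) != (1, ETHERTYPE_IPV4, 6, 4, 1):
            return False
        target_ip = frame[38:42]  # 14-byte Ethernet header + 24 bytes into the ARP body
        return target_ip == self.switch_ip

    def _violation(self, reason: str) -> str:
        self.shut_down = True
        self.violation_led = True
        return f"violation: {reason}"

    def process_frame(self, frame: bytes) -> str:
        if self.shut_down:
            return "dropped: port shut down until reboot"
        if not self.carrier or len(frame) < 14:
            return "dropped: no carrier or runt frame"
        dst, src = frame[0:6], frame[6:12]
        if self.learned_mac is None:
            self.learned_mac = src           # first frame: memorize the source MAC
        elif src != self.learned_mac:
            return self._violation("second source MAC")
        if dst[0] & 0x01:                    # I/G bit set: multicast or broadcast destination
            if not self._is_arp_request_for_switch(frame):
                return self._violation("multicast other than ARP for switch IP")
        return "accepted"


def run_demo() -> dict:
    """Four constructed scenarios; returns the per-frame verdicts for each."""
    switch_ip = bytes([192, 168, 0, 1])
    laptop, laptop_ip = bytes.fromhex("021122334455"), bytes([192, 168, 0, 2])
    other, other_ip = bytes.fromhex("02aabbccddee"), bytes([192, 168, 0, 9])
    unicast_to_switch = build_frame(bytes.fromhex("020000000001"), laptop,
                                    ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    out = {}

    # Intended use: a lone laptop ARPs for the switch, then talks to it unicast.
    p = ManagePortSecurity(switch_ip)
    out["lone_laptop"] = [p.process_frame(build_arp_request(laptop, laptop_ip, switch_ip)),
                          p.process_frame(unicast_to_switch)]

    # Plugged into a real LAN: a second station appears, port shuts until reboot.
    p = ManagePortSecurity(switch_ip)
    out["second_mac"] = [p.process_frame(build_arp_request(laptop, laptop_ip, switch_ip)),
                         p.process_frame(build_arp_request(other, other_ip, switch_ip)),
                         p.process_frame(unicast_to_switch)]

    # A broadcast that is not an ARP for the switch (here, an ARP for some other host).
    p = ManagePortSecurity(switch_ip)
    out["foreign_broadcast"] = [p.process_frame(
        build_arp_request(laptop, laptop_ip, bytes([192, 168, 0, 77])))]

    # Unplug and re-plug a different laptop: carrier loss forgets the learned MAC.
    p = ManagePortSecurity(switch_ip)
    first = p.process_frame(build_arp_request(laptop, laptop_ip, switch_ip))
    p.carrier_lost()
    p.carrier_up()
    out["replug"] = [first, p.process_frame(build_arp_request(other, other_ip, switch_ip))]
    return out


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(name, verdicts)
```

The carrier-loss reset is what makes the rule usable with a laptop on a patch cable while still tripping on a live LAN, where a second station's broadcast traffic shows up within seconds; note that it gives no protection against an attacker who first unplugs the legitimate laptop.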