More often than not, the management interface of enterprise products is through a Web browser that connects to a built-in Web server on the device. This trend began almost as soon as the graphical Web was available in the mid-1990s, and today almost no one writes front-end management software because of it. This is both a blessing and a curse, as the folks from the InfoSec Institute recently reminded me.
“Under no circumstances should these [Web interfaces] be open to the world and the Internet,” writes the author of the post, using a pseudonym. He cites a few egregious examples. The issue is that someone does not have to get past any of your perimeter defenses to reach these interfaces: common search tools such as Google and shodanhq.com, a search engine built specifically to locate Web-connected devices, will find the open ones for them. A quick search for open WatchGuard firewalls brings up more than 4,000, for example.
Here is an example of a Cisco router that is open to the Internet:
In the referenced blog post, the author shows numerous other examples and ways that hackers can access these open interfaces. While hackers still need to figure out an admin user name and password, in many instances people use the default values, making these devices even more insecure.
So what can you do to beef up your Web UI security? Here are several suggestions:
- Disable any optional Web UI if not required. Use SSH if available. Better yet, require that all management happen from a specific PC that is kept in a secure location.
- Restrict access to the Web UI by IP address range or to specific admin IP addresses.
- Restrict access to the Web UI by VPN and keep the device accessible only by private IP on the LAN side of its ports.
- Use a good password. At the very least, use a passphrase or password of 26 characters or more for critical network devices. Change it regularly.
- Disable telnet on any Cisco devices, even if the device is only accessed internally.
- Enable brute force prevention or rate limiting. Every layer of security helps.
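One way to turn the checklist above into something you can run is to audit a device's exported configuration against it. The script below is an added example for this post, not code from the InfoSec Institute article or from any vendor; it assumes Cisco IOS-style configuration syntax (`ip http server`, `transport input`, `access-class`, `login block-for`), and both configuration texts are constructed samples, with 192.0.2.0/24 standing in for the admin workstation subnet. Each check maps to one bullet in the list: plaintext Web UI disabled, remaining HTTPS UI and VTY lines restricted by IP, telnet off, passphrase length, and brute-force protection.

```python
import re
from typing import List

# Constructed sample (not a real device): the Web UI and telnet are reachable,
# nothing limits which addresses may manage the box, and the VTY password is weak.
WEAK_CONFIG = """\
hostname edge-rtr
ip http server
ip http secure-server
line vty 0 4
 transport input telnet ssh
 password cisco
 login
"""

# Constructed sample: the same device after the checklist is applied. 192.0.2.0/24
# stands in for the admin workstation subnet (an assumption made for this example).
HARDENED_CONFIG = """\
hostname edge-rtr
no ip http server
ip http secure-server
ip http access-class 10
ip ssh version 2
login block-for 120 attempts 3 within 60
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""

MIN_PASSPHRASE_LEN = 26  # the minimum the post recommends for critical devices


def active_lines(config: str) -> List[str]:
    """Return non-empty, non-comment config lines with indentation removed."""
    out = []
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            out.append(line)
    return out


def audit(config: str) -> List[str]:
    """Check a config against the checklist; an empty result means every check passed."""
    lines = active_lines(config)
    findings = []

    # Optional plaintext Web UI should be off ("no ip http server" does not match this).
    if "ip http server" in lines:
        findings.append("plain HTTP management UI is enabled")

    # Any HTTPS UI that stays on must be limited to admin addresses.
    if "ip http secure-server" in lines and not any(
        l.startswith("ip http access-class ") for l in lines
    ):
        findings.append("HTTPS management UI is not restricted by ip http access-class")

    # Telnet (cleartext credentials) must not be an accepted transport on any line.
    for l in lines:
        m = re.match(r"transport input (.+)$", l)
        if m:
            protocols = m.group(1).split()
            if "telnet" in protocols or "all" in protocols:
                findings.append("telnet is an allowed transport on a VTY/console line")

    # Remote CLI access should also be limited to admin addresses.
    if any(l.startswith("line vty") for l in lines) and not any(
        re.match(r"access-class \S+ in$", l) for l in lines
    ):
        findings.append("VTY lines have no inbound access-class")

    # Short line passwords (stored in the clear in the config) violate the passphrase rule.
    for l in lines:
        m = re.match(r"password (\S+)$", l)
        if m and len(m.group(1)) < MIN_PASSPHRASE_LEN:
            findings.append("line password is shorter than %d characters" % MIN_PASSPHRASE_LEN)

    # Brute-force protection: "login block-for" quarantines logins after repeated failures.
    if not any(l.startswith("login block-for ") for l in lines):
        findings.append("no login block-for brute-force protection configured")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print("%s: %s" % (name, "OK" if not result else "; ".join(result)))
```

Run against the weak sample it reports six findings, one per bullet; against the hardened sample it reports none. Feeding it a real `show running-config` export is the obvious next step, and the checks are deliberately conservative: a line such as `transport input all` is flagged just like an explicit `telnet`, because "all" silently includes it.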
Security Dangers of Web Management Interfaces [InfoSec Institute]