Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Joe Greco
> On Wed, Jan 06, 2010 at 10:45:32PM -0600, Joe Greco wrote: > > > On Wed, Jan 6, 2010 at 7:19 PM, Dobbins, Roland > > > wrote: > > > > Which goes to show that they just really don't get it when it comes to > > > > security. Maybe they should look here at all the entries for 'default > > > >

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Matthew Palmer
On Wed, Jan 06, 2010 at 10:45:32PM -0600, Joe Greco wrote: > > On Wed, Jan 6, 2010 at 7:19 PM, Dobbins, Roland wrote: > > > Which goes to show that they just really don't get it when it comes to > > > security. Maybe they should look here at all the entries for 'default > > > credentials': > >

Re: ASR1002

2010-01-06 Thread Kenny Sallee
From my research - I'd have to agree. There is VRF aware NAT that I may need in 2.5 - however I shouldn't need it right away. Perhaps give 2.5 a chance to mature a little. Thanks for the feedback. Kenny On Wed, Jan 6, 2010 at 7:08 PM, McDonald Richards < mcdonald.richa...@gmail.com> wrote: > I

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Joe Greco
> On Wed, Jan 6, 2010 at 7:19 PM, Dobbins, Roland wrote: > > Which goes to show that they just really don't get it when it comes to > > security.  Maybe they should look here at all the entries for 'default > > credentials': > > Roland, this isn't the home wi-fi market we're talking about. An

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Joe Hamelin
On Wed, Jan 6, 2010 at 7:19 PM, Dobbins, Roland wrote: > Which goes to show that they just really don't get it when it comes to > security.  Maybe they should look here at all the entries for 'default > credentials': Roland, this isn't the home wi-fi market we're talking about. Anyone that's

Re: ASR1002

2010-01-06 Thread Bill Blackford
I'm finding this to be a fascinating thread as I am currently in the process of evaluating some M7i's vs. some ASR1002's. Seems the Jun's have settled into a less reflexive release schedule than the ASRs currently. At some point I'm sure the ASR's release schedule will settle into a trend more like

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread George Bonser
> -Original Message- > From: Dobbins, Roland > Sent: Wednesday, January 06, 2010 7:23 PM > To: NANOG list > Subject: Re: Default Passwords for World Wide Packets/Lightning Edge > Equipment > > > On Jan 7, 2010, at 10:19 AM, Dobbins, Roland wrote: > > > Which goes to show that they just

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread James Hess
On Wed, Jan 6, 2010 at 1:12 PM, Jim Burwell wrote: [snip] > Yeah.  And for devices with no console, only network interfaces, a > default IP address, no default password, and no default route (just in > case they plug it into a real LAN instead of a laptop.  :p  ). Ah... don't worry about default

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Dobbins, Roland
On Jan 7, 2010, at 10:19 AM, Dobbins, Roland wrote: > Which goes to show that they just really don't get it when it comes to > security. Maybe they should look here at all the entries for 'default > credentials': Actually, should be 'default password'. ---

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Dobbins, Roland
On Jan 7, 2010, at 10:12 AM, Joe Hamelin wrote: > they got quite a chuckle out of this thread. Which goes to show that they just really don't get it when it comes to security. Maybe they should look here at all the entries for 'default credentials':

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Joe Hamelin
I've been in training with the WWP folks for the last two days (VERY GOOD TRAINING, BTW!) and they got quite a chuckle out of this thread. They say if a customer is willing to pay they can change the initialization method. But I'm guessing that anyone willing to pay would be the type to actually

Re: ASR1002

2010-01-06 Thread McDonald Richards
I'd recommend 2.4.x (XNDx) unless you REALLY need the BGP PIC features in 2.5. 2.4 was the first release to support L2VPNs and should be mature enough in its general support of MPLS/VRFs. 2.5 is still VERY new and was only released publicly in December. 2.4.2 still has a few bugs but for the feat

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Matthew Palmer
On Wed, Jan 06, 2010 at 08:41:14PM -0500, Joel Esler wrote: > On Wed, Jan 6, 2010 at 8:26 PM, Steven Bellovin wrote: > > On Jan 6, 2010, at 6:24 PM, Jeffrey I. Schiller wrote: > > > An option I saw years ago (I forgot on whose equipment) was a default > > > password which was a function of the equ

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Mark Foster
At the end of the day, minimizing support costs for the vendor (not to mention likely annoyance for the customer) trumps providing "default" security for the folks who won't change the default password. The MyFi apparently does this. According to http://www.nytimes.com/2009/05/07/technology/per

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Joel Esler
On Wed, Jan 6, 2010 at 8:26 PM, Steven Bellovin wrote: > On Jan 6, 2010, at 6:24 PM, Jeffrey I. Schiller wrote: > > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA1 > > > > An option I saw years ago (I forgot on whose equipment) was a default > > password which was a function of the equipment'

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Steven Bellovin
On Jan 6, 2010, at 6:24 PM, Jeffrey I. Schiller wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > An option I saw years ago (I forgot on whose equipment) was a default > password which was a function of the equipment's serial number. So you > had to have the algorithm and you needed t

Re: ASR1002

2010-01-06 Thread Jared Mauch
I would run at least the 2.5 software (XNE). You don't mention if you have RP1 or RP2, if you're doing sw redundancy or hw redundancy or both, etc. This will also have an impact. I've seen some 'odd' issues with BGP on the ASR1k, so you really do want to track the latest code. It's also recom

Re: ASR1002

2010-01-06 Thread Mark Jackson
2.10 has been solid on all my clients thus far and supports your below mentioned requirements. Mark Jackson, CCIE #4736 Sent from my iPhone. Please excuse spelling errors On Jan 6, 2010, at 4:36 PM, Kenny Sallee wrote: > Anyone have recommendations on solid IOS XE code for ASR 1002 that's > ju

ASR1002

2010-01-06 Thread Kenny Sallee
Anyone have recommendations on solid IOS XE code for ASR 1002 that's just doing: - BGP - VRF's - Many sub-interfaces and ACL's It shipped with 02.04.02.122-33.XND2.bin Thanks, Kenny

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Nick Hale
I think the vendor you're thinking of was Cabletron (now Enterasys). I had to call them and give them the Serial Number for them to provide me with the default password to the system after a hard reset (this was for an ELS100-24TXG 'switch'). -NH -Original Message- From: Jeffrey I. Schi

RE: I don't need no stinking firewall!

2010-01-06 Thread gb10hkzo-nanog
Don't think anyone has mentioned this yet, so I will. All this debate over the pros and cons of firewalls brings the words "Jericho Forum" to mind, and their "principles for de-perimeterization (perimeter erosion)" http://www.opengroup.org/jericho/ Just my 2 worth !

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Jeffrey I. Schiller
An option I saw years ago (I forgot on whose equipment) was a default password which was a function of the equipment's serial number. So you had to have the algorithm and you needed the serial number which was not related to the MAC. So if you didn't h

RE: I don't need no stinking firewall!

2010-01-06 Thread Brian Johnson
> -Original Message- > From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu] > Sent: Wednesday, January 06, 2010 3:46 PM > To: nanog@nanog.org > Subject: Re: I don't need no stinking firewall! > > On Tue, 05 Jan 2010 23:14:05 CST, Ryan Brooks said: > > > Everyone needs to listen

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Steven Bellovin
On Jan 6, 2010, at 4:43 AM, George Bonser wrote: >> -Original Message- >> >>> having physical access pretty much trumps any other security > measure. >> >> The fact that there's a factory default means that lots of folks won't >> change it when they configure the unit with an IP address

RE: I don't need no stinking firewall!

2010-01-06 Thread Brian Johnson
> -Original Message- > From: Brian Keefer [mailto:ch...@smtps.net] > Sent: Wednesday, January 06, 2010 3:12 PM > To: Brian Johnson > Cc: NANOG list > Subject: Re: I don't need no stinking firewall! > > It's quite possible to flood the state table on a device with a > fraction of the pip

Re: I don't need no stinking firewall!

2010-01-06 Thread Valdis . Kletnieks
On Tue, 05 Jan 2010 23:14:05 CST, Ryan Brooks said: > Everyone needs to listen to Roland's mantra: "stateless ACLs in hardware > that can handle Mpps". It's more than just a hint. I suspect that more than a few need to be reminded that "stateless ACLs in switch hardware" is just another name fo

Re: I don't need no stinking firewall!

2010-01-06 Thread Brian Keefer
On Jan 6, 2010, at 11:29 AM, Brian Johnson wrote: > If your point is given unlimited inbound bandwidth that a stateful > firewall will fail (not work correctly), I can say that about any piece > of equipment. And even if it does fail, does it matter if your > connection is full of useless traf

RE: I don't need no stinking firewall!

2010-01-06 Thread Brian Johnson
- Brian > -Original Message- > From: Brian Keefer [mailto:ch...@smtps.net] > Sent: Wednesday, January 06, 2010 11:38 AM > To: Brian Johnson > Cc: NANOG list > Subject: Re: I don't need no stinking firewall! > > > On Jan 6, 2010, at 6:51 AM, Brian Johnson wrote: > > > Like Roland, I'

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Jim Burwell
On 1/6/2010 01:23, Dobbins, Roland wrote: > On Jan 6, 2010, at 4:18 PM, Matthew Palmer wrote: > > >> The closest I can come to a solution is to set a random password and flash >> it using a front-panel LED using morse. >> > heh > > No password at all, operator prompted at the console dur

Re: I don't need no stinking firewall!

2010-01-06 Thread David Hiers
As long as you raise the level of CAIN (Confidentiality, Availability, Integrity, Non-Repudiation) that your mission requires and funding permits, you can do it anywhere you like, with whatever you like, and call it whatever you like. David On Wed, Jan 6, 2010 at 9:38 AM, Brian Keefer wrote: >

Re: I don't need no stinking firewall!

2010-01-06 Thread Brian Keefer
On Jan 6, 2010, at 6:51 AM, Brian Johnson wrote: > Like Roland, I've been doing > this for over a decade as well, and I have seen some pretty strange > things, even a stateful firewall in front of servers with IPS actually > work. > What do you mean by "work"? If you mean "all three pieces

RE: I don't need no stinking firewall!

2010-01-06 Thread Brandon M. Lapointe
-Original Message- From: David Hiers [mailto:hie...@gmail.com] Sent: Wednesday, January 06, 2010 10:50 AM To: Brian Johnson Cc: nanog@nanog.org Subject: Re: I don't need no stinking firewall! >Poking the dragon a bit, aren't you? Fun. >If you really look at it, there is no quantitative

Re: D/DoS mitigation hardware/software needed.

2010-01-06 Thread Rob Shakir
On 6 Jan 2010, at 15:00, Hank Nussbacher wrote: > At 13:19 05/01/2010 +, Rob Shakir wrote: > >> If you're an SP who has some existing NetFlow solution, and don't really >> justify a spend for traffic intelligence within your network (or have >> something home-grown), is there an alternativ

Re: I don't need no stinking firewall!

2010-01-06 Thread David Hiers
Poking the dragon a bit, aren't you? Fun. If you really look at it, there is no quantitative difference between stateful and non-stateful. A non-stateful firewall can prevent a TCP session from entering the SYN_RECEIVED state by blocking the SYN packet, so it strongly impacts session state wit

Re: Data Centre - Advice? (Shenzhen, China)

2010-01-06 Thread Scott E. MacKenzie
Wow, missed this one reply. Sorry Benjamin. 1) Define "tier one". Let's go with this definition: http://en.wikipedia.org/wiki/Tier_1_network I hope the definition helps? NTT got some IDC in China (Beijing, Guangzhou, Hong Kong, Shanghai

Re: D/DoS mitigation hardware/software needed.

2010-01-06 Thread Graeme Fowler
On Wed, 2010-01-06 at 17:00 +0200, Hank Nussbacher wrote: > In that case, how do you run your current service: > http://www.vialtus.com/en/Solutions/Hosting-and-Datacentre-Services/Security-Solutions/Distributed-Denial-of-Service-Protection.aspx It says how, right on that page. Not Arbor. Graeme

Re: I don't need no stinking firewall!

2010-01-06 Thread Joe Greco
> > (4) Rate limiting. The ability to rate limit incoming and outgoing data > > can prevent certain sorts of DoSes. > > I am not sure what makes you believe that. The ability to rate limit > incoming data at the server level would definitely not prevent a DoS. > > The ability to rate limit ou

Re: D/DoS mitigation hardware/software needed.

2010-01-06 Thread Hank Nussbacher
At 13:19 05/01/2010 +, Rob Shakir wrote: If you're an SP who has some existing NetFlow solution, and don't really justify a spend for traffic intelligence within your network (or have something home-grown), is there an alternative scrubber that one might be able to use in a more standalone

RE: I don't need no stinking firewall!

2010-01-06 Thread Brian Johnson
I will not argue the more complete statement about the architectural premise that stateful firewalls are being produced under. That would be fruitless and I would concede to Roland and his statements on that. It appears that the real argument is whether stateful inspection is useful, and whether

Re: I don't need no stinking firewall!

2010-01-06 Thread Mark Smith
On Wed, 6 Jan 2010 04:53:17 + "Dobbins, Roland" wrote: > > On Jan 6, 2010, at 11:43 AM, George Bonser wrote: > > > Yes, you have to take some of the things that were done in one spot and do > > them in different locations now, but the results are an amazing increase > > in service capacity

Re: I don't need no stinking firewall!

2010-01-06 Thread Tony Finch
On Tue, 5 Jan 2010, Kevin Oberman wrote: > > I suspect at least part of this will soon get fixed due to DNSSEC. > Blocking tcp/53 and packets over 512 bytes will cause user complaints > and, after enough education, the problem will get fixed. Yes. Remember the root zone is due to be signed within

Re: I don't need no stinking firewall!

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 8:42 PM, Jared Mauch wrote: > The reality is they just have not been attacked yet, and hence have no > experience in what to do about the problem... And they've been bombarded with misinformation for years by 'security' vendors, wildly unrealistic certification training cour

Re: I don't need no stinking firewall!

2010-01-06 Thread Jared Mauch
On Jan 6, 2010, at 3:12 AM, Dobbins, Roland wrote: > Wrong. The attacker just programmatically generates semantically-valid > traffic which is indistinguishable from real traffic, and crowds out the > real traffic. > > All those fancy timers and counters and what-not don't matter. > > I've

Re: I don't need no stinking firewall!

2010-01-06 Thread Jared Mauch
On Jan 5, 2010, at 4:24 PM, Robert Brockway wrote: > Do you have any evidence to support this assertion? You've just asserted > that all firewalls have a specific vulnerability. It isn't even possible to > know the complete set of architectures (hardware & software) used for > firewalls so I

Re: I don't need no stinking firewall!

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 8:25 PM, juttazalud wrote: > How do you define "firewall"? This threat was about stateful firewalls in particular. --- Roland Dobbins // Injustice is relatively easy to be

Re: I don't need no stinking firewall!

2010-01-06 Thread juttazalud
On Wednesday, 06 January 2010 at 13:43, Roland Dobbins wrote: > On Jan 6, 2010, at 5:38 PM, William Waites wrote: >> A properly configured firewall will prevent latter. > So will stateless ACLs, running in hardware capable of handling mpps. How do you define "firewall"? I remember something li

Re: I don't need no stinking firewall!

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 5:38 PM, William Waites wrote: > A properly configured firewall will prevent latter. So will stateless ACLs, running in hardware capable of handling mpps. ;> --- Roland Dobbins //

RE: dark fiber and sfp distance limitations

2010-01-06 Thread John van Oppen
The best OTDR data I have ever gotten prior to signing an agreement for strands is the readings from another pair on the same route. That being said most dark fiber agreements have some sort of minimum performance specifications in them. John van Oppen Spectrum Networks LLC Direct: 206.973.8

Re: I don't need no stinking firewall!

2010-01-06 Thread William Waites
On 10-01-05 at 21:29, Dobbins, Roland wrote: Stateful firewalls make absolutely no sense in front of servers, given that by definition, every packet coming into the server is unsolicited (some protocols like ftp work a bit differently in that there're multiple bidirectional/omnidirection

Re: Blocking only Facebook Apps

2010-01-06 Thread Joe Tyson
Well, if you can filter by some URL pattern, then block apps.facebook.com. All the applications are served from that domain. On Wed, Jan 6, 2010 at 5:38 AM, Xaver Aerni wrote: > Hello, > We have differents company here, they would only block the Apps from > Facebook. Facebook self could be open.

RE: Blocking only Facebook Apps

2010-01-06 Thread Steven.Glogger
hm.. have you tried to analyze how facebook implements those apps and just filters them out by some URL filters or so? -steven > -Original Message- > From: Xaver Aerni [mailto:xae...@pop.ch] > Sent: Wednesday, January 06, 2010 11:38 AM > To: nanog@nanog.org > Subject: Blocking only Facebo

Blocking only Facebook Apps

2010-01-06 Thread Xaver Aerni
Hello, We have different companies here; they would like to block only the Apps from Facebook. Facebook itself could be open. Is there a method to block only the Apps by firewall? If we don't have a method we must block Facebook in different bigger companies... Greetings Xaver Xariffusion Informatik & Tele

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Nathan Eisenberg
> Right - what I'm saying is the fact that there are default passwords at > all is horribly insecure, and that the vendor in question should be > prodded to change this dangerous practice. I don't see how there's a security problem with equipment coming from the factory with factory default passw

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread George Bonser
> -Original Message- > > > having physical access pretty much trumps any other security measure. > > The fact that there's a factory default means that lots of folks won't > change it when they configure the unit with an IP address; they follow > this with failing to implement iACLs, and

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 4:24 PM, George Bonser wrote: > having physical access pretty much trumps any other security measure. The fact that there's a factory default means that lots of folks won't change it when they configure the unit with an IP address; they follow this with failing to implement

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 4:18 PM, Matthew Palmer wrote: > The closest I can come to a solution is to set a random password and flash it > using a front-panel LED using morse. heh No password at all, operator prompted at the console during startup unless/until he sets one. No IP address, et. al.

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread George Bonser
> Right - what I'm saying is the fact that there are default passwords at > all is horribly insecure, and that the vendor in question should be > prodded to change this dangerous practice. How is that a risk in any way? Considering that one must have physical access to reset the unit to factory d

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Matthew Palmer
On Wed, Jan 06, 2010 at 08:26:25AM +, Dobbins, Roland wrote: > > Does anyone know the default passwords for World Wide Packets 427 and 311v > > switches? > > One should think the fact that there are default passwords at all should be a > cause for alarm, in and of itself. As much as they're

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Benjamin BILLON
Did you try to get in touch with Ciena people? I'm sure they will be comprehensive about how you get their products (not being exactly a customer). You could maybe even get an access to products' documentation without providing S/N: https://portal.ciena.com/AccountRequest/index.aspx?mode=MgsZFb

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 3:44 PM, Nathan Eisenberg wrote: > I must not have been very clear. I'm resetting these switches to factory > defaults using the hardware reset button, and attempting to log in using > whatever the factory default passwords are. Right - what I'm saying is the fact that the

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Nathan Eisenberg
After weeks of banging my head on this, I figured it out within an hour of posting it to NANOG. You guys are good luck! For future reference/Google, the factory default password for (at least the LightningEdge 427 - not sure about the 311v yet) these switches is: su/wwp. Obviously, you should

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Nathan Eisenberg
> One should think the fact that there are default passwords at all > should be a cause for alarm, in and of itself. I must not have been very clear. I'm resetting these switches to factory defaults using the hardware reset button, and attempting to log in using whatever the factory default pas

Re: Bonded SDSL

2010-01-06 Thread sthaug
> > It's being done by Actelis, Hatteras, and Zhone. More exactly SHDSL or > > similar variants. The market is being well-served. > ^ > > The highlighted sentence is precisely the difference between what they > are doing and what I am doing. The SHDSL folks seem to live in som

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 3:17 PM, Nathan Eisenberg wrote: > Does anyone know the default passwords for World Wide Packets 427 and 311v > switches? One should think the fact that there are default passwords at all should be a cause for alarm, in and of itself. ---

Re: I don't need no stinking firewall!

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 3:03 PM, William Pitcock wrote: > So, in fact, all incoming packets should > be considered unsolicited until proven otherwise. Concur - it works this way, as well. At one extreme, completely pathological, at the other extreme, perfectly normal - just faux. ;> > It should

Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-06 Thread Nathan Eisenberg
Greetings, LONG VERSION: I have recently inherited the management of an undocumented network (failed FTTH provider) which utilizes World Wide Packets' LightningEdge 427 (16 port GBIC switch) and 311v (24/4 port Ethernet/GBIC switch) switches. We've swapped out a 427 so that we can rebuild it,

Re: I don't need no stinking firewall!

2010-01-06 Thread Dobbins, Roland
On Jan 6, 2010, at 2:47 PM, James Hess wrote: > "Overflowing the state table" then becomes only a possible > outcome that has some acceptable level of probability, assuming > that your other protections have already failed... Wrong. The attacker just programmatically generates semanti

Re: I don't need no stinking firewall!

2010-01-06 Thread William Pitcock
On Wed, 2010-01-06 at 01:47 -0600, James Hess wrote: > On Tue, Jan 5, 2010 at 11:41 PM, Dobbins, Roland wrote: > > On Jan 6, 2010, at 11:52 AM, Jonathan Lassoff wrote: > > DDoS attacks are attacks against capacity and/or state. Start reducing > > DDoS, by its very nature is a type of attack tha