Firewall rules for MGMT ip

#1

I would like to have firewall rules so I can put an ACL on my management interface to only allow access from specific subnets or IPs to the MGMT IP. When the next zero-day comes out, I’d prefer these things to drop any MGMT traffic than have another bot net on my hands.

Thanks.

0 Likes

#2

Good idea.

In the meantime…

Why not just firewall at the router/at your internet edge? You could also just make a management VLAN and keep everything separated that way…

1 Like

#3

Ever heard of defense in depth? It only takes one device to get infected with the next bot net. There need to be ACLs to prevent this. I should only be allowing a specific MGMT host access to these systems. Not having ACLs is crazy. I guess these should be deployed on the back end using MGMT VLANs and private nets then. The hard part is how to do OSPF over that?

0 Likes

#4

Yes.

“It only takes one device to get infected…” That is why you should follow good password policy and have strong, unique passwords for devices in your network. While I know it’s hard to implement (we have been working on it for the last year), there are ways of going about it that can make it easier. I would recommend a password vault; LastPass gives you the ability to share passwords in your business so then you have access control. Personally, I use KeePass and we have the file shared between us techs.

“Management Host ACL…” The feature has been discussed in the forums and asked for. No one from Mimosa has said anything about a timeline for implementation. If it is a big worry for you because of your network layout, I would look at changing your management control system (VLANs) or setting up internal firewalls to implement ACLs outside of the radios.

“How to do OSPF over that” https://community.cisco.com/t5/routing/ospf-and-vlans/m-p/2508084/highlight/true#M237883 VLANs are completely separate from OSPF, most every router that can do both will have a way to do it.

0 Likes

#5

I do computer security for a living. I’ve seen some of the worst coding jobs for embedded devices. Buffer overflows because the programmer wanted to save some lines of code, and not check the buffer bounds before copying a string. Passwords are not how someone is going to create a bot net out of this hardware. Shitty code is. Someone will find a way to bypass the web interface controls (or whatever interface is put out there), and compromise the hardware. It is not an if, it is when. However, if you have ACLs on the outside of the device for the MGMT interface, your risk of that happening goes WAY down, to almost zero. Putting ACLs on the outside of your egress is only one of the defense in depth steps people need to take. It only takes one bad actor inside the egress to ruin your day, and take over these systems due to code flaws.

0 Likes

#6

And I am just suggesting solutions to the problem you have raised.

I am not against ACLs, I think they would be a nice feature. But ACLs are not a be-all, end-all either; bugs can happen anywhere.

Also, most of the recent wireless radio viruses used default, simple or discovered passwords to spread, as well as piggybacking old bugs that had already been discovered and patched months/years before.

I am not saying Mimosa is completely secure, just that there are ways to use the already available tools to achieve similar results.

It is quite doable to VLAN each of your devices back to a firewall/router and only allow your management IP to access them. No intercommunication between devices if you use separate VLANs. Then as long as your management IP is secure there isn’t much that can happen.

That or surround your radios with firewalls so they can only talk to your management IPs.

Mimosa has been set back a while on new features by the AirSpan reshuffling, if you want to secure your stuff I would recommend solving the issue with tools available and good network security.

0 Likes
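The "VLAN the radios back to a firewall/router and only allow your management IP to reach them" approach from the post above, written out as an nftables ruleset for that router. This is an added example, not code from the thread or from Mimosa; the interface layout and all addresses (10.10.0.0/24 admin subnet, 10.10.1.5 jump host, 192.0.2.0/24 radio MGMT IPs) are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Constructed example: edge router/firewall that routes between the
# management VLAN and the VLAN holding the radios' MGMT IPs.
# Assumed addressing (placeholders, not from the thread):
#   10.10.0.0/24  - NOC/admin subnet on the management VLAN
#   10.10.1.5     - a single jump host that is also allowed
#   192.0.2.0/24  - management IPs of the radios (their own VLAN)
add table inet radio_mgmt_acl
flush table inet radio_mgmt_acl

table inet radio_mgmt_acl {
    # Hosts permitted to open connections to a radio MGMT IP.
    set mgmt_hosts {
        type ipv4_addr
        flags interval
        elements = { 10.10.0.0/24, 10.10.1.5 }
    }

    # The radios' management addresses; the ACL protects only these,
    # so routing-protocol traffic on the transit links is untouched.
    set radio_mgmt_ips {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Return traffic for sessions the management hosts opened.
        ct state established,related accept

        # Only allow-listed hosts may start a session to a radio MGMT IP.
        ip daddr @radio_mgmt_ips ip saddr @mgmt_hosts ct state new accept

        # Everything else aimed at a radio MGMT IP (including another
        # radio, or any compromised host elsewhere) is counted, logged
        # and dropped, so the log shows who is probing the radios.
        ip daddr @radio_mgmt_ips counter log prefix "RADIO-MGMT-DROP " drop
    }
}
```

Load it with `nft -f` on the router and check `nft list table inet radio_mgmt_acl` to see the drop counter climb when a non-management host tries to reach a radio.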

#7

I just double checked, and the A5 line has ACLs already implemented, so it is possible that the B line will get them as well. May come sooner than I would have thought…

1 Like