North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: password stores?

  • From: Sean Donelan
  • Date: Tue Jul 23 13:49:53 2002


On Tue, 23 Jul 2002, Daniska Tomas wrote:
> i'm wondering how large isps offering managed cpe services manage their
> password databases.

Slovakia, that's an interesting one for NANOG.

Key management is still a hard problem.  It would be nice if the NSA
published how they do it, but I suspect they don't have a cost-effective
way either. Vendors/providers are all over the board.  For the most part,
if you are concerned about security you should view it as any other vendor
default password.

On the other hand, people sometimes latch onto small vulnerabilities. If
the only way the password can be used is at the local console, it may be
considered only a slightly increased security risk.  If someone has
physical access to your console, you're usually toast anyway.  You might
configure things so the local password only works when the network
authentication is not available.  This reduces the window of opportunity.
Its still a risk.  But it may be an acceptable risk, such the fire
department requiring a master key kept in a lockbox outside the front door
of a office building.

The broadband forums have started talking about this.  But the solution
they came up with isn't that great, disable local access.  I suspect
eventually we'll see PK smartcard addressible CPE, much like
satellite/cable set-top boxes, and customers will no longer be able to
(easily) access the  box.