398 Views · 5 Helpful · 2 Replies

is it a security risk to plug internet router management port into the LAN?

tbitner01 (Level 1)

I have to install an ASR1001 on the internet for my company. I noticed the ASR1001 has a dedicated management port and I was wondering if it's a security risk to have this management port directly connected to my LAN, so I can manage it from my desk.

I only want to manage the ASR from this port and I won't be doing any management through its public IP address. Is it possible for an attacker to compromise the router and then have access to the network through this management port?

Accepted Solution

WILLIAM STEGMAN (Level 4)

I would say it's a manageable risk. If you intend to not allow any management sessions to come from the public side you're off to a good start implementing protection from attacks. Combine that with some basic hardening, e.g. disable source routing, directed broadcast, ip proxy arp, finger, along with an acl on the management interface so that any traffic sourced from an untrusted interface on the router would not be able to receive return traffic. Also, the management vlan should be a dedicated vlan. I wouldn't drop it in the same vlan your desktop sits in. Best design would be to drop it in a dmz (acl on the router management interface would be redundant in this case) and apply rules on the firewall. However, if that's not possible, control access in routing on the ASR as well by only including a /32 route to your management station via the management vlan interface. Also, remove any redistribution or advertising of that management interface in your routing protocol.
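The following IOS-XE configuration sketch is an added example of what the hardening steps in the accepted answer look like on an ASR1001; it is not taken from the thread, from the poster, or from Cisco documentation. It assumes the dedicated management port is GigabitEthernet0 in its default Mgmt-intf VRF, and all addresses are constructed placeholders (management port 10.99.0.2/24 on the management VLAN, management station 10.99.1.10, management VLAN gateway 10.99.0.1).

```cisco
! Added example, not the poster's configuration. Addresses are constructed placeholders.
!
! Global hardening items named in the answer
no ip source-route
no ip finger
ip ssh version 2
!
! Inbound: only the management station may reach the management port, and only over SSH.
ip access-list extended MGMT-IN
 permit tcp host 10.99.1.10 host 10.99.0.2 eq 22
 permit icmp host 10.99.1.10 host 10.99.0.2 echo
 deny   ip any any log
!
! Outbound: only replies to the management station may leave this port, so a session
! that entered the router on a public interface cannot receive return traffic here.
ip access-list extended MGMT-OUT
 permit tcp host 10.99.0.2 eq 22 host 10.99.1.10 established
 permit icmp host 10.99.0.2 host 10.99.1.10 echo-reply
 deny   ip any any log
!
interface GigabitEthernet0
 description Out-of-band management port, dedicated management VLAN only
 vrf forwarding Mgmt-intf
 ip address 10.99.0.2 255.255.255.0
 no ip proxy-arp
 no ip directed-broadcast
 ip access-group MGMT-IN in
 ip access-group MGMT-OUT out
 no shutdown
!
! Routing: a single /32 to the management station, inside the management VRF.
! Because the port lives in Mgmt-intf rather than the global table, its subnet
! is never redistributed or advertised by the routing protocol on the public side.
ip route vrf Mgmt-intf 10.99.1.10 255.255.255.255 10.99.0.1
!
! VTY: accept management sessions only from the management station, SSH only.
! vrf-also is needed because the sessions arrive inside the Mgmt-intf VRF.
ip access-list standard VTY-ACCESS
 permit 10.99.1.10
 deny   any log
line vty 0 4
 access-class VTY-ACCESS in vrf-also
 transport input ssh
```

The two ACLs implement the answer's "only a /32 to the management station" idea at the packet level as well as in routing, and the `deny ... log` entries give a detection point: any hit on them from the management side means something other than the management station is probing the port. As the answer notes, if the management port is placed in a DMZ behind a firewall, the interface ACLs become redundant and the same rules belong on the firewall instead.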


2 Replies

Great, thanks for the ideas!