Remote access saga
2011-07-21
03:47 AM
When Netgear support need telnet access to a device inside a private network, they should be able to inform the customer of which IP address they will be connecting from. It's not a big demand: I'm telling you my IP address, you should be able to tell me yours. The reason that this information is needed is so that when I poke a hole in my firewall, I can do it specifically for your IP, rather than opening it up so that anybody could connect. This is especially important when the device is running a factory default password.
Malicious people can and do scan around for open ports, and try some well known default usernames/passwords on them. If you think I'm being paranoid, I'm not -- my firewall logs show malicious attempts to connect to port 23 (amongst others) on a regular basis.
I can't seem to get the Netgear support rep I'm dealing with to understand this -- he insists that their IP address is somehow unknowable and that I must open the port without restricting by IP. It's one thing for Netgear to suggest an insecure practice. It's quite another for them to outright demand it. I understand that an L2 rep probably doesn't know offhand what IP an L3 rep is going to connect from. But would it be so hard to pick up the phone and ask?
I expect I'm going to get a response telling me that this is standard procedure -- what I'm suggesting is that it's a *bad* procedure and it should be changed.
Message 1 of 2
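The difference between a port opened for one source address and a port opened to anybody can be checked mechanically. The following is an added example, not part of the original post: it assumes the firewall rules are available in `iptables-save` format with numeric ports, and the function names, rule set and addresses are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample in iptables-save format (documentation-range addresses).
SAMPLE_RULES = """\
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -s 203.0.113.17/32 -p tcp -m tcp --dport 23 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 192.168.1.50/32 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,23 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 20:25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
"""

def covers_port(spec, port):
    """True if a numeric port spec such as '23', '20:25' or '22,23' includes port."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        low = int(lo) if lo else 0
        high = int(hi) if hi else (65535 if sep else low)
        if low <= port <= high:
            return True
    return False

def source_is_any(tokens):
    """True if the rule has no -s match, a /0 source, or a negated source."""
    for flag in ("-s", "--source"):
        if flag in tokens:
            i = tokens.index(flag)
            if i > 0 and tokens[i - 1] == "!":
                return True  # "everyone except X" is still open to nearly anybody
            return ipaddress.ip_network(tokens[i + 1], strict=False).prefixlen == 0
    return True

def open_port_rules(rules_text, port=23):
    """Return ACCEPT rules that explicitly name tcp/<port> without pinning the source."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "-A":
            continue
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        spec = opts.get("--dport") or opts.get("--dports")
        if (opts.get("-j") == "ACCEPT" and opts.get("-p") == "tcp"
                and spec and covers_port(spec, port) and source_is_any(tok)):
            findings.append(line)
    return findings

if __name__ == "__main__":
    print("\n".join(open_port_rules(SAMPLE_RULES)))
```

Only rules that explicitly match the port are examined; a blanket ACCEPT rule with no port match would need a separate check.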
2011-07-21
04:06 AM
Re: Remote access saga
Given how corporate networks are set up, and engineers being in different parts of the world, it may actually be extremely difficult for Netgear support to give you the specific IP address they will use. The L2 engineer probably doesn't know who will pick up the case, so suggesting they call and find out the info you request hits an immediate hurdle.
As you are already willing to trust an unknown Netgear employee to access your NAS, as a compromise, perhaps you could limit access to the Netgear.com domain? That should contain the source IP.
Message 2 of 2