Or, hear me out, maybe we don’t expose network management interfaces to untrusted networks? Sure, shit can still get breached by very deep intrusions, but at least you don’t show up on shodan!?
This is the way. It baffles me how often I have to have ‘the talk’ with IT people. Don’t be lazy, create a secure tunnel into the LAN!
I’ve discovered interfaces left behind on lan vlans - and they’re all set up with separate mgmt network, so why make one on LAN for some quick test and leave it behind. With web, cli and api open….
At least have a source IP access list only allowing trusted IP ranges. Ideally it would only be reached from an internal IP range or bastion host, but not all companies have a security hat to wear.
but not all companies have a security hat to wear.
This is the barest of minimalistic security. It’s a router. You don’t allow external admin access to the router. Period. End of story.
I dont disagree with you if a company has a competent employee configuring them.
It shouldn’t even be allowed by the router software.
