|
|
|
|
|
|
by kube-system
1781 days ago
|
|
|
Best practice for remote management of network devices is over a VPN or a remote access application designed for remote management, and it has been that way for decades. Web UIs on routers are designed for use on trusted networks, are notoriously full of vulnerabilities, and aren't typically hardened for exposure to the open internet. They often do not support any security features beyond a password. No fail2ban, no 2FA, no SSO, etc. Most router manufacturers will warn you against doing this for these exact reasons, even if they don't elaborate on why, and let you do otherwise. The businesses and universities you see in the list are likely: * a result of people hooking up rouge devices * organizations operating without competent IT management * honeypots |
|
|
As opposed to actually solving that problem? I mean, if GMail, Jira, GitHub and GitLab all manage to provide secure web UIs, then what's the excuse of routers?
Why should the manufacturers just offload the technical complexity to the end user, as opposed to supporting something like 2FA through TOTP or an equivalent? Sure, that's not to say that any piece of software doesn't need extensive security testing, but at the very least they should attempt to establish a perimeter of sorts for their web application and use whatever popular auth mechanisms have been widely used in the industry in the last 5 years.
As for the eventual "routers don't receive updates" counterpoint: if my Debian boxes can receive unattended security updates, what makes it so that my router couldn't? If lots of self-hosted software like GitLab is relatively secure, what's to prevent routers from receiving a similar treatment and attention?
Personally, i'm just writing this to bring the odd juxtaposition to light - that things we oftentimes take for granted in regards to typical web apps are somehow not only not often implemented but also are unthinkable for some reason when it comes to devices like routers. I don't believe that this is a good thing and some sort of a convergence should happen sooner or later - GNU/Linux or BSD based router software that all of the vendors could adopt and, ideally, an open source web UI alongside mechanisms to keep it up to date automatically.
Of course, for some odd business reasons, that's unlikely to happen. Looking at the current state of routers, i find it extremely odd that every vendor has their own piece of software that's so different from the others out there, even down to many of the terms that are used to configure the operation modes etc. Yet, when we want to purchase a personal computer, we don't buy one with DellOS or HP-OS or what have you...