Home The Dangers of Open Web Management UIs

The Dangers of Open Web Management UIs

When you buy an enterprise product, you almost assume nowadays that its management interface is going to be via a Web browser to a built-in Web server on the device. This trend began almost as soon as the graphical Web was available in the mid-1990s, and today almost no one writes their own front-end management software. Well, that is both a blessing and a curse, as the folks from the InfoSec Institute have recently reminded me in their post here this week.

“Under no circumstances should these [Web interfaces] be open to the world and the Internet,” writes the author of the post, using a pseudonym. He goes on to cite a few egregious examples. The issue here is that someone can enter your network without upsetting any of your perimeter defenses, and this someone can use common search tools to find open interfaces using Google and shodanhq.com, a search engine specifically designed to locate web-connected devices. A quick search for open WatchGuard firewalls brings up more than 4,000 of them, for example.

Here is an example of a Cisco router that is open to the Net:

In the referenced blog post, the author shows numerous other examples of ways that hackers can access these open interfaces. Now, you’ll still need to figure out an admin user name and password, but in many instances people just use the default values, making these devices even more insecure.

So what can you do to beef up your Web UI security? Here are several suggestions:

  • Disable any optional Web UI if not required. Use SSH if available. Better yet, require that all management happen from a specific PC that is kept in a secure location.
  • Restrict access to the Web UI by IP address range or to specific admin IP addresses.
  • Restrict access to the Web UI by VPN and keep the device accessible only by private IP on the LAN side of its ports.
  • Use a good password. At the very least, use a 26 or longer character passphrase or password for critical network devices. Change it regularly.
  • Disable telnet on any Cisco devices, even if the device is only accessed internally.
  • Enable brute force prevention or rate limiting. Every layer of security helps.

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

Get the biggest tech headlines of the day delivered to your inbox

    By signing up, you agree to our Terms and Privacy Policy. Unsubscribe anytime.

    Tech News

    Explore the latest in tech with our Tech News. We cut through the noise for concise, relevant updates, keeping you informed about the rapidly evolving tech landscape with curated content that separates signal from noise.

    In-Depth Tech Stories

    Explore tech impact in In-Depth Stories. Narrative data journalism offers comprehensive analyses, revealing stories behind data. Understand industry trends for a deeper perspective on tech's intricate relationships with society.

    Expert Reviews

    Empower decisions with Expert Reviews, merging industry expertise and insightful analysis. Delve into tech intricacies, get the best deals, and stay ahead with our trustworthy guide to navigating the ever-changing tech market.