The Latest in IT Security

The Matryoshka Router

05
Oct
2011

I had an unpleasant surprise when I connected a new Cisco 887W router I had just configured to the Internet via its ADSL interface.

As it was the first time I worked with a 887, I did an nmap scan of its ADSL interface to check that I had closed all ports. Surprise: ports 2002, 4002, 6002 and 9002 were open. Even bigger surprise: I could logon via telnet to these ports with the default password, although I had changed it.

I’m omitting the details of how I figured out what went wrong, so here is the explanation.

The 887W has a wireless interface. But in this particular router, the wireless interface is not integrated in IOS (that’s Cisco’s IOS, not Apple’s iOS) like in other wireless routers like the 877W. In the 887W, the wireless interface is a service module with its own IOS and configuration. Both devices communicate with each other via a Gigabit interface.

The router IOS can be accesses via the serial console. The wireless IOS not (at least not directly).

To list the installed service modules, you issue the service-module ? command on the router CLI:

  wlan-ap  Service module interface to embedded AP

To access the wireless CLI, you issue the command service-module wlan-ap0 session command on the router CLI, and you get a telnet session on the wireless CLI. After I configured and hardened the wireless IOS, the ports were still open. The service-module wlan-ap0 status command displays the following information:

Service Module is Cisco wlan-ap0Service Module supports session via TTY line 2Service Module is in Steady stateService Module reset on error is disabledService Module heartbeat-reset is enabledGetting status from the Service Module, please wait..  Image path       = flash:/ap801-k9w7-mx.124-21a.JA1/ap801-k9w7-mx.124-21a.JA1  System uptime    = 1 day, 6 hours, 0 minutes, 51 seconds

Notice that the session is accessible via the router’s TTY line 2. After I put an ACL on this tty (with the router CLI) to deny all traffic not originating from the internal network, all 4 ports were closed on the ADSL interface.

Another detail good to now: when you are connected to tty2, all ports are closed (because you can have only one session on tty2).

Leave a reply


Categories

FRIDAY, MARCH 29, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments