TP-Link Easy Smart Switch security question
-
For just a couple dollars more you can get a D-Link DGS-1100-08 that has a management VLAN setting and doesn't do all this VLAN 1 nonsense.
Not sure what the fascination with these TP-Link things is. They are garbage.
-
At least for me the fascination was the price. Also, before asking around in a forum like this they appear to be a great buy based on amazon reviews.
But I agree, better off getting something a little better.
-
I got one of these to play with since see a lot of threads about them.. You can not remove vlan 1 that is for damn sure, and there also seems to be a cosmetic issue with it reporting rxbadpkts on interface that tagged vlan traffic hits… But seems to just be cosmetic.
I have not had a chance to test the security if vlan 1 traffic is broadcasted out a port if you change the pvid to some other vlan. But pretty sure you can get to the management IP from any switch port.. When I get some play time do some testing. But for a home switch, that does vlans the price is attractive.
-
But pretty sure you can get to the management IP from any switch port.
How big of a security concern is this really? If the webgui is HTTP/S and you have a strong password on it then what is the security risk?
My setup is home use only so for me I'm not at all concerned about anyone on my network even caring to look for a switch or router on the network, I was just curious how much of an actual security vulnerability this would be on a larger network?
-
I have very little patience (read zero) for any flakiness in my layer 2 gear.
-
But pretty sure you can get to the management IP from any switch port.
If the webgui is HTTP/S
It's not, and I don't see any way to change it. I get it, these switches are basically the same price as a typical unmanaged switch. They're cheap and offer VLANs. That's about all I can say.
Right now all my ports are either trunk ports (two between switches, one to my AP, one to my ESXi box) or access ports on a single VLAN (not VLAN1) which uses a subnet that also happens to contain the management IP address. My other two VLANs / subnets are either wireless only or contained entirely in ESXi / pfSense. In other words, I don't have any wired devices on an access port in a VLAN / subnet that doesn't also contain the management IP.
As expected, my guest wireless network cannot access the management IP of the switch. It can access certain services on that subnet, but only because I explicitly allow that access in pfSense. In that regard, the switches behave exactly as I'd expect.
I suppose I should put a port into the VLAN for the guest network and test that way with a wired connection, but for my setup that test would be academic.
Next time I buy a switch for home use, I'll choose something different. If anyone can show me a 16 port fanless 1Gbps fully managed switch (with a proper CLI) I'd be ecstatic. For now, I'm not freaking out about it.
-
But pretty sure you can get to the management IP from any switch port.
How big of a security concern is this really? If the webgui is HTTP/S and you have a strong password on it then what is the security risk?
My setup is home use only so for me I'm not at all concerned about anyone on my network even caring to look for a switch or router on the network, I was just curious how much of an actual security vulnerability this would be on a larger network?
It's not, and I don't see any way to change it. I get it, these switches are basically the same price as a typical unmanaged switch. They're cheap and offer VLANs. That's about all I can say.
I just meant in general is it a security concern if you can force HTTP/S and put a good password on it.
I replaced my TP-Link with a Zyxel GS1900 and it allows you to force HTTP/S WebGUI. -
I just meant in general is it a security concern if you can force HTTP/S and put a good password on it.
I replaced my TP-Link with a Zyxel GS1900 and it allows you to force HTTP/S WebGUI.Yeah, got it. Sorry, my response was not entirely directed at you or the https question.
-
If anyone can show me a 16 port fanless 1Gbps fully managed switch (with a proper CLI) I'd be ecstatic.
It's 16 port, gigabit and fanless. But not quite fully managed, you might be interested though.
-
I have two of those and a DGS-1210-10P.
I have never seen them lose the config.
You do have to explicitly save it so maybe those donkeys weren't doing that.
-
Depend of VLAN configuration & PVID settings if TL-SG108E switch IP is allocated on different subnet than normal clients (vlan);
using a browser, web management interface can't be accessed by clients;
however it can be accessed with Easy Smart Configuration Utility program that allow you also to change the switch IP… for home use is almost ok but not for Office / Enterprise use.A page for Linux users about TL-SG108E:
https://shred.zone/cilla/page/383/setting-up-tp-link-tl-sg108e-with-linux.html -
@http://us.dlink.com/products/business-solutions/dgs-1100-08p/:
The DGS-1100-08P, 10MP, -24P and -26MP comply with the 802.3af/at PoE+ standards, supporting up to 30W on each PoE port, not to exceed the switches specific power budget.
@http://us.dlink.com/products/business-solutions/dgs-1100-08p/#tab-spec:
Power Budget 64W
-
UK market products might be different.
-
@ecfx:
Depend of VLAN configuration & PVID settings if TL-SG108E switch IP is allocated on different subnet than normal clients (vlan);
using a browser, web management interface can't be accessed by clients;
however it can be accessed with Easy Smart Configuration Utility program that allow you also to change the switch IP..FWIW there are 2 versions of the TL-SG108E. Both can be managed by the config utility but only V2 has a browser config interface. Source: I have one of each.
-
Please do not go off-topic as this thread is about security concerns of TP-Link switch series.
-
I tried to use my TP-Link "Easy Smart Switch" in a different deployment and the VLAN1/MGMT issue bothered me again so I submitted some security feedback to them via their "Submit Security Feedback" forum. I outlined the issue the best I could and even linked directly to this forum.
I sure hope they respond, because according to TP-Link:
At TP-Link, customer security comes first. That’s why we work diligently to ensure that our products include the highest level of security features, with firmware and hardware that protect customers and their devices from the very latest threats.
If anyone has some free time to submit similar security feedback, it might help the cause: http://www.tp-link.com/us/security
-
All these "Easy Smart Switch" models have this "feature". I think this is intentionally like this, for very basic home users. To be "easy" to use the GUI…
You have to buy products from their series called "Smart Switches" or "Managed Switches", not the "Easy Smart Switches" series."Smart Switches" and "Managed Switches" don't exhibit these problems. I just deployed a network consisting of about 60 such switches in various sizes, all interconnected with optics and offering 2 dozens of VLANs, no unwanted traffic passing between them. On top of this, 2 CARP-enabled pfSense boxes do all the inter-VLAN traffic.
-
I email their support and technical few times, gave them a link to this thread and never got a response, you get what you pay for I guess.
-
If anyone has some free time to submit similar security feedback, it might help the cause: http://www.tp-link.com/us/security
Ironically, that page isn't available over HTTPS, so the entire form contents are in the clear.
-
It is there via https - just BAD
The certificate is only valid for the following names: *.akamaized.net, *.akamaihd-staging.net, *.akamaized-staging.net, *.akamaihd.net, a248.e.akamai.net
Agree yet another example of not really getting it ;)
