Wifi AC
-
Serial is still kind of dead simple OOB/console access. Just because it's "old" doesn't mean it's bad in this case. You can never rely on a network stack being functional for configuration, period. That's how you end up with braindead things like having to reset the firmware completely to work around a simple network setting glitch. If you are worried about serial port access, then fix your physical security.
-
I studied for my CCNA back in 2003, so I have a pretty good idea what RS232 is for. I'm saying that if you're using legacy COM ports then you're using dinosaurs.
Try configuring a Cisco router or switch out of the box. You need to use the serial console to do that, though some models now have a built in USB converter.
That’s exactly what I’m talking about. Older Cisco devices have serial ports, and they did for some time. But eventually with the Catalyst 2900+s and up, they use an RJ-45 type console cable and even fat USB micro or various other “light blue” interfaces these days. That’s what I use to do my startup configs and flash based stuff, which btw, can be mitigated too...
BTW, I first started working with RS-232 back in the early '70s.
Just a word of advisement, if you're using these devices, then you're essentially opening up a can of worms when it comes to security. All it would take to crack your network is to plug in a device that captures your input.
In my work, a serial port is only used when network access is not available, that is when configuring equipment from scratch, though it could also be used if locked out of the network connection due to misconfiguration. It is not used for normal management, in the manner one would use SSH.
BTW, ever use Wireshark to look at network traffic? Unless encrypted protocols are used, it's all plain text. Several years ago, I showed my manager how I could plug into the network and read IDs and passwords (this was on a network that used hubs, not switches).
Yes, I use PKI encryption whenever possible and even harden the permissions with either RADIUS, MAC filter lists, or simply WDS if and when I can use them. I’m still experimenting between things like Ruckus, TP-Link, Zyxel, and others to be able to get these different platforms to be cohesive, but generally speaking, I’ve had a lot of luck getting Cisco and sense to.. make a lot of sense. XD
pfSense even has a captive portal and works like a WAP. That’s hella useful. It’s also one of the things I overlooked at first when using it, but I’d more readily say that pfSense goes even further than a lot of Cisco’s capabilities, especially the older devices... but yes, Wireshark and SolarWinds, they’re definitely useful, but I rarely ever need to unless I’m doing some grey hat type stuff.
-
Serial is still kind of dead simple OOB/console access. Just because it's "old" doesn't mean it's bad in this case. You can never rely on a network stack being functional for configuration, period. That's how you end up with braindead things like having to reset the firmware completely to work around a simple network setting glitch. If you are worried about serial port access, then fix your physical security.
Not saying it’s bad in and of itself, but unless you’ve saved your router configs (like most smart engineers do..), there’s a way to short the pins and get a readout, so if you go to use that port and don’t physically check your cable, then you’re allowing a physical keylogger to watch your entry... then there goes the hierarchy of security you set up. What makes this far more difficult to do on a network with strictly LAN ports is the MAC-based filtering. Even if you use a certificate over db9 you’re still basically able to pretty easily recreate those entries.
Any network admin or engineer worth his salt should be able to make sure they will never need to use it and then straight up disable any com ports they have, that’s just my dead honest opinion.
-
they use an RJ-45 type console cable and even fat USB micro or various other “light blue” interfaces these days.
And those are all variations of serial. The USB especially is just an easy way to hit a hosted USB/Serial bridge.
As for the other points, again, if you are worried about that then your physical security is shit. If someone got to that point they could do far worse than sniff keystrokes.
-
@jimp of course they could. Physical security isn’t just a matter of locking a premises, it’s about closing ports that don’t need to be used. The point of it is, sometimes security also means protection from the people that have physical access. You could be working with someone who has malicious intentions, you never know if they’re gonna try to pretend they’re you later on ’cause they logged your creds and saved that information for later... OR... let’s say you do a job for a client and when you’re 99% done, the client has someone else finish the job and refuses to pay you what you’re owed... trust me, I’ve had that happen before and it has made me pretty unwilling to provide any access whatsoever until the bills are paid.
-
On one hand you are worried about security, on the other you post stuff like this:
The whole point is that I should be able to integrate as many services into one device as I see fit that don’t require virtualization, more equipment, other software packages, or another monetary investment.
I see a way to have the sense box run Apache or a web server for other sites, not just the config panel, since it has the software libraries for it and happens to be deadly in security... using that in combination with VPN tunnels and everything else, I see no reason why it couldn’t be a hell of a lot more than it already is.
-
And if you have physical access you could still remove power, cut cables, etc. A physical serial port is the least of your worries and makes administration much easier.
If you are worried about that kind of access then lock the cage, lock the room, lock the floor, lock the building, guard the campus, etc.
You've picked a weird hill to die on, but if you want to keep going off on that tangent, feel free. I'm out.
-
they use an RJ-45 type console cable
That's still RS-232, but with a different connector. You can get adapters that convert from that to DB-25 or DE-9 connectors. Cisco provides console cables that are RJ-45 on one end and DE-9 on the other.
I expect the gear with a USB connector has a built in USB-serial port converter.
-
@grimson heh. Not saying I wanted to do all of that on the same box. Just wanted the option.
-
@jimp well I guess it’s a matter of opinion. Always learning things from what people say, can’t say it’s a loss hearing how other engineers do their work.
Wanted to use AC and was curious why it can’t easily be implemented, but after all this time thinking about it, I have to concur that it’s prolly not worth the effort if N band is available.
Idk, I tend to learn a lot more practical uses for things when I have some very specific requirements, and not that anyone was really wrong with their responses, I just think having examples of what I’m doing with the equipment would help.
I do a bit of physical security as well as surveillance, intrusion detection, monitoring, and alarms, so having a box somewhere that I could use a WiFi connection with my phone, without really hooking up some fancy adapter, would make life a lot easier. Sometimes when I do a job I give up the keys to the locks, and all I have if I go onsite for a follow up is remote access.
Wasn’t trying to contradict myself, just trying to support the brand and thought it was worthy of investigation/inquisition.
-
@jknott yes, those USB->RJ45 cables do COM port emulation, so you’re absolutely right now that I think of it... I use PuTTY quite a bit and I didn’t make the correlation. I wasn’t aware that it was emulating old school RS-232, since I’ve always associated it with db9 or like token ring?
-
since I’ve always associated it with db9
That's DE-9. People often make that mistake. In one job I had years ago, I'd often order connectors by the 1000s. If I ordered DB-9, the order would be sent back unfilled. With those connectors, the first letter refers to the connector series, the second to the shell size, and the number refers to the number of pins.
https://en.wikipedia.org/wiki/D-subminiature
-
Hey, that's good to know n def pretty cool. Much appreciated.
-
That's DE-9. People often make that mistake.
Woops, now it's getting interesting again!
I didn't even know of the D-sub naming convention and until today referred to those 9-pin serial connectors (wrongly) as DB-9. This happens more often than one might think. The audio industry pretty much always uses 3-pin "XLR" connectors for symmetrical analog audio today. Fun part is that Cannon named them XLR with the trailing "R" for a rubber version. But no one knows that, and if I told a colleague to use the XL connector he would think I'm completely nuts now.
https://en.wikipedia.org/wiki/XLR_connector#History_and_manufacturers