
At home I have a connection to my provider via glass fiber that provides two VLANs: IPTV and Internet.

The structure of the network is exactly as shown in the following image, except for the phone connection, which I don't have. The router I use (the one with antennas in the image) is based on OpenWRT and kept updated.

[image: network diagram]

As the switch in front of the glass fiber I use a Netgear GS108Ev2, which has no web interface, only access through the Netgear ProSafe utility with a simple password.

I set a password and I gave the router a static IP address in the local network, but I'm not aware of any setting that can restrict access to the configuration to a specific VLAN, therefore I guess it would be possible to brute force the password from the Internet and then change the IP settings of the router, to allow configuration via the Internet side.

What are the risks I'm exposed to? Is there something malicious an attacker could do besides scrambling the settings and causing headaches/loss of service until I restore everything? I consider this alternative of no interest for attackers, especially since it requires brute forcing a password (assuming no other vulnerabilities in the router).

I think there are no workarounds, but please mention them, if they are simple (otherwise I'll open a new question). I also have a Netgear GS105E v2, in case it helps.

FarO
    I would configure your switch’s management IP address to use RFC1918 (IPv4) and link-local (IPv6) space. That way it cannot be accessed from the internet. Label the switch and make sure to have a port on the management vlan (also labeled). You may already be safe because your switch is probably managed on vlan 1 which is not trunked to your ISP. – Darrell Root Jan 12 '20 at 17:38
  • The switch can be managed on any VLAN but I'm not sure that the Netgear utility uses packets that the provider would route through – FarO Jan 12 '20 at 19:34

1 Answer


Your setup doesn't look unusual to me from a security perspective. At the end of the day something has to be outward facing if you are connected to the Internet, right?

To your question of further hardening techniques, most small office/home routers and switches I've encountered have an option in the administrative settings to force only local management of the device, meaning you have to be plugged into the LAN to authenticate and change anything. All other login attempts from outside IPs would be bounced. Perhaps your setup has something similar.

I would also look at ways to layer your defenses. For example, configuring additional, physically separate, routers behind it to filter the traffic going to each leg of your network. Perhaps your network has some of this already, but it seems to me like most everything was coming from one box rather than being broken out. The idea is adding layers of both logical and physical complexity for an attacker to overcome before getting to anything really sensitive, giving you some time to detect and mitigate the issue.

Besides that, generate some hard passwords and rotate them out periodically.

warybyte
  • Exactly, my switch GS108Ev2 does not allow any restriction to a specific VLAN or port for the configuration. I would need a GS108T for that, which can better restrict access to the configuration, and I was wondering what the implications of the lack of said feature are. Can it be exploited? – FarO Dec 18 '18 at 14:09
  • Well, anything can be exploited generally speaking. I would check and see if you can access the login of your switch using your public IP. If you can, I'd maybe be more nervous about a bruteforce attack. If you can't, then odds are it's only open to internal connections. – warybyte Dec 18 '18 at 15:55
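The check suggested above, as an added example that is not from either poster: a read-only probe of the Netgear Switch Discovery Protocol (NSDP) that the ProSafe utility talks to the GS108E, telling you whether the switch's management plane answers from the network position the probe is run from. The UDP ports and header/TLV layout follow community documentation of the protocol and are assumptions to verify against a capture of your own utility; the management address and MAC passed to `probe` are placeholders.

```python
import socket
import struct

NSDP_DEVICE_PORT = 63322   # switch listens here (assumed from community docs)
NSDP_CLIENT_PORT = 63321   # switch sends its replies to this port
TLV_TAGS = {0x0001: "model", 0x0003: "name", 0x0004: "mac", 0x0006: "ip"}

def build_query(client_mac: bytes, seq: int, tags=tuple(TLV_TAGS)) -> bytes:
    """Read-only query: 32-byte header, one empty TLV per requested field, end marker."""
    header = struct.pack(">BBHI", 1, 1, 0, 0)             # version 1, op 1 = read request
    header += client_mac + b"\x00" * 6                     # our MAC; device MAC left blank
    header += struct.pack(">HH", 0, seq) + b"NSDP" + b"\x00" * 4
    body = b"".join(struct.pack(">HH", tag, 0) for tag in tags)
    return header + body + struct.pack(">HH", 0xFFFF, 0)

def parse_response(data: bytes) -> dict:
    """Decode the TLVs of a read response (op 2) into readable fields."""
    if len(data) < 32 or data[24:28] != b"NSDP" or data[1] != 2:
        raise ValueError("not an NSDP read response")
    fields, pos = {}, 32
    while pos + 4 <= len(data):
        tag, length = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        if tag == 0xFFFF:                                  # end marker
            break
        value, pos = data[pos:pos + length], pos + length
        name = TLV_TAGS.get(tag, f"tag_{tag:04x}")
        if tag == 0x0004:
            fields[name] = value.hex(":")
        elif tag == 0x0006:
            fields[name] = socket.inet_ntoa(value)
        else:
            fields[name] = value.decode("ascii", "replace")
    return fields

def probe(target_ip: str, client_mac: bytes, timeout: float = 2.0):
    """Send one query from this host; a dict means the management plane answered here."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", NSDP_CLIENT_PORT))
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(client_mac, seq=1), (target_ip, NSDP_DEVICE_PORT))
        data, _ = sock.recvfrom(2048)
        return parse_response(data)
    except socket.timeout:
        return None                                        # no answer from this position
    finally:
        sock.close()
```

Run `probe("192.168.0.239", bytes.fromhex("020000000001"))` (placeholder address and MAC) from a host on the segment you are worried about; a returned dict means the configuration interface is reachable there, `None` means it is not.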