Federal U.S. government agencies have been ordered to take offline all management interfaces of routers, switches, firewalls, VPN’s, load balancers and proxies that can be accessed from the Internet. The order comes from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). That states that attackers are increasingly managing to compromise organizations via misconfigured network devices.
In recent months, a variety of vulnerabilities have been found in network devices that can be exploited through the management interface, for example. It also happens that the devices are misconfigured or otherwise poorly secured.
“The risk is further increased if management interfaces can be accessed directly from the public Internet. Most management interfaces are designed to be accessed from separate physical interfaces or management networks and should not be accessible from the public Internet,” CISA said.
CISA has the ability to require federal government agencies to take certain actions through a “Binding Operational Directive.” The latest Binding Operational Directive, numbered “23-02,” aims to eliminate the risks of “Internet exposed management interfaces.” These include management interfaces for routers, switches, firewalls, vpn servers, proxies, load balancers and out of band server management interfaces, such as iLo and iDRAC.
As examples, CISA lists interfaces accessible via http, https, ftp, snmp, telnet, tftp, rdp, rlogin, rsh, ssh, smb and vnc. In the event CISA or other agency notifies a government agency about such interfaces, they are given 14 days to take the interface offline so that it can only be accessed through an internal enterprise network, with CISA recommending the use of a separate management network.
The U.S. government agency says it will scan federal government agencies for accessible interfaces. Further, agencies themselves must make all their existing and new interfaces accessible only from the internal network and secure the interface as part of a Zero Trust Architecture.
About the author: Matthew Johnson
Matthew Johnson, a small tech business owner retired and found his passion in journalism.
