
Security Breach with RVS4000/WRVS4400N

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by HODROD69, Jul 27, 2007.

  1. HODROD69

    HODROD69 LI Guru Member

    Hello everyone,

    Maybe I'll get a better response on this web site rather than on the Linksys site!

    I have tested with some Linksys techs and chatted with them. I was trying to configure two Linksys models, the WRVS4400N or the RVS4000.

    Equipment I am using: RVS4000 router, wireless routers and a mini local hub.

    Here is the situation:

    I want to know how I can configure these products for this type of situation. I have tried but do not get what I want.

    1. Isolate the local Network from the Wireless Routers by using the VLAN concept.

    VLAN 1 = Management local network and access to the internet. IP = 172.112.12.1

    During our conference, it seems that VLAN 1 is the router's default and it uses this VLAN to communicate with the WAN port. You can probably use this VLAN for router management.

    I have created two other VLANs to separate or isolate them.

    VLAN 2 = Local user domain with internet access. IP = 192.168.20.1
    VLAN 3 = Wireless network, only to the internet. IP = 192.168.120.1

    2. I only want to be able to manage my Linksys RVS4000 on VLAN 1 but not VLAN 2 and VLAN 3. By the concept of VLANs you need to do this for security reasons. (You don't want anybody trying to hack your router's management web page.)

    The problem with these Linksys products is that you can access the management console web page and try to log on from any VLAN you created. That's a big problem!

    Linksys needs to send out a new patch or find a solution to this problem.
    ******************************************************

    Do you think that a strong router login password (24 or more random characters including capital letters, small letters, and digits) would give you adequate security? Or do you think that that would still be a problem?

    ******************************************************
    A management console is something very important. Even if you put a strong password like the one you say, it will take that person a long time to decrypt. And you are right about that. However, what do you need to decrypt? That is the question you should ask yourself.

    1. The management console describes the model and type of router you are using. (Remember, the internet is a humongous dictionary.) Think of this like the option of enabling the console management from the WAN port with a port number you desire.

    In addition, the more I think of this:

    1. Why did they put this option?
    2. Why do they put the option for the Wireless routers enable or disable Wireless name broadcast?

    If you can prevent that person from having information about the equipment you are using, that's even better!


    2. Linksys can fix the problem by enabling or disabling the view of the console management from other VLANs. It just needs a little bit of work, like the patches they send.

    I think this is an important thing that Linksys needs to fix. As they say about this model, "it's built to grow with your business."



    What do you think!!!!!!
     
  2. ifican

    ifican Network Guru Member

    I have to say you want what Cisco offers on many other devices. Now that Cisco is going to take over the Linksys brand we might start to see these types of changes, though I would anticipate firmware functionality will be first and foremost on their plate.

    Linksys devices work as well in most cases as any other SOHO device. Let me pose this question. In your case, so what if someone logs into your router interface; what do you think they can really accomplish? Do you think it will be lucrative enough for them to spend the time to break 10^24 on a web GUI interface, not even a command line? It will take far too long; a waste of time and resources.
     
  3. HODROD69

    HODROD69 LI Guru Member

    It's your information that counts!

    Well, do not think that I do not like Linksys products; I have been working with these products for a long time. Why do you think Cisco bought the company?

    If you want to promote a professional product there are certain aspects that need to be followed. Like you say, Cisco wants these changes to take effect, and why do they want them to take effect? They certainly faced this problem before.

    By logging in to your router, I am sorry to say this, but there is a lot they can do to your business productivity. Lost money and time!

    Did you ask yourself the questions I wrote down?

    1. The management console describes the model and type of router you are using. (Remember, the internet is a humongous dictionary.) Think of this like the option of enabling the console management from the WAN port with a port number you desire. Why did they put this option?

    2. Why do they put the option on the wireless routers to enable or disable wireless name broadcast?

    3. Build yourself an automatic script that tries to log in to your "WebGui" interface about 300,000 times. What do you think will happen?

    4. If you can prevent that person from having information about the equipment you are using, then that person does not know what to do or does not have a clue. The person that knows what you have, well, then you know how it is!

    If this type of router were for home use, I would not be here talking about this. However, for business use, that's another story.

    As they say, "it's built to grow with your business."

    All I want is for Linksys to be the best for their product, and if I can help them improve and be pro-active. I might think this is nonsense now, but ask yourself the questions I wrote down.

    Tell me, how can we tell Linksys to fix this problem?

    Thanks for your reply; this could be constructive information about the product you are using in your environment.
     
  4. t4thfavor

    t4thfavor Network Guru Member

    Did you try making an iptables rule to drop that traffic from the VLANs you want to deny access from? I know it's not an easy solution, but it will get you where you want to be.
    Oh wait, I just re-read the post and it seems you are not using systems that can provide telnet access. Sorry.

    Isn't there an ACL that can provide or deny access by subnet/IP address? I think I remember seeing something like that.
     
  5. HennieM

    HennieM Network Guru Member

    Surely there must be an ACL where you can just block port 80 (or whatever) by subnet, or perhaps allow certain hosts only to access that port?
     
  6. ifican

    ifican Network Guru Member

    Iptables is not an option on the RVS series. And true, business productivity is important, but maybe it's just because of what I know or what I do, but I would never put my business behind anything that is not enterprise-class equipment. Heck, I don't put my home behind anything that is not enterprise class.
     
  7. HODROD69

    HODROD69 LI Guru Member

    I did not see this ACL option. Where did you see it?

    Blocking port 80 is not a good solution unless you don't want to use the internet on that LAN. Did you read this whole thread? If not, here is the situation written down:
    ********************************************************
    1. Isolate the local network from the wireless routers by using the VLAN concept.
    During our conference, it seems that VLAN 1 is the router's default and it uses this VLAN to communicate with the WAN port. You can probably use this VLAN for router management.

    I have created two other VLANs to separate or isolate them.
    VLAN 1 = Management local network and access to the internet. IP = 172.112.12.1

    VLAN 2 = Local user domain with internet access. IP = 192.168.20.1
    VLAN 3 = Wireless network, only to the internet. IP = 192.168.120.1

    2. I only want to be able to manage my Linksys RVS4000 on VLAN 1 but not VLAN 2 and VLAN 3. By the concept of VLANs you need to do this for security reasons. (You don't want anybody trying to hack your router's management web page.)

    The problem with these Linksys products is that you can access the management console web page and try to log on from any VLAN you created. That's a big problem!
    ********************************************************
    Thanks
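
Added example (not from any of the posts in this thread, and not Linksys code): a small policy model of the situation laid out above, assuming /24 masks on the three VLANs (the post gives only the router's address on each), HTTP/HTTPS as the web-GUI ports, and the intended policy of management from VLAN 1 only, internet from every VLAN, and no inter-VLAN traffic. It shows the distinction the ACL discussion turns on: the rule has to match traffic addressed to the router's own addresses (all three of them, since the router answers on each VLAN) and filter on the source VLAN, rather than block port 80 in general, which would also cut off the web. The `iptables_rules()` helper renders the same policy for a Linux router with assumed interface names (vlan1, vlan2, vlan3, wan) only to show the shape of the rules; as noted in the thread, the RVS series exposes no iptables.

```python
"""Policy model for the three-VLAN layout described in the thread.

Added example; not code from the thread or from Linksys firmware.
Assumptions: /24 masks on each VLAN, tcp/80 and tcp/443 as the management
ports, and the policy: management only from VLAN 1, internet from every
VLAN, no inter-VLAN traffic.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

VLANS: dict[int, IPv4Network] = {
    1: ip_network("172.112.12.0/24"),   # management + local network (router 172.112.12.1)
    2: ip_network("192.168.20.0/24"),   # local user domain (router 192.168.20.1)
    3: ip_network("192.168.120.0/24"),  # wireless, internet only (router 192.168.120.1)
}
# The router answers on its address in every VLAN, so a rule that only
# protects 172.112.12.1 leaves 192.168.20.1 and 192.168.120.1 exposed.
ROUTER_ADDRS: set[IPv4Address] = {
    ip_address("172.112.12.1"), ip_address("192.168.20.1"), ip_address("192.168.120.1")
}
MGMT_VLAN = 1
MGMT_PORTS = {80, 443}      # assumed web-GUI ports
INTERNET = "internet"       # marker for a WAN-bound destination


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str            # dotted IPv4 address, or INTERNET
    dport: int
    proto: str = "tcp"


def vlan_of(addr: str) -> int | None:
    """VLAN whose subnet contains addr, or None (WAN side / spoofed)."""
    a = ip_address(addr)
    return next((vid for vid, net in VLANS.items() if a in net), None)


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow under the intended policy."""
    src_vlan = vlan_of(flow.src)
    if src_vlan is None:
        # Not from any local VLAN: remote management stays off.
        return "deny", "source not in any local VLAN"

    # 1. Traffic to the router itself. The management ports are open only to
    #    the management VLAN, whichever router address was targeted. Other
    #    router services (DHCP, DNS) stay reachable from their own VLAN.
    if flow.dst != INTERNET and ip_address(flow.dst) in ROUTER_ADDRS:
        if flow.dport in MGMT_PORTS:
            if src_vlan == MGMT_VLAN:
                return "allow", "management from the management VLAN"
            return "deny", f"management attempt from VLAN {src_vlan}"
        return "allow", f"router service port {flow.dport} from VLAN {src_vlan}"

    # 2. Internet-bound traffic from any VLAN is allowed. Port 80 to the web is
    #    untouched by rule 1, which matched only the router's own addresses.
    if flow.dst == INTERNET:
        return "allow", f"VLAN {src_vlan} to the internet"

    # 3. Host-to-host. Same-VLAN traffic never crosses the router; traffic
    #    between VLANs is exactly what the isolation is meant to stop.
    dst_vlan = vlan_of(flow.dst)
    if dst_vlan == src_vlan:
        return "allow", "same VLAN, switched locally"
    return "deny", f"inter-VLAN VLAN {src_vlan} -> VLAN {dst_vlan}"


def iptables_rules() -> list[str]:
    """Same policy as INPUT/FORWARD rules for a Linux-based router.
    Illustration only (the RVS series has no iptables); interface names
    vlan1/vlan2/vlan3 and wan are assumed."""
    rules = ["iptables -P INPUT DROP", "iptables -P FORWARD DROP",
             "iptables -A INPUT -i lo -j ACCEPT",
             "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for port in sorted(MGMT_PORTS):   # web GUI: management VLAN ingress only
        rules.append(f"iptables -A INPUT -i vlan{MGMT_VLAN} -p tcp --dport {port} -j ACCEPT")
    for vid in VLANS:
        rules.append(f"iptables -A INPUT -i vlan{vid} -p udp --dport 67 -j ACCEPT")  # DHCP
        rules.append(f"iptables -A INPUT -i vlan{vid} -p udp --dport 53 -j ACCEPT")  # DNS
        rules.append(f"iptables -A FORWARD -i vlan{vid} -o wan -j ACCEPT")
    # No FORWARD rule between vlanN interfaces: the DROP policy isolates them.
    return rules


if __name__ == "__main__":
    for f in [Flow("172.112.12.50", "172.112.12.1", 443),
              Flow("192.168.20.50", "192.168.20.1", 80),
              Flow("192.168.20.50", "172.112.12.1", 80),
              Flow("192.168.120.50", INTERNET, 80),
              Flow("192.168.120.50", "192.168.20.50", 445)]:
        print(f, *evaluate(f))
    print("\n".join(iptables_rules()))
```

Run it directly to see verdicts for a few constructed flows and the rendered rule set. The case worth keeping in mind is the third flow: a VLAN 2 host aiming at the router's VLAN 1 address still gets denied, because the verdict depends on where the packet came from, not on which of the router's addresses it was sent to.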
     
  8. t4thfavor

    t4thfavor Network Guru Member

    Guess enterprise price class is not always an option for everyone. And even though much can be had for little on eBay, sometimes used doesn't cut it.


    I don't own an RVS series router, but I would think there was a place to block management access by IP, or at least by subnet, but heh, maybe that's something they reserve for enterprise-class stuff only.
     
  9. HODROD69

    HODROD69 LI Guru Member

    You're right, ifican, on that. That's why I want Linksys to fix their bug or security on their equipment. If not, they should not write down this phrase. As they say, "it's built to grow with your business."

    And that's why I'm asking how we can tell Linksys to fix this problem?

    Thanks ifican, I think you get the point!
     
  10. t4thfavor

    t4thfavor Network Guru Member

    Submit a feature request with their online support page. They will ignore it, but that's because the EULA says it's only valid until the company is out of business, which won't be very long. But heh, maybe you will get lucky.
     
  11. Sfor

    Sfor Network Guru Member

    Other routers (such as the WRV200) do have the same problem. But I do believe it was meant that way. The simplest solution would be to secure the important part of the LAN with another router instead of VLANs.
     
  12. HODROD69

    HODROD69 LI Guru Member

    Then why buy the Linksys router?
    Then why specify bad information on the product?

    What if more than one person sends this request for this problem? Would it be better?

    If only one sends this request, maybe no one will listen, like you say.

    Do you think this could have an impact?
    Is anyone on this forum willing to send a request to fix this problem, or don't you care?
     
  13. ifican

    ifican Network Guru Member

    It's not that anyone doesn't care; it's a matter that no one here has the ability to get anything done. Granted, some have influence and have sent emails with bugs, but this board is not run by Linksys and has nothing directly to do with Linksys. The fact of the matter is there isn't anything wrong; it might not be what you want, but nothing is wrong.
     
  14. Toxic

    Toxic Administrator Staff Member

    If you buy a business-class Linksys router from a Linksys VAR (not every retailer is a Linksys VAR) you then get extra support (i.e. level 2 support). If you have not bought your Linksys product from a VAR, then you will need to contact Linksys yourself via phone, email, online or post and ask the customer support agent to forward your concerns to the powers that be. This is the only way I know to get your concerns raised to a higher level. When you do so, please do it in a non-aggressive manner, explaining exactly your problem and how to replicate the issue.


    Technical Support is available 24 hours a day, 7 days a week.

    Phone: (800) 326-7114

    Unresolved/Escalated Cases: Please click here.
     
  15. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Wow. I didn't even know that you could put each of the VLANs into different subnets on these boxes. That's a very neat feature.

    The VLAN feature on the WRV200, for example, just allows you to separate combinations of wired ports and wireless ports (SSIDs actually) independently into different VLANs to keep them from talking to one another while simultaneously being able to connect to the Internet.

    Your device, on the other hand, is more sophisticated. I don't see the fact that IP hosts on these VLANs that you created are able to access the device's web interface as being a big deal. I would even suggest that while VLAN 1 is the default "management" VLAN in most layer 2 switches, "management" is a figure of speech anyway, and I wouldn't get my knickers in a knot just because these non-management VLANs can also access the GUI.

    Besides, the fact that the device, by default, does inter-VLAN routing is kinda cool. You know this is true because the WAN interface will be in a different VLAN than the other SSIDs and wired ports and for there to be any communication between the built-in switch/WAP and the WAN interface, the underlying (Linux?) router firmware has to move packets inter-VLAN.

    Fundamentally this is a router and not a switch. It doesn't do any trunking, for example (AFAIK) and the VLANs are therefore locally significant only. They are largely a figment of the router/switch's imagination.

    I'm not being sarcastic when I ask, "What do you expect of a device at this price point?"

    If, on the other hand, you had bought a layer 2 switch and found that people could talk to VLAN 1 from any other VLAN without the benefit of a router, then Houston, we've got a problem!

    Bottom line:
    ==========
    (1) a router routes;
    (2) routers-on-a-stick route between VLANs;
    (3) switches switch and don't route.
    You bought item number (2) so don't be surprised that it do what it do dawg.

    Capiche?
     
  16. Sfor

    Sfor Network Guru Member

    There is something I do not understand in this case. VLANs should work on a lower level than the router. So the router should not be needed to route the traffic between VLANs. In other words, VLAN interconnections should work at the Ethernet level with any protocol, not just the TCP/IP stack.
     
  17. DocLarge

    DocLarge Super Moderator Staff Member Member

    (Said Eric Stewart): "Do what it do, dawg?"

    "Good Lawd, y'all," Eric Stewart has gone "Krunk" on us!! *RoFL and LMAo....*

    (Doc laughs hysterically in the background because this has made his day...)

    *Sniff* Wooooooooooooo, I needed that... :) :)

    Jay
     
  18. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    [Sfor, At the risk of offending you here's the low down. I'm only going into detail because there might be others listening in on this conversation that are a bit fuzzy on how this works...]

    A VLAN is a virtual broadcast domain. You take a 16-port switch and put 4 ports in each of 4 VLANs and you have 4 virtual 4-port switches. How do you get them talking to each other? You don't, at least not at layer 2; that defeats the purpose of VLANs. Each of these 4-port VLANs (virtual switches) is an island. If you want traffic to go between the islands (i.e. inter-VLAN) you need a layer 3 device.

    Historically, the original purpose of a router was to separate (i.e. segment) a network into different broadcast domains (another name for a LAN, actually). Broadcasts, multicasts and unknown unicast traffic are free to ping-pong around in their own broadcast domain without sucking bandwidth and creating congestion in other parts of the network. The router uses logical addressing at layer 3 to give these different broadcast domains a name. A "network" from a router's perspective is just a "name for a wire". Routers route between networks (or subnetworks). A router is needed to connect these different VLANs together, exerting control over layer 2 inter-VLAN traffic based on its layer 3 picture of the network. The router's routing table *is* this layer 3 picture. It is the only device that will allow traffic between VLANs. We often think of routers as devices that connect networks over vast geographical distances, so it's a bit odd to think about them in the context of their original, more mundane role of bandwidth cop between LANs.

    There are some exceptions to this rule of routers being needed to allow inter-VLAN traffic. Some smart switches will allow some traffic inter-VLAN, but this is usually when the VLANs are so-called "private VLANs", i.e. on the same IP subnet. If they are on the same IP subnet (or AppleTalk cable range or IPX network...) there is no need for a router to move the traffic between the VLANs. Private VLANs are often described as wiring closet VLANs because they are most often used to segregate devices on the same subnet from one another on the same switch.

    /Eric
     
  19. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    You laughing at me?
     
  20. Sfor

    Sfor Network Guru Member

    Oops! I made a mistake, indeed. The VLANs are separated and there is no possibility of connecting them at the Ethernet level. Only a routable protocol like TCP/IP can do it.

    My mind got a bit mixed up, I guess.

    I took a wrong turn, but do the RVS4000 series routers allow keeping VLANs in different IP addressing spaces?

    The VLANs in a WRV200 router have a common DHCP server and Internet gateway, and there is no way to exclude them from any VLAN. So keeping VLANs in different IP subnets makes no sense at all. Is the VLAN functionality of the RVS4000/WRVS4400 more sophisticated than in the WRV200? Is it possible to disconnect a VLAN from the gateway in any of those routers? Because the WRV200 cannot do it, for sure.
     
  21. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Apparently it can put the VLANs in different subnets. I'm going to download and check out the manual. Sounds pretty sophisticated doesn't it?

    /Eric
     
  22. vpnuser

    vpnuser LI Guru Member

    "15. DHCP Server (in the Setup->LAN page) supports multiple subnets, once multiple VLANs are created."
    This is the only description of the support for multiple subnets I can find; it is in the release notes of firmware 1.1.09.
     
  23. Sfor

    Sfor Network Guru Member

    I've checked the prices on the local market. The WRVS4400N-EU is about 3 times more expensive than the WRV200; the RVS4000-EU only about 2 times.

    Returning to the topic. The VLAN management ability seems to be impressive, indeed. It is advertised as a "security router". According to its firewall abilities it is a much more advanced device than the WRV200 as well. But its security functions seem to be targeted towards the WAN/LAN traffic. I found nothing about VLANs (except for the fact that they are supported) in the marketing data. I would never expect the device to have advanced security functions directed towards VLAN operations. The ability to keep VLANs in different subnets is quite a nice and unexpected bonus already. But the possibility to set which device functions are available to which VLAN is something I would never expect in such a device.
     
  24. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    I got an email from a Linksys engineer who is closely involved with Linksysinfo.org. He indicated that the RVS4000 supports IEEE 802.1Q trunking. How it supports it and how it's set up I don't know, since I don't have one. Could someone illuminate us? DocLarge? Toxic?

    /Eric
     
  25. deathscythebjorn

    deathscythebjorn Network Guru Member

    Eric,

    I think there is an option in the UI to set the port to Trunk. Just make sure that all VLANs you want to pass through the VLAN trunk are tagged.
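
Added example (not from any post in this thread, and not RVS4000/WRVS4400N firmware code): a parser for the IEEE 802.1Q tag that trunking relies on, a `build_frame()` inverse so test frames can be constructed inline, and an `ingress_vlan()` check that models what a trunk port or an access port does with a received frame. The port settings and VLAN numbers are assumptions that mirror the VLAN 1/2/3 layout from the first post. It makes the advice above concrete: on a trunk an untagged frame falls into the native VLAN, and a frame tagged with a VLAN the trunk is not configured to carry is dropped. The parser also peels a stacked 802.1ad outer tag, which goes beyond the single-tag case the thread discusses.

```python
"""802.1Q frame parser plus trunk/access ingress check.

Added example, not code from the thread or from Linksys firmware. The
frames used with it are constructed inline; the Port settings are
assumptions mirroring the VLAN 1/2/3 layout from the first post.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100    # customer VLAN tag
TPID_8021AD = 0x88A8   # service tag (outer tag in QinQ)
TPIDS = {TPID_8021Q, TPID_8021AD}


@dataclass
class Frame:
    dst: str
    src: str
    tags: list[tuple[int, int, int]] = field(default_factory=list)  # (vid, pcp, dei), outermost first
    ethertype: int = 0
    payload: bytes = b""

    @property
    def vlan_id(self) -> int | None:
        """Outermost VID, or None for an untagged frame."""
        return self.tags[0][0] if self.tags else None


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Walk the Ethernet header, peeling every 802.1Q/802.1ad tag in turn."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    frame = Frame(_mac(raw[0:6]), _mac(raw[6:12]))
    off = 12
    (ethertype,) = struct.unpack_from("!H", raw, off)
    off += 2
    while ethertype in TPIDS:
        if len(raw) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", raw, off)
        off += 4
        # TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)
        frame.tags.append((tci & 0x0FFF, tci >> 13, (tci >> 12) & 1))
    frame.ethertype = ethertype
    frame.payload = raw[off:]
    return frame


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id: int | None = None, pcp: int = 0) -> bytes:
    """Inverse of parse_frame for untagged or single-tagged frames."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
        hdr += struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vlan_id, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


@dataclass(frozen=True)
class Port:
    mode: str                                # "access" or "trunk"
    pvid: int                                # access VLAN, or the trunk's native (untagged) VLAN
    allowed: frozenset[int] = frozenset()    # VIDs the trunk carries


def ingress_vlan(frame: Frame, port: Port) -> int | None:
    """VLAN the switch assigns to a received frame, or None if it is dropped.

    This is the check behind "tag every VLAN that must cross the trunk": an
    untagged (or priority-tagged, VID 0) frame lands in the native VLAN, and
    a tag for a VLAN the trunk does not carry is discarded.
    """
    vid = frame.vlan_id
    if port.mode == "access":
        # Modelled strictly: an access port takes untagged frames only.
        return port.pvid if vid is None else None
    if vid is None or vid == 0:
        return port.pvid
    return vid if vid in port.allowed else None


if __name__ == "__main__":
    trunk = Port("trunk", pvid=1, allowed=frozenset({1, 2, 3}))
    raw = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800, bytes(20), vlan_id=3, pcp=5)
    fr = parse_frame(raw)
    print(fr.tags, hex(fr.ethertype), "->", ingress_vlan(fr, trunk))
```

The `vlan_id == 0` branch is the one practitioners forget: a priority-tagged frame carries a tag header but no VLAN membership, so it is treated like an untagged frame.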
     
  27. Toxic

    Toxic Administrator Staff Member

    Sorry Eric, I can't, since I don't have one either; however, have a look here:

    http://www.linksysdata.com/ui/WRVS4400N/1.00.12/switch_vlan.htm
     
  28. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Very neat! Note that there are settings that allow you to enable RSTP (Rapid Spanning Tree Protocol) as well as RADIUS authentication on a per port and (probably) per VLAN basis. I wonder if it works?

    /Eric
     
  29. DocLarge

    DocLarge Super Moderator Staff Member Member

    I couldn't say at the moment because I'm trying to find out if it's possible to trunk the wrvs4400n with an actual cisco switch that supports vlans...

    jay
     
  30. ccbadd

    ccbadd Network Guru Member

    Just FYI, but the RVL200 has multiple subnets with multiple DHCP scopes and the trunk line feature also. This is true with the 1.1.X beta firmware; not sure about the 1.0.X series.
     
  31. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Can't do that yet (read the email from the Linksys dude). The RVS4000 supports it right now but not the WRVS4400N.

    /Eric
     
