When talking to IT and Security professionals, everyone seems to know they shouldn’t overly expose management portals. And yet, every year we learn some new statistic showing tens of thousands of devices or software products with management portals exposed on the Internet. In hopes of changing this trend, this article talks about why management portals sometimes get exposed and what you can do to prevent it.
The NORAD Example
Let’s say you oversee the U.S. Government’s North American Aerospace Defense Command (NORAD), which is basically the agency that helps defend the country against nuclear attacks (among other things). Would you put the door to its central administrative network command center off a public street in the middle of Times Square, even if the door had a decent lock?
I hope your answer is “no freaking way!” That’s certainly not what the real leaders of NORAD did. They buried one of their command centers 2,000 feet under Cheyenne Mountain, with many gates and checkpoints that have military-grade authentication before you even get to that command center’s 25-ton blast doors. It is colloquially known as the most secure facility in the world. When you protect a critical system’s central administrative control, it’s generally obvious that you shouldn’t just expose it to the public.
I know that this is an overly extreme example. Most of us probably don’t need to go to the same security extremes that a critical and high-risk organization like NORAD needs. That said, I think most IT administrators, let alone security professionals, realize any “management” or “admin” portal is a high-value and high-risk target that shouldn’t be easy for everyone to access. However, despite this seemingly obvious best practice, we still see many administrators, perhaps unknowingly, overly expose management portals, often to all of the Internet.
It is important to know that malicious actors can see whether management ports are open. This port information is readily accessible for all types of devices on the Internet, and malicious actors are routinely scanning the Internet in search of open ports.
In fact, publicly exposed management interfaces have been at least in part responsible for several breaches and threats of the past. The recent Kaseya VSA mass ransomware attack that affected some managed service providers (MSPs) last year is the most obvious example. While the root cause was unpatched vulnerabilities in the Kaseya VSA software, these vulnerabilities were only exposed via the management interface. If Kaseya customers had limited access to that management interface, attackers could not have exploited these flaws. Popular QNAP network-attached storage (NAS) devices suffered the same fate, again via management portals exposed online. Even the recent Cyclops Blink botnet, which affected a variety of network devices, including Fireboxes, could have been easily avoided by not exposing the Firebox management interfaces to the Internet. These are just a few examples of many.
Now, on to some recommendations for preventing over-exposed management ports.
Admin portals everywhere
Nowadays, every dang thing seems to have a management portal. As a result, I think this extreme ubiquity has created a “fatigue” related blind spot to all these management portals for some people. Back in the day, a product’s management connection was often proprietary and limited. Management might require special serial connections, console cables, or special software. Over the past decade, however, web-based management has made embedding an administrative management portal into anything as simple as running an open-source web server. You might automatically assume your routers, switches, and firewalls have an embedded web management portal, but do you pay as much attention to your smart TVs, projectors, phone systems, printers, CCTV cameras, NAS devices, uninterruptible power supplies (UPS), and much more? Shoot, even that cheap dog feeder and web cam you have at home probably has a web portal waiting for anyone with access to log in.
Those are just hardware examples too. Many software products install and start their own management portals as well, whether running as services on some port or at a specialized URL. In short, these web portals are so omnipresent that some administrators may just forget they are there. While most smart vendors will at least try to only expose these portals locally, in some limited fashion, many are far too exposed.
So step one to solving this problem is knowing which of your products expose a management interface on a network, learning how those portals expose themselves (what ports or URLs they run on), and limiting access to those interfaces by not exposing those ports or URLs outside your organization.
Some Defaults are still silly
The second issue is that bad defaults still exist, especially in newer Internet of Things (IoT) and operational technology (OT) products. We’ve all heard the stories about wide-open management portals that use publicly known default credentials. For a period of time, IT security researchers seemed to have lessened this issue by helping mature software and hardware vendors realize the risk of insecure defaults, which eventually resulted in more traditional software and IT devices shipping with more secure default settings. Unfortunately, many newer IoT companies are also new to computing in general and didn’t grow up in tech as security was evolving over the past 20 years. Now many of these companies are making the same old mistakes that we thought we had worked past decades ago.
In short, make sure you check the default management settings and credentials for any new product’s management portal, because you never know when you might stumble upon one with some insecure defaults.
Remote management the new normal
It should go without saying: the new normal is remote, hybrid work, and that includes remote management for IT professionals to administer hardware and software. This makes remote management an absolute requirement, not just a nice-to-have feature. The good news is that you can remotely manage gear securely, without exposing management interfaces directly to the Internet. With virtual private networking (VPN) or zero trust network access (ZTNA) solutions, you can set up secured, private network access to management interfaces, as needed. Add multi-factor authentication to that remote access connection and you have a very strong way to allow only trusted users to gain access to the management portals inside your network. Even if you don’t go to this level of security (you should), making sure to only expose remote management interfaces to a very limited access control list (ACL) of IP addresses is way more secure than just opening them to the Internet.
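To make the two recommendations above concrete (keep an inventory of which devices expose a management port, and only allow an admin allowlist to reach those ports), here is an added audit script. It is example code written for this article, not code from the original page or from any vendor. The inventory, the allowlist networks (an assumed VPN/ZTNA client pool and one jump host), the firewall rules and the log lines are all constructed sample data, and the key=value log format is an assumed generic one. It flags two things: firewall rules that open a management port to a source broader than the allowlist (the classic 0.0.0.0/0), and accepted connections in the logs that reached a management port from outside the allowlist.

```python
"""Audit management-interface exposure against an admin allowlist.

Added example; not code from the original article or any vendor.
All inventory, allowlist, rule and log data below is constructed.
"""
import ipaddress
import re

# Constructed allowlist: the only sources that should ever reach a
# management port (VPN/ZTNA client pool plus one jump host).
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("10.200.0.0/24"),  # assumed VPN/ZTNA client pool
    ipaddress.ip_network("192.0.2.10/32"),  # assumed NOC jump host (TEST-NET-1)
]

# Constructed inventory: device name -> ports its management portal listens on.
MANAGEMENT_PORTS = {
    "edge-firewall": {443, 22},
    "nas-01": {8443},
    "printer-lobby": {80},
}

# Assumed generic firewall log format: "... src=A dst=B dport=N dev=NAME action=..."
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+) dev=(?P<dev>\S+)")


def is_allowed_source(src_ip: str) -> bool:
    """True if the source address falls inside the admin allowlist."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)


def find_exposures(log_lines):
    """Return (src, device, port) for accepted connections to a management
    port that came from outside the allowlist. Other traffic is ignored."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or "action=accept" not in line:
            continue
        dev, dport = m["dev"], int(m["dport"])
        if dport not in MANAGEMENT_PORTS.get(dev, set()):
            continue  # not a management port on this device
        if not is_allowed_source(m["src"]):
            hits.append((m["src"], dev, dport))
    return hits


def audit_rules(rules):
    """Return indexes of allow rules that open a management port to a source
    network not fully contained in the allowlist (e.g. 0.0.0.0/0)."""
    bad = []
    for i, rule in enumerate(rules):
        if rule["dport"] not in MANAGEMENT_PORTS.get(rule["dev"], set()):
            continue
        src = ipaddress.ip_network(rule["src"])
        # subnet_of() raises on mixed IP versions, so guard on version first.
        covered = any(src.version == net.version and src.subnet_of(net)
                      for net in ADMIN_ALLOWLIST)
        if not covered:
            bad.append(i)
    return bad


# Constructed firewall rules (allow rules only); indexes 1 and 3 are the bad ones.
SAMPLE_RULES = [
    {"src": "10.200.0.0/24", "dev": "edge-firewall", "dport": 443},  # VPN pool only: fine
    {"src": "0.0.0.0/0", "dev": "nas-01", "dport": 8443},            # whole Internet: bad
    {"src": "0.0.0.0/0", "dev": "nas-01", "dport": 445},             # not a mgmt port: skipped here
    {"src": "192.0.2.0/24", "dev": "printer-lobby", "dport": 80},    # broader than the /32: bad
]

# Constructed log lines using documentation (RFC 5737) addresses.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z src=10.200.0.15 dst=10.0.0.1 dport=443 dev=edge-firewall action=accept",
    "2024-03-01T10:00:05Z src=198.51.100.77 dst=10.0.0.1 dport=443 dev=edge-firewall action=accept",
    "2024-03-01T10:00:09Z src=203.0.113.4 dst=10.0.0.20 dport=8443 dev=nas-01 action=accept",
    "2024-03-01T10:00:12Z src=203.0.113.4 dst=10.0.0.20 dport=445 dev=nas-01 action=accept",
    "2024-03-01T10:01:00Z src=192.0.2.10 dst=10.0.0.30 dport=80 dev=printer-lobby action=accept",
]

if __name__ == "__main__":
    for idx in audit_rules(SAMPLE_RULES):
        r = SAMPLE_RULES[idx]
        print(f"rule {idx}: {r['dev']}:{r['dport']} open to {r['src']} (outside allowlist)")
    for src, dev, port in find_exposures(SAMPLE_LOGS):
        print(f"log: {src} reached management port {dev}:{port} from outside allowlist")
```

The rule audit is the preventive half (run it against an export of your policy before anything goes live); the log check is the detective half, and any hit from it means a management port is reachable from somewhere the ACL should never have admitted. Feeding it your own inventory is the "step one" work from earlier in the article, and the allowlist is simply the VPN/ZTNA pool plus whatever fixed admin addresses you intend to keep.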
So, what’s the problem? Why doesn’t everyone do it?
Time is the Enemy
IT and security pros are pulled in a million directions, and it can seem easier to save time by skipping the work required to properly manage ports. Finding all your management portals and the ports they use, learning how they work, and then setting up secured VPN/ZTNA remote access to safely reach these management ports requires some effort. It’s much easier just to open a port and allow anyone to access it. This thinking exposes your company to significant risk. While it does require some effort to plan limited, secure access to management interfaces, it’s not that hard, and there are many standardized solutions to help. We just need to take the time to implement them.
If it helps, just remember that dealing with a company breach caused by over-exposed management ports will take a hundred times the effort of setting up secure remote access in the first place.
This isn’t new
If you’ve been in IT or infosec for any period, none of this is new to you. I’m preaching to the choir… and yet, we still find these management exposures all over the place. Whether you follow my management portal advice, the UK NCSC’s, Stanford’s [PDF], or anyone else’s, spend some time this year auditing all your administrative management portals, and make sure you are not exposing them to any users or networks you don’t want managing your infrastructure. Sure, the management interface may have some of its own locks on its door, but hackers have been known to pick them. Finally, if you want to learn more about remotely managing a Firebox securely, see this KnowledgeBase post.