We talk often about the security issues of a traditional copper-based network, but one vulnerability stands out, and it places every LAN at risk: the console port. This interface exists on nearly every managed switch and router so that the device can be configured directly.
Switches and routers were originally designed with little thought for the security of the console port. Over time, efforts have been made to secure the port through various password mechanisms, but it is impossible to eliminate all of the vulnerabilities of a port designed for direct configuration of the device. The only way to eliminate the vulnerability is to eliminate the console port, but that is impractical because the devices require it for basic turn-up.
How big is the risk, and what is the impact? It is bigger than you think. It drives up design and installation costs because you have to physically secure each device, every single one. You should also be tracking physical access to each device for auditing purposes in case a breach occurs. Think you have all of that covered? Are you sure?
I was in Florida recently staying at a new, popular brand hotel. The buttons on the elevator were a little confusing, and an accidental press of the wrong button caused the wrong elevator doors to open, revealing a network room doubling as a storage closet.
I had inadvertent access to the room – big problem. The hotel staff also had access to the room for storage – another big problem! Both are bad situations because of the console port problem. How do you think this facility would fare in a cybersecurity audit? I would guess higher cybersecurity insurance rates are in their future.
The issue is that console ports can open up huge vulnerabilities, and they are all over your network, unless you have Optical LAN. Why? Because Optical LAN was designed from the start to be centrally managed: the distributed devices have no console port and no local configuration capability. Physical access to the device is not a risk. Their configuration is not stored locally and comes only from our centralized Panarama PON Manager. Check out our Security Overview for details.
I’ll cover next week how this same room could be safely and securely used as a network and storage closet with no network vulnerability risk at all.