
Network security of the Gateway


archived:
I was reviewing some PHP code of the 'pluto-admin' interface which is enabled on the gateway for external access.

I would like to know how secure the code is. Has anyone performed an audit on it, or was it written with security in mind?

I am reluctant to have the gateway facing the external network without knowing anything about its security model.  I was not able to find any info in the documentation regarding this issue.

Can anyone shed some light on this grey area or point me in the right direction?

archived:
The web interface is supposed to be used externally only for debugging, and by default there won't be open ports susceptible to an attack.
We are still under development; at this point there are some known issues already reported in Mantis, but feel free to file Mantis reports if you consider it necessary.

archived:
After reviewing some of the previous posts on security concerns, it seems that there are a number of ports open to the outside. However, my concern was with the actual PHP code of 'pluto-admin'.

If people want to remotely control everything from, say sitting at the office, one would need to use this web interface (correct me if I'm wrong).

If that's the case then the documentation regarding code security is missing. If one were to find a security bug then I don't think it should be posted in the bug tracker, since that would allow people to exploit it.

archived:
Hi Dave

I think that if you want to control your home when sitting in the office you may want to use a remote orbiter, not the pluto admin web interface.

Orbiters use TCP port 3456 (if I remember well), but they exchange data with the core/hybrid in "clear mode", i.e. not encrypted.

In this case I use SSH tunnelling, and from my laptop I can connect safely to my house from wherever I am.

You may also want to use the WebOrbiter, that uses port 8080 (if I remember well). Here there is the same issue related to security, that can be solved exactly in the same way with SSH tunnels.

So the idea is (whichever may be the open ports on your core) to close all your sensitive ports on your router, and open only SSH.
This of course prevents you from connecting to your house via a mobile phone when you are away (via the WAP protocol), but it is up to you to decide what is "safe" and what is not.

HTH
Regards
Marco
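As an added example (not code from this thread or from the Pluto project), the following shell script does two things Marco describes: it builds the SSH tunnel that carries the orbiter (3456) and WebOrbiter (8080) traffic inside an encrypted session, and it audits a router's iptables rules to report which of those sensitive ports are still accepted from the WAN, beside a hardened ruleset that admits only SSH. The port numbers follow the post (which gives them from memory); the pluto-admin port of 80, the WAN interface name eth0 and the sample rule dump are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Pluto/LinuxMCE project or from the post's
# author.  Assumptions: sshd on the core listens on TCP 22, orbiters on 3456,
# WebOrbiter on 8080, and the pluto-admin web interface on 80 (the thread does
# not state that port; 80 is assumed here).  "eth0" as the WAN interface and
# the iptables-save dump below are constructed for illustration.

SENSITIVE_PORTS="3456 8080 80"

# Print the ssh command that carries the orbiter and WebOrbiter traffic inside
# an SSH session.  -N opens no remote shell; each -L binds a local port and
# forwards it to the same port on the core's loopback, so the unencrypted
# protocol only ever crosses the network inside the tunnel.
tunnel_cmd() {
    core="$1"
    printf 'ssh -N -L 3456:127.0.0.1:3456 -L 8080:127.0.0.1:8080 %s\n' "$core"
}

# Emit an iptables-save style ruleset for the router's INPUT chain that drops
# everything arriving on the WAN interface except established connections and
# SSH.  Review it, then feed it to "iptables-restore".
hardened_rules() {
    wan="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
-A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $wan -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Audit: read an iptables-save dump (second argument) and print every sensitive
# port that an INPUT ACCEPT rule still admits on the WAN interface.  A rule
# with no -i applies to every interface, so it counts as exposed too.
exposed_ports() {
    wan="$1"
    rules="$2"
    printf '%s\n' "$rules" | awk -v wan="$wan" -v ports="$SENSITIVE_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
            iface = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if ((iface == wan || iface == "") && (port in want)) print port
        }'
}

# Constructed sample: a router that still lets WebOrbiter (8080) in from the
# WAN, while the orbiter port is only open on the LAN side (eth1).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 3456 -j ACCEPT
COMMIT'
```

On a real router you would run `exposed_ports eth0 "$(iptables-save)"`; an empty result means none of the listed ports is reachable from the WAN, and the laptop then reaches the orbiter and WebOrbiter through `tunnel_cmd` by pointing its clients at localhost:3456 and localhost:8080. Against the constructed sample the audit reports 8080, which is exactly the hole Marco's advice closes.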

archived:

--- Quote from: "MarcoZan" ---
I think that if you want to control your home when sitting in the office you may want to use a remote orbiter, not the pluto admin web interface.

--- End quote ---

MarcoZan is correct: Pluto admin is designed to configure everything in your Pluto system, not to be used as an orbiter.

Regarding putting security holes in bug-tracking software, I think it's beneficial for several reasons:
- any bug marked with priority "urgent" must be fixed in 48 hours;
- the bug can be marked as "private" so only devs and the reporter will see it.
