CISA bans remote management of network devices

US agencies have 14 days to comply.

The US Cyber and Infrastructure Security Agency (CISA) has decided that internet-facing management interfaces can’t be secured properly, and has told US government agencies to disable them.

CISA's newly published binding operational directive is comprehensive, effectively banning remote management of any network-accessible device using any protocol.

The device types include: “routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out of band server management interfaces (such as iLo [integrated lights out management] and iDRAC [integrated Dell remote access card]).”

Protocol-wise, CISA leaves no stone unturned, listing HTTP, HTTPS, FTP, SNMP, Telnet, TFTP, RDP, rlogin, RSH, SSH, SMB, VNC and X11.

Some of these, like FTP and Telnet, are widely regarded as obsolete and have been deprecated in most environments.

Management interfaces, CISA’s directive stated, can only remain accessible from the internet if they implement a zero trust architecture “in alignment with OMB M-22-09, NIST 800-207, the TIC 3.0 capability catalog, and CISA's zero trust maturity model.”

Web-based management interfaces have been a vector for security vulnerabilities for years.

In the last 12 months alone, management interface patches have emerged from Aruba Networks, Cisco Systems, Starlink terminals and more.

Earlier this year it emerged that even the venerable SNMP, created in the late 1980s, was still being exploited, with Fancy Bear threat actors exploiting a 2017 bug in Cisco routers.

Given the close coordination between US and Australian cyber security agencies, it’s at least feasible that a similar directive will be given to Australian government agencies.

Copyright © iTnews.com.au . All rights reserved.