Network - Firewall Version Comparison
Firewall Security Technical Implementation Guide
Comparison
There are 2 differences between versions v8 r23 (July 28, 2017) (the "left" version) and v8 r25 (Jan. 26, 2018) (the "right" version).
Check NET0740 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
The regular view of the left check and right check may be easier to read.
Text Differences
Title
Network devices must have HTTP service for administrative access disabled.
Check Content
Review the device configuration to determine that HTTP is not enabled for administrative access. The HTTPS server may be enabled for administrative access. If the device allows the use of HTTP for administrative access, this is a finding.
Discussion
The additional services that the router is enabled for increase the risk for an attack since the router will listen for these services. In addition, these services provide an unsecured method for an attacker to gain access to the router. Most recent software versions support remote configuration and monitoring using the World Wide Web's HTTP protocol. In general, HTTP access is equivalent to interactive access to the router. The authentication protocol used for HTTP is equivalent to sending a clear-text password across the network, and, unfortunately, there is no effective provision in HTTP for challenge-based or one-time passwords. This makes HTTP a relatively risky choice for use across the public Internet. Any additional services that are enabled increase the risk for an attack since the router will listen for these services. The HTTPS server may be enabled for administrative access.
Fix
Configure the device to disable using HTTP (port 80) for administrative access.
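As an added example (not part of the STIG or of this comparison page), the Check Content and Fix above can be applied to a saved running configuration offline. The script assumes Cisco IOS-style command syntax (`ip http server`, `no ip http server`, `ip http secure-server`), which the STIG text itself does not name, and the two sample configurations are constructed. It reports the check as "open" when HTTP administrative access is enabled, "not_a_finding" when it is explicitly disabled (HTTPS alone is permitted), and "indeterminate" when the configuration says nothing either way, because whether the HTTP server is on by default varies by platform and must then be verified on the device.

```python
"""Audit a saved device configuration for HTTP administrative access (STIG check NET0740).

Added example; assumes Cisco IOS-style syntax, which is an assumption, not something
the STIG specifies. Sample configurations below are constructed, not from a real device.
"""
import re

# Constructed sample: HTTP and HTTPS both enabled for administration (a finding).
NONCOMPLIANT_CONFIG = """\
hostname rtr-edge-01
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# Constructed sample: HTTP explicitly disabled, HTTPS retained (not a finding).
COMPLIANT_CONFIG = """\
hostname rtr-edge-01
!
no ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# Whole-line matches only, so "no ip http server" and "ip http secure-server"
# are never mistaken for "ip http server".
HTTP_ENABLED = re.compile(r"^[ \t]*ip http server[ \t]*$", re.MULTILINE)
HTTP_DISABLED = re.compile(r"^[ \t]*no ip http server[ \t]*$", re.MULTILINE)
HTTPS_ENABLED = re.compile(r"^[ \t]*ip http secure-server[ \t]*$", re.MULTILINE)


def audit_http_admin(config: str) -> dict:
    """Evaluate NET0740 against a configuration text and describe the result."""
    http_on = bool(HTTP_ENABLED.search(config))
    http_off = bool(HTTP_DISABLED.search(config))
    https_on = bool(HTTPS_ENABLED.search(config))

    if http_on:
        status = "open"  # HTTP (port 80) administrative access is enabled
    elif http_off:
        status = "not_a_finding"  # explicitly disabled; HTTPS is allowed to remain
    else:
        # No statement either way: platform defaults differ, so the saved config
        # alone cannot prove the HTTP server is off. Verify on the device.
        status = "indeterminate"

    return {"http_enabled": http_on, "https_enabled": https_on, "status": status}


def remediate(config: str) -> str:
    """Return the configuration with HTTP administrative access explicitly disabled.

    HTTPS is left untouched, matching the STIG's allowance for the HTTPS server.
    """
    if HTTP_ENABLED.search(config):
        return HTTP_ENABLED.sub("no ip http server", config)
    if HTTP_DISABLED.search(config):
        return config
    # Add an explicit disable so the state no longer depends on platform defaults.
    return config.rstrip("\n") + "\nno ip http server\n"


if __name__ == "__main__":
    for name, cfg in (("noncompliant", NONCOMPLIANT_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        print(name, audit_http_admin(cfg))
    print("after remediation:", audit_http_admin(remediate(NONCOMPLIANT_CONFIG)))
```

The "indeterminate" result is the caveat worth keeping: a configuration that merely omits the line is not evidence that port 80 is closed, so the reviewer should confirm the listening services on the device itself rather than close the check from the file alone.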