I use them only as Bridge and run the PPPoE / DHCP on another device, preferrably Pfsense or Mikrotik.... Solves all issues :)
Silvan
----- Ursprüngliche Mail ----- Von: "Peter Rohrer" peter.rohrer@gmx.ch An: swinog@lists.swinog.ch Gesendet: Sonntag, 27. März 2016 19:57:45 Betreff: Re: [swinog] TR-069 & Security / Swisscom Router
Am Samstag, 26. März 2016 schrieb Nico Schottelius:
we've recently audited a small network and found that the customer configured devices were relatively secure configured. However the Swisscom Router/WiFi device (Zylex P-870HN-53b) seems to have the old uPNP exploit with a firmware that is not being updated anymore (upnp was disabled though - so this is hopefully not a big issue).
Be carefull with those Zyxels, the last firmware update I installed on the similar P-870H disabled the firewall and I ended up wit an open DNS resolver. It's not nice to get noticed about this by your ISP. Don't even think about using the IPv6-stack in those devices, the built- in "firewall" doesn't know anything about IPv6 and lets any traffic pass (and we are back at the open DNS resolver, it is just harder to find and exploit the device over IPv6). Unfortunately, I can't recommand any other brand or device. In general, don't disable NAT on those plastic devices, you are entering badly tested territory.
Greetings
Peter
_______________________________________________ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog