Hello,
I created a DNS entry for Copernicus test firewall we have on the network so I can do a soft move-over in our test environment and I noticed that I could access the admin console without https. By defaulting to http, I decided to do a packet trace and see what happened and it was what I expected, the username and password used to log in are sent in plaintext through standard http GET and POST.
Setup configuration is as follows:
DNS entry on our existing UTM v9.3 to point to cpncs.domain.co.uk
Corpernicus firewall is set up on same network and is pretty much a fresh configuration post installation with some minor changes.
I've checked UTM V9 and you can't poke the firewall via http, it kicks you out with a message saying to go to https.
If I browse directly to the IP on http, i'm rejected with the https requirement message, but accessing via a DNS entry means I can ignore https. If I don't put in the default port of :4444 it goes straight to the webconsole (i.e. http://cpncs.domain.co.uk/). But if I put port as a suffix, it will error and ask me to move to https.
My question is this: Is this a feature or a bug?
To me, it would be a bug, I would under no circumstances want administrative access driven to the firewall via http plaintext, this is just asking for trouble. And if it is a feature, why is enabled on by default? A malicious entity could flip a users connection to http and if they didn't notice they'd literally hand the firewalls console access to them on a silver platter.
I notice in System>Administration>Settings you can change the admin http port, but can this be disabled? I would not want any unsecured access to the firewall under any circumstances.
Emile
Guest User!
You are not Sophos Staff.
