Hi Paul, that's what I definitely will mention in my article: none of the routers tested forced the admin to change the default PW. To me, it would be a good idea to force people to pick a PW when they use the admin tool the first time. That's why I like to test the out-of-the-box security, because I assume that most people install the router and, when it's running, they think they're done.
> Albert - Nessus is a good approach.
>
> But consider "the ease of setup". And remember
> easy setup = easy hack. Most people who buy
> SOHO's enjoy the easy setup and leave the default
> settings in place for things like admin password,
> snmp, remote admin etc...which naturally is public knowledge since
> it's clearly written in the user manual (always downloadable from the
> vendor's web site). That may not show up in your NESSUS audit.

It shows up - some people have written plugins that test for that - and it's clearly marked as a no-no by Nessus.

> Poor default rules and filters will certainly
> show up with NESSUS.
>
> SOHO's that force / prompt people to change default
> settings, SOHO's that have security "chapters" not
> paragraphs / appendices in their user manuals should
> score higher simply because they make people think
> about what they are getting into... you can't
> eliminate the people factor.

Albert
