At this stage, by default remote web login and SSH are allowed on NethSec 8. Also, changing the default password is not mandatory for the first web or SSH login.
Currently network devices are required to change the default password at first login, and an “open” configuration for management from the WAN is not the default. I don’t know if for network devices like routers this is mandatory by law or EU rules; I’m going to spend some time during the weekend finding out if there’s any specific legal detail that I can link under this topic.
On one hand, this setup is quite comfortable for the first setup, more or less allowing you to connect both adapters to the same switch, fish for the correct IP and start deploying the configuration. On the other hand, unless a sysadmin takes care to do their homework, WAN-sourced SSH and web management is on by default, and on public networks AFAIK that is not considered best practice.
It’s always a balance between security and ease of use.
We chose ease of use in this case to avoid hundreds of support tickets.
We already have a mockup for a first configuration wizard to guide the user towards a more secure configuration. I do not know when, or if, it will ever be implemented.
I just want to point out that the manual already documents some security suggestions:
The issue comes, IMVHO, from having remote admin available from the WAN and a non-mandatory password change at first login: the installation might be WAN-accessible with the default password until the sysadmin changes it.
By design, unfortunately, having both a well-known “by default” password and WAN SSH and HTTPS access is not secure. As per current laws and best practice, I cannot define this as pure personal opinion.
Mandatory default password change comes from consumer-grade devices, IT-grade devices.
This does not exonerate the sysadmin from doing the correct thing.
I’m sorry, I was not able to retrieve any other info about the rules for network devices during the weekend.