Question
Why do people have switches facing the Internet, shouldn't they be firewalled off?
Cisco's Smart Install software has become the vector for a series of infrastructure attacks and politically-motivated defacements. Cisco's own Talos security limb reports that bad actors, some likely state-supported, have been scanning Switchzilla devices to see if they run Smart Install. The tool is insecure-by design because …
I'm glad that was the first question, exactly what I was going to ask, although ISP switches are, by necessity, on the internet (although their management IP's should not be).
El Reg is slightly behind the curve on reporting this as I saw it on RT yesterday (I know the vultures are at their watering holes at the weekend ;)) - RT did report that this hit a number of ISP's - I can't imagine why any ISP would have to rely on such an install process in the first place, not withstanding that their management IP's are exposed.
Why do people have switches facing the Internet
Smart Install isn't only used by switches. Cisco Routers also support Smart Install.
I've been using Smart Install for years and all the switches it has built have "no vstack" in them (even before the first Cisco Security Vulnerability was announced).