Features of the embedded SMB and FTP servers
As already mentioned in the section on settings, you can connect external storage devices with USB or FireWire interfaces to the USR8200. Once detected, the storage devices appear in the Network Map, where you can browse them, create partitions, format them, or check them for errors.
Unfortunately (as the manufacturer itself notes in the firmware release notes on its website), compatibility with USB 1.1 devices leaves much to be desired. Of the ten flash drives I tried to connect, only two worked: a Kingmax 16MB and an Easydisk 128MB. I had no USB 2.0 or IEEE 1394 devices available, so I could not check how the USR8200 works with them.
Users see such storage devices either as shared disks (SMB resources) or through an FTP server. Access to both kinds of resources is granted only to users who have a login and password defined in the corresponding section of the USR8200 configuration. In addition, the FTP server can have a special anonymous user, which can be given read and write rights. You can also assign this user a dedicated directory above which it cannot climb (a chroot). Samba (the program that serves as the SMB server here) provides no anonymous access at all.
Much to my regret, user access isolation is rudimentary. If you grant a user read access, that user can read every file on the medium. If you grant write rights, the same applies: that user can write and delete any file. The screenshot above shows why: the files listed there were created by different users via FTP and SMB, yet they all have the same owner and group. This applies to files created by the anonymous FTP user as well.
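The practical check for this kind of problem is simple: log in as one user, create a file, then log in as a second user and see whether it can be read and deleted. The following is an added example (it is not code from the review or from U.S. Robotics) that runs that probe over ftplib; the `SingleOwnerFTP` class is a constructed offline stand-in modelling the behaviour described above (rights checked per account, but every file ending up with one owner and group), and the account names, password and IP address in the comments are assumptions.

```python
"""Probe whether an FTP server isolates one user's files from another.

Added example, not code from the review: user A uploads a marker file,
then user B tries to read and delete it. A server with real per-user
isolation refuses B; a server where every upload gets the same owner and
group lets any account with write rights delete anyone's files.
"""
import io
from dataclasses import dataclass
from ftplib import FTP, error_perm


@dataclass
class IsolationReport:
    other_can_read: bool
    other_can_delete: bool

    def isolated(self) -> bool:
        return not (self.other_can_read or self.other_can_delete)


def probe_isolation(connect, user_a, pass_a, user_b, pass_b,
                    marker="isolation-probe.txt"):
    """connect() must return an ftplib.FTP-compatible client.

    Against a real device (address and accounts are assumptions):
        probe_isolation(lambda: FTP("192.0.2.1"), "alice", "...", "bob", "...")
    """
    # 1. user A creates the marker file
    a = connect()
    a.login(user_a, pass_a)
    a.storbinary(f"STOR {marker}", io.BytesIO(b"created by " + user_a.encode()))
    a.quit()

    # 2. user B tries to read it, then to delete it
    b = connect()
    b.login(user_b, pass_b)
    try:
        b.retrbinary(f"RETR {marker}", io.BytesIO().write)
        can_read = True
    except error_perm:
        can_read = False
    try:
        b.delete(marker)
        can_delete = True
    except error_perm:
        can_delete = False
    b.quit()

    # 3. clean up as A if B was (correctly) refused
    if not can_delete:
        a = connect()
        a.login(user_a, pass_a)
        a.delete(marker)
        a.quit()
    return IsolationReport(can_read, can_delete)


class SingleOwnerFTP:
    """Constructed offline model of a server without per-user file ownership.

    Access is checked per account ("r" or "rw"), but files carry no owner,
    so anyone with write rights may delete anything, as the review describes.
    """
    def __init__(self, accounts, store):
        self._accounts = accounts   # {user: (password, rights)}
        self._store = store         # shared {filename: bytes}, one "owner"
        self._rights = ""

    def login(self, user, passwd):
        pw, rights = self._accounts[user]
        if pw != passwd:
            raise error_perm("530 Login incorrect")
        self._rights = rights

    def storbinary(self, cmd, fp):
        if "w" not in self._rights:
            raise error_perm("550 Permission denied")
        self._store[cmd.split(" ", 1)[1]] = fp.read()

    def retrbinary(self, cmd, callback):
        callback(self._store[cmd.split(" ", 1)[1]])

    def delete(self, name):
        if "w" not in self._rights:
            raise error_perm("550 Permission denied")
        del self._store[name]

    def quit(self):
        pass


def demo(rights_b="rw"):
    """Run the probe against the offline model, user B holding rights_b."""
    accounts = {"alice": ("alice-pw", "rw"), "bob": ("bob-pw", rights_b)}
    store = {}
    return probe_isolation(lambda: SingleOwnerFTP(accounts, store),
                           "alice", "alice-pw", "bob", "bob-pw")


if __name__ == "__main__":
    print("bob has rw:", demo("rw"))
    print("bob has r :", demo("r"))
```

With both accounts holding write rights the probe reports that user B can delete user A's file, which is exactly the failure the review observed; a read-only user B can still read A's file, because read access is granted to the whole medium rather than per owner.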
USR8200 security tests
The tests were carried out according to our standard methodology.
The device was scanned in two modes. In the first mode the minimum security policy was set (all inbound and outbound connections allowed) and access to the configuration interface was enabled on the WAN side.
Predictably, with full access a lot of assorted issues are reported (in practice, hardly anyone would choose this configuration), but it should be noted that no serious vulnerabilities were found.
During the scan the device operated normally, with no reboots or freezes. However, the security logs showed almost no trace of the attack attempts or of the scan itself, so an administrator would get little warning that the device was being probed.
Before the second scan we set the security policy to "block everything" and cleared all the check boxes in Remote Administration (all access from outside was blocked). I will not publish the Nessus reports, because there are none: nothing was found during the scan.
In other words, the device's security is at a high level.
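The two-mode comparison above is easy to reproduce with any port scanner: scan the WAN address once with the permissive policy and remote administration on, once with "block everything" and remote administration off, and diff the results. The following is an added example (not the review's own tooling, and not its Nessus output) that parses nmap's grepable (`-oG`) format for both runs and lists which services were closed by the policy change and which remain reachable. Both scan listings are constructed for the example: the address is a documentation address and the ports were chosen to match services the review mentions (FTP, the telnet console, the web configuration interface, SMB, IPSec), not measured on the device.

```python
"""Diff two nmap -oG scans of a router's WAN side (added example).

The review scanned the USR8200 once with everything allowed and remote
administration enabled, and once with "block everything" and remote
administration off. This script compares such a pair of scans.
"""
import re
from typing import Dict, Tuple

# Constructed sample of `nmap -sSU -oG - 192.0.2.1` with everything allowed.
# Not a real result: ports picked to match services the review mentions.
PERMISSIVE = """\
# Nmap scan initiated (constructed sample, permissive policy)
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 500/open/udp//isakmp///\tIgnored State: closed (995)
"""

# Same host after "block everything" + remote administration off (constructed).
LOCKED = """\
# Nmap scan initiated (constructed sample, block-everything policy)
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 500/open/udp//isakmp///\tIgnored State: filtered (1000)
"""

Service = Tuple[str, str]  # (state, service name)


def parse_grepable(text: str) -> Dict[str, Dict[str, Service]]:
    """Return {host: {"port/proto": (state, service)}} from nmap -oG output."""
    hosts: Dict[str, Dict[str, Service]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue  # "Status: Up" lines carry no port list
        host = line.split()[1]
        entries = hosts.setdefault(host, {})
        for item in m.group(1).split(","):
            # field layout: port/state/proto/owner/service/rpcinfo/version/
            fields = item.strip().split("/")
            port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
            entries[f"{port}/{proto}"] = (state, service)
    return hosts


def exposure_diff(before_text: str, after_text: str):
    """Return (closed, still_open): services removed by the policy change,
    and services still reachable afterwards, keyed "host port/proto"."""
    before = parse_grepable(before_text)
    after = parse_grepable(after_text)
    closed: Dict[str, str] = {}
    still_open: Dict[str, str] = {}
    for host, ports in before.items():
        after_ports = after.get(host, {})
        for key, (state, svc) in ports.items():
            if state != "open":
                continue
            if after_ports.get(key, ("closed", svc))[0] == "open":
                still_open[f"{host} {key}"] = svc
            else:
                closed[f"{host} {key}"] = svc
    # anything open only in the locked-down scan is exposure too
    for host, ports in after.items():
        for key, (state, svc) in ports.items():
            if state == "open" and f"{host} {key}" not in still_open:
                still_open[f"{host} {key}"] = svc
    return closed, still_open


if __name__ == "__main__":
    closed, still_open = exposure_diff(PERMISSIVE, LOCKED)
    print("closed by policy change:", closed)
    print("still reachable from WAN:", still_open)
```

Anything left in `still_open` after the lockdown is the device's real WAN attack surface and deserves a closer look; in the constructed sample only IKE (UDP 500) remains, which is what you would expect of a router that is meant to terminate IPSec tunnels.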
Unfortunately, the USR8200 was not yet on sale when this review was written.
The Secure Storage Router Pro (USR8200) from U.S. Robotics is a functional, high-performance device. One could even say it is the first device (in our lab) to combine such an impressive set of functions, high performance, and a good level of security.
If the programmers fixed the bugs in access-right isolation for users of the embedded SMB and FTP servers and some glitches in the IPSec implementation, there would be practically nothing to complain about. One more oddity: the device supports IPSec and offers console control via telnet, which carries credentials in clear text, so why not add SSH support?
Evgeniy Zaitsev (firstname.lastname@example.org)
24 August, 2004