Yes, it’s for sure a huge security hole if you leave the API wide open, but you don’t need an authentication system on the GenieACS NBI service in order to secure it.
You can use a proxy as akcoder suggested, but you can also simply use a firewall. The purpose of the API is to integrate GenieACS with other services of your company, so make sure that only the IP addresses of those services have access to it.
Agreed. This is why we are doing auth, SSL and firewalls even on our private CPE management network. The number one rule of security is trust no one, especially not equipment that has a connection to the internet.
akcoder, your setup is very cool. Security is never too much.
At my company, we chose not to have authentication because we use NBI in a very simple way. Instead, inbound port 7557 is closed to everyone, so no one except the machine itself has full access to it. Then, I wrote a little daemon on the same machine that pulls “tasks” from our private API.
What is cool about our implementation is that even if someone hacks a privileged server, like our private API, they won’t have full control over all CPE devices because they can only fire specific tasks and query for specific parameters. And that’s a big part of it.
Not only does GenieACS not have authentication, it doesn’t have any kind of ACL either. So this is a very primitive way for us to limit not only WHO can make changes on CPEs but also WHAT KIND of changes they are allowed to do.
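The task-filtering daemon described in the post above, as an added example that is not part of this thread or of GenieACS itself: a broker that sits on the same host as the NBI (bound to loopback), validates each task pulled from the private API against an allowlist of task names and parameter paths, and only then builds the NBI request. The allowlist contents, the device id and the task shapes are constructed for this example; the NBI endpoint shape (`POST /devices/<id>/tasks`) is GenieACS’s own.

```python
import json
import re
from urllib.parse import quote

# Allowlist policy (constructed for this example): which NBI task names the
# daemon will forward, which parameter paths may be read, and which may be
# written (with the xsd type the NBI expects for setParameterValues).
ALLOWED_TASKS = {"getParameterValues", "setParameterValues", "reboot"}
ALLOWED_READ = re.compile(r"^InternetGatewayDevice\.(DeviceInfo|WANDevice)\.")
ALLOWED_WRITE = {
    "InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.SSID": "xsd:string",
}
NBI_BASE = "http://127.0.0.1:7557"  # NBI reachable only from this host, as in the post


class RejectedTask(ValueError):
    """Raised when a pulled task falls outside the allowlist policy."""


def build_nbi_request(device_id, task):
    """Validate a task pulled from the private API and return the
    (method, url, body) the daemon would send to the GenieACS NBI.
    Anything not matching the policy is rejected before it reaches a CPE,
    so a compromised private API can only issue these exact task shapes."""
    name = task.get("name")
    if name not in ALLOWED_TASKS:
        raise RejectedTask(f"task {name!r} not permitted")
    body = {"name": name}
    if name == "getParameterValues":
        names = task.get("parameterNames", [])
        bad = [p for p in names if not ALLOWED_READ.match(p)]
        if bad or not names:
            raise RejectedTask(f"parameter(s) not readable: {bad}")
        body["parameterNames"] = names
    elif name == "setParameterValues":
        values = []
        for path, value in task.get("parameterValues", []):
            if path not in ALLOWED_WRITE:
                raise RejectedTask(f"parameter {path!r} not writable")
            values.append([path, str(value), ALLOWED_WRITE[path]])
        if not values:
            raise RejectedTask("setParameterValues with no values")
        body["parameterValues"] = values
    # "reboot" needs no arguments; ?connection_request asks GenieACS to
    # contact the CPE now instead of waiting for its next inform.
    url = f"{NBI_BASE}/devices/{quote(device_id, safe='')}/tasks?connection_request"
    return "POST", url, json.dumps(body)


def is_permitted(device_id, task):
    """Convenience check: True if the task would be forwarded, else False."""
    try:
        build_nbi_request(device_id, task)
        return True
    except RejectedTask:
        return False
```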