NR5101 Nebula GUI Login, Suggestion.

Gelphyn
Gelphyn Posts: 12
edited August 2023 in Nebula
Have Zyxel considered improving access security for the GUI web page? The 2FA system used with Nebula and My Zyxel would provide a massive upgrade.
Alternatively, enabling Users to choose their UserName and Password would also improve matters.
Best regards, G.

All Replies

  • Gelphyn
    Gelphyn Posts: 12
    A few hours after posting the above, my PM was updated. I immediately checked the situation reported here:
    https://community.zyxel.com/en/discussion/15745/nr5101-nebula-gui-login-problem#latest
    Unfortunately, this update has not enabled improved access.

    While retesting, I noticed a Red coloured Exclamation Mark within a Red Circle.
    Clicking on the circle opened this:



    This PM always encourages improvements of this type, but in this situation, there is little that Users can do.

    I would further suggest that the GUI web page access should be placed within Nebula and/or My Zyxel.

    This will shroud the GUI with existing security at minimal cost and improve navigation to this essential feature.

    Best regards, G.
  • Zyxel_Judy
    Zyxel_Judy Posts: 875  Zyxel Employee
    Gelphyn said:
    Have Zyxel considered improving access security for the GUI web page? The 2FA system used with Nebula and My Zyxel would provide a massive upgrade.
    Alternatively, enabling Users to choose their UserName and Password would also improve matters.
    Best regards, G.

    Hi @Gelphyn,


    The username defaults to admin for the router device to get the highest privilege, and users can choose their own password by editing it at Nebula > Site-wide > Configure > General settings > Device configuration.


    Judy

  • Zyxel_Judy
    Zyxel_Judy Posts: 875  Zyxel Employee
    Gelphyn said:
    A few hours after posting the above, my PM was updated. I immediately checked the situation reported here:
    https://community.zyxel.com/en/discussion/15745/nr5101-nebula-gui-login-problem#latest
    Unfortunately, this update has not enabled improved access.

    While retesting, I noticed a Red coloured Exclamation Mark within a Red Circle.
    Clicking on the circle opened this:



    This PM always encourages improvements of this type, but in this situation, there is little that Users can do.

    I would further suggest that the GUI web page access should be placed within Nebula and/or My Zyxel.

    This will shroud the GUI with existing security at minimal cost and improve navigation to this essential feature.

    Best regards, G.

    Could you share with us your idea that the GUI web page access should be placed within Nebula and/or My Zyxel?
    Is it something like the user can use Nebula to log in and do configuration on Nebula, like AP, Switch and Firewall? If yes, we'll create a feature request for evaluation.

    Judy

  • Gelphyn
    Gelphyn Posts: 12
    Hi Zyxel_Judy.

    From this page:



    At the top right, see:



    The GUI Access Web Page would drop neatly into the Applications area.  Job done.

    UserName + Password + 2FA is required to access Nebula.  The choice is open regarding access to the GUI:

    1.  Is it necessary to protect it further? For example, accessing Community from the same point requires my credentials.

    2.  If additional protection is essential, I would enable the User to choose a UserName + Password.

    3.  In this location, the GUI is lodged where it can intuitively be located. It is an essential component of this system.

    Best wishes, G.


  • Zyxel_Judy
    Zyxel_Judy Posts: 875  Zyxel Employee
    Hi @Gelphyn,

    The Applications area is the place that lets a Zyxel account navigate between Zyxel platforms such as myZyxel, Nebula, Education, Community, etc.

    Besides, the way to log in to the GUI Access Web Page is by using the device's IP. In the case of using a private IP, even if there is a hyperlink to the GUI Access Web Page on Nebula CC, if your laptop/computer is not connected to the same LAN network, you still can't access the GUI Access Web Page.

    Moreover, there might be many devices like Access Points, Switches, Firewalls and Mobile Routers in one org/site, so it is not suitable to add all devices' GUI Access Web Pages to the Applications area.

    Judy

  • Hi @Zyxel_Judy

    I am a software-hardware user and not a technical computing expert. Usually, I overcome issues without recourse to approaching experts. However, experts are constantly stating the need for security using strong credentials. Here it seems that if anyone discovers the Router IP Address, they only need to hack a short and straightforward Password.

    If the system cannot provide the protection required, then the GUI Access MUST be better protected.
    The UserName is too well known, and the Password is only eight characters - digits in length. This weak Password unnecessarily renders the Router access liable for breaches.

    What are the reasons for not enabling Users to provide a UserName and Password of their choosing?
    Nebula is all about security, but Zyxel is almost offering the key to access the Router and create mayhem.

    Best wishes, G.
  • Zyxel_Judy
    Zyxel_Judy Posts: 875  Zyxel Employee

    Hi @Gelphyn,

     

    Users can go to Maintenance > Remote Management > MGNT Services to configure the interfaces through which services can access the router.

    When the box at WAN is unchecked, that means you don't allow access to the router from all WAN connections. Note that the default configuration is the box unchecked.

    You can also refer to the User Guide, pages 277 & 278, to learn more about this feature.



    Regarding the password, in case the router is managed by Nebula, the user can go to Nebula > Site-wide > Configure > General settings > Device configuration to choose the password themselves. The password is not only eight characters - digits in length. Users can choose the password, which must be at least 8 characters in length and consist of letters and numerals. The valid characters are letters, numerals and symbols as follows: ~ ! @ # $ % ^ & * ( ) _ + ` - = { } : ; < > .


    Judy

  • Hi again.
    I am not interested in remote access to my Zyxel NR5101 Nebula Router.
    This is about the entirely divorced process of accessing this router by using its IP Address and compromised UserName and Password. As you have pointed out, the Zyxel System is incapable of preventing navigation to the GUI Access web page. Given that it is accessible via the Internet, it NEEDS adequate protection against intruders.

    The report includes "This password was found to be on a list of known breached credentials." and the UserName is as well known as " 1 2 3 4 ", etc.
    I am VERY concerned that after reporting this serious security breach that Zyxel are not taking any action to correct the matter.

    If the information I have provided is considered to be in any way irrelevant, please explain why or how Zyxel have concluded that no action is necessary to improve access security to this router.

    Regards, G.
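
The password rules quoted in the reply above and the "known breached credentials" warning from the report can be combined into one check to run before setting the GUI password. This is an added example, not part of the thread and not Zyxel's code. It assumes the rule means at least one letter and one numeral, treats the trailing "." in the symbol list as an allowed symbol, and uses a constructed breached list.

```python
import hashlib
import string

MIN_LENGTH = 8
# Symbols listed in the reply above; counting the trailing "." is an assumption.
ALLOWED_SYMBOLS = set("~!@#$%^&*()_+`-={}:;<>.")
ALLOWED = set(string.ascii_letters) | set(string.digits) | ALLOWED_SYMBOLS

# Constructed sample of breached passwords (not real breach data), held as
# SHA-1 digests, a common format for offline breach lists.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password1", "admin1234", "12345678", "qwerty123")
}


def check_gui_password(password, breached=BREACHED_SHA1):
    """Return a list of findings; an empty list means the password passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("shorter than 8 characters")
    if not any(c in string.ascii_letters for c in password):
        findings.append("no letter")
    if not any(c in string.digits for c in password):
        findings.append("no numeral")
    # Report every character that falls outside the valid set, once each.
    bad = sorted({c for c in password if c not in ALLOWED})
    if bad:
        findings.append("characters outside the valid set: "
                        + " ".join(repr(c) for c in bad))
    # Compare by digest so the list never has to hold plaintext passwords.
    if hashlib.sha1(password.encode()).hexdigest() in breached:
        findings.append("on the breached-password list")
    return findings


if __name__ == "__main__":
    for candidate in ("12345678", "admin1234", "Tr4il-M0ss{9}"):
        print(candidate, "->", check_gui_password(candidate) or "ok")
```

A password can satisfy every stated rule and still appear on the breached list, which is the case the `admin1234` sample shows.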
  • Zyxel_Judy
    Zyxel_Judy Posts: 875  Zyxel Employee
    edited February 2023

    Thank you for sharing with us your concern.


    As we mentioned above, when the box at WAN is unchecked, that means there is no access to your router from the Internet. Users can only access the device login web GUI from the local LAN network.

     

    Related to the password issue, we applied the same password for Nebula and the NR5101 login web GUI, and set it up in RoboForm. The result shows a different appearance for the two websites: the Red Exclamation Mark within a Red Circle only appears at the NR5101 login web GUI, not Nebula.


    You might need to contact the support team of RoboForm to verify the reason that led to this difference.

    Judy

  • Zyxel_Judy
    Thank you for your reply.

    When I said:
    Hi again.
    I am not interested in remote access to my Zyxel NR5101 Nebula Router.
    It did not alter my stance regarding the security of GUI Access, and your response did not directly convey that it bolsters security by changing the Password.

    Regarding

    However, I have used the information to change my Password for GUI Access.
    Would it be appropriate for new users to be directed to do this when setting up their hardware?

    Below is a screenshot as it has always been, i.e., without any input from me:
