TL-SG105PE - No HTTPS protocol available to login.
TL-SG105PE - No HTTPS protocol available to login.
Dear all,
I bought 3 TL-SG105PE switches because they are manageable.
I tried to access them with the https protocol with no luck.
Only http is accepted by the switches and this is unacceptable: the user and passwords are sent in clear text over the network, it's very dangerous.
The bad thing is that I didn't find any option to enable (and force) the https protocol.
Could you please tell me how to enable it?
I searched the forum but what i found is a message without any answer and this is a bit scary....
https://community.tp-link.com/en/business/forum/topic/503876
Thanks
Regards
Daniele
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hey
While I am not familiar with this specific switch, this doesnt seem like an issue as its a LAN switch and not something that is outside your network. Namely as its IP is a class C private address it wont be accessable outside any LAN and will be filtered out via the router, therefore can only be connected to via the LAN network. Do you really need HTTPS on your LAN segment? HTTPs also requires a secure certificate to be installed else you will get a certification error; such features are generally not included in this price point.
If you deem this an issue perhaps securing the LAN to block access to the switch itself may be an option? This should be done for all users outside admin anyways as part of a good security posture.
- Copy Link
- Report Inappropriate Content
Hi @Philbert,
Following your thought, every device inside a LAN should not need to be accessed with a secured protocol.
So let's remove SSH, SFTP, HTTPS, IPsec and any encryption in general.
Maybe we could also remove the passwords...hey, it's a LAN, no one will hurt you inside it, right?!
I will propose it to CISO of my company, I'm curious to listen to his "answer". Probably I would be fired....hahahah
Speaking seriously, if any device inside the network has been compromised by a software (or by a person), it could "sniff" all the traffic inside the LAN (wired and wifi), intercepting any clear user and password, and compromising other devices. I don't think it is a good idea to communicate without a secured protocol, even inside a LAN.
What do you exactly mean with "securing the LAN to block access to the switch itself"? How would you do that?
I should be able to access the switch
Thanks.
Regards.
Daniele
- Copy Link
- Report Inappropriate Content
Hey
OK I was trying to give you a polite answer to your query, but since you arent happy with that then here goes.
1. This is a $50 switch, if you expect it to anything outside the basics, then you don't have a clue what network hardware costs. At this price im actually surprised it even has the features it does. Perhaps you shouldnt have skimped out on the price..
2. Be serious. no-one is suggesting removing SSL, HTTPs etc.. just dont expect a cheap switch to have them supported. If you bought this switch for your CISO I hope you would be fired, its for basic home use only.
3. If a device inside your LAN has been compromised, access to a switch interface shouldnt be possible. Clients should be VLANed away from management networks and all protocols / ports connecting to the network hardware locked out to only very specific VLANs. This is simple network security, they should have no access to switches. At the most basic level this can be done via Group Policy on the Windows Firewall, block the IP and Port.... on more expensive fully manageable switches (something like the JetStream range) this is usually an option to configure.
4. In terms of "securing the LAN to block access to the switch itself". ACLs, Firewalls and VLANs will stop normal users getting anywhere near this, they simply shouldn't know it even exists much less be able to access it. Move the switches to "out of band" or "private" VLANs that are only accessible when jacked in and leave this unplugged unless in use. Serial / USB only connections are very secure as they require physical access to the switch.
Really there are a number of options for this, sadly at this price point a lot wont be available to you. If security is an issue for you, which it appears it is; I would recommend you return this device and look at the JetStream business range.
- Copy Link
- Report Inappropriate Content
Hi @Philbert,
thanks for your detailed reply. Now I'm happy or at least, happier.
1 & 2)
I thought that HTTPS should be part of "basics" but maybe I was wrong.
For example, I have the TL-R605 router that costs about the same, 50-55 euros, and it supports the https authentication.
That's why i thought it should be present on the SG105PE as well.
Moreover, https is supported by nearly every site of the World, so it is part of our life, like a good habit.
That's why it is difficult for me to step back and think a network product without it.
I know that network hardware could cost even thousands dollars.
I bought these 3 switches for my home, I won't be fired by my CISO, hahaha
I attached some POE IP cameras to them.
3 & 4)
I will try to follow your precious advices using VLANs that seem to be supported both by my router TL-R605 and TL-SG105PE.
I hope you don't feel offended by my words. It wasn't my goal, sorry.
Thanks again for your prompt reply.
Regards.
Daniele
- Copy Link
- Report Inappropriate Content
Hey
Yeah no worries, its all cool all good here :)
Suppose a lot of the design in these are to do with their placements. Switches are purely LAN based hardware and therefore are on the trusted side of the network, the threat against them is internal from users and for that reason they are not as security conscious, well at this price point anyways. This switch is designed to be fast and offers some basic VLANs, thats about it really. From a security standpoint I think this switch just assumes that the LAN is you safe zone, not ideal but not again $$
The R605, despite being roughly the same price is a different beast, its designed to sit on the edge of your safe zone and face the big bad world, therefore it will have certificates and security for HTTPs etc.. however its downfall is its slowness, when compared to a switch they are VERY slow (Layer 3 vs Layer 2 devices) so are not used for the local LAN traffic. The R605 is also designed to be part of the Omada ecosystem so the cost you save on that one device gets swollen up when you realise you need a Controller, Switch and APs just to have simple VLANs.. the cheap switch does it in one..
Basically switches are fast, cheap and assume you place them in secure areas. They can (and do) operate for YEARS with no issues. Routers, slow, tad more expensive, have more features but face the bad world and require upgrading / replacing every 2-3 years for safety.
If you want more security and are willing to part with a bit of money, look at buying an TL-SG2008P for around $100, if you have a old PC somewhere (or a raspberry Pi) set yourself up a controller and manage the switch and 605 from it. That will take you into the next step up away from home grade, you will get VLANs, Access Control Lists, Certificates, Filters.. the lot
Might be worth a play
- Copy Link
- Report Inappropriate Content
I don't have this switch but I tried to search manual of this model. It seems like all tp-link Easy Smart level switches do not support HTTPS login.
You may consider TL-SG2008
- Copy Link
- Report Inappropriate Content
Hi, thanks for your detailed and interesting reply.
I should have met you before buying the 3 TL-SG105PE switches...
I like your solution and i have a Raspberry Pi 3 and a Mini PC both with linux installed.
The problem is that I cannot send my switches back to Amazon because 30 days are already gone.
So I should throw those 3 new switches in the trashcan and buy 3 more for 300+ euros.
Actually, if the TL-SG2008P would have just one POE more, I could buy only 2 of them.
I bought 3 switches because on the floor 1, i have 5 POE IP cams (so 4 + 1), and the floor 0 i have 3 more POE IP cams.
In total they actually would fit in 4 + 4 POE ports, so two TL-SG2008P, but It's a pain to lay down the cable from floor 1 to 0 and the cable itself would be 12-13 m longer.
If there is a switch similar to TL-SG2008P with more POE ports, I could get one for the floor 1 that has 5 IP cameras.
I have 3 new TL-SG105PE to sell, do you want to buy them? hahah
Thanks for your time Philbert.
Regards.
Daniele
- Copy Link
- Report Inappropriate Content
Hi, thanks a lot for your research.
Yes, maybe the TL-SG2008P because I need POE ports.
Regards.
Daniele
- Copy Link
- Report Inappropriate Content
I also have another trouble with the TL-SG105PE: https://community.tp-link.com/en/business/forum/topic/581990
Do you know if the TL-SG2008P is able to really disable completely a port (traffic + POE) by configuration?
What do you mean exactly with a controller?
Is it a software running on Linux that connects to switches and send commands to enable/disable any feature?
Has it a name? Any example?
Thanks.
Regards.
Daniele
- Copy Link
- Report Inappropriate Content
Hey
Ah thought you only had one of these! There is a larger model, namely the Tl-SG2210MP which is 8 ports POE and 2x SFP and price wise its not a great deal more.
Up to yourself really, if you feel you can ebay the older switches then go for it, sadly I done the same as you years ago when setting up my first home network.. The new SG3xyz range are out now, but the prices are higher as these come with 10G and 2.5G ports..
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1759
Replies: 12
Voters 0
No one has voted for it yet.