[104530] in North American Network Operators' Group
Re: [NANOG] IOS rootkits
daemon@ATHENA.MIT.EDU (Gadi Evron)
Sat May 17 07:10:45 2008
Date: Sat, 17 May 2008 06:10:23 -0500 (CDT)
From: Gadi Evron <ge@linuxbox.org>
To: Suresh Ramasubramanian <ops.lists@gmail.com>
In-Reply-To: <bb0e440a0805170312t349574b0p2f7a685cd33e6a2@mail.gmail.com>
Cc: ivan.arce@coresecurity.com, topo@coresecurity.com, fx@recurity-labs.com,
nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
On Sat, 17 May 2008, Suresh Ramasubramanian wrote:
> On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft
> <mmc@internode.com.au> wrote:
>> If the way of running this isn't out in the wild and it's actually
>> dangerous then a pox on anyone who releases it, especially to gain
>> publicity at the expense of network operators' sleep and well-being.
>> May you never find a reliable route ever again.
>
> This needs fixing. It doesn't need publicity at security conferences
> till after cisco gets presented this stuff first and asked to release
> an emergency patch.
I'd like to discuss:
1. What is it we are talking about.
2. Why it is serious.
3. What we can do to defend ourselves.
I'll be brief as this is not a briefing.
You are absolutely right on the sentiment, but miss the point on this
particular issue. I agree with you that in most cases, software
vulnerability issues should be resolved with the vendor first, especially
where critical infrastructure is involved. This is not only about
exploiting a vulnerability.
In this case it is the very realization that these issues exist
(namely being able to run Trojan horses on IOS systems and/or hiding their
presence) that we are discussing.
Router security, as far as most operators are concerned, includes the
following issues: software version (and updates), configuration, ACL and
authentication (password) security. I include subjects such as BGP MD5 under
configuration.
These issues are indeed important and very neglected; after all, how many
"0wned" routers can be found that respond to cisco/cisco?
The main difference here is that we are now at a crossroads where the
face of router security changes. It is the realization that:
1. A router is not a hardware device; it is an embedded device with a
software operating system. As such it is as vulnerable to malware
(wide-spreading: a worm, or targeted: a Trojan horse) as a Windows machine
is.
2. There are no real tools today for us to be able to detect such
malicious activity on a router; listing processes doesn't cut it.
3. What tools exist, which I hope to secure permission to discuss later
on, are only from third parties.
This is not about fear mongering; it's about facing the reality of how
Cisco handles security threats to their customer base before such an issue
becomes a public concern, namely by ignoring its very existence, at least as
far as the public can see.
The point is, I don't want to rely on third parties for my router's
security, even if I trust said third party.
Gadi.
_______________________________________________
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog