[104576] in North American Network Operators' Group
Re: [NANOG] IOS rootkits
daemon@ATHENA.MIT.EDU (Deepak Jain)
Mon May 19 15:11:27 2008
Date: Mon, 19 May 2008 15:10:38 -0400
From: Deepak Jain <deepak@ai.net>
To: Dragos Ruiu <dr@kyx.net>
In-Reply-To: <3260A110-46FE-42E6-BB2B-1287476EF3C4@kyx.net>
Cc: fx@recurity-labs.com, Sebastian Muniz <topo@coresecurity.com>,
Ivan Arce <ivan.arce@coresecurity.com>, nanog@merit.edu
Reply-To: deepak@ai.net
Errors-To: nanog-bounces@nanog.org
Wouldn't this level of verification/authentication of running code be a
pretty trivial function via RANCID or similar tool?
I understand *why* we are worried about rootkits on individual servers.
On essentially "closed" platforms this isn't going to be rocket science.
It may seem odd by today's BCPs, but booting up from "golden" images via
write-protected hardware or TFTP or similar is pretty straightforward
-- especially for those of us who run large server farms.
A POP or node could certainly keep a few servers around that are a
permanent repository of these items for all the devices that get images.
If you can't trust the boot rom, well, that's an entirely separate matter.
I think the issue with rootkits, whether on a server or an embedded device, is
more about the infection vector than the maliciousness that could be caused
AFTER a compromise has occurred.
Deepak Jain
Dragos Ruiu wrote:
> The question this presentation begs for me... is how many of the folks
> on this list do integrity checking on their routers?
>
> You can no longer say this isn't necessary :-).
>
> I know FX and a few others are working on toolsets for this...
>
> I'll probably have other comments after I see the presentation.
> This development has all sorts of implications for binary signing
> requirements, etc...
>
> cheers,
> --dr
>
> --
> World Security Pros. Cutting Edge Training, Tools, and Techniques
> London, U.K. May 21/22 - 2008 http://cansecwest.com
> pgpkey http://dragos.com/ kyxpgp
_______________________________________________
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog
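The kind of check the thread is discussing, as an added example that is not part of the original post or of RANCID: a collector captures the output of `verify /md5 flash:<image>` from each router, and a trusted host compares the reported digest against a manifest computed from the "golden" images kept in the POP's repository. The image bytes, hostnames and CLI output below are constructed for the example; the one real assumption is the `verify /md5 (flash:<file>) = <hash>` line format IOS prints. Note the caveat Deepak raises about the boot ROM: a digest reported by the device is only as trustworthy as the code that produced it, so the manifest must be built off-box from the repository copy, and a rootkitted image that lies about its own hash is caught only by hashing a copy pulled off the device on a trusted host.

```python
"""Compare router-reported image hashes against a golden manifest.

Added illustration for the NANOG thread above; everything below is
constructed and is not code from RANCID or from any poster.
"""
import hashlib
import re
from typing import Dict, List

# Constructed bytes standing in for IOS image files that a POP keeps on
# its write-protected / TFTP "golden" repository.
GOLDEN_IMAGES: Dict[str, bytes] = {
    "c2800nm-advipservicesk9-mz.124-15.T.bin": b"constructed golden image bytes 1",
    "c3750-ipservicesk9-mz.122-44.SE.bin": b"constructed golden image bytes 2",
}


def build_manifest(images: Dict[str, bytes]) -> Dict[str, str]:
    """Hash each golden image on a trusted host; this is the reference list.

    MD5 is used only because that is what 'verify /md5' on the box reports;
    the trust comes from computing this list off-box, not from the digest.
    """
    return {name: hashlib.md5(data).hexdigest() for name, data in images.items()}


MANIFEST = build_manifest(GOLDEN_IMAGES)

# Assumed IOS output line after 'verify /md5 flash:<file>':
#   verify /md5 (flash:<file>) = <32 hex chars>
VERIFY_RE = re.compile(r"verify /md5 \((?:\w+:)?([^)]+)\) = ([0-9a-fA-F]{32})")


def parse_verify_output(text: str) -> Dict[str, str]:
    """Extract {filename: reported_md5} from captured CLI output."""
    return {m.group(1): m.group(2).lower() for m in VERIFY_RE.finditer(text)}


def check_device(hostname: str, verify_output: str, manifest: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every image matched."""
    findings: List[str] = []
    reported = parse_verify_output(verify_output)
    if not reported:
        # A silent collector is itself a finding: no evidence is not good evidence.
        findings.append(f"{hostname}: no verify /md5 line found; check the collector")
    for fname, digest in reported.items():
        expected = manifest.get(fname)
        if expected is None:
            # An image name we never approved is as suspicious as a bad hash.
            findings.append(f"{hostname}: {fname} not in golden manifest")
        elif digest != expected:
            findings.append(f"{hostname}: {fname} md5 {digest} != golden {expected}")
    return findings


# Constructed CLI captures: one router matches, one reports a foreign digest.
GOOD_OUTPUT = (
    "rtr1#verify /md5 flash:c2800nm-advipservicesk9-mz.124-15.T.bin\n"
    "..........\n"
    f"verify /md5 (flash:c2800nm-advipservicesk9-mz.124-15.T.bin) = "
    f"{MANIFEST['c2800nm-advipservicesk9-mz.124-15.T.bin']}\n"
)
BAD_OUTPUT = (
    "rtr2#verify /md5 flash:c3750-ipservicesk9-mz.122-44.SE.bin\n"
    "..........\n"
    "verify /md5 (flash:c3750-ipservicesk9-mz.122-44.SE.bin) = "
    + "deadbeef" * 4 + "\n"
)


def run_demo() -> Dict[str, List[str]]:
    """Run the check over the constructed captures and return findings per host."""
    return {
        "rtr1": check_device("rtr1", GOOD_OUTPUT, MANIFEST),
        "rtr2": check_device("rtr2", BAD_OUTPUT, MANIFEST),
        "rtr3": check_device("rtr3", "", MANIFEST),
    }


if __name__ == "__main__":
    for host, findings in run_demo().items():
        print(host, "OK" if not findings else findings)
```

In a RANCID-style deployment the captures would come from the per-device collector rather than string constants, and the manifest would be regenerated whenever the golden repository changes; a device that stops returning a `verify /md5` line, or returns an image name that is not in the manifest, should page someone just as a hash mismatch does.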