[104578] in North American Network Operators' Group
Re: [NANOG] IOS rootkits
daemon@ATHENA.MIT.EDU (Deepak Jain)
Mon May 19 15:55:57 2008
Date: Mon, 19 May 2008 15:55:42 -0400
From: Deepak Jain <deepak@ai.net>
To: "Buhrmaster, Gary" <gtb@slac.stanford.edu>
In-Reply-To: <D0D0330CBD07114D85B70B784E80C2F20234C455@exch-mail2.win.slac.stanford.edu>
Cc: fx@recurity-labs.com, Sebastian Muniz <topo@coresecurity.com>,
nanog@merit.edu, Ivan Arce <ivan.arce@coresecurity.com>
Reply-To: deepak@ai.net
Errors-To: nanog-bounces@nanog.org
Buhrmaster, Gary wrote:
>> I understand *why* we are worried about rootkits on
>> individual servers.
>> On essentially "closed" platforms this isn't going to be
>> rocket science.
>> It may seem odd by today's BCPs, but booting up from "golden"
>> images via
>> write-protected hardware or TFTP or similar is pretty
>> straightforward
>
> Since today's bootstrap codes are in EEPROM (or
> equivalent), if you get "root" once, you can
> have "root" forever. Faking file system content
> (and real time replacing of code) is the core
> of any current (good) Linux/Mac/Windows rootkit.
> Cisco/Juniper/Force10/whatever is just another
> platform to do the same if you can replace the
> bootstrap. Modular IOS might even make it
> easier to do dynamic code insertion.
>
> There are platforms (Xbox?, Tivo?, etc.) that try
> to do cryptographic validation of the code they
> are loading. Network devices are not yet doing
> a true cryptographic validation as far as I know,
> although one could imagine that that might be a
> next step to protect against that specific threat
> (although I seem to recall that bypassing the Xbox
> validations only took a few months, so it is harder
> than it first appears to get right).
>
I think that is exactly the point. Once a box has been thoroughly
compromised, it's almost impossible to bring it back to a "known, good"
state without a complete (reformat). In the case of embedded HW, that
may include wiping/rewriting the EEPROMs to a known good state.
I don't think this is going to be outside of the purview of Network
Operators for very long, no matter what the case.
Anti-virii and such are somewhat interesting in the end-system model,
but when downtimes need to be scheduled significantly in advance for
network operations you either a) prevent infection by much tighter
controls at the get-go or b) provide a high-trust way to keep the
systems in a known good-state. This, of course, assumes true "bugs" are
kept to a minimum.
It does raise significant security concerns for those networks that have
employees/contractors/etc. with turnover that could leave a parting
"gift" in their respective networks. Changing passwords isn't really
sufficient anymore.
DJ
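The two ideas in this exchange, cryptographic validation of the code a device loads (Gary) and a high-trust way to keep a box in a known good state (Deepak), can be sketched as a boot-chain verifier. The Python below is an added example written for this archive page; it is not code from the thread, from Cisco, or from any vendor. The stage contents, the verification key and the manifest layout are all constructed for illustration, and the HMAC tag stands in for the asymmetric vendor signature a real secure-boot design would check with a public key held in immutable ROM.

```python
"""Added example: verify a device boot chain against a known-good manifest."""
import hashlib
import hmac

# Constructed sample boot stages; the bytes stand in for real bootstrap/image/config contents.
GOLDEN_STAGES = {
    "bootstrap": b"ROMMON bootstrap (constructed sample)",
    "ios_image": b"IOS system image (constructed sample)",
    "startup_config": b"hostname edge-1\n(constructed sample)",
}
BOOT_ORDER = ("bootstrap", "ios_image", "startup_config")

# Constructed verification key; models the vendor key a real loader would keep in ROM.
VERIFY_KEY = b"constructed-demo-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _manifest_body(digests: dict) -> bytes:
    # Canonical serialization so signer and verifier authenticate identical bytes.
    return "\n".join(f"{name}={digests[name]}" for name in BOOT_ORDER).encode()


def build_manifest(stages: dict, key: bytes) -> dict:
    """Hash each stage and tag the list; the tag stands in for a vendor signature."""
    digests = {name: sha256_hex(stages[name]) for name in BOOT_ORDER}
    tag = hmac.new(key, _manifest_body(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def manifest_authentic(manifest: dict, key: bytes) -> bool:
    """Reject a manifest an attacker rewrote to match a tampered image."""
    expected = hmac.new(key, _manifest_body(manifest["digests"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def verify_boot_chain(stages: dict, manifest: dict, key: bytes):
    """Check stages in boot order, halting at the first mismatch like a secure loader would.

    Returns (ok, log) so an operator can see exactly which stage failed.
    """
    log = []
    if not manifest_authentic(manifest, key):
        return False, ["manifest: tag mismatch, refusing to boot"]
    for name in BOOT_ORDER:
        actual = sha256_hex(stages.get(name, b""))
        if not hmac.compare_digest(actual, manifest["digests"][name]):
            log.append(f"{name}: hash mismatch, halting boot")
            return False, log
        log.append(f"{name}: verified")
    return True, log


# The "golden" manifest an operator would produce once from a trusted image set.
GOLDEN_MANIFEST = build_manifest(GOLDEN_STAGES, VERIFY_KEY)


if __name__ == "__main__":
    print(verify_boot_chain(GOLDEN_STAGES, GOLDEN_MANIFEST, VERIFY_KEY))
    # A replaced bootstrap (the "root forever" case above) fails at the very first stage.
    tampered = dict(GOLDEN_STAGES, bootstrap=b"modified bootstrap (constructed)")
    print(verify_boot_chain(tampered, GOLDEN_MANIFEST, VERIFY_KEY))
    # Rewriting the manifest to match the tampered image fails without the key.
    forged = build_manifest(tampered, b"attacker has no vendor key")
    print(verify_boot_chain(tampered, forged, VERIFY_KEY))
```

The check only helps if the code performing it, and the key it trusts, live somewhere the attacker cannot rewrite; if the verifier sits in the same field-writable EEPROM as the bootstrap, replacing the bootstrap replaces the check, which is the gap Gary alludes to with the Xbox example. The same hash-against-manifest comparison can also be run off-box as a periodic operator audit, which is one concrete form of the "high-trust way to keep the systems in a known good-state" Deepak asks for, since it detects drift between scheduled maintenance windows.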
_______________________________________________
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog