[167814] in North American Network Operators' Group
Re: NSA able to compromise Cisco, Juniper, Huawei switches
daemon@ATHENA.MIT.EDU (shawn wilson)
Mon Dec 30 13:35:57 2013
In-Reply-To: <01e201cf058b$679dedb0$36d9c910$@hathcock.org>
From: shawn wilson <ag4ve.us@gmail.com>
Date: Mon, 30 Dec 2013 13:35:15 -0500
To: Lorell Hathcock <lorell@hathcock.org>
Cc: North American Network Operators Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, Dec 30, 2013 at 1:17 PM, Lorell Hathcock <lorell@hathcock.org> wrote:
> NANOG:
>
> Here's the really scary question for me.
>
> Would it be possible for NSA-payload traffic that originates on our private
> networks that is destined for the NSA to go undetected by our IDS systems?
>
Yup. Absolutely. Without a doubt.
> For example, tcpdump-based IDS systems like Snort have been rooted to ignore
> or not report packets going back to the NSA? Or netflow on Cisco devices
> not reporting NSA traffic? Or interface traffic counters discarding
> NSA-packets to report that there is no usage on the interface when in fact
> there is?
>
Do you detect 100% of malware in your IDS? Why would anyone need to do
anything with your IDS? Craft a PDF, DOC, Java, Flash, or anything
else that can run code that people download all the time, with a payload
of unknown signature. This isn't really a network discussion. This is
just to say - I seriously doubt there's anything wrong with your IDS;
don't skin a cat with a flame thrower, it just doesn't need to be that
hard.
> Here's another question. What traffic do we look for on our networks that
> would be going to the NSA?
>
Standard HTTPS on port 443, maybe? That's how I'd send it. If you need
to send something bigger than normal, maybe compromise the email
server and have a few people send off some 5-10 meg messages?
Depends on your normal user base. If you've got a big, complex user
base, it's not hard to stay under the radar. Google 'Mandiant APT1'
for some really good reading.
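The point in the reply above about a big, complex user base making it easy to stay under the radar can be shown with a small per-host volume baseline over flow records. The following is an added example, not code from the post, from NANOG, or from any vendor's NetFlow tooling. The flow records are constructed for illustration, and the field names (src, dst, dport, bytes) are an assumption rather than any collector's real export schema. It sums outbound bytes to external hosts on port 443 per internal source and flags hosts whose total sits more than k median absolute deviations above the median; the same 52 MB sender is obvious in a small, uniform office and invisible in a campus where users vary by two orders of magnitude.

```python
"""Baseline outbound HTTPS volume per internal host from flow records.

Added example, not code from the NANOG post or from any vendor's
NetFlow tooling. The flow records below are constructed for
illustration; the field names (src, dst, dport, bytes) are an
assumption, not a real collector's export format.
"""
from collections import defaultdict
from statistics import median

MB = 1_000_000


def flow(src, dst, dport, nbytes):
    """Build one flow record (constructed sample data)."""
    return {"src": src, "dst": dst, "dport": dport, "bytes": nbytes}


def outbound_bytes_by_host(flows, dport=443, internal_prefix="10."):
    """Sum bytes each internal host sent to external hosts on `dport`.
    Internal-to-internal flows and other ports are ignored."""
    totals = defaultdict(int)
    for f in flows:
        internal_src = f["src"].startswith(internal_prefix)
        external_dst = not f["dst"].startswith(internal_prefix)
        if f["dport"] == dport and internal_src and external_dst:
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def flag_outliers(totals, k=5.0):
    """Flag hosts whose outbound volume exceeds median + k * MAD.
    Median/MAD are used instead of mean/stddev so one huge sender
    cannot drag the baseline up and hide itself. Returns a sorted
    list of (host, bytes)."""
    if len(totals) < 3:
        return []
    vals = list(totals.values())
    med = median(vals)
    mad = median(abs(v - med) for v in vals) or 1.0  # all-equal guard
    return sorted((h, b) for h, b in totals.items() if (b - med) / mad > k)


# Constructed case 1: a small office with uniform browsing habits.
# 10.0.0.5 pushes ~52 MB out on 443, far outside its peers.
SMALL_OFFICE = [
    flow("10.0.0.1", "203.0.113.10", 443, 2 * MB),
    flow("10.0.0.2", "203.0.113.11", 443, 2_500_000),
    flow("10.0.0.3", "203.0.113.12", 443, 1_800_000),
    flow("10.0.0.4", "203.0.113.13", 443, 2_200_000),
    flow("10.0.0.4", "10.0.0.200", 443, 900 * MB),   # internal backup: ignored
    flow("10.0.0.5", "203.0.113.14", 443, 52 * MB),   # the exfil host
]

# Constructed case 2: a large campus with wildly varying users
# (video calls, cloud backups). The same 52 MB sender lands at the median.
_BIG_VOLUMES_MB = [3, 8, 15, 22, 30, 45, 60, 75, 90, 110, 140, 180]
BIG_CAMPUS = [
    flow(f"10.1.0.{i + 1}", "198.51.100.7", 443, v * MB)
    for i, v in enumerate(_BIG_VOLUMES_MB)
] + [flow("10.1.0.99", "203.0.113.14", 443, 52 * MB)]  # the exfil host


def alerts(flows):
    """Convenience wrapper: baseline, then flag."""
    return flag_outliers(outbound_bytes_by_host(flows))


if __name__ == "__main__":
    print("small office:", alerts(SMALL_OFFICE))   # [('10.0.0.5', 52000000)]
    print("big campus:  ", alerts(BIG_CAMPUS))     # []
```

In the office case the median is 2.2 MB and the MAD 0.3 MB, so the 52 MB host scores about 166 deviations out. In the campus case the median is 52 MB and the MAD 37 MB; the largest legitimate user only scores about 3.5, and the exfil host scores zero. Pure volume baselining is therefore only as good as the homogeneity of the population it is measured against, which is the reply's point; narrowing the population (per role, per subnet) or adding a second dimension such as destination popularity is what makes the same technique useful on a large network.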