[167843] in North American Network Operators' Group


Re: NSA able to compromise Cisco, Juniper, Huawei switches

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Mon Dec 30 21:00:50 2013

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: "nanog@nanog.org list" <nanog@nanog.org>
Date: Tue, 31 Dec 2013 02:00:17 +0000
In-Reply-To: <CAD7smbi63E2=+eRS4=dOAA8K5meFcS_eAn7WTRi_CMZY-hg60g@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Dec 30, 2013, at 11:28 PM, Marco Teixeira <admin@marcoteixeira.com> wrote:

> I just wanted to say that any network professional that puts any equipment into production without securing it against the kind of
> issues mentioned so far (cisco/cisco, snmp private, etc) is negligent and should be fired on the spot.

Yes, but keep in mind that with near-infinite resources, one can go after internal machines used by network operations personnel, etc.

There are multiple things that network operators can and should do: prevent direct unauthorized configuration, prevent tampering with configuration-management systems, secure jump-off boxes, implement AAA with per-command auth and logging, monitor for config changes, etc.

Unfortunately, many network operators don't do all these various things, and so it's quite possible for an organization with time and resources to attack via a side-channel.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
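
An added example, not part of Dobbins' post or anything else in this thread: a small Python check covering two of the controls discussed above, config-change monitoring against a known-good baseline and flagging the weak defaults the thread names (cisco/cisco login, "private" SNMP community). The Cisco-style line syntax, the regexes and the two sample configs are assumptions constructed for the example.

```python
import difflib
import re

# Weak defaults called out in the thread (patterns are assumptions about IOS-style syntax).
WEAK_LINE_PATTERNS = {
    "default-login":   re.compile(r"^username\s+cisco\s.*\bcisco\s*$"),
    "snmp-rw-private": re.compile(r"^snmp-server community\s+private\s+RW\b"),
    "snmp-ro-public":  re.compile(r"^snmp-server community\s+public\s+RO\b"),
}
# Controls the post recommends (per-command authorization and accounting); absence is reported.
REQUIRED_LINE_PATTERNS = {
    "aaa-per-command": re.compile(r"^aaa authorization commands\s+15\s"),
    "aaa-accounting":  re.compile(r"^aaa accounting commands\s+15\s"),
}

def _meaningful(config):
    """Drop blank and '!' comment lines; IOS writes a save timestamp there, which is not drift."""
    return [l.rstrip() for l in config.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]

def weak_defaults(config):
    """Names of weak defaults present plus 'missing-<control>' for absent required lines."""
    lines = _meaningful(config)
    found = [n for n, p in WEAK_LINE_PATTERNS.items() if any(p.search(l) for l in lines)]
    missing = [n for n, p in REQUIRED_LINE_PATTERNS.items() if not any(p.search(l) for l in lines)]
    return sorted(found + ["missing-" + m for m in missing])

def config_drift(baseline, current):
    """(added, removed) lines relative to the baseline; authorized changes should update the baseline."""
    diff = list(difflib.unified_diff(_meaningful(baseline), _meaningful(current), lineterm="", n=0))
    added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
    removed = [l[1:] for l in diff if l.startswith("-") and not l.startswith("---")]
    return added, removed

# Constructed sample configs: the baseline is the reviewed known-good state.
BASELINE = """\
! Last configuration change at 10:00:00 UTC Mon Dec 30 2013
hostname edge1
aaa new-model
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
snmp-server community n3t-ro-secret RO 10
username netops privilege 15 secret 5 $1$constructed$hash
"""
CURRENT = """\
! Last configuration change at 02:00:00 UTC Tue Dec 31 2013
hostname edge1
aaa new-model
aaa authorization commands 15 default group tacacs+ local
snmp-server community n3t-ro-secret RO 10
snmp-server community private RW
username netops privilege 15 secret 5 $1$constructed$hash
username cisco privilege 15 password 0 cisco
"""

if __name__ == "__main__":
    print("weak defaults:", weak_defaults(CURRENT))
    print("drift (added, removed):", config_drift(BASELINE, CURRENT))
```

In practice the current config would be pulled over the out-of-band management path on a schedule and any non-empty drift or finding list raised as an alert, since the timestamp-only saves are already filtered out.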
