nanog mailing list archives
Re: [NANOG] IOS rootkits
From: Gadi Evron <ge () linuxbox org>
Date: Sat, 17 May 2008 06:10:23 -0500 (CDT)
On Sat, 17 May 2008, Suresh Ramasubramanian wrote:
> On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft <mmc () internode com au> wrote:
>> If the way of running this isn't out in the wild and it's actually dangerous then a pox on anyone who releases it, especially to gain publicity at the expense of network operators' sleep and well-being. May you never find a reliable route ever again.
>
> This needs fixing. It doesn't need publicity at security conferences till after Cisco gets presented this stuff first and asked to release an emergency patch.
I'd like to discuss:

1. What is it we are talking about.
2. Why it is serious.
3. What we can do to defend ourselves.

I'll be brief as this is not a briefing.

You are absolutely right on the sentiment, but miss the point on this particular issue. I agree with you that in most cases, software vulnerability issues should be resolved with the vendor first, especially where critical infrastructure is involved.

This is not only about exploiting a vulnerability. In this case it is the very realization that these issues exist (namely being able to run Trojan horses on IOS systems and/or hiding their presence) that we are discussing.

Router security, as far as most operators are concerned, includes the following issues: software version (now update), configuration, ACL and authentication (password) security. I include subjects such as BGP MD5 in configuration. These issues are indeed important and very neglected; after all, how many "0wned" routers can be found that respond to cisco/cisco?

The main difference here is that we are now at a cross-roads where the face of router security changes. It is the realization that:

1. A router is not a hardware device; it is an embedded device with a software operating system. As such it is as vulnerable to malware (wide-spreading--worm, or targeted--Trojan horse) as a Windows machine is.
2. There are no real tools today for us to be able to detect such malicious activity on a router; listing processes doesn't cut it.
3. What tools exist, which I hope to secure permission to discuss later on, are only from third parties.

This is not about fear mongering, it's about facing reality about how Cisco handles security threats to their customer base before such an issue becomes a public concern--namely, ignoring its very existence, at least as far as the public can see.

The point is, I don't want to rely on third parties for my router's security, even if I trust the said third party.

Gadi.
_______________________________________________ NANOG mailing list NANOG () nanog org http://mailman.nanog.org/mailman/listinfo/nanog