Malformed SNMP Packet log/trace

Eric Brandwine ericb at UU.NET
Wed Feb 27 03:44:04 UTC 2002


>>>>> "sd" == Sean Donelan <sean at donelan.com> writes:

sd> On Tue, 26 Feb 2002, Richard A Steenbergen wrote:
>> A lot of those protocols have people looking at them on a regular basis,
>> and they still manage to come up with obscure exploits no one else noticed
>> (ex: 23mb of buffer overflows to exploit telnetd).

sd> So what is the solution for a public network operator.  I attended
sd> a presentation last week where a Checkpoint reseller suggested the
sd> client needed to buy eight Checkpoint firewalls to protect a
sd> single web server.  I was impressed, what about the undercoating
sd> and scotchguard fabric protector.

That's actually a possibility, soon as they support OC-192 interfaces
;)

Stay away from the undercoating, but the ScotchGuard(tm) is definitely
worth it!

sd> Is it time to fall back in punt?  How would you architect a backbone if
sd> you could do it over?

Security is not about making things foolproof.  They'll always be able
to break you, no matter what you do.  Security is about assuming
acceptable risk, and mitigating unacceptable risk.

This whole recent mess has actually gone over fairly cleanly.  The
vast majority of public infrastructure seems to have been patched with
a fair amount of speed, and nobody's noticed any serious outages due
to it.  Apparently, the risk we assumed was acceptable, and when it
became unacceptable, it was mitigated quickly enough.

If I could do it over?  I'd get in my Tardis, and go back to 1969.
I'd teach everyone at DARPA how to spell security.  Loose source
route, IP options in general, ICMP address mask requests, all these
things should go away.

sd> Is the complexity  of SSH code worth the protection?  Or is it better
sd> never to access your routers through VTY ports, and always use an
sd> reverse-terminal server to the console from an out-of-band management
sd> LAN?

Console is slow, logs can easily DoS a 9600 baud line.  It only allows
one connection.  Good fallback point, operationally does not scale.

SSH is worth the protection, as reference implementations are
available, and it requires very little in the way of system support.
As long as in-band access to routers is required, SSH (or HTTPS or
IPSec) will be with us.  As time passes, the quality of the tools that
we have to work with improves, and our trust in them can grow.

The official answer is control plane separation.  This worked for the
PSTN, and it's the way the Internet will go, eventually.

ericb
-- 
Eric Brandwine     |  Things should be as simple as possible, but not simpler.
UUNetwork Security |
ericb at uu.net       |
+1 703 886 6038    |      - Albert Einstein
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E
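The reply above argues that loose source routing, IP options in general, and ICMP address mask requests should simply go away from a backbone, and the thread subject is a malformed packet trace. Below is an added example, written for this archive page and not code from the original post or its author, that shows what an edge filter for exactly those items looks like at the packet level: a small IPv4 header inspector that flags source-route and record-route options, ICMP address mask requests/replies, and malformed option fields, so a network operator can drop or log them. The sample packets are constructed inline (checksums are left as zero, and the addresses are placeholders); the verdict structure and function names are this example's own.

```python
import struct
from dataclasses import dataclass, field

IPPROTO_ICMP = 1
# IPv4 option type codes (RFC 791): end-of-list, no-op, record route,
# loose source route, strict source route.
OPT_EOL, OPT_NOP, OPT_RR, OPT_LSRR, OPT_SSRR = 0, 1, 7, 131, 137
# ICMP address mask request / reply types (RFC 950).
ICMP_ADDR_MASK_REQUEST, ICMP_ADDR_MASK_REPLY = 17, 18


@dataclass
class Verdict:
    """Filter decision for one packet, with human-readable reasons."""
    drop: bool
    reasons: list = field(default_factory=list)


def parse_ip_options(opts: bytes) -> list:
    """Return the option type codes present in an IPv4 options field.

    Raises ValueError on a truncated option or an impossible length,
    which the caller treats as a malformed packet.
    """
    i, types = 0, []
    while i < len(opts):
        t = opts[i]
        if t == OPT_EOL:          # end of option list, rest is padding
            break
        if t == OPT_NOP:          # single-byte no-op
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        types.append(t)
        i += length
    return types


def inspect(packet: bytes) -> Verdict:
    """Decide whether an IPv4 packet carries something the backbone
    should not forward: source/record route options, ICMP address
    mask traffic, or a header it cannot even parse."""
    if len(packet) < 20:
        return Verdict(True, ["short packet"])
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        return Verdict(True, ["not IPv4"])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        return Verdict(True, ["bad IHL"])

    reasons = []
    if ihl > 20:                  # options are present
        try:
            types = parse_ip_options(packet[20:ihl])
        except ValueError as err:
            return Verdict(True, [f"malformed options: {err}"])
        for t in types:
            if t in (OPT_LSRR, OPT_SSRR):
                reasons.append("source route option")
            elif t == OPT_RR:
                reasons.append("record route option")
            else:
                reasons.append(f"ip option {t}")

    proto = packet[9]
    if proto == IPPROTO_ICMP and len(packet) > ihl:
        icmp_type = packet[ihl]   # first byte of the ICMP header
        if icmp_type in (ICMP_ADDR_MASK_REQUEST, ICMP_ADDR_MASK_REPLY):
            reasons.append("icmp address mask")
    return Verdict(bool(reasons), reasons)


def build_ipv4(payload: bytes, proto: int, options: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet for testing (constructed sample data;
    header checksum left as zero, placeholder addresses)."""
    while len(options) % 4:       # options field is padded to 32-bit words
        options += bytes([OPT_EOL])
    ihl = (20 + len(options)) // 4
    total = 20 + len(options) + len(payload)
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total,
                      0, 0, 64, proto, 0, src, dst)
    return hdr + options + payload


# Constructed samples: a plain ICMP echo request, an echo request carrying a
# loose-source-route option, an address mask request, and an option field
# whose length byte is impossible.
SAMPLE_ECHO = build_ipv4(bytes([8, 0, 0, 0, 0, 0, 0, 0]), IPPROTO_ICMP)
SAMPLE_LSRR = build_ipv4(bytes([8, 0, 0, 0, 0, 0, 0, 0]), IPPROTO_ICMP,
                         options=bytes([OPT_LSRR, 7, 4, 10, 0, 0, 1]))
SAMPLE_MASK = build_ipv4(bytes([17, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]),
                         IPPROTO_ICMP)
SAMPLE_BROKEN = build_ipv4(b"", IPPROTO_ICMP, options=bytes([OPT_LSRR, 1, 0, 0]))

if __name__ == "__main__":
    for name, pkt in [("echo", SAMPLE_ECHO), ("lsrr", SAMPLE_LSRR),
                      ("mask", SAMPLE_MASK), ("broken", SAMPLE_BROKEN)]:
        v = inspect(pkt)
        print(f"{name:7s} drop={v.drop} reasons={v.reasons}")
```

The inspector deliberately fails closed on anything it cannot parse, which is the same posture the thread takes toward options nobody legitimately needs on a public backbone: the cost of dropping a rare, odd packet is small next to the cost of an unexpected parser path in a router.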
