[NANOG] IOS rootkits

Gadi Evron ge at linuxbox.org
Sat May 17 11:10:23 UTC 2008


On Sat, 17 May 2008, Suresh Ramasubramanian wrote:
> On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft
> <mmc at internode.com.au> wrote:
>> If the way of running this isn't out in the wild and it's actually
>> dangerous then a pox on anyone who releases it, especially to gain
>> publicity at the expense of network operators' sleep and well-being.
>> May you never find a reliable route ever again.
>
> This needs fixing. It doesn't need publicity at security conferences
> till after cisco gets presented this stuff first and asked to release
> an emergency patch.

I'd like to discuss:
1. What is it we are talking about.
2. Why it is serious.
3. What we can do to defend ourselves.

I'll be brief as this is not a briefing.

You are absolutely right on the sentiment, but miss the point on this 
particular issue. I agree with you that in most cases, software 
vulnerability issues should be resolved with the vendor first, especially 
where critical infrastructure is involved. This is not only about 
exploiting a vulnerability.

In this case it is the very realization that these issues exist 
(namely being able to run Trojan horses on IOS systems AND/or hiding their 
presence) that we are discussing.

Router security as far as most operators are concerned includes the 
following issues: software version (now update), configuration, ACL and 
authentication (password) security. I include subjects such as BGP MD5 in 
configuration.

These issues are indeed important and very neglected; after all, how many 
"0wned" routers can be found that respond to cisco/cisco?

The main difference here is that we are now at a crossroads where the 
face of router security changes. It is the realization that:

1. A router is not a hardware device, it is an embedded device with a 
software operating system. As such it is as vulnerable to malware 
(wide-spreading--worm, or targeted--Trojan horse) as a Windows machine 
is.

2. There are no real tools today for us to be able to detect such 
malicious activity on a router; listing processes doesn't cut it.

3. What tools exist, which I hope to secure permission to discuss later 
on, are only from third parties.

This is not about fear mongering, it's about facing the reality of how 
Cisco handles security threats to their customer base before such an issue 
becomes a public concern--namely, ignoring its very existence, at least as 
far as the public can see.

The point is, I don't want to rely on third parties for my router's 
security, even if I trust the said third party.

	Gadi.
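The post lists what router security usually means to operators today: software version, configuration, ACLs, authentication (including routers that still answer to cisco/cisco) and BGP MD5. Below is an added example of the kind of configuration audit a defender can script against those items; it is not code from the post, from NANOG or from Cisco. The sample configuration, the list of default credentials and the specific checks are all assumptions constructed for the example, and an audit like this covers only the configuration layer the post describes, not the Trojan/rootkit detection problem it says no tools exist for.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample IOS-style configuration (not from the post). It
# deliberately contains the weak settings the checks below look for.
SAMPLE_CONFIG = """\
version 12.4
hostname edge1
!
enable password letmein
username cisco password 0 cisco
username ops secret 5 $1$abcd$placeholderhash
!
ip access-list standard MGMT
 permit 192.0.2.0 0.0.0.255
!
router bgp 64496
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 password 7 0822455D0A16
 neighbor 203.0.113.9 remote-as 64498
!
line vty 0 4
 transport input telnet
line vty 5 15
 access-class MGMT in
 transport input ssh
!
end
"""

# Assumed list of well-known default username/password pairs to flag.
DEFAULT_CREDS = {("cisco", "cisco"), ("admin", "admin")}


def _stanzas(lines: List[str], prefix: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (header, body) for each top-level stanza whose header starts
    with `prefix`; the body is the run of indented lines that follows."""
    i = 0
    while i < len(lines):
        if lines[i].startswith(prefix):
            header, body = lines[i].strip(), []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield header, body
        else:
            i += 1


def audit_ios_config(config: str) -> List[str]:
    """Return a list of human-readable findings for the weak settings the
    post enumerates: passwords, management ACLs and BGP MD5."""
    findings: List[str] = []
    lines = config.splitlines()

    # Authentication: reversible enable password, plaintext/type-7 user
    # passwords, and default credentials.
    for line in lines:
        if line.startswith("enable password"):
            findings.append("enable password used instead of enable secret")
        m = re.match(r"^username (\S+) password(?: (\d))? (\S+)$", line)
        if m:
            user, ptype, pw = m.group(1), m.group(2) or "0", m.group(3)
            if ptype == "0" and (user, pw) in DEFAULT_CREDS:
                findings.append(f"default credential {user}/{pw}")
            elif ptype in ("0", "7"):
                findings.append(f"user {user}: type-{ptype} password is plaintext or reversible")

    # ACLs on management access: every vty block should carry an
    # access-class and should not accept telnet.
    for header, body in _stanzas(lines, "line vty"):
        if not any(b.startswith("access-class") for b in body):
            findings.append(f"{header}: no access-class restricting management sources")
        if any(b.startswith("transport input") and "telnet" in b for b in body):
            findings.append(f"{header}: telnet permitted (cleartext credentials)")

    # BGP MD5: each neighbor with a remote-as should also have a password.
    for header, body in _stanzas(lines, "router bgp"):
        peers, with_md5 = set(), set()
        for b in body:
            m = re.match(r"^neighbor (\S+) (remote-as|password)\b", b)
            if m:
                (with_md5 if m.group(2) == "password" else peers).add(m.group(1))
        for peer in sorted(peers - with_md5):
            findings.append(f"{header}: neighbor {peer} has no MD5 password")

    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` (the sample above stands in for one) to get the five findings the constructed config plants: the reversible enable password, the cisco/cisco account, the unfiltered telnet vty block and the BGP neighbor without MD5. Checks of this kind are cheap to add to a config-backup pipeline, but as the post stresses, a clean configuration says nothing about what is running in the image itself.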
