[NANOG] IOS rootkits
Deepak Jain
deepak at ai.net
Mon May 19 19:55:42 UTC 2008
Buhrmaster, Gary wrote:
>> I understand *why* we are worried about rootkits on
>> individual servers.
>> On essentially "closed" platforms this isn't going to be
>> rocket science.
>> It may seem odd by today's BCPs, but booting up from "golden"
>> images via
>> write-protected hardware or TFTP or similar is pretty
>> straightforward
>
> Since today's bootstrap codes are in EEPROM (or
> equivalent), if you get "root" once, you can
> have "root" forever. Faking file system content
> (and real time replacing of code) is the core
> of any current (good) Linux/Mac/Windows rootkit.
> Cisco/Juniper/Force10/whatever is just another
> platform to do the same if you can replace the
> bootstrap. Modular IOS might even make it
> easier to do dynamic code insertion.
>
> There are platforms (Xbox?, Tivo?, etc.) that try
> to do cryptographic validation of the code they
> are loading. Network devices are not yet doing
> a true cryptographic validation as far as I know,
> although one could imagine that that might be a
> next step to protect against that specific threat
> (although I seem to recall that bypassing the Xbox
> validations only took a few months, so it is harder
> than it first appears to get right).
>
I think that is exactly the point. Once a box has been thoroughly
compromised, it's almost impossible to bring it back to a "known, good"
state without a complete (reformat). In the case of embedded HW, that
may include wiping/rewriting the EEPROMs to a known good state.
I don't think this is going to be outside of the purview of Network
Operators for very long, no matter what the case.
Anti-virii and such are somewhat interesting in the end-system model,
but when downtimes need to be scheduled significantly in advance for
network operations you either a) prevent infection by much tighter
controls at the get-go or b) provide a high-trust way to keep the
systems in a known good-state. This, of course, assumes true "bugs" are
kept to a minimum.
It does raise significant security concerns for those networks that have
employees/contractors/etc with turn-over that could leave a parting
"gift" in their respective networks. Changing passwords isn't really
sufficient anymore.
DJ
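The thread's point is that an image check is only as trustworthy as the root of trust it runs from: a compromised bootstrap can lie about the file system, so the known-good digests (and the key that authenticates them) have to live off-box, on write-protected media or the operator's workstation. The following is an added example, not code from the thread or from any vendor; it uses a constructed HMAC key and constructed image blobs in place of a vendor-signed manifest and real IOS images, and verifies the manifest before trusting any digest in it.

```python
import hashlib
import hmac
import json

# Constructed demo key: in practice this stays on the operator's workstation
# (or write-protected media), never on the device being verified.
MANIFEST_KEY = b"constructed-demo-key-held-off-box"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(images: dict, key: bytes) -> dict:
    """Record known-good digests and tag the whole list with an HMAC."""
    digests = {name: sha256_hex(blob) for name, blob in images.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_image(name: str, candidate: bytes, manifest: dict, key: bytes) -> tuple:
    """Return (ok, reason). The manifest is checked before any digest in it is used."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return False, "manifest tampered or wrong key"
    good = manifest["digests"].get(name)
    if good is None:
        return False, "no known-good digest for " + name
    if not hmac.compare_digest(good, sha256_hex(candidate)):
        return False, "image digest mismatch"
    return True, "image matches known-good digest"


# Constructed stand-ins for boot and system images pulled from the device.
GOLDEN_IMAGES = {
    "demo-bootstrap.bin": b"\x7fBOOT constructed bootstrap image v1",
    "demo-system.bin": b"\x7fSYS  constructed system image v1",
}
MANIFEST = sign_manifest(GOLDEN_IMAGES, MANIFEST_KEY)

if __name__ == "__main__":
    # A one-byte change to the bootstrap image is enough to fail the check.
    modified = GOLDEN_IMAGES["demo-bootstrap.bin"] + b"\x90"
    print(verify_image("demo-bootstrap.bin", GOLDEN_IMAGES["demo-bootstrap.bin"], MANIFEST, MANIFEST_KEY))
    print(verify_image("demo-bootstrap.bin", modified, MANIFEST, MANIFEST_KEY))
```

Run the comparison from a host that fetched the image itself (for example the TFTP copy the box booted from), not from a checksum the device reports about itself.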