[NANOG] IOS rootkits

Deepak Jain deepak at ai.net
Mon May 19 19:55:42 UTC 2008

Buhrmaster, Gary wrote:
>> I understand *why* we are worried about rootkits on
>> individual servers.
>> On essentially "closed" platforms this isn't going to be
>> rocket science.
>> It may seem odd by today's BCPs, but booting up from "golden"
>> images via write-protected hardware or TFTP or similar is pretty
>> straightforward
> 
> Since today's bootstrap codes are in EEPROM (or
> equivalent), if you get "root" once, you can
> have "root" forever.  Faking file system content
> (and real time replacing of code) is the core
> of any current (good) Linux/Mac/Windows rootkit.
> Cisco/Juniper/Force10/whatever is just another
> platform to do the same if you can replace the
> bootstrap.  Modular IOS might even make it
> easier to do dynamic code insertion.
> 
> There are platforms (Xbox?, Tivo?, etc.) that try
> to do cryptographic validation of the code they
> are loading.  Network devices are not yet doing
> a true cryptographic validation as far as I know,
> although one could imagine that that might be a
> next step to protect against that specific threat
> (although I seem to recall that bypassing the Xbox
> validations only took a few months, so it is harder
> than it first appears to get right).
> 

I think that is exactly the point. Once a box has been thoroughly 
compromised, it's almost impossible to bring it back to a "known, good" 
state without a complete (reformat). In the case of embedded HW, that 
may include wiping/rewriting the EEPROMs to a known good state.

I don't think this is going to be outside of the purview of Network 
Operators for very long, no matter what the case.

Anti-virii and such are somewhat interesting in the end-system model, 
but when downtimes need to be scheduled significantly in advance for 
network operations you either a) prevent infection by much tighter 
controls at the get-go or b) provide a high-trust way to keep the 
systems in a known good state. This, of course, assumes true "bugs" are 
kept to a minimum.

It does raise significant security concerns for those networks that have 
employees/contractors/etc. with turnover that could leave a parting 
"gift" in their respective networks. Changing passwords isn't really 
sufficient anymore.

DJ
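The thread's two threads of argument, cryptographic validation of the code a device loads and a high-trust way to keep systems in a known good state, can be illustrated with a golden-image manifest check. The block below is an added example and is not code from any post in this thread or from any vendor; the image contents, region names and digests are constructed for the demo, and a real deployment would sign the manifest and keep it on write-protected media.

```python
"""Golden-image verification for a device's boot regions (added example).

A manifest of SHA-256 digests is built offline from trusted images. At boot
(or during an audit) each region the device loads is hashed and compared
against the manifest; any mismatch, unknown region or missing region blocks
boot rather than being logged and ignored.
"""
import hashlib
import hmac

# Constructed sample images; real bootstrap and OS images are large binaries.
GOLDEN_BOOTSTRAP = b"constructed bootstrap (EEPROM) blob v1.0"
GOLDEN_OS_IMAGE = b"constructed OS image payload\x00" * 64


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image region."""
    return hashlib.sha256(data).hexdigest()


# Manifest computed from the trusted images. In practice this is produced on a
# separate trusted host, signed, and stored where the device cannot rewrite it.
GOLDEN_MANIFEST = {
    "bootstrap": sha256_hex(GOLDEN_BOOTSTRAP),
    "os-image": sha256_hex(GOLDEN_OS_IMAGE),
}


def verify_image(name: str, data: bytes, manifest=GOLDEN_MANIFEST) -> str:
    """Return 'ok', 'tampered' or 'unknown' for a single region."""
    expected = manifest.get(name)
    if expected is None:
        return "unknown"  # a region we have no golden digest for
    actual = sha256_hex(data)
    # compare_digest gives a constant-time comparison; cheap habit to keep
    # even where the digests themselves are not secret.
    return "ok" if hmac.compare_digest(actual, expected) else "tampered"


def verify_boot_set(images: dict, manifest=GOLDEN_MANIFEST) -> dict:
    """Verify every region the device loads.

    Regions listed in the manifest but absent from `images` are reported as
    'missing': a region that was never checked is as dangerous as one that
    failed, since a modified bootstrap could simply skip presenting itself.
    """
    results = {name: verify_image(name, data, manifest)
               for name, data in images.items()}
    for name in manifest:
        if name not in images:
            results[name] = "missing"
    return results


def boot_allowed(results: dict) -> bool:
    """Only an all-'ok' result set permits boot."""
    return all(status == "ok" for status in results.values())


if __name__ == "__main__":
    clean = {"bootstrap": GOLDEN_BOOTSTRAP, "os-image": GOLDEN_OS_IMAGE}
    print(verify_boot_set(clean), boot_allowed(verify_boot_set(clean)))

    # A single-byte change in the bootstrap region is enough to fail the check.
    patched = dict(clean, bootstrap=GOLDEN_BOOTSTRAP[:-1] + b"!")
    print(verify_boot_set(patched), boot_allowed(verify_boot_set(patched)))
```

The caveat raised in the quoted message applies directly: a hash check is only as trustworthy as the code that performs it. If the bootstrap in EEPROM has already been replaced, it can report "ok" for anything, so the verifier has to run from something the attacker cannot rewrite (write-protected ROM, a hardware root of trust, or an out-of-band audit that reads the flash directly), which is why the thread treats rewriting the EEPROMs as part of restoring a known good state.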