NSA able to compromise Cisco, Juniper, Huawei switches

Dobbins, Roland rdobbins at arbor.net
Tue Dec 31 02:00:17 UTC 2013


On Dec 30, 2013, at 11:28 PM, Marco Teixeira <admin at marcoteixeira.com> wrote:

> I just wanted to say that any network professional that puts any equipment into production without securing it against the kind of
> issues mentioned so far (cisco/cisco, snmp private, etc) is negligent and should be fired on the spot.

Yes, but keep in mind that with near-infinite resources, one can go after internal machines used by network operations personnel, etc.

There are multiple things that network operators can and should do: prevent direct unauthorized configuration, prevent tampering with configuration-management systems, secure jump-off boxes, implement AAA with per-command auth and logging, monitor for config changes, etc.

Unfortunately, many network operators don't do all these various things, and so it's quite possible for an organization with time and resources to attack via a side-channel.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
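As an added illustration of the "monitor for config changes" point above (example code written for this edit, not from the thread or any vendor), a small Python drift check that diffs a device's current config against an approved baseline and raises severity for the weak defaults Marco named (cisco/cisco, SNMP "private") and for any dropped AAA line. The configs, hostnames and community strings are constructed samples.

```python
import difflib
import re

# Constructed IOS-style samples (not from any real device): approved baseline vs. later snapshot.
BASELINE = """\
hostname edge-rtr1
username netops privilege 15 secret 5 $1$PLACEHOLDER
snmp-server community Xk9-readonly RO 10
aaa new-model
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
"""
SNAPSHOT = """\
hostname edge-rtr1
username netops privilege 15 secret 5 $1$PLACEHOLDER
username cisco privilege 15 password 0 cisco
snmp-server community Xk9-readonly RO 10
snmp-server community private RW
aaa new-model
aaa authorization commands 15 default group tacacs+ local
"""

# The weak defaults named in the thread (cisco/cisco, SNMP "private"/"public").
WEAK_DEFAULTS = [
    (re.compile(r"^username cisco .*password"), "default cisco/cisco credential"),
    (re.compile(r"^snmp-server community (public|private)\b"), "well-known SNMP community"),
]

def config_diff(baseline, snapshot):
    """Return (added, removed) lines between two config snapshots."""
    added, removed = [], []
    for line in difflib.unified_diff(baseline.splitlines(), snapshot.splitlines(),
                                     lineterm="", n=0):
        if line[:3] in ("---", "+++") or line.startswith("@@"):
            continue  # skip unified-diff headers, keep only changed lines
        (added if line[0] == "+" else removed).append(line[1:])
    return added, removed

def audit(baseline, snapshot):
    """Flag drift; weak defaults and any dropped 'aaa' line are HIGH severity."""
    findings = []
    added, removed = config_diff(baseline, snapshot)
    for line in added:
        why = next((w for pat, w in WEAK_DEFAULTS if pat.search(line)), None)
        findings.append(("HIGH", f"{why}: {line}") if why else ("INFO", f"added: {line}"))
    for line in removed:
        findings.append(("HIGH" if line.startswith("aaa ") else "INFO", f"removed: {line}"))
    return findings
```

Run `audit(BASELINE, SNAPSHOT)` on a scheduled pull of each device's running config; an unchanged device yields an empty list, so anything returned is worth a ticket.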

