On Tue, Dec 31, 2013 at 5:38 AM, Sabri Berisha <sabri@cluecentral.net>wrote:
Hi Roland.
I don't know much about Juniper gear, but it appears that the Juniper boxes listed are similar in nature, albeit running FreeBSD underneath (correction welcome).
With most Juniper gear, it is actually quite difficult to achieve wire-tapping on a large scale using something as simple as a backdoor in the BIOS.
Assuming M/MX/T series, you are correct that the foundation of the control-plane is a FreeBSD-based kernel. However, that control-plane talks to a forwarding-plane (PFE). The PFE runs Juniper designed ASICs (which differ per platform and sometimes per line-card). In general, transit-traffic (traffic that enters the PFE and is not destined to the router itself), will not be forwarded via the control-plane. This means that whatever the backdoor is designed to do, simply can not touch the traffic. There are a few exceptions, such as a carefully crafted backdoor capable of altering the next-hop database (the PFEs forwarding table) and mirroring traffic. This however, would mean that the network would already have to be compromised. Another option would be to duplicate target traffic into a tunnel (GRE or IPIP based for example), but that would certainly have a noticeable affect on the performance, if it is possible to perform those operations at all on the target chipset.
From my experience with Juniper, you can actually tell the PFEs to do quite a lot to the packets that flow through the router, I would imagine that
You would just need an entry-point into the system, nothing fancy at first. programmatically you can tell the router to mirror packets which match a certain criteria (source, destination, ports, protocol) to a chosen destination and it would not get noticed by the NOC monitoring systems (it may not even blip on the throughput graphs)
However, attempting any of the limited attacks that I can think of would require expert-level knowledge of not just the overall architecture, but also of the microcode that runs on the specific PFE that the attacker would target, as well as the ability to partially rewrite that. Furthermore, to embed such a sophisticated attack in a BIOS would seem impossible to me with the first reason being the limited amount of storage available on the EEPROM to store all that binary code.
All you need is a hook into the system and load your code, the main payload can be easily downloaded from the internet.
An attack based on corrupted firmware loaded post-manufacturing would also be difficult due to the signed binaries and microcode. If someone were to embed a backdoor it is extremely difficult without Juniper's cooperation. And the last time I looked at the code (I left Juniper a few months ago), I saw nothing that would indicate a backdoor of any kind.
Who checks the binaries when they are loaded when the OS boots up ? :)