On Sat, 17 May 2008, Suresh Ramasubramanian wrote:
On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft <mmc@internode.com.au> wrote:
If the way of running this isn't out in the wild and it's actually dangerous then a pox on anyone who releases it, especially to gain publicity at the expense of network operators' sleep and well being. May you never find a reliable route ever again.
This needs fixing. It doesn't need publicity at security conferences till after Cisco gets presented this stuff first and asked to release an emergency patch.
I'd like to discuss:

1. What is it we are talking about.
2. Why it is serious.
3. What we can do to defend ourselves.

I'll be brief as this is not a briefing.

You are absolutely right on the sentiment, but miss the point on this particular issue. I agree with you that in most cases, software vulnerability issues should be resolved with the vendor first, especially where critical infrastructure is involved.

This is not only about exploiting a vulnerability. In this case it is the very realization that these issues exist (namely being able to run Trojan horses on IOS systems and/or hiding their presence) that we are discussing.

Router security as far as most operators are concerned includes the following issues: software version (now update), configuration, ACL and authentication (password) security. I include subjects such as BGP MD5 in configuration. These issues are indeed important and very neglected; after all, how many "0wned" routers can be found that respond to cisco/cisco?

The main difference here is that we are now at a crossroads where the face of router security changes. It is the realization that:

1. A router is not a hardware device, it is an embedded device with a software operating system. As such it is as vulnerable to malware (wide-spreading--worm, or targeted--Trojan horse) as a Windows machine is.
2. There are no real tools today for us to be able to detect such malicious activity on a router; listing processes doesn't cut it.
3. What tools exist, which I hope to secure permission to discuss later on, are only from third parties.

This is not about fear mongering, it's about facing reality about how Cisco handles security threats to their customer base before such an issue becomes a public concern--namely, ignoring its very existence, at least as far as the public can see.

The point is, I don't want to rely on third parties for my router's security, even if I trust the said third party.

Gadi.