Buhrmaster, Gary wrote:
I understand *why* we are worried about rootkits on individual servers. On essentially "closed" platforms this isn't going to be rocket science. It may seem odd by today's BCPs, but booting up from "golden" images via write-protected hardware or TFTP or similar is pretty straightforward.
Since today's bootstrap codes are in EEPROM (or equivalent), if you get "root" once, you can have "root" forever. Faking file system content (and real-time replacing of code) is the core of any current (good) Linux/Mac/Windows rootkit. Cisco/Juniper/Force10/whatever is just another platform to do the same if you can replace the bootstrap. Modular IOS might even make it easier to do dynamic code insertion.
There are platforms (Xbox?, Tivo?, etc.) that try to do cryptographic validation of the code they are loading. Network devices are not yet doing a true cryptographic validation as far as I know, although one could imagine that that might be a next step to protect against that specific threat (although I seem to recall that bypassing the Xbox validations only took a few months, so it is harder than it first appears to get right).
I think that is exactly the point. Once a box has been thoroughly compromised, it's almost impossible to bring it back to a "known, good" state without a complete reformat. In the case of embedded HW, that may include wiping/rewriting the EEPROMs to a known good state. I don't think this is going to be outside of the purview of Network Operators for very long, no matter what the case. Anti-virus and such are somewhat interesting in the end-system model, but when downtimes need to be scheduled significantly in advance for network operations you either a) prevent infection by much tighter controls at the get-go or b) provide a high-trust way to keep the systems in a known good state. This, of course, assumes true "bugs" are kept to a minimum. It does raise significant security concerns for those networks that have employees/contractors/etc. with turnover that could leave a parting "gift" in their respective networks. Changing passwords isn't really sufficient anymore.

DJ
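The two ideas the thread circles around, cryptographic validation of the code a device loads and recovery to a "golden" known-good image, can be shown in a few dozen lines. The following is an added example, not code from this thread or from any vendor's bootloader. It assumes a hypothetical image container (magic `SBIM`, a 4-byte length, the payload, then an Ed25519 signature over header plus payload) and a hypothetical two-slot boot selection; the firmware bytes and keys are constructed inline. The point it demonstrates is the failure-mode handling the posters care about: a tampered or unsigned image is refused outright rather than booted with a warning, and the bootloader falls back to the write-protected golden slot.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical container layout assumed for this example (not a real vendor format):
//   "SBIM" (4) | payload length, big-endian (4) | payload | Ed25519 signature (64)
// The signature covers magic + length + payload, so length tampering is also caught.
const magic = "SBIM"
const hdrLen = 8

var errBadImage = errors.New("image rejected: malformed or signature invalid")

// SignImage wraps payload into the container and signs header+payload with priv.
// In a real deployment this runs in the vendor's/operator's build pipeline, never on the box.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], uint32(len(payload)))
	signed := append(hdr, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage is the bootstrap-side check: it returns the payload only when the
// container is well formed and the signature verifies under the pinned public key.
// Any other outcome is a hard rejection; there is no "warn and boot anyway" path.
func VerifyImage(pub ed25519.PublicKey, blob []byte) ([]byte, error) {
	if len(blob) < hdrLen+ed25519.SignatureSize || string(blob[:4]) != magic {
		return nil, errBadImage
	}
	n := uint64(binary.BigEndian.Uint32(blob[4:hdrLen]))
	if n+hdrLen+ed25519.SignatureSize != uint64(len(blob)) {
		return nil, errBadImage // length field disagrees with what was actually flashed
	}
	signed, sig := blob[:hdrLen+n], blob[hdrLen+n:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, errBadImage
	}
	return signed[hdrLen:], nil
}

// MatchesGolden is the operator-side "known good state" check from the thread:
// compare the SHA-256 of what is on the device with the hash recorded for the golden image.
func MatchesGolden(blob []byte, golden [sha256.Size]byte) bool {
	return sha256.Sum256(blob) == golden
}

// SelectBootImage models a two-slot bootloader: try the writable primary slot first,
// then the write-protected golden slot. It returns which slot booted, or an error
// meaning "halt", if neither verifies. (Hypothetical policy, assumed for the example.)
func SelectBootImage(pub ed25519.PublicKey, slots [][]byte) (int, []byte, error) {
	for i, img := range slots {
		if payload, err := VerifyImage(pub, img); err == nil {
			return i, payload, nil
		}
	}
	return -1, nil, errors.New("no verifiable image in any slot; refusing to boot")
}

func main() {
	// Constructed keys and payload; a real device pins only the public key in ROM.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x07}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	payload := []byte("constructed firmware payload v1")

	golden := SignImage(priv, payload)
	goldenHash := sha256.Sum256(golden)

	// Simulate the "root once, root forever" case: an attacker rewrites the primary slot.
	primary := append([]byte(nil), golden...)
	primary[hdrLen+3] ^= 0x01

	slot, _, err := SelectBootImage(pub, [][]byte{primary, golden})
	fmt.Printf("booted slot %d, err=%v\n", slot, err)
	fmt.Printf("primary matches golden: %v, golden matches golden: %v\n",
		MatchesGolden(primary, goldenHash), MatchesGolden(golden, goldenHash))
}
```

The signature check alone does not help if the attacker can also rewrite the bootstrap that performs it, which is the thread's point: the verifier and the pinned public key have to live somewhere the compromised OS cannot write (mask ROM or a write-protected region), and the golden slot has to be protected the same way, or the recovery path is just another thing to backdoor.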