Re: NSA able to compromise Cisco, Juniper, Huawei switches

[shawn wilson <ag4ve.us () gmail com>]

On Mon, Dec 30, 2013 at 1:17 PM, Lorell Hathcock <lorell () hathcock org> wrote:
> NANOG:
>
> Here's the really scary question for me.
>
> Would it be possible for NSA-payload traffic that originates on our private
> networks that is destined for the NSA to go undetected by our IDS systems?

Yup. Absolutely. Without a doubt.

> For example tcpdump-based IDS systems like Snort has been rooted to ignore
> or not report packets going back to the NSA?  Or netflow on Cisco devices
> not reporting NSA traffic?  Or interface traffic counters discarding
> NSA-packets to report that there is no usage on the interface when in fact
> there is?

Do you detect 100% of malware in your IDS? Why would anyone need to do
anything with your IDS? Craft a PDF, DOC, Java, Flash, or anything
else that can run code that people download all the time with payload
of unknown signature. This isn't really a network discussion. This is
just to say - I seriously doubt there's anything wrong with your IDS -
don't skin a cat with a flame thrower, it just doesn't need to be that
hard.

> Here's another question.  What traffic do we look for on our networks that
> would be going to the NSA?

Standard https on port 443 maybe? That's how I'd send it. If you need
to send something bigger than normal, maybe compromise the email
server and have a few people send off some 5 - 10 meg messages?
Depends on your normal user base. If you've got a big, complex user
base, it's not hard to stay under the radar. Google 'Mandiant APT1'
for some real good reading.