nanog mailing list archives

Re: NSA able to compromise Cisco, Juniper, Huawei switches


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Tue, 31 Dec 2013 02:00:17 +0000


On Dec 30, 2013, at 11:28 PM, Marco Teixeira <admin () marcoteixeira com> wrote:

I just wanted to say that any network professional that puts any equipment into production without securing it against the kind of issues mentioned so far (cisco/cisco, snmp private, etc.) is negligent and should be fired on the spot.

Yes, but keep in mind that with near-infinite resources, one can go after internal machines used by network operations 
personnel, etc.

There are multiple things that network operators can and should do: prevent direct unauthorized configuration, prevent tampering with configuration-management systems, secure jump-off boxes, implement AAA with per-command authorization and logging, monitor for config changes, etc.

Unfortunately, many network operators don't do all these various things, and so it's quite possible for an organization 
with time and resources to attack via a side-channel.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton
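The reply above closes its list with monitoring for config changes and per-command AAA logging. As an added example (not part of the thread), this Python check diffs a running-config snapshot against the golden copy held by the configuration-management system and flags every change that no per-command accounting record explains; the config lines and accounting records are constructed, and the accounting-log format is an assumed, simplified one rather than any vendor's.

```python
"""Flag config changes that bypassed the audited CLI path (added example)."""

# Constructed golden config (what the config-management system believes is deployed).
GOLDEN = """\
hostname edge-rtr-1
snmp-server community monitorRO RO 10
line vty 0 4
 transport input ssh
"""

# Constructed running config pulled from the device: one extra RW community string.
RUNNING = """\
hostname edge-rtr-1
snmp-server community monitorRO RO 10
snmp-server community private RW
line vty 0 4
 transport input ssh
"""

# Constructed per-command accounting records in an assumed "user=... cmd=..." format.
AAA_LOG = [
    "user=alice cmd=show running-config",
    "user=alice cmd=configure terminal",
]


def config_diff(golden, running):
    """Return (added, removed) non-blank lines; order-insensitive set comparison."""
    g = {l.rstrip() for l in golden.splitlines() if l.strip()}
    r = {l.rstrip() for l in running.splitlines() if l.strip()}
    return sorted(r - g), sorted(g - r)


def accounted(command, aaa_log):
    """True if some accounting record shows exactly this command being entered."""
    cmds = {rec.split("cmd=", 1)[1].strip() for rec in aaa_log if "cmd=" in rec}
    return command.strip() in cmds


def unaccounted_changes(golden, running, aaa_log):
    """Changes with no matching accounting record: added lines must appear as an
    entered command, removed lines as their 'no ...' form."""
    added, removed = config_diff(golden, running)
    findings = [("added", l.strip()) for l in added if not accounted(l, aaa_log)]
    findings += [("removed", l.strip()) for l in removed
                 if not accounted("no " + l.strip(), aaa_log)]
    return findings


if __name__ == "__main__":
    for kind, line in unaccounted_changes(GOLDEN, RUNNING, AAA_LOG):
        print(f"UNACCOUNTED {kind}: {line}")
```

A change that shows up here but not in the AAA trail did not come in through the audited CLI, which is exactly the side-channel case the reply describes.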
