nanog mailing list archives

Re: NSA able to compromise Cisco, Juniper, Huawei switches


From: Sabri Berisha <sabri () cluecentral net>
Date: Mon, 30 Dec 2013 19:38:12 -0800 (PST)

Hi Roland.

> I don't know much about Juniper gear, but it appears that the Juniper boxes listed are similar in nature,
> albeit running FreeBSD underneath (correction welcome).

With most Juniper gear, it is actually quite difficult to achieve wire-tapping on a large scale using something as 
simple as a backdoor in the BIOS.

Assuming M/MX/T series, you are correct that the foundation of the control-plane is a FreeBSD-based kernel. However, 
that control-plane talks to a forwarding-plane (PFE). The PFE runs Juniper-designed ASICs (which differ per platform 
and sometimes per line-card). In general, transit traffic (traffic that enters the PFE and is not destined to the 
router itself) will not be forwarded via the control-plane. This means that whatever the backdoor is designed to do, it 
simply cannot touch the traffic. There are a few exceptions, such as a carefully crafted backdoor capable of altering 
the next-hop database (the PFE's forwarding table) and mirroring traffic. This, however, would mean that the network 
would already have to be compromised. Another option would be to duplicate target traffic into a tunnel (GRE or IPIP 
based, for example), but that would certainly have a noticeable effect on the performance, if it is possible to perform 
those operations at all on the target chipset. 

However, attempting any of the limited attacks that I can think of would require expert-level knowledge of not just the 
overall architecture, but also of the microcode that runs on the specific PFE that the attacker would target, as well 
as the ability to partially rewrite that. Furthermore, to embed such a sophisticated attack in a BIOS would seem 
impossible to me, with the first reason being the limited amount of storage available on the EEPROM to store all that 
binary code. 

An attack based on corrupted firmware loaded post-manufacturing would also be difficult due to the signed binaries and 
microcode. If someone were to embed a backdoor, it would be extremely difficult without Juniper's cooperation. And the 
last time I looked at the code (I left Juniper a few months ago), I saw nothing that would indicate a backdoor of any 
kind. 

-- 
Thanks,

Sabri
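The one attack path the post above concedes, a forwarding-table next hop that the control plane never installed (for
instance a copy of the target traffic pushed into a GRE tunnel), is something an operator can look for from the routing
engine. The script below is an added example and is not part of the post or of any Juniper tooling: it parses
abbreviated `show route` (RIB) and `show route forwarding-table` (FIB) text in the Junos CLI layout, which is assumed
here, and reports next hops that exist on only one side. The prefixes, addresses, interfaces and the planted second
unicast member on gr-0/0/0.0 are constructed sample data.

```python
"""RIB-vs-FIB consistency check over constructed Junos CLI output.

Added example, not from the mailing-list post. The text layout of `show route`
and `show route forwarding-table` is assumed; all sample data is constructed.
"""
import re

# Constructed sample of `show route` (RIB), active routes only.
RIB_SAMPLE = """\
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3d 02:11:43
                    > to 10.0.0.1 via ge-0/0/0.0
10.0.0.0/24        *[Direct/0] 3d 02:11:43
                    > via ge-0/0/0.0
192.0.2.0/24       *[BGP/170] 1d 04:22:10, localpref 100
                      AS path: 64496 I, validation-state: unverified
                    > to 10.0.0.1 via ge-0/0/0.0
198.51.100.0/24    *[OSPF/10] 12:03:55, metric 2
                    > to 10.0.1.2 via ge-0/0/1.0
"""

# Constructed sample of `show route forwarding-table`. The 198.51.100.0/24 entry
# carries a planted second unicast member via a GRE interface (gr-0/0/0.0)
# that the RIB never installed: this is the divergence the check must find.
FIB_SAMPLE = """\
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index    NhRef Netif
default            user     0 10.0.0.1           ucst   329     5 ge-0/0/0.0
10.0.0.0/24        intf     0                    rslv   328     1 ge-0/0/0.0
192.0.2.0/24       user     0 10.0.0.1           ucst   329     5 ge-0/0/0.0
198.51.100.0/24    user     0                    ulst  1048574  2
                              10.0.1.2           ucst   331     3 ge-0/0/1.0
                              172.16.9.1         ucst   340     1 gr-0/0/0.0
"""

_RIB_PREFIX = re.compile(r"^(\S+/\d+)\s+(\*?)\[")          # "prefix  *[Proto/pref]"
_RIB_INACTIVE = re.compile(r"^\s+\[")                       # non-selected route for same prefix
_RIB_HOP = re.compile(r"^\s+>?\s*(?:to (\S+) )?via (\S+)$")  # "> to GW via IFL" or "> via IFL"
_FIB_ROW = re.compile(
    r"^(\S+)\s+(\w+)\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)?\s*(\w+)\s+(\d+)\s+(\d+)\s*(\S+)?\s*$"
)
_FIB_MEMBER = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\s+(\w+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_rib(text):
    """Map prefix -> set of (gateway or None, interface) for the active route only."""
    routes, current = {}, None
    for line in text.splitlines():
        m = _RIB_PREFIX.match(line)
        if m:
            current = m.group(1) if m.group(2) == "*" else None
            if current:
                routes.setdefault(current, set())
            continue
        if _RIB_INACTIVE.match(line):
            current = None  # hops below belong to a route that is not forwarding
            continue
        m = _RIB_HOP.match(line)
        if m and current:
            routes[current].add((m.group(1), m.group(2)))
    return routes


def parse_fib(text):
    """Map prefix -> set of (gateway or None, interface) for forwarding entries."""
    entries, current = {}, None
    for line in text.splitlines():
        m = _FIB_ROW.match(line)
        if m:
            dst, nh, nhtype, netif = m.group(1), m.group(4), m.group(5), m.group(8)
            current = "0.0.0.0/0" if dst == "default" else dst
            hops = entries.setdefault(current, set())
            if nhtype != "ulst":  # a unilist is a container; its members follow indented
                hops.add((nh, netif))
            continue
        m = _FIB_MEMBER.match(line)
        if m and current:
            entries[current].add((m.group(1), m.group(5)))
    return entries


def compare(rib, fib):
    """Return {prefix: {"fib_only": [...], "rib_only": [...]}} for every divergence."""
    report = {}
    for prefix in sorted(set(rib) | set(fib)):
        rib_hops, fib_hops = rib.get(prefix, set()), fib.get(prefix, set())
        fib_only, rib_only = fib_hops - rib_hops, rib_hops - fib_hops
        if fib_only or rib_only:
            report[prefix] = {"fib_only": sorted(fib_only, key=str),
                              "rib_only": sorted(rib_only, key=str)}
    return report


def audit(rib_text=RIB_SAMPLE, fib_text=FIB_SAMPLE):
    """Run the full check; on a real box feed it the two captured CLI outputs."""
    return compare(parse_rib(rib_text), parse_fib(fib_text))


if __name__ == "__main__":
    for prefix, diff in audit().items():
        print(prefix)
        for gw, ifl in diff["fib_only"]:
            print(f"  forwarding entry the RIB never installed: via {gw or '-'} on {ifl}")
        for gw, ifl in diff["rib_only"]:
            print(f"  RIB next hop missing from forwarding table: via {gw or '-'} on {ifl}")
```

Two caveats when running this for real: entries for traffic to the router itself (receive, local and discard
next-hop types) have no RIB counterpart in this form and must be whitelisted, and the forwarding table printed by the
routing engine is the kernel's copy, so the check catches a next-hop database altered through the control plane, not
a PFE whose microcode reports one thing and forwards another.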

