nanog mailing list archives
Re: NSA able to compromise Cisco, Juniper, Huawei switches
From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 31 Dec 2013 19:40:04 +0100
* Randy Bush:
>> Clay Kossmeyer here from the Cisco PSIRT.
>
> shoveling kitty litter as fast as you can, eh?
>
> http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel
>
> "The article does not discuss or disclose any Cisco product vulnerabilities."
>
> this is disingenuous at best. from the nsa document copied in der spiegel and now many other places:
>
> "JETPLOW is a firmware persistence implant for Cisco PIX series and ASA firewalls ..."
There's a limit to what can reasonably be called a *product* vulnerability. If you physically plant a bug in a phone, does it exploit a vulnerability in the phone? I don't think so. Theoretically, the manufacturer could have filled it completely with glue. But the next step up is drilling out some of that to place the bug, and then you're looking at tamper evidence, and that's an extremely difficult matter.

Routers are expected to be modular, so it's difficult to avoid that they have exposed buses with something that approaches DMA capability. On-site debugging hooks through JTAG ports or similar might be essential to reduce downtime in case of severe problems, so I doubt one can get rid of them. Same for firmware downgrade and recovery options.

In the end, the defense has to be political, not technical. "We don't want to do this because it's wrong", and not "we can't do this because it's impossible". After all, what's possible can change very quickly.

Appeasement in the form of lawful intercept turned out to be a failure: even if you comply, it's likely that your own, domestic intelligence agencies consider your infrastructure, you and your colleagues legitimate targets.
Current thread:
- Re: NSA able to compromise Cisco, Juniper, Huawei switches, (continued)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Warren Bailey (Dec 30)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Jay Ashworth (Dec 30)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches William Waites (Dec 30)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Dobbins, Roland (Dec 30)
- RE: NSA able to compromise Cisco, Juniper, Huawei switches Warren Bailey (Dec 30)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Jeremy Bresley (Dec 30)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Warren Bailey (Dec 30)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Jeremy Bresley (Dec 30)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Clay Kossmeyer (Dec 30)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Randy Bush (Dec 30)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Sharif Torpis (Dec 30)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Florian Weimer (Dec 31)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Randy Bush (Dec 31)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Warren Bailey (Dec 31)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Jonathan Greenwood II (Dec 31)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Dobbins, Roland (Dec 31)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches sthaug (Dec 31)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Paul Ferguson (Dec 31)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Randy Bush (Dec 30)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Dobbins, Roland (Dec 31)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Warren Bailey (Dec 31)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Dobbins, Roland (Dec 31)
- Re: NSA able to compromise Cisco, Juniper, Huawei switches Randy Bush (Dec 31)