RE: Worms, Air Gaps and Responsibility

[Dana Nowell <DanaNowell () cornerstonesoftware com>]

On Wed, 12 May 2004 13:51:55 -0400 (EDT) Paul D. Robertson opined:
> On Wed, 12 May 2004, Claussen, Ken wrote:
>
> > Paul,
> > Even Cisco is not immune to the exploits.
>
> My point was that given the platform's ubiquity, we hadn't seen a worm-
> that doesn't mean it's not possible to do one, it means that it's not a
> given that ubiquity equates to common and automatic malcode exploitation.
>
> In fact, the point that we've had Cisco exploits in the past simply
> underlines the fact that ubiquity isn't the only driver for mass malcode
> exploits.

Come on Paul that's a skewed comparison.  I don't know about you but I do
not let any traffic arriving at the external router adapter 'talk to' the
router.  Sure it passes through but if 'you' go ahead and try telneting to
my external address, the ACL says NO! and logs the attempt (and I
frequently contact 'your' ISP).  

Now in the case of a web server, yup, that external traffic sure does make
a stop, at least on port 80.  So comparing a Cisco router's external public
interface with a web server's public interface is not necessarily fair.
The router is probably not exporting any services on the external interface
and the web server has to export at least one.  So you are comparing the
packet routing code in the router to all the code up through the web server
on the NT box.  

The router high level 'data entry' OS functions (add/change ACLs, change
router params, ...) are all frequently/usually ACL protected.  In THEORY
the low level routing functions have minimal code involved (need to be
fast) so the code base is MUCH smaller and MUCH more specialized and
'simpler' (no real input buffers to overflow as max TCP packet size is
fixed by spec, etc.).  

So while I agree that there are alot of Cicso boxes on the net, I think the
exposed code base is small, special, and reasonably free of UI/entry things
like buffer overflows and such due to function.  It is also unlikely that
large amounts of the packet switch code get rewritten with each release.
Given the small code base and the amount of 'unit hours' in the field, the
current level of packet switch code SHOULD be pretty good.  

Comparisons to code related to web servers where the UI stuff is always
changing and has more 'latest whizbang' toys in each release seems unfair.
If Cisco routers had publically available web interfaces they too might get
targeted more AND be broken more (for kudos).  

I think that ubiquity DOES increase 'targetability' (for lack of a better
term) but I agree that ubiquitousness alone is insufficient.  One of the
reasons to target Windows boxes over Cisco routers is SPAM.  I hack a
windows box (or linux, unix, or other desktop/server) I can eaisly use it
to send SPAM, a Cisco router is a bit less useful (not impossible, just
more complex) and lower usefulness lowers the 'targetability coefficient'.
I'd argue that boxes with equal 'ubiquity' start with an equal
'targetability coefficient' which is then adjusted based on end use (kudos,
spam, intel, ...) and 'breakability'.  Since Windows scores high in all
three categories, it becomes the 'industry leader'.  Cisco scores high in
the first category but low in the remaining categories.  IMO, Linux scores
a medium, medium-high, and a medium.  As Linux becomes more prevalent and
is run more often by 'Joe Sixpack', its targetability will increase.


-- 
Dana Nowell     Cornerstone Software Inc.
Voice: 603-595-7480 Fax: 603-882-7313
email: DanaNowell_at_CornerstoneSoftware.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards