Firewall Wizards mailing list archives
RE: Worms, Air Gaps and Responsibility
From: Dana Nowell <DanaNowell () cornerstonesoftware com>
Date: Thu, 13 May 2004 14:38:56 -0400
On Wed, 12 May 2004 13:51:55 -0400 (EDT) Paul D. Robertson opined:
On Wed, 12 May 2004, Claussen, Ken wrote:Paul, Even Cisco is not immune to the exploits.My point was that given the platform's ubiquity, we hadn't seen a worm- that doesn't mean it's not possible to do one, it means that it's not a given that ubiquity equates to common and automatic malcode exploitation. In fact, the point that we've had Cisco exploits in the past simply underlines the fact that ubiquity isn't the only driver for mass malcode exploits.
Come on Paul that's a skewed comparison. I don't know about you but I do not let any traffic arriving at the external router adapter 'talk to' the router. Sure it passes through but if 'you' go ahead and try telneting to my external address, the ACL says NO! and logs the attempt (and I frequently contact 'your' ISP). Now in the case of a web server, yup, that external traffic sure does make a stop, at least on port 80. So comparing a Cisco router's external public interface with a web server's public interface is not necessarily fair. The router is probably not exporting any services on the external interface and the web server has to export at least one. So you are comparing the packet routing code in the router to all the code up through the web server on the NT box. The router high level 'data entry' OS functions (add/change ACLs, change router params, ...) are all frequently/usually ACL protected. In THEORY the low level routing functions have minimal code involved (need to be fast) so the code base is MUCH smaller and MUCH more specialized and 'simpler' (no real input buffers to overflow as max TCP packet size is fixed by spec, etc.). So while I agree that there are alot of Cicso boxes on the net, I think the exposed code base is small, special, and reasonably free of UI/entry things like buffer overflows and such due to function. It is also unlikely that large amounts of the packet switch code get rewritten with each release. Given the small code base and the amount of 'unit hours' in the field, the current level of packet switch code SHOULD be pretty good. Comparisons to code related to web servers where the UI stuff is always changing and has more 'latest whizbang' toys in each release seems unfair. If Cisco routers had publically available web interfaces they too might get targeted more AND be broken more (for kudos). I think that ubiquity DOES increase 'targetability' (for lack of a better term) but I agree that ubiquitousness alone is insufficient. One of the reasons to target Windows boxes over Cisco routers is SPAM. I hack a windows box (or linux, unix, or other desktop/server) I can eaisly use it to send SPAM, a Cisco router is a bit less useful (not impossible, just more complex) and lower usefulness lowers the 'targetability coefficient'. I'd argue that boxes with equal 'ubiquity' start with an equal 'targetability coefficient' which is then adjusted based on end use (kudos, spam, intel, ...) and 'breakability'. Since Windows scores high in all three categories, it becomes the 'industry leader'. Cisco scores high in the first category but low in the remaining categories. IMO, Linux scores a medium, medium-high, and a medium. As Linux becomes more prevalent and is run more often by 'Joe Sixpack', its targetability will increase. -- Dana Nowell Cornerstone Software Inc. Voice: 603-595-7480 Fax: 603-882-7313 email: DanaNowell_at_CornerstoneSoftware.com _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: Worms, Air Gaps and Responsibility, (continued)
- RE: Worms, Air Gaps and Responsibility Melson, Paul (May 07)
- Re: Worms, Air Gaps and Responsibility Adam Shostack (May 07)
- Message not available
- RE: Worms, Air Gaps and Responsibility Marcus J. Ranum (May 07)
- RE: Worms, Air Gaps and Responsibility Melson, Paul (May 07)
- Re[2]: Worms, Air Gaps and Responsibility Jean-Denis Gorin (May 07)
- RE: Worms, Air Gaps and Responsibility Mike McNutt (May 10)
- RE: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 10)
- RE: Worms, Air Gaps and Responsibility Victor Williams (May 11)
- RE: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 10)
- RE: Worms, Air Gaps and Responsibility Claussen, Ken (May 12)
- RE: Worms, Air Gaps and Responsibility Claussen, Ken (May 12)
- RE: Worms, Air Gaps and Responsibility Paul D. Robertson (May 12)
- RE: Worms, Air Gaps and Responsibility Dana Nowell (May 13)
- RE: Worms, Air Gaps and Responsibility Paul D. Robertson (May 13)
- RE: Worms, Air Gaps and Responsibility Dana Nowell (May 17)
- RE: Worms, Air Gaps and Responsibility Paul D. Robertson (May 17)
- RE: Worms, Air Gaps and Responsibility Dana Nowell (May 17)
- RE: Worms, Air Gaps and Responsibility Frank Knobbe (May 18)
- RE: Worms, Air Gaps and Responsibility Dana Nowell (May 18)
- Re: Worms, Air Gaps and Responsibility Adam Shostack (May 18)
- Re: Worms, Air Gaps and Responsibility Dana Nowell (May 18)
- Re: Worms, Air Gaps and Responsibility Frank Knobbe (May 18)
- RE: Worms, Air Gaps and Responsibility Gwendolynn ferch Elydyr (May 18)
- RE: Worms, Air Gaps and Responsibility Paul D. Robertson (May 13)