Firewall Wizards mailing list archives

RE: Worms, Air Gaps and Responsibility


From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 13 May 2004 16:46:17 -0400 (EDT)

On Thu, 13 May 2004, Dana Nowell wrote:

> Come on Paul, that's a skewed comparison.  I don't know about you but I do

No, it's an observation...

> not let any traffic arriving at the external router adapter 'talk to' the
> router.  Sure it passes through but if 'you' go ahead and try telnetting to
> my external address, the ACL says NO! and logs the attempt (and I
> frequently contact 'your' ISP).

Yes, but hundreds of thousands of Cisco routers allow connections from the
"inside."  Things like the "Poisonbox worm" are old history now- once
again, the ubiquity of the target means that success is hideously
powerful.

> Now in the case of a web server, yup, that external traffic sure does make
> a stop, at least on port 80.  So comparing a Cisco router's external public
> interface with a web server's public interface is not necessarily fair.
> The router is probably not exporting any services on the external interface
> and the web server has to export at least one.  So you are comparing the
> packet routing code in the router to all the code up through the web server
> on the NT box.

No, I accounted for vulnerability surface in at least one of my messages
in this thread.  I'm just saying that ubiquity doesn't equal targeting.

> The router high level 'data entry' OS functions (add/change ACLs, change
> router params, ...) are all frequently/usually ACL protected.  In THEORY
> the low level routing functions have minimal code involved (need to be
> fast) so the code base is MUCH smaller and MUCH more specialized and
> 'simpler' (no real input buffers to overflow as max TCP packet size is
> fixed by spec, etc.).

Which hasn't stopped all the exploits in services the router must expose
when certain configuration options are on.

> So while I agree that there are a lot of Cisco boxes on the net, I think the
> exposed code base is small, special, and reasonably free of UI/entry things
> like buffer overflows and such due to function.  It is also unlikely that

They come with HTTP servers now...

> large amounts of the packet switch code get rewritten with each release.
> Given the small code base and the amount of 'unit hours' in the field, the
> current level of packet switch code SHOULD be pretty good.

> Comparisons to code related to web servers where the UI stuff is always
> changing and has more 'latest whizbang' toys in each release seems unfair.
> If Cisco routers had publicly available web interfaces they too might get
> targeted more AND be broken more (for kudos).

Network available = public in the hands of a reasonably competent
attacker...

> I think that ubiquity DOES increase 'targetability' (for lack of a better
> term) but I agree that ubiquitousness alone is insufficient.  One of the
> reasons to target Windows boxes over Cisco routers is SPAM.  If I hack a
> Windows box (or Linux, Unix, or other desktop/server) I can easily use it
> to send SPAM; a Cisco router is a bit less useful (not impossible, just
> more complex) and lower usefulness lowers the 'targetability coefficient'.

Adding a SOCKS v4 proxy wouldn't take all that much code...

> I'd argue that boxes with equal 'ubiquity' start with an equal
> 'targetability coefficient' which is then adjusted based on end use (kudos,
> spam, intel, ...) and 'breakability'.  Since Windows scores high in all
> three categories, it becomes the 'industry leader'.  Cisco scores high in
> the first category but low in the remaining categories.  IMO, Linux scores
> a medium, medium-high, and a medium.  As Linux becomes more prevalent and
> is run more often by 'Joe Sixpack', its targetability will increase.

Solaris is less popular than Linux as a platform, and yet it's been used
for automatic malcode about as much (I'm discounting manual intrusions
because they rely more on the skillset or toolset of the attacker to
achieve targetability.)

We also could probably look at vulnerability surface and come to some
conclusions about automated malcode-- I've been saying for *years* that if
Microsoft took the equiv. of the "execute bit" away from attachments,
automatic malcode would go down by at least an order of magnitude- even
though we'd have the same ubiquity of the platform.

So, I'll argue that ubiquity doesn't necessarily increase the level of
targeting (re: Cisco,) nor the success of targeting (re: No
click-to-execute mail clients.)  Sure, it does have some impact on the
level, but it's not a given that "lots of things" means "lots of shot
things," and it certainly doesn't mean "the same number of dead things."
I do think it means "more shot things."

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
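A concrete version of the router hardening the exchange above turns on, added here as an illustration and not taken from either poster: an inbound ACL on the external interface that drops and logs connection attempts aimed at the router itself while still forwarding transit traffic, the HTTP server disabled, and the VTY lines restricted to one internal management host over SSH. The interface name, the 203.0.113.1 router address and the 192.168.10.5 management host are placeholders.

```cisco
! Constructed example of external-interface management-plane hardening.
! Interface name and the 203.0.113.x / 192.168.10.x addresses are placeholders.

! Drop and log attempts to reach the router's own telnet and HTTP ports from
! outside; "permit ip any any" keeps ordinary transit traffic flowing.
ip access-list extended OUTSIDE-IN
 deny   tcp any host 203.0.113.1 eq 23 log
 deny   tcp any host 203.0.113.1 eq 80 log
 deny   tcp any host 203.0.113.1 eq 443 log
 permit ip any any

interface GigabitEthernet0/0
 description External (ISP-facing)
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in

! The HTTP server is a service the router would otherwise export on every
! interface; turn it off rather than relying on the ACL alone.
no ip http server
no ip http secure-server

! Connections from the "inside" reach the VTY lines too, so restrict them to
! a single management host and to SSH, not telnet.
ip access-list standard MGMT-HOSTS
 permit 192.168.10.5
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

The `log` keyword on the deny entries produces the syslog record of each refused attempt; without a logging destination configured elsewhere those records stay on the console.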