Firewall Wizards mailing list archives
RE: Worms, Air Gaps and Responsibility
From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 13 May 2004 16:46:17 -0400 (EDT)
On Thu, 13 May 2004, Dana Nowell wrote:
> Come on Paul that's a skewed comparison. I don't know about you but I do
No, it's an observation...
> not let any traffic arriving at the external router adapter 'talk to' the router. Sure it passes through but if 'you' go ahead and try telneting to my external address, the ACL says NO! and logs the attempt (and I frequently contact 'your' ISP).
Yes, but hundreds of thousands of Cisco routers allow connections from the "inside." Things like the "Poisonbox worm" are old history now- once again, the ubiquity of the target means that success is hideously powerful.
> Now in the case of a web server, yup, that external traffic sure does make a stop, at least on port 80. So comparing a Cisco router's external public interface with a web server's public interface is not necessarily fair. The router is probably not exporting any services on the external interface and the web server has to export at least one. So you are comparing the packet routing code in the router to all the code up through the web server on the NT box.
No, I accounted for vulnerability surface in at least one of my messages in this thread. I'm just saying that ubiquity doesn't equal targeting.
> The router high level 'data entry' OS functions (add/change ACLs, change router params, ...) are all frequently/usually ACL protected. In THEORY the low level routing functions have minimal code involved (need to be fast) so the code base is MUCH smaller and MUCH more specialized and 'simpler' (no real input buffers to overflow as max TCP packet size is fixed by spec, etc.).
Which hasn't stopped all the exploits in services the router must expose when certain configuration options are on.
> So while I agree that there are a lot of Cisco boxes on the net, I think the exposed code base is small, special, and reasonably free of UI/entry things like buffer overflows and such due to function. It is also unlikely that
They come with HTTP servers now...
> large amounts of the packet switch code get rewritten with each release. Given the small code base and the amount of 'unit hours' in the field, the current level of packet switch code SHOULD be pretty good. Comparisons to code related to web servers where the UI stuff is always changing and has more 'latest whizbang' toys in each release seems unfair. If Cisco routers had publicly available web interfaces they too might get targeted more AND be broken more (for kudos).
Network available = public in the hands of a reasonably competent attacker...
> I think that ubiquity DOES increase 'targetability' (for lack of a better term) but I agree that ubiquitousness alone is insufficient. One of the reasons to target Windows boxes over Cisco routers is SPAM. I hack a windows box (or linux, unix, or other desktop/server) I can easily use it to send SPAM, a Cisco router is a bit less useful (not impossible, just more complex) and lower usefulness lowers the 'targetability coefficient'.
Adding a SOCKS v4 proxy wouldn't take all that much code...
> I'd argue that boxes with equal 'ubiquity' start with an equal 'targetability coefficient' which is then adjusted based on end use (kudos, spam, intel, ...) and 'breakability'. Since Windows scores high in all three categories, it becomes the 'industry leader'. Cisco scores high in the first category but low in the remaining categories. IMO, Linux scores a medium, medium-high, and a medium. As Linux becomes more prevalent and is run more often by 'Joe Sixpack', its targetability will increase.
Solaris is less popular than Linux as a platform, and yet it's been used for automatic malcode about as much (I'm discounting manual intrusions because they rely more on the skillset or toolset of the attacker to achieve targetability.) We also could probably look at vulnerability surface and come to some conclusions about automated malcode-- I've been saying for *years* that if Microsoft took the equiv. of the "execute bit" away from attachments, automatic malcode would go down by at least an order of magnitude- even though we'd have the same ubiquity of the platform. So, I'll argue that ubiquity doesn't necessarily increase the level of targeting (re: Cisco,) nor the success of targeting (re: No click-to-execute mail clients.) Sure, it does have some impact on the level, but it's not a given that "lots of things" means "lots of shot things," and it certainly doesn't mean "the same number of dead things." I do think it means "more shot things."

Paul
-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
paul () compuwar net         which may have no basis whatsoever in fact."
probertson () trusecure com  Director of Risk Assessment, TruSecure Corporation
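As an added example, not from this thread or from either poster: an IOS configuration sketch of the posture Dana describes (management services refused and logged on the external interface), extended to cover the two caveats Paul raises, connections from the inside and the built-in HTTP server. The interface name, the 198.51.100.1 external address and the 192.0.2.0/24 admin network are constructed placeholders.

```cisco
! Constructed example; interface name and addresses are placeholders.
! 1. Services the router never needs to expose ("They come with HTTP servers now...").
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers

! 2. Management plane: only the admin network may reach the vty lines, and the
!    access-class applies whichever interface the connection arrives on, which also
!    closes the "connections from the inside" case. Refused attempts are logged.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log

line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0

! 3. External interface: transit traffic passes, but nothing arriving from outside may
!    talk to the router itself on its management ports; each refused attempt is logged.
ip access-list extended OUTSIDE-IN
 deny   tcp any host 198.51.100.1 eq 22 log
 deny   tcp any host 198.51.100.1 eq 23 log
 deny   tcp any host 198.51.100.1 eq 80 log
 deny   tcp any host 198.51.100.1 eq 443 log
 deny   udp any host 198.51.100.1 eq snmp log
 permit ip any any

interface FastEthernet0/0
 description external link (placeholder name)
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in
```

The trailing permit keeps the example focused on the router's own services, the surface the thread argues about; a production external ACL would also filter transit traffic.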