nanog mailing list archives
Re: [NANOG] IOS rootkits
From: Deepak Jain <deepak () ai net>
Date: Mon, 19 May 2008 15:55:42 -0400
Buhrmaster, Gary wrote:
>> I understand *why* we are worried about rootkits on individual servers. On essentially "closed" platforms this isn't going to be rocket science. It may seem odd by today's BCPs, but booting up from "golden" images via write-protected hardware or TFTP or similar is pretty straightforward.
>
> Since today's bootstrap codes are in EEPROM (or equivalent), if you get "root" once, you can have "root" forever. Faking file system content (and real-time replacing of code) is the core of any current (good) Linux/Mac/Windows rootkit. Cisco/Juniper/Force10/whatever is just another platform to do the same if you can replace the bootstrap. Modular IOS might even make it easier to do dynamic code insertion. There are platforms (Xbox?, Tivo?, etc.) that try to do cryptographic validation of the code they are loading. Network devices are not yet doing a true cryptographic validation as far as I know, although one could imagine that that might be a next step to protect against that specific threat (although I seem to recall that bypassing the Xbox validations only took a few months, so it is harder than it first appears to get right).
I think that is exactly the point. Once a box has been thoroughly compromised, it's almost impossible to bring it back to a "known, good" state without a complete (reformat). In the case of embedded HW, that may include wiping/rewriting the EEPROMs to a known good state.

I don't think this is going to be outside of the purview of Network Operators for very long, no matter what the case. Anti-virii and such are somewhat interesting in the end-system model, but when downtimes need to be scheduled significantly in advance for network operations you either a) prevent infection by much tighter controls at the get-go or b) provide a high-trust way to keep the systems in a known good state. This, of course, assumes true "bugs" are kept to a minimum.

It does raise significant security concerns for those networks that have employees/contractors/etc. with turn-over that could leave a parting "gift" in their respective networks. Changing passwords isn't really sufficient anymore.

DJ

_______________________________________________
NANOG mailing list
NANOG () nanog org
http://mailman.nanog.org/mailman/listinfo/nanog
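The thread above argues that a "golden" image is only a known-good state if the device can cryptographically check what it loads. The following is an added illustration of that check, not code from the thread or from any vendor: a manifest of expected image digests is authenticated with an HMAC key that is kept off the device (assumed here as a constant), and an image is accepted only if the manifest is authentic and the image's digest matches. Image names, contents and the key are all constructed sample values.

```python
import hashlib
import hmac
import json


def image_digest(data: bytes) -> str:
    """SHA-256 of the raw boot image bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: dict, key: bytes) -> dict:
    """Authenticate a {image name: expected digest} map.

    In practice this runs offline on a trusted host; the key never lives
    on the device, so a rooted box cannot re-sign a doctored manifest.
    """
    body = json.dumps(images, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"images": images, "mac": mac}


def verify_image(name: str, data: bytes, manifest: dict, key: bytes) -> bool:
    """True only if the manifest is authentic AND the image matches it."""
    body = json.dumps(manifest["images"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return False  # manifest was altered: none of its digests are trusted
    known = manifest["images"].get(name)
    if known is None:
        return False  # image not on the allow list at all
    return hmac.compare_digest(known, image_digest(data))


# Constructed sample data: a stand-in golden image and a one-byte-modified copy.
GOLDEN_IMAGE = b"constructed-sample-boot-image-v1.0" * 64
TAMPERED_IMAGE = GOLDEN_IMAGE[:-1] + b"X"
SIGNING_KEY = b"constructed-offline-key-not-for-real-use"  # assumption: held off-box
IMAGE_NAME = "golden-router-image.bin"
MANIFEST = build_manifest({IMAGE_NAME: image_digest(GOLDEN_IMAGE)}, SIGNING_KEY)

if __name__ == "__main__":
    print("golden image accepted:", verify_image(IMAGE_NAME, GOLDEN_IMAGE, MANIFEST, SIGNING_KEY))
    print("tampered image accepted:", verify_image(IMAGE_NAME, TAMPERED_IMAGE, MANIFEST, SIGNING_KEY))
```

Re-signing the manifest with the off-box key is the only way to change what the device will accept, which is the "high-trust way to keep the systems in a known good state" the reply asks for.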