Buhrmaster, Gary wrote:
>> I understand *why* we are worried about rootkits on individual servers.
>> On essentially "closed" platforms this isn't going to be rocket science.
>> It may seem odd by today's BCPs, but booting up from "golden" images via
>> write-protected hardware or TFTP or similar is pretty straightforward
>
> Since today's bootstrap codes are in EEPROM (or equivalent), if you get
> "root" once, you can have "root" forever. Faking file system content
> (and real time replacing of code) is the core of any current (good)
> Linux/Mac/Windows rootkit. Cisco/Juniper/Force10/whatever is just another
> platform to do the same if you can replace the bootstrap. Modular IOS
> might even make it easier to do dynamic code insertion.
>
> There are platforms (Xbox?, Tivo?, etc.) that try to do cryptographic
> validation of the code they are loading. Network devices are not yet
> doing a true cryptographic validation as far as I know, although one
> could imagine that that might be a next step to protect against that
> specific threat (although I seem to recall that bypassing the Xbox
> validations only took a few months, so it is harder than it first
> appears to get right).
>
I think that is exactly the point. Once a box has been thoroughly compromised, it's almost impossible to bring it back to a "known, good" state without a complete (reformat). In the case of embedded HW, that may include wiping/rewriting the EEPROMs to a known good state. I don't think this is going to be outside of the purview of Network Operators for very long, no matter what the case.

Anti-virii and such are somewhat interesting in the end-system model, but when downtimes need to be scheduled significantly in advance for network operations you either a) prevent infection by much tighter controls at the get-go or b) provide a high-trust way to keep the systems in a known good-state. This, of course, assumes true "bugs" are kept to a minimum.

It does raise significant security concerns for those networks that have employees/contractors/etc with turn-over that could leave a parting "gift" in their respective networks. Changing passwords isn't really sufficient anymore.

DJ

_______________________________________________
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog
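The "cryptographic validation of the code they are loading" that the thread says network devices lacked is, at its core, a signature check on the image before control is handed to it. The sketch below is an added illustration written for this page, not code from any vendor or from the posters; the image bytes and the `SignedImage` manifest layout are constructed for the example. The caveat the thread raises still applies: the public key and the verifier itself have to live somewhere the attacker who can rewrite the EEPROM bootstrap cannot also rewrite, or the check protects nothing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedImage is a constructed, minimal manifest: the image plus an
// Ed25519 signature over SHA-256(image). Hashing first lets a loader
// stream a large image through the digest instead of buffering it.
type SignedImage struct {
	Image []byte
	Sig   []byte
}

// SignImage is the release-side step, done offline with the private key.
func SignImage(priv ed25519.PrivateKey, image []byte) SignedImage {
	digest := sha256.Sum256(image)
	return SignedImage{Image: image, Sig: ed25519.Sign(priv, digest[:])}
}

// VerifyImage is the boot-side step. The public key is pinned in the
// (ideally immutable) bootstrap; any mismatch refuses to load the image.
func VerifyImage(pub ed25519.PublicKey, si SignedImage) error {
	digest := sha256.Sum256(si.Image)
	if !ed25519.Verify(pub, digest[:], si.Sig) {
		return errors.New("image signature invalid: refusing to load")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := SignImage(priv, []byte("constructed router image bytes"))
	fmt.Println("golden image:", VerifyImage(pub, good))

	// Simulate a rootkit patching one byte of the stored image.
	tampered := SignedImage{Image: append([]byte{}, good.Image...), Sig: good.Sig}
	tampered.Image[0] ^= 0xff
	fmt.Println("tampered image:", VerifyImage(pub, tampered))
}
```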