Hi Roland.

> I don't know much about Juniper
> gear, but it appears that the Juniper boxes listed are similar in nature,
> albeit running FreeBSD underneath (correction welcome).

With most Juniper gear, it is actually quite difficult to achieve wire-tapping 
on a large scale using something as simple as a backdoor in the BIOS.

Assuming M/MX/T series, you are correct that the foundation of the 
control-plane is a FreeBSD-based kernel. However, that control-plane talks to a 
forwarding-plane (PFE). The PFE runs Juniper designed ASICs (which differ per 
platform and sometimes per line-card). In general, transit-traffic (traffic 
that enters the PFE and is not destined to the router itself), will not be 
forwarded via the control-plane. This means that whatever the backdoor is 
designed to do, simply cannot touch the traffic. There are a few exceptions, 
such as a carefully crafted backdoor capable of altering the next-hop database 
(the PFE's forwarding table) and mirroring traffic. This, however, would mean 
that the network would already have to be compromised. Another option would be 
to duplicate target traffic into a tunnel (GRE or IPIP based for example), but 
that would certainly have a noticeable effect on the performance, if it is 
possible to perform those operations at all on the target chipset. 

However, attempting any of the limited attacks that I can think of would 
require expert-level knowledge of not just the overall architecture, but also 
of the microcode that runs on the specific PFE that the attacker would target, 
as well as the ability to partially rewrite that. Furthermore, to embed such a 
sophisticated attack in a BIOS would seem impossible to me with the first 
reason being the limited amount of storage available on the EEPROM to store all 
that binary code. 

An attack based on corrupted firmware loaded post-manufacturing would also be 
difficult due to the signed binaries and microcode. If someone were to embed a 
backdoor, it would be extremely difficult without Juniper's cooperation. And the last 
time I looked at the code (I left Juniper a few months ago), I saw nothing that 
would indicate a backdoor of any kind. 

-- 
Thanks,

Sabri