From: Darby Weaver (ccie.weaver@gmail.com)
Date: Mon Jan 26 2009 - 15:13:39 ARST
Ok - Nevertheless - The Cisco IOS can be made to crash.
Look -
As Network Admins, Engineers, and Architects - especially when in
consultant/contractor status - Network Managers need to be more responsible
and more accountable overall for their networks.
If they have an exploit that works on anything other than a 1700 or 2600,
kewl. Where did they actually say they could or did do this?
Show me the money!
I'm saying all they did was make a statement saying that something could
"theoretically" happen and if all the stars fall into alignment we'll have a
solar eclipse on the same day... who knows...
Right now - it's Fear, Uncertainty, and Doubt.
Otherwise who's to say every bug or system crash we are seeing now is now
more of this "exploit".
Hmmm...
Look it's not Year 2000 anymore in a lot of places - A few still think
proctors tamper with their systems...
I'm saying that the minute these guys say "Eureka!" a short while later a
new generation of Cisco Anti-Malware would be born and an entire new
industry behind it.
In addition, Network Admin / Jr. Admin job openings would skyrocket for the
demand for the new corps of troops required to help patch all these devices
weekly....
It's not uncommon for me or you to venture to a new network and find its
uptime exceeds 1-5 years... Reading between the lines - the system has
not been patched/updated in that length of time.
Many excellent Network Admins believe it better not to update a Core
Switch's IOS more often than annually.
It is a fight.
Kaminsky does rightfully state this should change before an exploit does
happen.
But which projects get pushed to the side to do this and to test it
beforehand?
Here's a concept that seems foreign to many on this forum:
1. Install and configure a device and put it on the network.
2. Secure it.
3. Monitor it.
4. Manage it.
5. Update it regularly. (if you need more time to do it, your company has a
staffing problem).
There should be no reason why every command entered into a Cisco device for
maint/troubleshooting/etc. was not logged. How many of us work from the
Console except during install or emergencies?
Every change should have been logged to a Syslog Server over a secure
connection.
The changes, if any, should be able to be compared to any other change on
any other date - Cradle to Grave of the device in question.
Alerts should be sent if any device is not working within specifications.
We can log a lot of activity. Who reads the logs? Maybe this is another
staffing/training problem.
Basically we can do the following:
1. Catch every command going to and from the device - Cradle to grave.
2. Log every access to the device - Cradle to grave.
3. Be able to compare any changes in any device we manage - Cradle to grave.
If you are not doing this or cannot do this - maybe you should be doing
this....
Finally a report should be delivered to the Network Manager regularly
(weekly or monthly at a minimum) detailing the status of these activities.
If there was a change - it's documented in a change control - how, what,
why, when, where.
If there was troubleshooting - it's documented in a help desk ticket, etc.
If this were the rule versus the exception, then articles like this would
have little impact on the professional community.
Did I forget everyone should have spreadsheets and updated network diagrams
that illustrate when anything changes?
Hell, I worked on a network this year that didn't even keep track of its IP
Addressing...
That's the kind of thing Kaminsky is talking about.
That's the kind of thing that gives the bad guys hope that one day they
can find a cure to this "Nirvana" mentality we currently enjoy in the Cisco
world...
It only takes one time and everyone becomes "Once Bitten Twice Shy".
BTW - If machine code can pop, jmp, or, xor, etc.... it can be decompiled
and recompiled - but then it's got to get past the hash... not saying it
cannot be done but it won't be as easy as Adelph1 demonstrated so many years
before.
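As an added example (not part of the original post), here is a small Python reviewer for the kind of command and config-change syslog the post calls for: it parses constructed IOS-style CONFIG_I and CMDLOG lines (hostnames, users and addresses are made up, and since the exact message shape varies by IOS version the regexes are assumptions to adjust) and flags console sessions, commands that weaken logging, and config changes by users with no change ticket.

```python
import re

# Constructed sample syslog lines in the shape of IOS CONFIG_I and
# archive-log CMDLOG messages; hostnames, users and addresses are made up.
SAMPLE_LOG = """\
Jan 26 15:01:02 core-sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
Jan 26 15:01:05 core-sw1 %PARSER-5-CMDLOG: Command logged: [admin@vty0 (192.0.2.10)]: interface GigabitEthernet1/0/1
Jan 26 15:01:09 core-sw1 %PARSER-5-CMDLOG: Command logged: [admin@vty0 (192.0.2.10)]: shutdown
Jan 26 15:40:44 core-sw1 %SYS-5-CONFIG_I: Configured from console by console
Jan 26 15:40:50 core-sw1 %PARSER-5-CMDLOG: Command logged: [console@console]: no logging host 192.0.2.50
Jan 26 16:02:11 core-sw1 %SYS-5-CONFIG_I: Configured from console by jdoe on vty1 (198.51.100.7)
"""

# Assumed message shapes; check them against your own devices' output.
CONFIG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) %SYS-5-CONFIG_I: Configured from console by "
    r"(?P<user>\S+)(?: on (?P<line>\S+)(?: \((?P<src>[^)]+)\))?)?$")
CMD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) %PARSER-5-CMDLOG: Command logged: "
    r"\[(?P<user>[^@]+)@(?P<line>[^ \]]+)(?: \((?P<src>[^)]+)\))?\]: (?P<command>.+)$")

def parse_events(text):
    """Turn raw syslog text into a list of config-session and command events."""
    events = []
    for raw in text.splitlines():
        m = CONFIG_RE.match(raw)
        if m:
            events.append({"kind": "session", **m.groupdict()})
            continue
        m = CMD_RE.match(raw)
        if m:
            events.append({"kind": "command", **m.groupdict()})
    return events

def review(events, ticketed_users):
    """Items the weekly report should call out: console sessions (nobody should
    be on the console outside install/emergency), commands that weaken logging,
    and config sessions by users with no change ticket on file."""
    findings = []
    for e in events:
        if e["kind"] == "session":
            if e["line"] is None:  # "by console": no line/source means a console session
                findings.append(f"console config session on {e['host']} at {e['ts']}")
            elif e["user"] not in ticketed_users:
                findings.append(f"unticketed change by {e['user']} from {e['src']} on {e['host']}")
        elif e["command"].startswith("no logging"):
            findings.append(f"logging weakened by {e['user']}@{e['line']} on {e['host']}: {e['command']}")
    return findings

if __name__ == "__main__":
    for line in review(parse_events(SAMPLE_LOG), ticketed_users={"admin"}):
        print(line)
```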
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST