[AusNOG] How hard is it to protect/defend a router?

Tim March march.tim at gmail.com
Thu Sep 5 13:12:41 EST 2013


I have to assume ASIO telling NBN Co. to disqualify Huawei from their
vendor selection process was probably based on specific intelligence,
rather than a random hunch. The Australian intelligence community sold
its soul to the Americans years ago so running similarly back-doored
equipment from the US is probably less of an issue ;)

There's a couple of prolific problems I observe with router
implementations in the wild;

1. They're often implemented by "systems administration" folk who view
"networking" as some sort of dark voodoo. Because their organisation
doesn't have the scale / resources to warrant dedicated networking
punters they're left to do the job. They tend not to understand the
full feature-set of the device and as soon as they've got it doing the
specific thing they need it gets put in to prod.

2. They're often considered to be set-and-forget items and can sit for
years without any administration or maintenance input. Where servers
natively live on the inside of a firewall routers, by definition,
often sit on the outside and this can leave them more exposed.

3. Shipping with default user credentials and an administration
console exposed on a public interface has been and is a HUGE issue for
many vendors. Cisco forces you to update the admin credentials on
first configuration now but this wasn't the case for many, many years.
If you port scan the 'net for TCP/23 now you'll find millions of
routers with default passwords to play with.

In the late 90's a couple of massive network providers in the US had
(as far as, uhhh, "someone I know" could tell...) massive parts of
their backbone configured with user: cisco pass: cisco. There was a
cool article in Phrack 56 detailing a couple of things people were
doing with them at the time. I imagine with NSA scale resources and
technology it's probably open day right now.





T.

On 5/09/13 11:10 AM, George Fong wrote:
> I would have thought that the answer is not very hard. But there
> are some things that make you question your beliefs ....... has our
> vigilance in trying to defend against what we thought to be the
> Bad Guys distracted us from something that we should be more
> worried about?
> 
> http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/?mbid=social11535834
>
>  /“No one updates their routers,” he says. “If you think people are
> bad about patching Windows and Linux (which they are) then they are
> … horrible about updating their networking gear because it is too
> critical, and usually they don’t have redundancy to be able to do
> it properly.”/
> 
> 
> Cheers g.
> 
> 
> -- Lateral Plains Logos
> 
> Just remember, wherever you go .... there you are.
> 
> 
> 
> _______________________________________________ AusNOG mailing
> list AusNOG at lists.ausnog.net 
> http://lists.ausnog.net/mailman/listinfo/ausnog
> 

- -- 
PGP/GNUPG Public Key: http://d3vnu11.com/pub.key
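
[Added example, not part of the original post.] A defender-side check for the third problem in the message above (default credentials and a remote admin console left open): a small audit over a Cisco IOS-style configuration. The sample config, the DEFAULT_WORDS shortlist and the audit() helper are constructed for illustration and are assumptions, not anything taken from the thread.

```python
import re

# Constructed sample in Cisco IOS-style syntax (not taken from any real device).
SAMPLE_CONFIG = """\
enable password cisco
username cisco password 0 cisco
username netops secret 5 $1$constructed$hash
!
line con 0
 login local
line vty 0 4
 password cisco
 login
 transport input telnet
line vty 5 15
 access-class 10 in
 login local
 transport input ssh
"""

# Assumed shortlist of factory/default words; extend for your own vendors.
DEFAULT_WORDS = {"cisco", "admin", "password"}

def audit(config):
    """Return a list of (location, finding) tuples for an IOS-style config."""
    findings = []
    section = "global"
    vty = {}  # vty section name -> the sub-commands configured under it
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):          # unindented line = new top-level section
            section = line if line.startswith("line ") else "global"
            if section.startswith("line vty"):
                vty[section] = []
        elif section in vty:
            vty[section].append(line)
        # Plaintext (type 0 or untyped) passwords only; hashes are not guessed at.
        m = re.search(r"\bpassword (?:0 )?(\S+)$", line)
        if m and m.group(1).lower() in DEFAULT_WORDS:
            findings.append((section, "default password: " + line))
    for name, cmds in vty.items():
        transport = next((c for c in cmds if c.startswith("transport input")), "")
        if "telnet" in transport or "all" in transport:
            findings.append((name, "telnet allowed on remote admin lines"))
        if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
            findings.append((name, "no inbound access-class restricting management sources"))
    return findings
```

Run audit() over exported configs from your own devices; on the constructed sample it reports the three default passwords plus the telnet and missing access-class findings on "line vty 0 4", and nothing for "line vty 5 15".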


