[AusNOG] How hard is it to protect/defend a router?

Julien Goodwin ausnog at studio442.com.au
Thu Sep 5 20:19:15 EST 2013


On 05/09/13 13:12, Tim March wrote:
> 
> I have to assume ASIO telling NBN Co. to disqualify Huawei from their
> vendor selection process was probably based on specific intelligence,
> rather than a random hunch. The Australian intelligence community sold
> its soul to the Americans years ago so running similarly back-doored
> equipment from the US is probably less of an issue ;)

Simply their recent security history, I suspect; compared to the
old guard they were having some fairly trivial holes found quite
recently. I've been told their processes are much improved over the last
year or two, but have no experience either way (the only vendor I've
reported a hole to had already "fixed" it by the time I found it and
disagree with me that the fix is sufficient).

As for not upgrading, I know many Australian SPs that (several years
back at least) had to run old IOS trains, or even fully custom builds,
and when their contact inevitably left Cisco often couldn't get a new
IOS even for major security issues; again, I've heard this isn't as bad
these days. Many router holes can be mitigated with control plane ACLs,
which helps a lot, but every now and again there are nasty ones like the
Cisco 256-length AS-path bug that can (essentially) be triggered by an
untrusted third party.
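
Added example, not part of the original post: a control-plane ACL only decides who may talk to the router, while an AS path arrives inside an UPDATE from a peer the ACL already permits, so a defence against over-long paths has to inspect the attribute itself. The Python below parses the AS_PATH path attribute (RFC 4271 encoding) and applies a length limit; `MAX_ASNS`, the function names and the sample data are assumptions made for illustration.

```python
AS_PATH = 2        # path attribute type code (RFC 4271)
AS_SEQUENCE = 2    # AS_PATH segment type
EXT_LEN = 0x10     # attribute flag: two-byte length field
MAX_ASNS = 50      # assumed local policy limit, not from the post


def as_path_asns(attrs, asn_size=4):
    """Return every ASN in the AS_PATH of a BGP path-attribute blob."""
    asns, i = [], 0
    while i < len(attrs):
        hdr = 4 if attrs[i] & EXT_LEN else 3
        if i + hdr > len(attrs):
            raise ValueError("truncated attribute header")
        code = attrs[i + 1]
        alen = int.from_bytes(attrs[i + 2:i + hdr], "big")
        value = attrs[i + hdr:i + hdr + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute value")
        i += hdr + alen
        if code != AS_PATH:
            continue
        j = 0
        while j < len(value):
            if j + 2 > len(value):
                raise ValueError("truncated AS_PATH segment header")
            count = value[j + 1]   # one byte: at most 255 ASNs per segment
            end = j + 2 + count * asn_size
            if end > len(value):
                raise ValueError("AS_PATH segment overruns attribute")
            asns += [int.from_bytes(value[k:k + asn_size], "big")
                     for k in range(j + 2, end, asn_size)]
            j = end
    return asns


def path_too_long(attrs, limit=MAX_ASNS, asn_size=4):
    """True when the update should be rejected by the local length policy."""
    return len(as_path_asns(attrs, asn_size)) > limit


def sample_as_path(asns, asn_size=4):
    """Constructed test input: encode ASNs as AS_SEQUENCE segments."""
    value = b""
    for s in range(0, len(asns), 255):
        seg = asns[s:s + 255]
        value += bytes([AS_SEQUENCE, len(seg)])
        value += b"".join(a.to_bytes(asn_size, "big") for a in seg)
    if len(value) > 255:
        return bytes([0x40 | EXT_LEN, AS_PATH]) + len(value).to_bytes(2, "big") + value
    return bytes([0x40, AS_PATH, len(value)]) + value
```

The same policy is normally enforced on the router with a maximum AS-path length setting on the BGP process; the parser is useful for checking captured updates or feeds from a route collector.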


