Quick Hit On Open Source Routers, Vyatta, and NetworkWorld
Thomas Ptacek | November 3rd, 2007 | Filed Under: Industry Punditry, Uncategorized
I agree with Matt Franz that router security isn’t very interesting (though there’s real work to be done in mainstreaming the IOS reversing work that’s been done). And I agree that the Network World article on Vyatta, the open source router startup, is silly. I can answer Jim Duffy’s question (“is open source routing closing the router gap?”) pretty quickly: no. Last I checked, the ISR had revitalized routers for Cisco, and they were doing better than they ever had.


sigsegv
November 5th, 2007 9:44 am
I think I’m going to have to disagree with you here. Router security is still an interesting growing topic, and not just in reverse engineering IOS or developing the “next-gen” overflows against Cisco devices. There are still unexplored proprietary routing protocols (or previously explored) that could do with some mainstream security attention.
Thomas Ptacek
November 5th, 2007 1:28 pm
You really think so?
It seems like there’s a couple basic facts to deal with in router security (and switch security, switches and routers being essentially the same thing).
1. If you can bring up an adjacency with another device (ie, make a BGP4 connection, do the OSPF handshake, deliver RIP messages, etc) you can poison route tables in every mainstream routing protocol.
2. Every mainstream routing protocol therefore defends against unauthorized adjacencies with a combination of filtering and authentication.
The trouble with doing research into routing security is that once you get past the authorization layer, no matter what features the system claims to have, everything is fragile and brittle and breaking it isn’t a real accomplishment.
I spent many years in very close proximity to this field and even in BGP4, where route security is perhaps most developed, I don’t get the sense that there’s any findings to be had once you can bring up an unauthorized session. Game over is game over.
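An added config-audit illustration of the two facts above (adjacency control by filtering and authentication), written for this edit and not code from the post or any commenter: it reads a constructed IOS-style config (command syntax assumed, not taken from the page) and flags the interfaces and BGP peers that could still bring up an unauthenticated adjacency.

```python
# Constructed IOS-style config (not from the page): Gi0/1 forms OSPF adjacencies
# without authentication and BGP peer 203.0.113.3 has no session password.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLACEHOLDER_KEY
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1
!
router bgp 65000
 neighbor 203.0.113.2 remote-as 65001
 neighbor 203.0.113.2 password PLACEHOLDER_BGP_SECRET
 neighbor 203.0.113.3 remote-as 65002
!
"""

def audit_adjacency_auth(config: str) -> list:
    """Flag OSPF interfaces and BGP peers that could bring up an unauthenticated adjacency."""
    # Simplification: every interface is assumed to run OSPF unless made passive.
    stanzas, findings, ifaces, passive_default, toggled = [], [], {}, False, set()
    for line in config.splitlines():  # group indented lines under their stanza header
        if line.startswith(" ") and stanzas:
            stanzas[-1][1].append(line.strip())
        elif line.strip() not in ("", "!"):
            stanzas.append((line.strip(), []))
    for header, body in stanzas:
        if header.startswith("interface "):
            ifaces[header.split()[1]] = body
        elif header.startswith("router ospf"):
            passive_default = "passive-interface default" in body
            toggled = {ln.split()[-1] for ln in body
                       if "passive-interface " in ln and not ln.endswith(" default")}
        elif header.startswith("router bgp"):
            peers = {ln.split()[1] for ln in body if " remote-as " in ln}
            secured = {ln.split()[1] for ln in body if " password " in ln}
            findings += [f"bgp neighbor {p}: no session password" for p in sorted(peers - secured)]
    for name, body in ifaces.items():
        # With "passive-interface default" only "no passive-interface" members speak OSPF;
        # without it, every interface not explicitly passive does.
        active = (name in toggled) if passive_default else (name not in toggled)
        if active and not any(ln.startswith("ip ospf authentication") for ln in body):
            findings.append(f"interface {name}: OSPF adjacency without authentication")
    return findings
```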
sigsegv
November 5th, 2007 7:14 pm
I agree with your points about being able to bring up an unauthenticated session. Poisoning the routing table is relatively simple once that has been accomplished.
But I think I’m looking at this from a different angle than you are (I think). In the type of scenarios that I’m thinking of, the attacker is a remote attacker, on a completely different network from the target. As far as I know, the only way to exert any influence over a router’s routing table from that perspective is to break into an adjacent device and reconfigure it. There are also the protocols that nobody uses and thus have received little to no security attention at all. Perhaps I didn’t convey my point; what I was intending to say is that older routing protocols need to undergo the scrutiny that protocols like BGP have had. I’ve seen more than one case of the “We use protocol X and there are no public attacks against X documented, therefore it must be secure”.
Really, I was more thinking about stable (and thus advanced), generalized stack and heap overflows against IOS when I posted that comment. I just threw in the bit about routing protocols because I haven’t really seen anyone do hardcore research into the area since FX and co released IRPAS. “Slipping in the Window” was interesting of course.
What we really need is for there to be a concentrated effort into modern IOS vuln dev and *not* have Cisco and other companies try and squash the findings.
FX
November 6th, 2007 4:39 am
I tend to agree with sigsegv here (don’t we all love sigsegv anyway?)
There is at least potential for high risk vulnerabilities that don’t require peering with the target. Think IPv6 headers that get parsed and inspected while the traffic is routed through, not terminated at the router. While IPv6 is especially parsing friendly, other protocols that get inspected during transit may not - we have just failed to identify them yet.
Thomas Ptacek
November 6th, 2007 11:32 am
Well, I agree with you, sigsegv; like the original post said, I think we need to mainstream everyone’s skunkworks IOS projects and start beating on Cisco.
But there’s very little in that work that’s unique to routers. Much of the vulnerability research work that has gone into router-specific attacks has come to nothing. Clearly, there’s a rich vein of software implementation problems to be found in the Cisco and Juniper stacks, but it’s going to be dirty, tedious work to haul them to the surface.
TCP/IP is designed to minimize the amount of parsing work that middleboxes need to do to protocols, which somewhat insulates routers and switches from protocol problems.
An obvious caveat: when we start talking about VPN concentrators, WAN accelerators, app load-balancers and traffic managers, all bets are off.
dre
November 10th, 2007 7:45 pm
I spent many years in very close proximity to this field and even in BGP4, where route security is perhaps most developed, I don’t get the sense that there’s any findings to be had once you can bring up an unauthorized session. Game over is game over.
This is absolutely true. I was severely bothered a few years back about security problems in the EIGRP protocol. Using a pedantic configuration with neighbor statements on everything, you can get around some of them - but there will always be new findings because the models, logic, and states of these protocols are weaker than even the parsers that read their messages.
Nobody cares about unauthenticated routing/switching protocol traffic because it’s not interactive or “everyone’s grandma” user-controlled like web applications or other modern applications. Regardless of what backbone engineers want you to believe, every message that is sent between large and complex routing infrastructure isn’t tuned or tweaked with interrupt-driven hooks. When it is - usually the network breaks and the customer calls start pouring in.
Plus, don’t the operators have enough problems with trying to convince people to move to IPv6 and get their vendors to produce hardware and code that will support 257K routes in 2007 and 513K routes in 2008? Or maybe the BGP UPDATE message churn or available ASN or IP prefixes will be their/our downfall?
What we really need is for there to be a concentrated effort into modern IOS vuln dev and *not* have Cisco and other companies try and squash the findings.
Now this I can agree with! What ever happened to the BinNavi support for IOS / ScreenOS / etc? Nobody I know has the money for BinNavi for it to be worth the time investment.
When do we get FLIRT signatures for these OS’s on all their relative platforms? Where’s “PaiMei, Embedded Edition”? How about BugScam/BugScan (or BEAST or OBOE) for router images?
Wouldn’t it be nice if router vendors had available open-source third-party code for some of their components like Apple does with WebKit? If we had IOSKit with code coverage reports to compile in as an optional feature - we’d be whipping out remote enable shells from now until Christmas. It’s too bad that Cisco IOS source is so hard to get access to (cough: EFNet 1996 11.2, 1999 12.0T. DOTU. Russian incident. Huawei. Etc).
Cisco could at least open-source the code for multicast and IPv6 parsers - nobody uses that stuff.
I guess the legality of vulnerability disclosure on these platforms is so strict and Cisco or Juniper have lawyers to take care of this problem after the PR people spin it. In the web application security scanner world, some guy is trying to reverse benchmark using false positives. I wonder if something similar can be done with regards to “squash happy” router vendors?
dre
November 10th, 2007 7:51 pm
OTOH - it’s been 5 years or so since Gadi Evron coined the term OPK for “one packet kill”, and yet we’ve never heard or seen one of these in the wild.
Christopher Cashell
January 23rd, 2008 3:32 pm
I’m going to have to disagree with you on Vyatta and the possibility of Open Source Routers, especially in appliance form, having a decent niche potential.
FortiNet is a rapidly growing competitor to Checkpoint, NetScreen, PIX, and company, that started out as little more than company supported Linux-based firewall boxes. Heck, as it is now, for the *average* case, you can get essentially the same featureset you’d expect on a commercial firewall from a Linux box and a little extra software.
So, why do people purchase Checkpoint, or PIX, or whatever? A combination of support, and ease of use. They don’t want to spend hours or weeks getting the base installed, configured, and locked down, before they can even start writing firewall rules. As new OS’s include better and better host firewalls, and better support for running commercial firewalls (either appliance based, or Checkpoint-style), they’re becoming commoditized. That’s why you’re seeing the growth of the ASA’s, with VPN and IDS.
Now, you’ll never (or, at least, not anytime soon) see Vyatta type appliances or Open Source based routers handling core routing. You also won’t see them in large ISP’s with seriously big pipes. However, that’s only one part of the market. There’s a lot of companies out there with a T1, or maybe a couple of them, that also need a router. That’s the market that I could see Vyatta carving a niche in.
Heck, part of the reason I say that, is because that’s the very market that my employer is in (two 10MBit Ethernet drops for Internet, and 30MB Ethernet drop to a colo outside of town for first stage DR). One of my coworkers brought up Vyatta, and we’re seriously considering them to replace a pair of aging Cisco routers.
Add in the increased familiarity of a Linux based platform, and the flexibility and extensibility, and there’s a lot of potential there. Heck, I see even more potential for these things as a truly multi-function appliance for smaller shops, or branch offices. Take the Open Source router, add in firewall, something like OpenVPN for remote access, and snort for IDS, and you’ve got a very compelling device, provided you can give it a uniform user interface and integrate them well.
Most of the functionality is already there. It’s just putting it together into something people can see as a network device, instead of a server (since that’s traditionally how network devices operated).
Thomas Ptacek
January 23rd, 2008 3:39 pm
Couple things.
(1) I’m not sure what Fortinet started out as, but by the time I heard about them for the first time at RSA in 2004, they were a monster hardware UTM platform with ambitions for the service provider market. That there is Linux and open-source security code under the hood doesn’t surprise me, but it hardly seems fair to compare them to Vyatta.
(2) Fewer people consider replacing aging Ciscos with Vyatta code every year than have considered doing the same with GateD or Zebra for the past 10 years. A typical F-500 enterprise will buy between 10-100 Cisco access routers in a year. Name one that has standardized on open-source routers. Many have and will standardize on open-source firewalls, but firewalls are a less risky technology to gamble on (you buy less, and fewer people manage them).
Christopher Cashell
January 23rd, 2008 5:38 pm
With regards to Fortinet, I mentioned them simply because there are some parallels between where they started, and where Vyatta is, IMO. While they’ve become among the biggest, building a firewall based on Linux and ipchains/iptables/etc is definitely nothing new. However, even though it was possible to do it for years by hand, it didn’t get much use commercially until people started offering firewall appliances, a la some of the Fortinet products. Heck, even though the stack on top of it will be entirely proprietary, the number of Linux based firewalls will increase exponentially with the PIX OS 8.0 release, where the ASA devices will make use of a Linux kernel underneath, and PIX devices continuing with Finesse/PIX OS.
Either way, I’m getting off topic a bit, here.
With regards to Cisco vs. Vyatta, the reason that businesses haven’t previously made heavy use of Open Source routing setups is precisely because in the non-startup business market, it’s usually better business to buy the finished appliance and *use* it, than buy the parts and build it. Prior to now, there were (as far as I know) no Open Source based router appliances. If you wanted one, you built it. There are *very* few businesses that will do that, because it isn’t cost effective.
I would say that while there may not be a lot of people doing it yet, I definitely think the market for Open Source based routers will grow in the near future. The fact that my company is considering it right now means that there *is* a market out there. And despite the fact that we’re a heavily Linux-based shop, we would not consider building our own production routers with GateD or Zebra/quagga. We don’t want to build it, we just want to use it. And if Vyatta can deliver all of the features that we need, at a price that beats Cisco, we may even end up going with them.
If there’s one thing I’ve seen from Open Source, it’s that it may not take off like a rocket, but it tends to not go away, either. Vyatta may not have any F-500 enterprises now, and they may not next year, either. But, in fairness, how long has Vyatta been around? A year or two? The fact that they’re able to compete with Cisco at all is a pretty impressive achievement, and a testament to what can be done with Open Source software.
Most startups aren’t going to immediately target the Fortune 500. They’ll target the smaller shops, the newer companies without as much existing infrastructure investment, etc.