At the time of this writing, I am the only person to have publicly demonstrated the ability to reliably exploit buffer overflows on Cisco routers. Considering that we know others are looking to do the same thing, we don't have much time. We can either hope that when they find out how, they will be as open and helpful as I have tried to be, or we can prepare for the worst. Hope is not a defense strategy.
The ability to maliciously take control of a router or a switch is a much more serious compromise than an attack on a workstation or a server, because it gives the attacker a favorable network position. Routers are responsible for forwarding our traffic across the network, so attackers can listen to and modify all traffic being passed through the hacked device. This means that a router can become a springboard to compromise entire networks, all from a single device. A slightly more sophisticated attacker can use the fact that he or she is now in the middle of the traffic to perform attacks on encrypted networks. These man-in-the-middle attacks can allow hackers to decrypt virtual private networks and gain access to the data they protect.
Such exploitation has been the holy grail for many would-be attackers. The source code for Cisco's IOS has been stolen on at least two occasions. The only reason to steal this source code is to find vulnerabilities and create exploits to attack routers and switches. My research took more than six months of full-time reverse-engineering work to demonstrate such an attack; with source code, this would have taken far less time and skill. We know that source code thieves are working on this, and it's doubtful they will come forward and do the right thing when they succeed.
The exploitation of security vulnerabilities in our routers and switches is bad enough, but that's just the beginning. The next threat will be worms that attack our network infrastructure. Unlike worms that attack endpoints, a network infrastructure attack could cripple the network in ways that are much more difficult to recover from. How do you ship a software fix when the infrastructure itself is down? The worst-case scenario is an attacker gaining control of a router and erasing the boot instructions from the router's flash, effectively rendering the device unusable from then on. This makes for the gruesome possibility that malicious network traffic can actually destroy network hardware. Imagine how much that would cost your organization in lost equipment and downtime.
Few network administrators would place an important server or workstation directly on the Internet without the protection of a firewall. Today, most border routers, the devices that connect intranets to the Internet, sit unprotected from malicious traffic. Most of us are unprepared to defend our intranet gateways against these new threats, and we may not even have a way to know whether we've been attacked.
A good admin regularly patches workstations and servers even when they are protected by firewalls. Routers and switches, on the other hand, often go overlooked in patching. While they are more important to the network infrastructure, it is not uncommon for our network devices to remain unpatched from the day they are installed to the day they are retired.
It's clear that a storm is brewing on the horizon, but the good news is that we still have time to prepare our defenses. We can do a number of things to ensure the continued security and operation of our networks, and the solution starts with the kinds of people buying this book.
Start with questioning any vendor's claims about security. It's clear now that no computer system can be totally secure, and any such claim should be met with suspicion. Sometimes vendors lie; don't be afraid to confront your vendor about security. It can take a year or more for a major network device vendor to release details about a security issue, and when they do disclose information they often downplay the issue to an extent that no one takes it seriously. When a vendor misleads you about the severity of an issue, they damage your ability to triage issues and ultimately reduce your ability to defend your network.
This is no longer acceptable.
For their part, vendors must fess up to the problems in their systems. We can't fix something if we can't agree that it is broken. All systems have bugs; what is important is how a vendor deals with the bugs in its products. It's no longer acceptable for a vendor to cover up a security issue rather than address the problems openly. As customers, it's your job to pressure vendors to do the right thing.
We have to start thinking of routers and switches as networked computers. They need to have proper patch management procedures that get fixes for issues as they happen. To the extent that it is practical, we need to firewall off our routers just as we would any other host. This will require that vendors take the process of patch management as seriously as network administrators do.
Responsible engineering practices dictate that any firmware-based system with modifiable images must have a reliable way to restore a system after an incident. Routers and switches should no longer be manufactured without fail-safe, hardware-enforced read-only boot images. It's worth the extra 50-cent ROM chip to make sure your $20,000 router doesn't become a boat anchor.
We have survived attacks targeted at our all-Microsoft endpoints, but the stakes are much higher on our network devices. In the long-term ecology of networking, we must learn to resist homogeneity at the infrastructure level in order to survive. If we are going to combat network-destroying worms and VPN-spying exploits, we are going to have to start running a more diverse code base on our network devices. That means that vendor initiatives such as the Cisco Powered Network, which are designed to enforce network monoculture, must be resisted.
Conventional wisdom once held that routers and switches were not vulnerable to attack in the same way as our network endpoints. Consequently, most of our network infrastructure received about the same security attention as the toaster oven in the IT department break room. Today the revelation that Cisco's ubiquitous IOS operating system can be attacked by hackers, just like any other computer, renders conventional wisdom obsolete.
No network administrator should be without a solid understanding of the risks we face today. The Hacking Exposed series provides all the information you need to plan your defense with confidence. Hacking Exposed Cisco Networks continues that tradition by showing you step by step where the problems are and explaining in-depth how to solve them. This book gives you the knowledge you need to defend your Cisco-based network against the threats of today and tomorrow.
Consider this: it took Roger Bannister a lifetime of training to run the first 4-minute mile. It only took six months for someone else to follow. The clock is ticking. Have you started preparing your defense yet?
Michael Lynn has an extensive background in embedded systems, including kernel development. His research interests include signals intelligence, cryptography, VoIP, reverse engineering, and breaking any protocol designed by committee. His current research focuses on securing critical routing infrastructures. He was the first person to demonstrate publicly that buffer overflows can be reliably exploited on Cisco routers and switches.