North American Network Operators Group


Re: Malformed SNMP Packet log/trace

  • From: Eric Brandwine
  • Date: Tue Feb 26 22:49:03 2002

>>>>> "sd" == Sean Donelan <[email protected]> writes:

sd> On Tue, 26 Feb 2002, Richard A Steenbergen wrote:
>> A lot of those protocols have people looking at them on a regular basis,
>> and they still manage to come up with obscure exploits no one else noticed
>> (ex: 23mb of buffer overflows to exploit telnetd).

sd> So what is the solution for a public network operator.  I attended
sd> a presentation last week where a Checkpoint reseller suggested the
sd> client needed to buy eight Checkpoint firewalls to protect a
sd> single web server.  I was impressed, what about the undercoating
sd> and scotchguard fabric protector.

That's actually a possibility, as soon as they support OC-192 interfaces.

Stay away from the undercoating, but the ScotchGuard(tm) is definitely
worth it!

sd> Is it time to fall back and punt?  How would you architect a backbone if
sd> you could do it over?

Security is not about making things foolproof.  They'll always be able
to break you, no matter what you do.  Security is about assuming
acceptable risk, and mitigating unacceptable risk.

This whole recent mess has actually gone over fairly cleanly.  The
vast majority of public infrastructure seems to have been patched with
a fair amount of speed, and nobody's noticed any serious outages due
to it.  Apparently, the risk we assumed was acceptable, and when it
became unacceptable, it was mitigated quickly enough.

If I could do it over?  I'd get in my Tardis, and go back to 1969.
I'd teach everyone at DARPA how to spell security.  Loose source
route, IP options in general, ICMP address mask requests, all these
things should go away.

sd> Is the complexity of SSH code worth the protection?  Or is it better
sd> never to access your routers through VTY ports, and always use a
sd> reverse-terminal server to the console from an out-of-band management
sd> LAN?

Console is slow; logs can easily DoS a 9600 baud line.  It only allows
one connection.  A good fallback point, but operationally it does not scale.

SSH is worth the protection, as reference implementations are
available, and it requires very little in the way of system support.
As long as in-band access to routers is required, SSH (or HTTPS or
IPSec) will be with us.  As time passes, the quality of the tools that
we have to work with improves, and our trust in them can grow.

The official answer is control plane separation.  This worked for the
PSTN, and it's the way the Internet will go, eventually.

Eric Brandwine     |  Things should be as simple as possible, but not simpler.
UUNetwork Security |
[email protected]       |
+1 703 886 6038    |      - Albert Einstein
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E
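
The post names loose source route, IP options in general and ICMP address mask requests as features that should go away. The following is an added example, not code from the post or from UUNET: a small Python inspector that parses a raw IPv4 header, walks the options field and flags source-route options and ICMP address-mask messages, i.e. the check a border filter would apply before forwarding. The sample packets are constructed inline for the example (checksums left at zero, nothing is transmitted), and the names `inspect_packet`, `parse_ip_options` and `build_ipv4` are this example's own.

```python
"""Detect IPv4 source-route options and ICMP address-mask messages.

Added example (not from the NANOG post): a minimal IPv4/ICMP inspector
that flags the legacy features the post says should go away.  The
sample packets below are constructed by hand; no checksums are computed
because nothing is ever sent.
"""
import struct

IPPROTO_ICMP = 1
# IPv4 option "type" octets (copied flag | class | number), per RFC 791
IPOPT_RR = 0x07    # record route
IPOPT_LSRR = 0x83  # loose source and record route
IPOPT_SSRR = 0x89  # strict source and record route
# ICMP address mask types, per RFC 950
ICMP_ADDRMASK_REQUEST = 17
ICMP_ADDRMASK_REPLY = 18

OPTION_NAMES = {
    IPOPT_RR: "record route",
    IPOPT_LSRR: "loose source route",
    IPOPT_SSRR: "strict source route",
}


def parse_ip_options(opts):
    """Walk the options field; return the type octet of every TLV option."""
    found = []
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == 0:            # EOL: stop, the rest is padding
            break
        if t == 1:            # NOP: single octet, carries no length
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length %d" % length)
        found.append(t)
        i += length
    return found


def inspect_packet(pkt):
    """Return a list of reasons a border filter should drop pkt ([] = clean)."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than minimum IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4:
        return ["not IPv4"]
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    reasons = []
    # Any IP option at all is suspect; name the well-known ones.
    for t in parse_ip_options(pkt[20:ihl]):
        reasons.append(OPTION_NAMES.get(t, "ip option 0x%02x" % t))
    if pkt[9] == IPPROTO_ICMP and len(pkt) > ihl:
        icmp_type = pkt[ihl]
        if icmp_type == ICMP_ADDRMASK_REQUEST:
            reasons.append("icmp address mask request")
        elif icmp_type == ICMP_ADDRMASK_REPLY:
            reasons.append("icmp address mask reply")
    return reasons


def build_ipv4(src, dst, proto, payload=b"", options=b""):
    """Assemble a test packet: options padded to 32 bits, header checksum 0."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len,
                      0, 0, 64, proto, 0, bytes(src), bytes(dst))
    return hdr + options + payload


SRC, DST = (10, 0, 0, 1), (192, 0, 2, 10)
# Constructed samples: a plain TCP segment, an LSRR packet with one hop,
# and an ICMP address mask request.
SAMPLE_TCP = build_ipv4(SRC, DST, 6, payload=b"\x00" * 20)
LSRR_OPTION = bytes([IPOPT_LSRR, 7, 4]) + bytes((198, 51, 100, 1))
SAMPLE_LSRR = build_ipv4(SRC, DST, 6, payload=b"\x00" * 20, options=LSRR_OPTION)
SAMPLE_ADDRMASK = build_ipv4(SRC, DST, IPPROTO_ICMP,
                             payload=bytes([ICMP_ADDRMASK_REQUEST, 0]) + b"\x00" * 10)

if __name__ == "__main__":
    for name, p in (("tcp", SAMPLE_TCP), ("lsrr", SAMPLE_LSRR),
                    ("addrmask", SAMPLE_ADDRMASK)):
        print(name, inspect_packet(p) or "clean")
```

The option walker treats EOL and NOP as single octets and validates every other option's length against the header, so a malformed options field raises instead of being silently skipped, which is the behaviour you want on a filter that is the last line before the control plane.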