|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: IOS Rookit: the sky isn't falling (yet)
[email protected] wrote: > On Tue, 27 May 2008, [email protected] wrote: >> On Tue, 27 May 2008 11:24:19 MDT, Chris Grundemann said: >>> Like MD5 File Validation? - "MD5 values are now made available on >>> Cisco.com for all Cisco IOS software images for comparison against >>> local system image values." >> That does wonders for catching a corruption in the FTP that wasn't >> caught >> by the relatively weak TCP checksumming. >> But if the attacker has the wherewithal to cause a modified file to be >> downloaded (either by replacing it on the real server, or getting you to >> visit a fake server), they can also present you with a webpage that >> has an >> MD5 hash that matches the modified file. >> Now, if they provided a PGP signature of the file, done with a key >> that I >> have reason to trust, *that* raises the bar significantly... > > What you want is cisco hardware that verifies firmware signatures in > hardware. > > -Dan > Why not TPM? Sign every binary on the device, encrypt & sign the headers. The entire device runs in a hypervisor. Everything must be approved by Cisco. Let's make routers even more blackboxish and require vendor certification for every little thing. I don't know about you, but I don't want layers of DRM and crap ontop of my router when I'm still wondering about idiots leaving tftpds open. :-/ -- +1.925.202.9485 Sargun Dhillon deCarta [email protected] www.decarta.com
|