It has been three months since the world learned that the NSA’s Signals Intelligence Directorate, through its Tailored Access Operations (TAO) unit, has been deploying backdoors in Cisco, Juniper, Huawei, Dell, and several hard drive manufacturers’ gear.
The response from them so far? Weak protestations that they knew nothing of this. What they don’t get is that this response is inadequate. Don’t Cisco and Juniper understand that their flagship products, their routers and firewalls, have been demonstrated to be insecure?
Don’t they understand that is an existential threat to their business? And conversely, that fixing these issues with their products would be a differentiator that could protect their market share?
On December 30 I called for vendors to offer a substantive response, including:
- Develop tools to detect when their systems have been compromised and make these available to their customers.
- Conduct a comprehensive review of their architectures with an eye towards a much more sophisticated attacker than ever before. All security is a compromise, but too often compromises justified by underestimating an attacker’s resources eventually succumb.
- Assign a Red Team to break their own products.
- Use network-fuzzing tools to discover previously unknown vulnerabilities.
- Evaluate how hardware roots of trust that store keys to authenticate software and updates can be incorporated in product designs.
- Look at architectures that use separate monitoring devices in front of and behind their products to detect when they have been compromised.
With no response from Cisco, Juniper, or Huawei to date (at least publicly), every customer of these vendors should be planning their own response.
Perhaps the most comprehensive approach will be the result of a fundamental shift in trust. Knowing that persistent malware is being deployed to network gear, even possibly at the point of manufacture if the latest revelations of NSA attacks against Huawei are believed, means that network gear cannot be trusted.
While inspections of installed routers and firewalls from these vendors are required to establish that an organization is free of the BANANAGLEE, ZESTYLEAK, and JETPLOW persistent backdoors, that will not be enough.
Monitoring of routers and firewalls is now required. The best way to do this is to put network-sniffing appliances on the outside of the network to look for command and control communications with the NSA. Network gear should be re-imaged and updated. Any communication originating from the firewalls and routers themselves should be detected and blocked to prevent FEEDTROUGH from reinstalling the persistent TAO malware.
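As an added illustration of the monitoring described above (example code written for this post, not the author's own tooling): it scans a constructed flow log for connections that a router or firewall itself initiated toward an external host that is not on a short allowlist of legitimate services such as NTP and syslog. The device addresses, internal networks, allowlist and log lines are all assumptions.

```python
from ipaddress import ip_address, ip_network

# Hypothetical management addresses of the routers/firewalls being watched.
INFRA_DEVICES = {"192.0.2.1", "192.0.2.2"}
# Hypothetical internal address space; anything outside it is "the Internet".
INTERNAL = [ip_network("192.0.2.0/24"), ip_network("10.0.0.0/8")]
# Destinations the gear is legitimately expected to reach (external NTP, internal syslog).
ALLOWED = {("203.0.113.10", 123), ("10.0.5.20", 514)}

# Constructed flow records in a simple key=value form, as a sniffing appliance
# outside the network might export them.
FLOW_LOG = """\
2014-03-25T02:10:01Z src=192.0.2.1 dst=203.0.113.10 dport=123 proto=udp bytes=76
2014-03-25T02:10:07Z src=10.0.4.33 dst=198.51.100.8 dport=443 proto=tcp bytes=5120
2014-03-25T02:11:44Z src=192.0.2.2 dst=198.51.100.77 dport=443 proto=tcp bytes=1384
2014-03-25T02:12:03Z src=192.0.2.1 dst=10.0.5.20 dport=514 proto=udp bytes=220
2014-03-25T02:12:58Z src=192.0.2.1 dst=192.0.2.44 dport=22 proto=tcp bytes=910
"""

def parse_flow(line):
    """Turn one 'ts k=v k=v ...' record into a dict with an integer dport."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    rec["dport"] = int(rec["dport"])
    return rec

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)

def suspicious_device_flows(log):
    """Return flows that a router/firewall originated toward an external host
    not on the allowlist. Infrastructure normally forwards or answers traffic;
    a connection it opens to the outside on its own deserves investigation."""
    hits = []
    for line in log.splitlines():
        rec = parse_flow(line)
        if rec["src"] not in INFRA_DEVICES:
            continue                       # not one of the watched devices
        if is_internal(rec["dst"]):
            continue                       # internal management traffic
        if (rec["dst"], rec["dport"]) in ALLOWED:
            continue                       # expected external service
        hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in suspicious_device_flows(FLOW_LOG):
        print(f"{h['ts']} device {h['src']} -> {h['dst']}:{h['dport']} ({h['proto']})")
```

In the constructed log only the firewall at 192.0.2.2 opening a TLS connection to an unlisted external host is reported; the same logic, fed by a tap outside the perimeter, is what turns "watch for the gear calling home" into an actionable alert.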
Network vendors are going to have to dramatically revamp their architectures. The descriptions in the ANT Catalog indicate that BIOS attacks are part of the NSA’s approach. In the near future cryptographically secure assurance modules will have to be deployed so that customers can be confident that the OS kernel has not been compromised in their primary networking gear.
These are trying times for the IT security industry. As much as vendors don’t like to talk about it, networking gear is not capable of fulfilling the basic expectations of resilience to attack. All organizations are going to have to spend more to ensure their own security. The vendors with the most effective fixes will win.