Internet Operators Dig into Fallout from Cisco Code TheftBy David Morgenstern | Posted 2004-05-17 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
Router industry analysts and developers verify the theft of Cisco's IOS source and look at the code leak's potential security concerns.As more details were revealed Monday about the theft of Cisco Systems Inc.'s IOS Version 12.3 source code, networking analysts pondered the possible outcomes of the release for individual networks and for the entire Internet.
According to Russian security firm SecurityLab, 800MB of source code from Cisco, including a developmental version of the currently released software, was released. The hackers released a portion of the code on the Internet to prove the theft.
Officials of San Jose, Calif.-based Cisco confirmed the report and said the company is investigating the matter.
In an eWEEK.com interview, Li said many programmers already have access to the source code. "The social engineering or penetration of their security perimeter is not surprising. But it's sure embarrassing for Cisco and their 'self-defending' network [marketing campaign]," he said.
But Internet analysts and network operators gave mixed reactions on the eventual result of the source-code theft. Unlike in a client-side vulnerability, the routers sending Internet traffic will be more difficult targets.
"Very few people bother to directly attack the infrastructure of the Internet," said Bill Woodcock, research director with the nonprofit Internet routing education group Packet Clearing House, of Berkeley, Calif.
"Bad guys might throw eggs at a house, but they usually don't tear down the streetlights," Woodcock said. "The network routers themselves don't usually impinge on the consciousness of the baddies out there."
In an interview with eWEEK.com, Woodcock pointed to many limiting factors for a widespread attack from the leaked code. For example, the attacker would need inside knowledge about a particular network as well as the time to examine the code.
Even if an exploit could be realized, he said the attack would be difficult to achieve, since packets must be addressed to the CPU of the router and most packets are already filtered.
Next Page: "An attacker would need a lot of knowledge about the router," Woodcock says.
In most operational situations, Woodcock said, packets would be addressed to the router's CPU via a network management terminal located inside the site.
"Ten years ago, every router was directly addressable from the outside. Now, an attacker would need a lot of knowledge about the router, which may not even be addressable from the outside anyway," Woodcock said.
More of a potential concern to network operators was the widely publicized TCP flaw in the Internet's Border Gateway Protocol (BGP) in April. In that case, an attacker could stop traffic between two ISPs by way of a peer connection between routers.
On the NANOG list, Russian-based operator Alexei Roudnev said he's less concerned with the security implications than with the business ones for Cisco.
"I should not be too aware of the possible usage of this source code for the exploit development; Cisco [routers] have very few points where they parse or process IP packets, and most of such points are filtered out," Roudnev observed.
"Much more serious is the trade secrets issue. Of course, no one can take this code and use it on their equipment, or grab a library and reuse it," he wrote.
"But, unfortunately, Cisco's codes should have many small tricks, smart design solutions and so on, which make IOS so efficient, and these things can be reused by competitors (unfortunately for Cisco, only a few West countries respect authors' rights, and other people are free to purchase this source code from the hacker and use as much as they do want)," Roudnev posted.
On the other hand, some router industry professionals said Cisco could benefit from open-sourcing IOS. According to Per Gregers Bilse, routing software engineer at London-based Network Signature, the idea has a "lot going for it."
"IOS as such is not a major revenue source, considering equipment prices in general," Bilse observed in a NANOG posting. "Cisco could bundle IOS at no cost merely by cranking up the hardware prices by a small amount, and there are no big secrets in the source.
"Arguably, there are things that some people might find interesting to try to dig into, but in terms of making a network box, a lot of the mystery has turned into old hat over the years."
In an eWEEK.com interview Monday, Bilse expanded on his thesis: "Conceptually, I would compare IOS to Unix: Unix is a very good general-purpose computer operating system, and IOS is a very good general-purpose network box operating system. And what happened to Unix?
"Once the prized jewel of AT&T Labs, 'real' Unix [SysV] is now a piece of questionable intellectual property [with The SCO Group Inc.'s legal effort], and free, open-source reimplementations of the basic idea or functionality rule the market," Bilse added, pointing to Linux and BSD implementations.
"If AT&T had loosened their grip on the reins earlier on, they would still be in charge."