Developments in Cisco IOS Forensics
Felix “FX” Linder
BlackHat 2008 DC
This talk started with explanation on how IP works on networks and what protocols we stack on top of IP (TCP, UDP, ect...). I have to say this was my favorite talk of Day 2 and probably the whole con. I am a core network guy and I really enjoyed a talk in an area I am very comfortable in. The speaker has a lot of experience in the network and router area and his views on issues in the routing side of the network is a refreshing view.
Cisco is the core of the internet (yes other routers are out there but Cisco is the largest).
Reason for Cisco’s place in the core is due to equipment cost and cost of support to replace the core. If you had to replace the Cisco’s you have in place now it would cost a lot and the next vendor may not offer better equipment.
Same basic code from day one with update and platform dependent code but the core IOS is still there.
How do you maintain the code when there are some many different trains and versions with special feature sets.
Too difficult to add security to the RMON due to the fact Cisco uses many different types of Processors and to implement the processors specific security feature you would have even more versions of IOS and this would cause more security holes and software management issues (how many IOS’s do you want to look thought to find your version).
ISO security issues:
A signal mistake in the most unimportant piece of code can influence anything else on the system, including kernel, security subsystems, and Cryptographic.
Cost of newer IOS is a hinder to upgrading to fixing security issues and the time to test and verify the new IOS will not break something else on the internet.
Most of your lower end Cisco routers are neglected for IOS upgrades and my pose serious security holes in your network. Remember a hacker only has to find one good hole to stage a full attack on the network.
FX’s views on how to find out if your routers are breached was very interesting and the fact there is almost no easy way to see if the router is running rouge processes in the IOS can cause extra worries for network engineers. His methods of dumping the core memory and comparing it to a known good IOS sample is very a intelligent idea to see if your IOS has rouge patches in it. His notes and whitepaper are posted on his company’s website www.recurity-labs.com/content/pub/Recur ... ensics.pdf.
I would highly recommend you to visit there site and review some of the documents they have listed.
As I said before I would recommend getting the presenters files from BlackHat once they are posted to see what was discussed.