[cryptography] this house believes that user's control over the root list is a placebo

The Fungi fungi at yuggoth.org
Sun Jun 26 19:29:49 EDT 2011

On Sun, Jun 26, 2011 at 03:31:23PM -0500, Marsh Ray wrote:
> But what about all the other admins? :-)

Hopefully they quickly realize their true calling is in the booming
food service and housekeeping industries.

> You're probably right today, the guys running the core routers are
> some of the best. This web management thing seems to be targeted
> to small/medium non-ISP businesses.

Not always, but the senior admins are usually the ones setting the
policies about management access to the devices, at least.

> But what about after a few more rounds of IT people graduate from
> courses and certification programs which now divert time from the
> old command-line stuff to teach the new web management
> functionality?

The current vendor-led training/certification (for what it's worth)
still focuses on command-line management. That's not to say that it
couldn't change soon, but so far that doesn't seem to be happening.

> What if functionality gets released for which there is no
> command-line interface?

It could happen, I suppose, but these days it tends to be the other
way around... features in the WebUI lag well behind more advanced
configuration options available in the CLI for most popular

> What about all the other datacenter gear plugging into trusted
> segments?

At least in my day-job employer's data centers (and as a data center
management and hosting company they have some whopping big ones),
the "trusted segments" I assume you're talking about are the core
routers and the out-of-band serial management gear for them which
run the same operating systems as the core routers themselves. The
limited subset of NOC staff authorized to manage these devices work
from *mostly* isolated segments of the network and only get access
to the core gear via SSH.

> What about the other makes of routers? Well, Juniper, that is.

The last time Juniper demonstrated the WebUI for their SRX to us,
there were so many bugs in it they kept having to break out the
JunOS CLI to fix or continue the demo--which was just as well since
we were more interested in the CLI and integration with their
existing enterprise device management platform. Similarly, we
already use their ScreenOS-based devices and disable the WebUI
immediately on those too.

> A lot of systems are set up with RADIUS/TACACS centralized
> authentication. In these cases there are many admins with access
> to many routers and other pieces of equipment. The bad guy only
> needs to convince the high-level admin to use his password once on
> the least-important piece of equipment.

Granted, but hopefully the devices are also limiting management
access with source IP address ACLs, raising the bar to where the
attacker has to already have somewhat greater access to those
admins' networks.

> A self-propagating router MitM would make for a very interesting
> and scary worm. Hopefully such a thing would first start out on
> some small home routers and give time to raise awareness for those
> with login credentials on the big ones.

Google "psyb0t" and "bluepill" for similarly novel ideas. ;)

{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829);
WHOIS(STANL3-ARIN); SMTP(fungi at yuggoth.org); FINGER(fungi at yuggoth.org);
MUD(kinrui at katarsis.mudpy.org:6669); IRC(fungi at irc.yuggoth.org#ccl);
ICQ(114362511); YAHOO(crawlingchaoslabs); AIM(dreadazathoth); }
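The hardening the message alludes to (disable the WebUI, permit management only over SSH, and only from the admin segment's source addresses) as configuration fragments. This is an added example, not configuration from the original message or from the author's employer; the management prefix 10.10.0.0/24 and the filter/ACL names are assumptions.

```text
! Cisco IOS (assumed management prefix 10.10.0.0/24)
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
no ip http server
no ip http secure-server

# JunOS (same assumed prefix; filter name PROTECT-RE is an assumption)
set firewall family inet filter PROTECT-RE term mgmt-ssh from source-address 10.10.0.0/24
set firewall family inet filter PROTECT-RE term mgmt-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term mgmt-ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term mgmt-ssh then accept
set firewall family inet filter PROTECT-RE term drop-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term drop-mgmt from destination-port [ ssh telnet http https ]
set firewall family inet filter PROTECT-RE term drop-mgmt then discard
set firewall family inet filter PROTECT-RE term rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
set system services ssh
delete system services web-management
```

The JunOS filter is applied to lo0 so it covers traffic to the routing engine arriving on any interface; the trailing `rest then accept` term is a simplification so that routing protocols keep working, and a production filter would enumerate those explicitly. Note that an IOS `access-class` only protects the vty lines, which is why the HTTP server is disabled separately; on ScreenOS the equivalent is removing `web` from each interface's `manage` options.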
