Re: [ISN] An All-In-One Hacker Repellent

From: mea culpa (jerichoat_private)
Date: Sun Feb 14 1999 - 16:48:17 PST


    Reply From: //Stany <stanyat_private>
    The following are most probably notes on general set-top box design
    philosophy, but they should apply to set-top firewalls as well as to
    set-top file servers and print servers. 
    > 1/28/99
    > Effective security for your network doesn't always come in big beige
    > boxes, as Bob Walder explains. 
    > The term network appliance is gradually making its way into common usage.
    > It refers to self-contained devices that plug into a Lan at any
    > appropriate point, are managed over the network (often using a standard
    > web browser), and then just do a single job without any further attention
    > required from the network administrator. 
    > Such devices come in a range of flavours, including print, fax and mail
    > servers, and now firewalls. Even these devices once - considered as big
    > budget purchases for equally sized companies - are now such a commodity
    > that you can buy them for less than #1,000 and install them in under five
    > minutes. 
    In the past 6 months I have played with at least 3 different offerings of
    set-top boxes that are supposed to be the administrators' all-in-one
    replacement of file (NFS and/or samba), web and/or print servers,
    including one that had an ability to be an internet gateway (by virtue of
    having 2 NICs and a modem) and a firewall.  2 of the systems I have played
    with were using Linux as their basic underlying system, and one had
    NetBSD as its guts.  2 of them are designed for an Intel-compatible PC
    (Winddance shipped it with a nice machine, preinstalled), and one was
    designed to run on a StrongARM SA110 RISC CPU.
    I am not going to bash any of the systems, as I no longer have access to
    one of them (and hopefully people and <> have
    by now fixed the bugs in their Breeze product), I have wiped clean the web
    server disk image off my Corel NetWinder <>,
    and am just in the process of evaluating Newlix Omega Beta 0.12b
    <>, so I most probably will be not up to date in
    most of my statements, however.... 
    One crucial thing is missed by most designers of set-top boxes: they do
    not realize that what they do is a direct compromise between security,
    power/flexibility and ease of use.  When one has a design objective to
    build and sell a product "so simple that even a secretary would be able to
    use them within 5 minutes" (This quote is actually paraphrased out of
    sales information that came with Breeze Network Server), one starts to go
    lax on powerful features and/or security.  In essence this is just a new
    spin on the old and good "Cheap, good, fast.  Choose any two." statement. 
    If you want to give more power and flexibility to the users, like a web
    interface for backups, which will allow one to restore and save data from
    floppies or a tape drive, you had better make sure that the person who
    stuck the tape in (or, as it was in my case, a 120 Meg floppy) is not
    malicious, and does not have just 2 files in the "backup archive"
    (/etc/passwd and /etc/shadow of course), and that the files are not blindly
    overwritten on the file system. 
    The compromise is made partially because the people who seem to be
    "jumping on the bandwagon" are not really familiar with the underlying
    details.  Programmers who write CGI interfaces for set-top boxes usually
    are not security professionals.  Some of them (no, not the people at Corel. 
    In my experience, Corel have invested immense money and time in both
    hardware R and D and into further enhancing the ARM Linux port.  You can
    figuratively say that Corel gave ARM Linux a major boost into arm. ) are
    starting a set-top box business by thinking: "Well, no one else has it out
    yet, we'll just take a free operating system, put it on a normal Intel PC,
    where all the quirks have already been resolved and everything is known to
    work, and then just write a web interface".  The people doing this are not
    security professionals, are usually on a shoe-string budget (compared to
    bigger companies out there, like Litton Industries or even IBM, Oracle,
    etc.) so they want the product out fast, to start selling it and to start
    generating revenue.  This is not a good approach for a number of reasons
    (WindDance, take note): Programmers are hurried by the management to speed
    up development, which results in a number of security compromises being
    implemented, and a "comprehensive security audit just before the product is
    about to be shipped" is either never done ("We have a deadline.  Ship it
    now, we have no time!") or, when done, is hurried and does not uncover all
    of the problems. 
    Of the three systems I have played with (Well, NetWinder can be a set-top
    box, or a workstation, depending on packages installed, and I have turned
    mine into a firewall/gateway after playing with the web server setup) one
    was not designed to have shell access at all (My first thought was: 
    "They are hiding their cool software". It quickly changed to: "They are
    hiding their bugs".) and I had to trick the Breeze from the console to give
    me shell access. 
    The other two systems did have shell access, but it was provided by a
    simple telnetd (in case you prefer power over ease of use).  It would
    have been grand if a licensed copy of sshd was shipped with the product (I
    mean when a set-top box costs 3.5K USD, and the hardware it consists of
    costs 700 Canadian Peso, and the software is NetBSD, what am I paying for? 
    Bugs in the web interface?), but the only people who were providing it were
    Corel through their developer site, where you could grab a precompiled
    version and instructions on how to fix the official source so it will
    compile on NW (Those export restrictions on crypto. Grr...). Well, if ssh
    is too expensive, why not use one of the tried and true tools like the OPIE
    or S/Key telnetd replacements and ship the system with a floppy providing a
    copy of the OPIE calculator for Mac and Doze?
    Another example is user management: If you want to add or delete users on
    the set-top box, you have to authenticate yourself to it.  Authentication
    to many people building set top boxes means passwords, which either means
    Basic Auth Apache module, or simply a form with 2 fields (username and
    password) and a submit button. 
    Now Basic Auth is an abnormality in the face of God for such purposes.  A
    quick trip to will find you a program that is designed
    to sniff just for that.  It will automatically decode the password, and
    tell you in a nice format who connected to where, into what directory, and
    at what time in addition to the B1gS3kr3t password one used.  Submitting a
    form is slightly more secure because the header is not screaming out loud
    that it is an authentication attempt, and one actually has to listen to all
    of the traffic on port 80 to grab the password, but with some creative use
    of tcpdump it is trivial to do.  Now, if this set-top box controls the
    departmental printer, at most you will DOS the department, and they will
    not be able to print their memos.  But if it is a firewall, some nice
    social engineering ("Hello, I am John Q Public from 'YourBigClient', and I
    can not connect to your ftp site.  Can you check your firewall?" - works
    best for insiders) and a well-placed sniffer will allow one to open the
    private network to unrestricted traffic and still maintain the
    illusion that the firewall is on guard to protect the network. 
    If you *must* use a web interface (and besides, what is wrong with console
    only?  We had SS20s running Milkyway Blackhole/SecureIT and always, if you
    had to fix it, you had to drive over to the office.  No one died from doing
    that so far ;-) for firewall administration, why not take the same OPIE
    (source for which is available) and modify the web interface
    authentication CGI to check the logins against it? 
    You connect, put your username into a form, press submit, and see a
    nice challenge replied back to you.  You copy/paste it into your OPIE
    calculator, type in your password, copy/paste the results back into the
    form on the web page, and click submit once again.  For added security
    throw in Apache-SSL with certificates.  Then no one can see what the
    configuration of the firewall is as you modify it.  No, this is too
    complicated for a secretary to use. 
    > This is the category that Sonicwall falls into. Ranging from #495 for a
    > 10-user basic version, we reviewed the high-end #1,795 version, which
    > includes three network interfaces and a De-Militarised Zone (DMZ) on which
    > you can host all your publicly available web and FTP servers. 
    > A set-top box
    > All the necessary hardware and software is contained in a single box the
    > size of a paperback book. There are three network ports at the back and
    > three sets of corresponding status LEDs on the front panel. That, and a
    > reset switch, is all there is to it. The hardware is a 25MHz 68360 Risc
    > processor with 4Mb Ram, 128Kb Rom and 2Mb of flash memory. The firewall
    Gee, a Cisco 1000 router with 3 lights prayed out.  This CPU can firewall
    how much bandwidth?  Oh, and how big an access list can you fit in 4 megs? 
    (The hardware described is almost identical to a Cisco 100[345] ISDN or
    Serial router.  Those beasts seem to work OK, however the CPU does not
    have enough horsepower for things like big access lists, so when you do
    it, your throughput starts to suffer.) 
    > code and host operating system is completely proprietary, making it
    > unlikely that hackers will concentrate their attentions on it when they
    > can be having so much fun undermining general purpose operating systems,
    > such as Windows NT. 
    It is not a secret that most of the back-bone routers out there are 0wned
    (Why is a different matter, however I have seen some Nortel Sonet
    equipment which runs some god awful HP-UX based firmware [based on HP-UX
    6.95 or so] and has root:root as a hardcoded remote password. I was told
    that the only thing you can change is what port it listens on for telnet
    connections.  Great! ) and I have seen a Cisco 4000 with a new version of
    IOS reflashed, that seemed to have sniffing code built in (did Cisco ever
    make IOS source public?  I want to build a copy of firmware which would
    calculate rc5 in its spare time ;-). This firewall from the description
    is almost identical to some of the Ciscos out there, so I am wondering how
    long it will take someone to come up with a new copy of firmware with all
    those new abilities we know and love?  I guess this will depend on how
    well accepted the firewall will be. 
    > The firewall engine uses stateful inspection, and includes full Network
    > address translation (Nat) and hacker attack prevention (to repel Denial Of
    > Service attacks). Creating and amending filters is not the easiest I have
    > seen, but is far from impossible. A built-in DHCP server makes the
    > administrator's life an easier one, as does full support for DHCP on all
    > ports. 
    > Nat translates multiple IP addresses on the private Lan to one public
    > address visible on the Net. This adds a level of security since the IP
    > address of a PC connected to the private Lan is never transmitted on the
    > Internet. Further, Nat allows Sonicwall to be used with low cost Internet
    > accounts where only one IP address is provided by the Internet service
    > provider. 
    I begin to wonder why not take a $700 PC, install Linux or a flavor of BSD
    on it, and do all that and more, while not having to pay "per machine"
    fees?  There are some nice firewall/router projects out there, and I know
    that you can have a Linux box do routing by booting from one floppy, so
    there goes the cost of the hard drive, and you do not have to worry about
    files being modified or backdoors being planted on your router. 
    > A final word of caution: these devices may appear to be easy to install
    > and configure, and many of them are (some are even easier than Sonicwall).
    > However, this does not mean they are secure. But don't get me wrong;
    > Sonicwall is as secure a firewall device as you are likely to find,
    > although it would be nice if more firewall vendors opted for the Checkmark
    > certification process from West Coast Labs in addition to ICSA. 
    > There is more to configuring a firewall than getting it out of the box, as
    > we all know. In the default state, these devices are either wide open or
    > too restrictive to be of any use. This means that 99 per cent of all sites
    > must start fiddling with the filters, and that is when the loopholes are
    > introduced - some wide enough for your average hacker to drive a double
    > decker bus through! If you don't know what you are doing, it is worth
    > spending a little extra money to get a security consultant to install and
    > configure these things for you. 
    In conclusion: it seems that someone *will* come up with a set-top box
    that is both secure and flexible.  It *is* possible to do, as long as
    security is a part of the mindset as the system is being designed.  Out of
    the 3 different vendors I have tried, no one has managed to do it just right
    yet, however when a system is more open for modification and
    customization, it is possible to adjust a shipped machine for your own
    |         Stanislav N. Vardomskiy - Procurator Odiosus Ex Infernis[TM]        |
    |        This message is brought to you by letters jey, ow, el and tee.       |
    |              Jolt!  For all the sugar and twice the caffeine.               |
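The OPIE/S-Key style challenge/response login for a web admin interface that the post sketches, as an added example that is not from the original message or from the OPIE code: the server keeps only the N-th hash of the user's secret, hands out a challenge (sequence number and seed), and accepts the response only if hashing it once reproduces the stored value, so a response captured by a sniffer cannot be replayed. It assumes a simplified chain (SHA-256 instead of OPIE's folded 64-bit digest and six-word encoding); the user, secret and seed are constructed.

```python
import hashlib
import hmac


def otp_step(data: bytes) -> bytes:
    # One step of the hash chain. Real OPIE folds MD5/SHA-1 to 64 bits and
    # renders it as six short words; this simplified chain keeps raw SHA-256.
    return hashlib.sha256(data).digest()


def otp_chain(secret: str, seed: str, n: int) -> bytes:
    # hash^n(secret || seed): what the user's OTP calculator computes.
    value = (secret + seed).encode()
    for _ in range(n):
        value = otp_step(value)
    return value


class OtpWebAuth:
    """Server side of the login CGI. Stores hash^N, never the secret itself."""

    def __init__(self, username: str, secret: str, seed: str, count: int = 100):
        # Enrolment happens once, offline; afterwards the secret is discarded.
        self.users = {username: {"seed": seed, "seq": count,
                                 "last": otp_chain(secret, seed, count)}}

    def challenge(self, username: str) -> str:
        rec = self.users[username]
        if rec["seq"] <= 1:
            raise RuntimeError("OTP sequence exhausted; re-enrol the user")
        return f"otp-sha256 {rec['seq'] - 1} {rec['seed']}"

    def verify(self, username: str, response: bytes) -> bool:
        # Valid iff hashing the response once yields the last accepted value.
        rec = self.users[username]
        if not hmac.compare_digest(otp_step(response), rec["last"]):
            return False
        rec["last"] = response      # chain moves one step back
        rec["seq"] -= 1
        return True


def client_answer(challenge: str, secret: str) -> bytes:
    # The user's calculator: parse "otp-sha256 <seq> <seed>" and compute hash^seq.
    _, seq, seed = challenge.split()
    return otp_chain(secret, seed, int(seq))


def demo():
    # Constructed credentials; a sniffed response replayed later is refused.
    srv = OtpWebAuth("fwadmin", "correct horse battery", "fw01ab", count=100)
    resp = client_answer(srv.challenge("fwadmin"), "correct horse battery")
    return srv.verify("fwadmin", resp), srv.verify("fwadmin", resp)
```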