Reply From: //Stany <stanyat_private>

The following are most probably notes on general set-top box design philosophy, but they should apply to set-top firewalls as well as to set-top file servers and print servers.

> 1/28/99
> UK: - AN ALL-IN-ONE HACKER REPELLENT.
>
> Effective security for your network doesn't always come in big beige
> boxes, as Bob Walder explains.
>
> The term network appliance is gradually making its way into common usage.
> It refers to self-contained devices that plug into a Lan at any
> appropriate point, are managed over the network (often using a standard
> web browser), and then just do a single job without any further attention
> required from the network administrator.
>
> Such devices come in a range of flavours, including print, fax and mail
> servers, and now firewalls. Even these devices once - considered as big
> budget purchases for equally sized companies - are now such a commodity
> that you can buy them for less than £1,000 and install them in under five
> minutes.

In the past 6 months I have played with at least 3 different offerings of set-top boxes that are supposed to be the administrator's all-in-one replacement of file (NFS and/or Samba), web and/or print servers, including one that had an ability to be an internet gateway (by virtue of having 2 NICs and a modem) and a firewall. 2 of the systems I have played with were using Linux as their basic underlying system, and one had NetBSD as its guts. 2 of them were designed for an Intel compatible PC (Winddance shipped it with a nice machine, preinstalled), and one was designed to run on a StrongARM SA110 RISC CPU.

I am not going to bash any of the systems, as I no longer have access to one of them (and hopefully people at <http://www.winddancenet.com/> have by now fixed the bugs in their Breeze product), I have wiped clean the web server disk image off my Corel NetWinder <http://www.corelcomputer.com/>, and am just in the process of evaluating Newlix Omega Beta 0.12b <http://www.newlix.com/>, so I most probably will not be up to date in most of my statements, however....

One crucial thing is missed by most designers of set-top boxes: they do not realize that what they do is a direct compromise between security, power/flexibility and ease of use. When one has a design objective to build and sell a product "so simple that even a secretary would be able to use them within 5 minutes" (this quote is actually paraphrased out of sales information that came with Breeze Network Server), one starts to go lax on powerful features and/or security. In essence this is just a new spin on the old and good "Cheap, good, fast. Choose any two." statement.

If you want more power and flexibility for the users, like a web interface for backups, which will allow one to restore and save data from floppies or a tape drive, you had better make sure that the person that stuck the tape in (or, as it was in my case, a 120 Meg floppy) is not malicious, and does not have just 2 files in the "backup archive" (/etc/passwd and /etc/shadow of course), and the files are not blindly overwritten on the file system.

The compromise is made partially because the people who seem to be "jumping on the bandwagon" are not really familiar with the underlying details. Programmers who write CGI interfaces for set-top boxes usually are not security professionals. Some of them (no, not people at Corel. In my experience, Corel have invested immense money and time in both hardware R and D and into further enhancing the ARM Linux port. You can figuratively say that Corel gave ARM Linux a major boost into arm.) are starting a set-top box business by thinking: "Well, no one else has it out yet, we'll just take a free operating system, put it on a normal Intel PC, where all the quirks have already been resolved and everything is known to work, and then just write a web interface". The people doing this are not security professionals, are usually on a shoe-string budget (compared to bigger companies out there, like Litton Industries or even IBM, Oracle, etc.) so they want the product out fast, to start selling it and to start generating revenue.

This is not a good approach for a number of reasons (WindDance, take note): programmers are hurried by the management to speed up development, which results in a number of security compromises being implemented, and a "comprehensive security audit just before the product is about to be shipped" is either never done ("We have a deadline. Ship it now, we have no time!") or when done is hurried and does not uncover all of the problems.

Of the three systems I have played with (well, NetWinder can be a set-top box or a workstation, depending on packages installed, and I have turned mine into a firewall/gateway after playing with the web server setup) one was not designed to have shell access at all (my first thought was: "They are hiding their cool software". It quickly changed to: "They are hiding their bugs".) and I had to trick the Breeze from the console to give me shell access. The other two systems did have shell access, but it was provided for by a simple telnetd (in case you prefer power over ease of use).

It would have been grand if a licensed copy of sshd was shipped with the product (I mean when a set-top box costs 3.5K USD, and the hardware it consists of costs 700 Canadian Peso, and the software is NetBSD, what am I paying for? Bugs in the web interface?), but the only people who were providing it were Corel through their developer site, where you could grab a precompiled version and instructions on how to fix the official source so it will compile on NW (those export restrictions on crypto. Grr...). Well, if ssh is too expensive, why not use one of the tried and true tools like OPIE or S/Key telnetd replacements and ship the system with a floppy providing a copy of an OPIE calculator for Mac and Doze?

Another example is user management: if you want to add or delete users on the set-top box, you have to authenticate yourself to it. Authentication to many people building set-top boxes means passwords, which either means the Basic Auth Apache module, or simply a form with 2 fields (username and password) and a submit button. Now Basic Auth is an abnormality in the face of God for such purposes. A quick trip to www.rootshell.com will find you a program that is designed to sniff just for that. It will automatically decode the password, and tell you in a nice format who connected to where, into what directory, and at what time, in addition to the B1gS3kr3t password one used. Submitting a form is slightly more secure because the header is not screaming out loud that it is an authentication attempt, and one actually has to listen to all of the traffic on port 80 to grab the password, but with some creative use of tcpdump it is trivial to do.

Now, if this set-top box controls the departmental printer, at most you will DOS the department, and they will not be able to print their memos. But if it is a firewall, some nice social engineering ("Hello, I am John Q Public from 'YourBigClient', and I can not connect to your ftp site. Can you check your firewall?" - works best for insiders) and a well-placed sniffer will allow one to open the private network to unrestricted traffic and still maintain the illusion that the firewall is on guard to protect the network.

If you *must* use a web interface (and besides, what is wrong with console only? We had SS20s running Milkyway Blackhole/SecureIT and always, if you had to fix it, you had to drive over to the office. No one died from doing that so far ;-) for firewall administration, why not take the same OPIE (source for which is available) and modify the web interface authentication CGI to check the logins against it? You connect, put your username into a form, press submit, and see a nice challenge replied back to you. You copy/paste it into your OPIE calculator, type in your password, copy/paste the result back into the form on the web page, and click submit once again. For added security throw in Apache-SSL with certificates. Then no one can see what the configuration of the firewall is as you modify it. No, this is too complicated for a secretary to use.

> This is the category that Sonicwall falls into. Ranging from £495 for a
> 10-user basic version, we reviewed the high-end £1,795 version, which
> includes three network interfaces and a De-Militarised Zone (DMZ) on which
> you can host all your publicly available web and FTP servers.
>
> A set-top box
>
> All the necessary hardware and software is contained in a single box the
> size of a paperback book. There are three network ports at the back and
> three sets of corresponding status LEDs on the front panel. That, and a
> reset switch, is all there is to it. The hardware is a 25MHz 68360 Risc
> processor with 4Mb Ram, 128Kb Rom and 2Mb of flash memory. The firewall

Gee, a Cisco 1000 router with 3 lights prayed out. This CPU can firewall how much bandwidth? Oh, and how big an access list can you fit in 4 megs? (The hardware described is almost identical to a Cisco 100[345] ISDN or Serial router. Those beasts seem to work OK, however the CPU does not have enough horse power for things like big access lists, so when you do it, your throughput starts to suffer.)

> code and host operating system is completely proprietary, making it
> unlikely that hackers will concentrate their attentions on it when they
> can be having so much fun undermining general purpose operating systems,
> such as Windows NT.

It is not a secret that most of the back-bone routers out there are 0wned (why is a different matter, however I have seen some Nortel Sonet equipment which runs some god awful HP-UX based firmware [based on HP-UX 6.95 or so] and has root:root as a hardcoded remote password. I was told that the only thing you can change is what port it listens to for telnet connections. Great!) and I have seen a Cisco 4000 with a new version of IOS reflashed that seemed to have sniffing code built in (did Cisco ever make IOS source public? I want to build a copy of firmware which would calculate rc5 in its spare time ;-). This firewall from the description is almost identical to some of the Ciscos out there, so I am wondering how long it will take someone to come up with a new copy of firmware with all those new abilities we know and love? I guess this will depend on how well accepted the firewall will be.

[snip]

> The firewall engine uses stateful inspection, and includes full Network
> address translation (Nat) and hacker attack prevention (to repel Denial Of
> Service attacks). Creating and amending filters is not the easiest I have
> seen, but is far from impossible. A built-in DHCP server makes the
> administrator's life an easier one, as does full support for DHCP on all
> ports.
> Nat translates multiple IP addresses on the private Lan to one public
> address visible on the Net. This adds a level of security since the IP
> address of a PC connected to the private Lan is never transmitted on the
> Internet. Further, Nat allows Sonicwall to be used with low cost Internet
> accounts where only one IP address is provided by the Internet service
> provider.

I begin to wonder why not take a $700 PC, install Linux or a flavor of BSD on it, and do all that and more, while not having to pay "per machine" fees? There are some nice firewall/router projects out there, and I know that you can have a Linux box do routing by booting from one floppy, so there goes the cost of the hard drive, and you do not have to worry about files being modified or backdoors being planted on your router.

[snip]

> A final word of caution: these devices may appear to be easy to install
> and configure, and many of them are (some are even easier than Sonicwall).
> However, this does not mean they are secure. But don't get me wrong;
> Sonicwall is as secure a firewall device as you are likely to find,
> although it would be nice if more firewall vendors opted for the Checkmark
> certification process from West Coast Labs in addition to ICSA.
>
> There is more to configuring a firewall than getting it out of the box, as
> we all know. In the default state, these devices are either wide open or
> too restrictive to be of any use. This means that 99 per cent of all sites
> must start fiddling with the filters, and that is when the loopholes are
> introduced - some wide enough for your average hacker to drive a double
> decker bus through! If you don't know what you are doing, it is worth
> spending a little extra money to get a security consultant to install and
> configure these things for you.

Agreed.

In conclusion: it seems that someone *will* come up with a set-top box that is both secure and flexible. It *is* possible to do, as long as security is a part of the mindset as the system is being designed. Out of 3 different vendors I have tried, no one has managed to do it just right yet, however when a system is more open for modification and customization, it is possible to adjust a shipped machine for your own needs.

//Stany

--
+-----------------------------------------------------------------------------+
| Stanislav N. Vardomskiy - Procurator Odiosus Ex Infernis[TM]                |
| This message is brought to you by letters jey, ow, el and tee.              |
| Jolt! For all the sugar and twice the caffeine.                             |
+-----------------------------------------------------------------------------+

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
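Editor's added example for the backup-restore point in the post above (the "backup archive" that contains only /etc/passwd and /etc/shadow and gets written straight onto the filesystem). This is not code from the post or from any of the products discussed. It assumes the restore handler is only ever allowed to write under a hypothetical `data/` tree, and it constructs its own sample archive, mixing one legitimate entry with the kinds of hostile entries a restore should refuse: absolute paths, `..` traversal, symlinks, and paths outside the permitted root.

```python
import io
import posixpath
import tarfile

# Assumption of this example: a web restore may only ever write into this tree.
ALLOWED_ROOT = "data"


def reject_reason(member: tarfile.TarInfo):
    """Return why an archive entry must not be restored, or None if it is safe."""
    name = member.name
    if name.startswith("/"):
        return "absolute path"
    # Collapse "data/../../etc/shadow" into "../etc/shadow" before checking.
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        return "path traversal"
    if norm != ALLOWED_ROOT and not norm.startswith(ALLOWED_ROOT + "/"):
        return "outside allowed root"
    # A symlink inside data/ pointing at /etc lets a later entry write through it.
    if member.issym() or member.islnk():
        return "link entry"
    if not (member.isfile() or member.isdir()):
        return "special file"
    return None


def plan_restore(archive: bytes):
    """Split an uploaded tar into entries to restore and entries to refuse.

    Returns (accepted_names, [(name, reason), ...]). Nothing is extracted here;
    the caller restores only the accepted names.
    """
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            reason = reject_reason(member)
            if reason is None:
                accepted.append(member.name)
            else:
                rejected.append((member.name, reason))
    return accepted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample: a user-supplied 'backup' mixing good and hostile entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, payload):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

        add_file("data/memo.txt", b"quarterly memo\n")                 # legitimate
        add_file("/etc/passwd", b"root:x:0:0::/:/bin/sh\n")            # absolute path
        add_file("data/../../etc/shadow", b"root:HASH:::::\n")          # traversal
        link = tarfile.TarInfo("data/etc")                              # symlink to /etc
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tar.addfile(link)
        add_file("home/user/notes.txt", b"not under the restore root\n")  # wrong tree
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = plan_restore(build_sample_archive())
    print("restore:", ok)
    for name, why in bad:
        print("refuse:", name, "->", why)
```

The check is deliberately done on the archive index before anything touches the disk, and every decision is a whitelist (must be a plain file or directory, must normalise to a path under the permitted root) rather than a blacklist of known-bad names, so a new trick does not need a new rule.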
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:19:00 PDT
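Editor's added example for the challenge-response login the post proposes for the admin CGI (username in, challenge out, calculator result back in). This is not code from the post, from OPIE or from S/Key; it is an S/Key-style one-time-password chain written from scratch, and it assumes one hash step is SHA-256 folded to 8 bytes (the real RFC 2289 tools fold MD4 or MD5 to 64 bits, but the chaining and the verification rule are the same). User names, seeds and passphrases are constructed for the example.

```python
import hashlib
import hmac
import secrets


def hash_step(value: bytes) -> bytes:
    # Assumption of this example: SHA-256 truncated to 8 bytes as the one-way step.
    return hashlib.sha256(value).digest()[:8]


def otp_response(passphrase: str, sequence: int, seed: str) -> str:
    """What the user's calculator computes for a challenge (sequence, seed).

    otp(0) = H(seed || passphrase); otp(n) = H(otp(n-1)). Returned as hex so it
    can be pasted into the web form. The passphrase never leaves the calculator.
    """
    value = hash_step((seed + passphrase).encode("utf-8"))
    for _ in range(sequence):
        value = hash_step(value)
    return value.hex()


class OtpVerifier:
    """Server side: stores only the last accepted one-time password per user."""

    def __init__(self):
        self._users = {}  # username -> {"seq": int, "seed": str, "last": bytes}

    def enroll(self, username: str, passphrase: str, count: int = 100, seed: str = None) -> str:
        # The passphrase is used once, here, and is never stored on the box.
        seed = seed or secrets.token_hex(4)
        self._users[username] = {
            "seq": count,
            "seed": seed,
            "last": bytes.fromhex(otp_response(passphrase, count, seed)),
        }
        return seed

    def challenge(self, username: str):
        """What the login page shows: the sequence number to compute and the seed."""
        user = self._users[username]
        if user["seq"] <= 0:
            raise ValueError("one-time password sequence exhausted; re-enroll the user")
        return user["seq"] - 1, user["seed"]

    def verify(self, username: str, response_hex: str) -> bool:
        """Accept the response only if hashing it once yields the stored value."""
        user = self._users.get(username)
        if user is None or user["seq"] <= 0:
            return False
        try:
            response = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if not hmac.compare_digest(hash_step(response), user["last"]):
            return False
        # Advance the chain: the value just used can never be accepted again,
        # so a sniffed response is worthless to whoever captured it.
        user["last"] = response
        user["seq"] -= 1
        return True


def demo():
    """Constructed walk-through: enrol, answer one challenge, replay it, guess."""
    verifier = OtpVerifier()
    verifier.enroll("fwadmin", "correct horse battery", count=5, seed="fw12345")
    seq, seed = verifier.challenge("fwadmin")
    answer = otp_response("correct horse battery", seq, seed)
    first = verifier.verify("fwadmin", answer)        # genuine login
    replay = verifier.verify("fwadmin", answer)       # same value seen on the wire
    seq, seed = verifier.challenge("fwadmin")
    wrong = verifier.verify("fwadmin", otp_response("guess", seq, seed))
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())
```

The point the post makes about Basic Auth is visible in `verify`: what crosses port 80 is `otp(n-1)`, and turning that into the next valid answer `otp(n-2)` would mean inverting `hash_step`, which is exactly what a sniffer cannot do. Apache-SSL on top, as the post suggests, then hides the firewall configuration itself rather than the credential.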