Can I Trust My Networking Gear?
This week Brad Davis from California asks:
“Can I trust my networking gear? I have heard a lot about NSA backdoors in Cisco and Juniper routers and firewalls. How can I tell if my networking gear has not been compromised?”
Well, Mr. Davis – I don’t know about you, but I was not a fan of the Harry Potter books or movies. All those wizards with all those powers and not one of them had cured the common cold or developed a telephone system so when you reached the wrong extension at a company the person didn’t have to say “I’ll try to transfer you, but if I lose you, here is the correct extension…” – let alone solved any cybersecurity problems. They seemed too busy playing polo on flying brooms and sending messages via owls, if you ask me.
But, in one of the 754 Harry Potter books there was one great quote by Mr. Weasley, who I believe headed up the Office for the Detection and Confiscation of Counterfeit Defensive Spells and Protective Objects, who surely had information technology in mind when he said: “Never trust anything that can think for itself, if you can't see where it keeps its brain.”
Now, cynical folk out there might tell you that even when you can see where something keeps its brain (such as a human being, a Rottweiler or a politician) you still should not trust it, but let’s not fall to their level in this discussion.
I’ll paraphrase Mr. Weasley by saying “Never trust anything that runs software.” And rather than get into a long discussion here on why that is so, I’ll simply remind you that “software engineering” is still an oxymoron – and really showing no signs of getting any less oxymoronic.
What we are really asking when we ask if we can trust something is “Will it harm me if I don’t take extra precautions?” The simple answer to that question for anything that runs software is “Yes – expect pain if you aren’t careful.” It all gets down to how much and what type of harm you will endure – there is a 100% probability that something bad will happen.
So, back to your router. You really should not trust it, but the possibility of NSA having installed a backdoor in it is probably the least of your worries. I’m not saying that NSA or other national intelligence agencies haven’t compromised various pieces of technology – the evidence says they probably have.
But the vast majority of harm caused to businesses and government agencies has not, does not and will not come from governments exploiting compromises they have cleverly gotten built into or installed into technology – the vast majority of harm is financially motivated attackers using compromises the manufacturers of products have built into them (knowingly and unknowingly) and through the sloppy management practices of the IT organizations buying and using those products.
If you want to minimize the odds of harm, (1) require all vendors to show you proof that the software in the product has been tested for known vulnerabilities, (2) configure that router to limit access and (3) minimize the exposure of unneeded services – and monitor to make sure the router stays that way. If you look at any breach report (such as Verizon’s) you will see the vast majority of breaches can be traced to failure to do those three things.
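The "monitor to make sure the router stays that way" part can be automated by comparing the router's current configuration against the baseline you approved when you hardened it. The Python below is an added example, not part of the original column; the two configurations are constructed Cisco IOS-style samples, and the three rules are illustrative assumptions rather than a complete hardening standard.

```python
import difflib
import re

# Constructed sample: the approved baseline saved when the router was hardened.
BASELINE = """\
hostname edge-rtr-01
no ip http server
ip ssh version 2
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
"""

# Constructed sample: the configuration pulled from the router today.
RUNNING = """\
hostname edge-rtr-01
ip http server
ip ssh version 2
access-list 10 permit 192.0.2.0 0.0.0.255
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""

# Illustrative rules (assumptions for this example), matched per config line.
RISKY = [
    (re.compile(r"^ip http server$"), "unneeded service: HTTP management enabled"),
    (re.compile(r"^transport input .*\btelnet\b"), "cleartext Telnet allowed for management"),
    (re.compile(r"^snmp-server community (public|private)\b"), "default SNMP community string"),
]

def normalize(config):
    """Strip indentation, blank lines and '!' comment lines so only real changes show."""
    lines = (line.strip() for line in config.splitlines())
    return [line for line in lines if line and not line.startswith("!")]

def audit(baseline, running):
    """Return (drift, findings): lines added/removed vs. baseline, and risky settings now present."""
    base, run = normalize(baseline), normalize(running)
    # ndiff marks removed lines "- " and added lines "+ "; drop context and hint lines.
    drift = [d for d in difflib.ndiff(base, run) if d[:2] in ("- ", "+ ")]
    findings = [msg for line in run for rx, msg in RISKY if rx.search(line)]
    return drift, findings

if __name__ == "__main__":
    drift, findings = audit(BASELINE, RUNNING)
    print("Drift from baseline:", *drift, sep="\n  ")
    print("Risky settings:", *findings, sep="\n  ")
```

The drift list catches changes no rule anticipated, such as the removed `access-class 10 in` line that had limited who could reach the management lines.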
Now, for governments that are worried about other governments, different story – but not really much different. The UK was worried about British Telecom using Huawei routers in the British national telecom system, so they required Huawei to fund a testing center that does (1) for all Huawei software releases and have programs in place to make sure (2) and (3) happen as well.
Let me leave you with one last thought, Mr. Davis. Probably the first visceral demonstration we all received about trust was that old game where someone would stand behind you and if you trusted them you would fall backwards into their arms and they would catch you - no harm would come to you. Do not do that with your router, server, web site, smart phone, tablet, WiFi baby monitor or anything else that runs software.