On Tue, Dec 31, 2013 at 5:38 AM, Sabri Berisha <sa...@cluecentral.net> wrote:
> Hi Roland.
>
> > I don't know much about Juniper gear, but it appears that the Juniper
> > boxes listed are similar in nature, albeit running FreeBSD underneath
> > (correction welcome).
>
> With most Juniper gear, it is actually quite difficult to achieve
> wire-tapping on a large scale using something as simple as a backdoor in
> the BIOS.

You would just need an entry point into the system, nothing fancy at first.

> Assuming M/MX/T series, you are correct that the foundation of the
> control plane is a FreeBSD-based kernel. However, that control plane talks
> to a forwarding plane (PFE). The PFE runs Juniper-designed ASICs (which
> differ per platform and sometimes per line card). In general, transit
> traffic (traffic that enters the PFE and is not destined to the router
> itself) will not be forwarded via the control plane. This means that
> whatever the backdoor is designed to do, it simply cannot touch the
> traffic. There are a few exceptions, such as a carefully crafted backdoor
> capable of altering the next-hop database (the PFE's forwarding table) and
> mirroring traffic. This, however, would mean that the network would already
> have to be compromised. Another option would be to duplicate target traffic
> into a tunnel (GRE or IPIP based, for example), but that would certainly
> have a noticeable effect on performance, if it is possible to perform
> those operations at all on the target chipset.

From my experience with Juniper, you can actually tell the PFEs to do quite a lot to the packets that flow through the router. I would imagine that programmatically you can tell the router to mirror packets which match certain criteria (source, destination, ports, protocol) to a chosen destination, and it would not get noticed by the NOC monitoring systems (it may not even blip on the throughput graphs).

> However, attempting any of the limited attacks that I can think of would
> require expert-level knowledge of not just the overall architecture, but
> also of the microcode that runs on the specific PFE that the attacker would
> target, as well as the ability to partially rewrite that. Furthermore, to
> embed such a sophisticated attack in a BIOS would seem impossible to me,
> the first reason being the limited amount of storage available on the
> EEPROM to store all that binary code.

All you need is a hook into the system to load your code; the main payload can easily be downloaded from the internet.

> An attack based on corrupted firmware loaded post-manufacturing would also
> be difficult due to the signed binaries and microcode. If someone were to
> embed a backdoor, it would be extremely difficult without Juniper's
> cooperation. And the last time I looked at the code (I left Juniper a few
> months ago), I saw nothing that would indicate a backdoor of any kind.

Who checks the binaries when they are loaded when the OS boots up? :)
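The mirroring route the reply describes (a firewall filter that port-mirrors packets matching source, destination, port and protocol to a chosen next hop, or a GRE tunnel carrying a copy elsewhere) is ordinary Junos configuration, so the cheapest check an operator has is to audit the running config for it. The script below is an added example, not code from the thread or from Juniper: it takes the one-statement-per-line output of `show configuration | display set`, collects every port-mirroring output, every filter term whose action is `port-mirror`, `port-mirror-instance` or `sample`, the interfaces those filters are applied to, and every `gr-` tunnel destination, and flags mirror outputs that are not on an operator-supplied allowlist. The sample config lines are constructed for the example. It only covers mirroring done through configuration; a copy made by modified PFE microcode, as the quoted text discusses, leaves no trace here.

```python
"""Audit a Junos 'show configuration | display set' dump for traffic-mirroring
constructs. Added example; the configuration lines below are constructed."""
from collections import defaultdict

# Constructed sample: a filter that port-mirrors TCP/443 from one prefix,
# applied inbound on a transit interface, plus a GRE tunnel to an outside host.
SAMPLE_SET_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.1/30
set interfaces ge-0/0/0 unit 0 family inet filter input MIRROR-443
set interfaces gr-0/0/0 unit 0 tunnel source 198.51.100.1
set interfaces gr-0/0/0 unit 0 tunnel destination 203.0.113.99
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring family inet output interface ge-0/0/1.0 next-hop 192.0.2.1
set firewall family inet filter MIRROR-443 term grab from source-address 203.0.113.0/24
set firewall family inet filter MIRROR-443 term grab from protocol tcp
set firewall family inet filter MIRROR-443 term grab from destination-port 443
set firewall family inet filter MIRROR-443 term grab then port-mirror
set firewall family inet filter MIRROR-443 term grab then accept
set firewall family inet filter MIRROR-443 term rest then accept
"""

# Filter actions that copy matching packets somewhere other than the next hop.
# 'sample' feeds the sampling/flow-export path rather than a mirror port, but
# it is the same class of thing an operator wants to account for.
MIRROR_ACTIONS = {"port-mirror", "port-mirror-instance", "sample"}


def parse_set_lines(text):
    """Return each 'set ...' statement as a token list (without the 'set')."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.startswith("set ")]


def audit(text, expected_mirror_outputs=frozenset()):
    """Collect mirroring-related statements and flag outputs not on the allowlist."""
    stmts = parse_set_lines(text)
    mirror_outputs = []                   # where mirrored copies are sent
    filters = defaultdict(dict)           # filter -> term -> {"match": [], "actions": []}
    applied = []                          # (interface unit, direction, filter name)
    gre_tunnels = {}                      # gr- unit -> tunnel destination

    for s in stmts:
        if s[:2] == ["forwarding-options", "port-mirroring"] and "output" in s:
            mirror_outputs.append(" ".join(s[s.index("output") + 1:]))
        elif s[0] == "firewall" and "filter" in s and "term" in s:
            fi, ti = s.index("filter"), s.index("term")
            term = filters[s[fi + 1]].setdefault(s[ti + 1], {"match": [], "actions": []})
            if s[ti + 2] == "from":
                term["match"].append(" ".join(s[ti + 3:]))
            elif s[ti + 2] == "then":
                term["actions"].append(" ".join(s[ti + 3:]))
        elif s[0] == "interfaces" and "filter" in s:
            fi = s.index("filter")
            applied.append((f"{s[1]} unit {s[3]}", s[fi + 1], s[fi + 2]))
        elif s[0] == "interfaces" and s[1].startswith("gr-") and "destination" in s:
            gre_tunnels[f"{s[1]} unit {s[3]}"] = s[-1]

    # Keep only terms whose action copies traffic; key by (filter, term).
    mirroring_terms = {
        (fname, tname): t
        for fname, terms in filters.items()
        for tname, t in terms.items()
        if any(a.split()[0] in MIRROR_ACTIONS for a in t["actions"])
    }
    mirroring_filter_names = {fname for fname, _ in mirroring_terms}
    return {
        "mirror_outputs": mirror_outputs,
        "mirroring_terms": mirroring_terms,
        "applied_on": [a for a in applied if a[2] in mirroring_filter_names],
        "gre_tunnels": gre_tunnels,
        "unexpected_outputs": [o for o in mirror_outputs if o not in expected_mirror_outputs],
    }


if __name__ == "__main__":
    # Allowlist is empty here, so the mirror output is reported as unexpected.
    report = audit(SAMPLE_SET_CONFIG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a saved `display set` dump from each router and keep the allowlist equal to the mirror targets the NOC actually operates (an IDS span port, for instance); anything else in `unexpected_outputs`, any `gre_tunnels` entry pointing outside the network, or a mirroring filter applied on a transit interface nobody remembers configuring is worth a look. Diffing the report between commits catches the case where the mirroring appears without a matching change ticket.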