[c-nsp] Vulnerabilities in HTTP server on Catalyst Switches
John Neiberger
2005-06-09 15:28:56 UTC
I'm having a disagreement with a security admin and I wanted to get
some opinions.

Can any of you think of a good reason to leave the http server on a
Catalyst switch turned off? I understand that it's best to leave
services turned off if you don't need them, but what if you want to
use Cisco Network Assistant, for example, and that requires you to
turn on the http server?

The security admin just says "it's best practice to leave it off" and
doesn't back it up with any useful information.

What do you all think? Is there any real security risk by giving
someone read-only access through CNA? I don't see a downside to it.

Thanks,
John

_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Curtis Doty
2005-06-09 15:49:02 UTC
Post by John Neiberger
I'm having a disagreement with a security admin and I wanted to get
some opinions.
Can any of you think of a good reason to leave the http server on a
Catalyst switch turned off? I understand that it's best to leave
services turned off if you don't need them, but what if you want to
use Cisco Network Assistant, for example, and that requires you to
turn on the http server?
The security admin just says "it's best practice to leave it off" and
doesn't back it up with any useful information.
What do you all think? Is there any real security risk by giving
someone read-only access through CNA? I don't see a downside to it.
You might have a better chance of winning him over if you show him how
you've carefully designed separate data and control planes, with
careful attention to AAA and policing the control plane. Then, of
course, allow him to audit your design. And finally, convince him that it
was all his idea.

../C
--
These are not the droids you're looking for. - Obi-Wan Kenobi

Rodney Dunn
2005-06-09 15:53:13 UTC
Yep....protect the device from all angles.

He could argue the same thing about *any* port
being open.


Rodney
Post by Curtis Doty
Post by John Neiberger
I'm having a disagreement with a security admin and I wanted to get
some opinions.
Can any of you think of a good reason to leave the http server on a
Catalyst switch turned off? I understand that it's best to leave
services turned off if you don't need them, but what if you want to
use Cisco Network Assistant, for example, and that requires you to
turn on the http server?
The security admin just says "it's best practice to leave it off" and
doesn't back it up with any useful information.
What do you all think? Is there any real security risk by giving
someone read-only access through CNA? I don't see a downside to it.
You might have a better chance of winning him over if you show him how
you've carefully designed separate data and control planes, with
careful attention to AAA and policing the control plane. Then, of
course, allow him to audit your design. And finally, convince him that it
was all his idea.
../C
--
These are not the droids you're looking for. - Obi-Wan Kenobi
Lars Erik Gullerud
2005-06-09 16:29:15 UTC
Post by John Neiberger
Can any of you think of a good reason to leave the http server on a
Catalyst switch turned off? I understand that it's best to leave
services turned off if you don't need them, but what if you want to
use Cisco Network Assistant, for example, and that requires you to
turn on the http server?
Based on the track-record of the IOS http server when it comes to
vulnerabilities, I'd be inclined to agree with your security admin unless
the switch is sitting in a very protected network environment. In
fact, we don't have a single Cisco device with the http server enabled
anywhere, and I believe most of the network engineers would riot if
someone suggested turning it on. :)

/leg
Gert Doering
2005-06-09 18:42:51 UTC
Hi,
Post by John Neiberger
Can any of you think of a good reason to leave the http server on a
Catalyst switch turned off?
Oh yes. Web UIs are slow and annoying (and the java stuff is especially
bad). Command line rules.

But that's personal user preferences.
From a security point of view, the best practice for switch management
is to put the management VLAN behind a HUGE firewall (preferably the
air-gap type) and stop worrying about L3 exploits against your nice
L2 devices.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
John Neiberger
2005-06-09 19:19:30 UTC
I'm only interested in the security aspects of the http server on the
switches, not the usability of the GUI. I also prefer the CLI but I'm
considering offering CNA to some of the other people in our department
so they can do some basic troubleshooting on their own without
involving me.

Thanks,
John
Post by Gert Doering
Hi,
Post by John Neiberger
Can any of you think of a good reason to leave the http server on a
Catalyst switch turned off?
Oh yes. Web UIs are slow and annoying (and the java stuff is especially
bad). Command line rules.
But that's personal user preferences.
From a security point of view, the best practice for switch management
is to put the management VLAN behind a HUGE firewall (preferably the
air-gap type) and stop worrying about L3 exploits against your nice
L2 devices.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
joshua sahala
2005-06-09 19:34:52 UTC
Post by John Neiberger
I'm only interested in the security aspects of the http server on the
switches, not the usability of the GUI. I also prefer the CLI but I'm
considering offering CNA to some of the other people in our department
so they can do some basic troubleshooting on their own without
involving me.
John,

You might consider a looking-glass-type application for that. It wouldn't
require the old Java or the new IE, and would be a lot faster than CNA,
but it would probably be able to give the same info :) There is some
looking glass code included with rancid, or there are a plethora of others
(version6.net's version is pretty cool).

http://www.traceroute.org/#source%20code

With just a bit of modification, you could specify the commands you want
them to be able to use, and you don't have to worry about Cisco's
historically insecure web UI.

/joshua
--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
- Douglas Adams -

Church, Chuck
2005-06-09 20:12:44 UTC
The http server has been found to have security vulnerabilities in the
past, but if you're locking it down to only certain address ranges being
able to attach, it should be secure enough. Keeping the management
interface in a separate VLAN is certainly a good idea as well.


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
***@netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D


-----Original Message-----
From: cisco-nsp-***@puck.nether.net
[mailto:cisco-nsp-***@puck.nether.net] On Behalf Of John Neiberger
Sent: Thursday, June 09, 2005 3:20 PM
To: Gert Doering
Cc: cisco-***@puck.nether.net
Subject: Re: [c-nsp] Vulnerabilities in HTTP server on Catalyst Switches

I'm only interested in the security aspects of the http server on the
switches, not the usability of the GUI. I also prefer the CLI but I'm
considering offering CNA to some of the other people in our department
so they can do some basic troubleshooting on their own without
involving me.

Thanks,
John
Post by Gert Doering
Hi,
Post by John Neiberger
Can any of you think of a good reason to leave the http server on a
Catalyst switch turned off?
Oh yes. Web UIs are slow and annoying (and the java stuff is
especially
bad). Command line rules.
But that's personal user preferences.
From a security point of view, the best practice for switch management
is to put the management VLAN behind a HUGE firewall (preferably the
air-gap type) and stop worrying about L3 exploits against your nice
L2 devices.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
fax: +49-89-35655025
***@net.informatik.tu-muenchen.de
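The lock-down Chuck Church describes above (HTTP server reachable only from specific address ranges, management kept on its own VLAN) written out as a concrete Catalyst IOS configuration, with the "just turn it off" alternative that Lars Erik Gullerud and the security admin favour shown at the end. This is an added example, not configuration from any message in this thread or from Cisco's documentation; the 192.0.2.0/24 subnet, VLAN 100, the ACL numbers, the `cna-ro` username and the TACACS+ server group are placeholders, and `ip http secure-server` assumes an IOS image with crypto support.

```text
! Added example, not from any message in this thread. All addresses,
! VLAN and ACL numbers, usernames and server groups are placeholders.

! 1. Standard ACL naming the only stations allowed to reach the web UI/CNA.
!    The trailing deny with "log" makes rejected attempts visible in syslog.
access-list 10 remark Management stations permitted to use the HTTP server
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
! 2. Authenticate web sessions through AAA rather than the enable password,
!    and give the troubleshooting users a read-only (privilege 1) account.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
username cna-ro privilege 1 secret <placeholder-password>
!
! 3. HTTPS only, source-restricted, bounded in connections and session life.
no ip http server
ip http secure-server
ip http access-class 10
ip http authentication aaa
ip http max-connections 5
ip http timeout-policy idle 60 life 3600 requests 100
!
! 4. Apply the same source restriction to the CLI so the policy is uniform.
line vty 0 15
 access-class 10 in
 transport input ssh
!
! 5. Management address lives on its own VLAN, as Chuck suggests; the
!    firewall in front of that VLAN (Gert's point) does the rest.
interface Vlan100
 description Management VLAN (placeholder)
 ip address 192.0.2.250 255.255.255.0
!
! 6. Alternative, if the service is not needed at all: remove it entirely.
!    no ip http server
!    no ip http secure-server
```

To check the result, `show ip http server status` reports whether the plain and secure servers are enabled and which access class applies, and `show ip access-lists 10` shows hit counts on the deny line, which is where rejected connection attempts from outside the management subnet will accumulate. Note that the access class only narrows who can reach the server; it does not remove a flaw in the server itself, which is the distinction the later replies in this thread draw.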
Chris Cappuccio
2005-06-10 07:10:39 UTC
Post by John Neiberger
What do you all think? Is there any real security risk by giving
someone read-only access through CNA? I don't see a downside to it.
Your security guy is right. Turn off the http server.

Anything you do with separating out access via "planes" is a POLICY decision,
NOT a SECURITY decision. People like to use their POLICY to enforce SECURITY,
but the fact of the matter is that any vulnerability in the http server
completely bypasses your hours of POLICY configuration.

This is not a subtle point. I'm not talking about some "far out chance" that
someone might someday write an IOS vulnerability exploit. Although it's
not a prerequisite, the various Cisco IOS source code leaks over the
years make exploits slightly easier to craft. The day has come and passed where
a buffer overflow has been exploited in Cisco's code to elevate privileges
from 'outside observer' to 'able to control the router'.

The discussion this list really should be having is why hasn't Cisco
(or anyone else for that matter) started using relatively simple
prevention measures (if they were, wouldn't it be press release material?),
like OpenBSD has done with W^X, guard pages, randomized memory allocation,
privilege separation, propolice, and many more pieces, integrated into the
kernel and userland. (Oh, right, everything on IOS runs with the same
privilege level. I wonder if anyone 0wns route-views.oregon-ix.net ?)

These are not abstract concepts. IT HAS BEEN DONE AND IT WILL BE DONE AGAIN.
TURN OFF SERVICES YOU DON'T USE TO LOWER YOUR EXPOSURE. That's the only
'policy' that might actually stop or at least slow an attack to the point
where it might catch your attention. Well, only if you're looking.
And, if you're looking, it's actually pretty hard to really look in all
the right places. Don't be surprised if someday, some well-funded, anonymous
group can run code on your router via an exploit in the BGP listener,
executed via a worm in one of your peer's routers. By this time, perhaps they
already 0wn most of the Juniper and Cisco internet through this. The lack of
modern security models and measures on critical infrastructure hardware
such as this is more than a little scary when you consider the implications!

(You know, OpenBSD's bgpd can handle today's full views in 64MB of RAM, can
load them up in less than a minute, and on halfway decent hardware, can rival
any 7200 NPE. The limited interface selection is, well, limiting. T1, T3,
802.11 or 10/100/1000 Ethernet are the only real options. For several people
on this list, that won't cut it. For 7200 users, it probably does.)

-c