Security Watch

Anti-Virus Protection for Routers?

The recent Cisco IOS vulnerability controversy highlights the attractiveness of routers for hackers.

Hacking/Denial of Service
Cisco IOS vulnerability re-release: The Cisco advisory that came out after the Black Hat presentation was a re-release of an April 2005 advisory. The only change in the v.7 re-release was the addition of more IOS versions to the list of vulnerable versions.

The simultaneous discussions of issues with Cisco IPv6 security and IOS might have caused them to appear related. They are not.

One has to wonder how long it will be before we see anti-virus for routers. There are a lot of them out there, and they're less secure than a lot of hosts. And since a hacker can do a lot more with a router than most other types of hosts, we may see them becoming an increasingly attractive target for attackers.

While it's true that up-to-date versions of IOS have no unpatched vulnerabilities, some routers cannot easily run an up-to-date IOS because of the roles they play in an organization, such as integrating with older tools. Further, keeping routers up-to-date is no trivial task, and typically involves insecure techniques like Trivial File Transfer Protocol (TFTP), which provides neither authentication nor encryption. IOS is in dire need of an overhaul and I hope we see one soon.

Computer Associates BrightStor ARCserve and Enterprise Backup agents for Windows contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code. Patches are available.

Security company FrSIRT posted a hack to scan for the vulnerability and a SQL injection exploit. Veritas' backup server got picked on a couple of weeks ago and there were some .edu intrusions. So far we have not seen any discussion about intrusions via this vulnerability.

Well-known security researcher Dan Kaminsky got some interesting results when he recently scanned 2.5 million DNS servers. He found that fewer than 10 percent were vulnerable to cache poisoning, which allows an attacker to control the IP address returned by a DNS server for the host name being sought.

That's a sign of progress. One of the biggest problems the Internet faces is the continued use of old and vulnerable software, despite up-to-date and more secure versions being as freely available as the old and insecure stuff.

Imagine if ISPs stopped delivering packets to old and insecure versions of products, like out-of-date BIND servers! What a concept.

This column was originally published in our weekly Security Watch newsletter.

Human Factors

The U.K. encryption company nCipher conducted a survey of over two hundred companies and concluded that management is holding back the deployment of encryption technologies. They suggest that a lack of understanding of how encryption works, or how to deploy it, is keeping now "mainstream" encryption technologies from being deployed en masse. A large majority of those surveyed indicated they would be encrypting stored data within the next 18 months, but there is a general lack of knowledge about the latest encryption technologies involving hardware-based Trusted Platform Modules (TPMs).

Our take is that this is probably a good thing, since it's debatable how useful it is to encrypt everything. It's not a new problem. While 82 percent of those surveyed indicated they would be encrypting stored data, they would be doing so only up to the point where it once again needs to be decrypted (e.g., when the data is accessed or used). At that point the data becomes as vulnerable as it ever was. There is also the problem of lost keys, such as when S/MIME encrypted data needs to be read some years after it was sent. The key may have been lost, or left with a departed employee. In these cases, the risk of having encrypted it may be larger than the risk of some unauthorized person actually reading the unencrypted e-mail.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
