The Case For Network Infrastructure Security

"The network is the computer"
---Sun Microsystems, ca. 1984

"The network is the network, the computer is the computer. Sorry about the confusion."

George M. Jones

What Does "Network Security" mean?

What do you mean when you say "Network Security"? Firewalls? Intrusion Detection Systems? Anti-Virus Software? Authentication Systems? System and application hardening? These are all fine and even necessary elements of "current best practice" if you're running a small office network or even a medium-sized corporate intranet.

What if you're running a global Internet backbone with over 4700 routers, announcing over 60% of all routes, and have over 600 routers and switches in 25 hosting data centers? What does "Network Security" mean when you *are* the network and have no perimeter?

Chances are that in your world, you are closer to the first scenario. It is the premise of this article that while many of the solutions for smaller networks don't scale, many of the problems in the larger networks do apply generally, and that ignoring them may result in widespread disruption of service.

What's the Goal?

The main goal for large networks is availability. The bits should keep flowing, preferably to the right place. While integrity and confidentiality are important problems, it is assumed that these are handled "at the end of the pipe" by things such as VPNs, host-based controls, good security policy and practice, etc. Assuring availability is a larger problem than it might at first seem. Let's take a look at some (relatively) recent problems.

Some Real Problems

Hacks *using* the network.

Bugs that enable hacking *of* the network

Here is a sampling of some "recent" bugs that enable hacking of the network infrastructure.

Conflicting Priorities [2]

Commercial vendors and network operators have conflicting priorities. Vendors are interested in selling new equipment and software. Network operators are interested in operating networks. Vendors tend to focus effort on developing new products (which invariably have new bugs). Network operators focus on operating networks. Vendors tend to view bug fixing as a distraction from new product development and sales. Network operators view bug fixes in existing products as essential to operating networks. Vendors tend to see their job as done when the bug is fixed in the latest release. Network operators see their job as done when the bug fix is deployed across all devices (including old/obsolete ones) in their operating networks.


Operational realities can adversely affect security, even if technical solutions are known and available.


Some Potential Problems

We have seen a sampling of things that are problems today. Now, let's take a look at Network Nightmares, the Next Generation.

So What?

The Big Question

The big question, assuming this assessment of the problem is correct, is whether anything will be done before we have a major network outage. Can we, as a community, proactively address the issues raised here, or will it take a major disruption of services for "Network Security" to be recognized as an important priority? Time will tell.

References and Resources

Network Infrastructure Insecurity. Ahmad and Rauch.
Cisco Catalyst Memory Leak Vulnerability. Cisco Systems.
Multiple SSH Vulnerabilities. Cisco Systems.
Cisco Security Advisory: NTP Vulnerability. Cisco Systems.
Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP).
EFF Homepage. Electronic Frontier Foundation.
Network Security Requirements for Devices Implementing Internet Protocol. George M. Jones, editor.
DDoS attacks--one year later. Robert Lemos.
Ntpd Remote Buffer Overflow Vulnerability.
How to 0wn the Internet in your Spare Time. Stuart Staniford, Vern Paxson and Nicholas Weaver.
Latest Hacker Target: Routers. Rutrell Yasin.
Your Rights Online.

Resources For Securing Cisco Routers

Hardening Cisco Routers. Thomas Akin.
Improving Security on Cisco Routers. Cisco Systems.
The Router Audit Tool and Benchmark. George M. Jones et al./Center for Internet Security.
Securing Cisco Routers Step-by-Step. John Stewart and Joshua Wright. Scheduled for publication Fall, '02.
Rob Thomas' Security Articles. Rob Thomas. Articles/Guides to securing IOS, JunOS, BGP, DoS tracking, etc.


[1] SNMP has been rumored to stand for 'Security Not My Problem'.
[2] The author acknowledges that this may be "unfair" as it portrays the external view of vendors as seen from the engineering/security trenches.
[3] Thanks to Pete White for suggesting this survey method.
[4] From 1/5/00 to 3/5/02 the number of advertised routes has grown from 76182 to 110842, a 45% increase, even in the face of a down economy. Source:


Thanks to the whole UUNET net-sec team (past and present) for feedback.

Copyright (C) 2002, George M. Jones

George M. Jones
Last modified: Fri Jun 7 07:19:17 EDT 2002
$Id: login-2002-infra.html,v 1.4 2002/06/07 22:46:04 george Exp $