“Unauthorized code” in Juniper firewalls

I guess many of you may have already seen this. It will be interesting to see how they deal with this.

http://arstechnica.com/security/201...per-firewalls-decrypts-encrypted-vpn-traffic/

Note: This is in their ScreenOS-based devices (Juniper NetScreen), which have been end-of-lifed for 7-odd years now, although they are still offering support for existing boxes. And not in their JunOS-based devices (the Juniper firewalls and routers that you can actually buy).

AFAIUI, ScreenOS isn't based on FreeBSD, only their JunOS is.
 
Given source control, it should be easy enough to find out who committed the code. It will be interesting to see whether that is made public.
 
Not to worry, CIPSA will save us all.
How ironic: now Juniper is required to report to and cooperate with the NSA that they got hacked...

The cynic in me says they just got legal indemnification for this.
 
Yep, one of the first questions will be "How did you find out about us- aeh, 'them'?"
But make no mistake, Juniper takes the hard road to publicly show this is happening. What about the rest of the vendors? They are safe, right? No one backdoored them?
 
After reading multiple threads about this issue, I can't understand why a major institution/company would want to go with proprietary options for something as sensitive as firewalls and networking devices.
 
After reading multiple threads about this issue, I can't understand why a major institution/company would want to go with proprietary options for something as sensitive as firewalls and networking devices.
That is not how the real world operates in the U.S.
 
After reading multiple threads about this issue, I can't understand why a major institution/company would want to go with proprietary options for something as sensitive as firewalls and networking devices.

There's a multitude of reasons. Keep in mind that not all proprietary products are bad. However, what is more favorable for this part of infrastructure that open source provides is transparency and open auditing. Commodity networking gear is still an unsolved problem.
 
After reading multiple threads about this issue, I can't understand why a major institution/company would want to go with proprietary options for something as sensitive as firewalls and networking devices.
As with anything else, it's a combination of reasons. Many, many people are not really concerned with security so much as having someone to blame. Set up your own security, and you are responsible. Buy some prepackaged thing, and the perception is that the vendor is responsible. (People love service contracts for the same reason. More money, more downtime than spare equipment, but "not our fault".)

Oko, please feel free to explain what you mean. The US is not the only country with business and government corruption.
 
The US is not the only country with business and government corruption.

At least U.S. citizens are, to some immeasurable degree, aware. That said, I have been notified twice in the past year that my information at the U.S. Department of Personnel Management and at my health insurance provider was downloaded. The mitigation, from the .gov and the .com, was laughable: go to another website and enter my personal data (i.e. put it all in one place), so that this new entity, who I know nothing about, can monitor my data and thereby "protect" me.

Edited for clarity and punctuation.
 
Who was talking about corruption? You think the US government will trust a bunch of OpenBSD bozos like me for their firewall? Check out these and tell me if you see any BSD:
http://www.disa.mil/network-services/ucco
https://www.fedramp.gov/marketplace/compliant-systems/

Now go and play with bhyve.

Well, the European Parliament's researchers surely have enough faith in OpenBSD to mention them in a report designed to increase awareness about information security and increase investment in open source security tools.

https://joinup.ec.europa.eu/community/osor/news/ep-study-“eu-should-finance-key-open-source-tools”

(See pages 52 and 53 of part 1 of the report).

For convenience:

"OpenBSD is a free, open-source multi-platform 4.4 Berkeley Software Distribution (BSD)-based UNIX-like operating system. Proactive security and cryptography are two of the features highlighted in the product together with portability, standardisation and correctness. Its built-in cryptography and packet filter make OpenBSD suitable for use in the security industry, for example on firewalls, intrusion-detection systems and VPN gateways."
 
I have been living for over 20 years in the U.S. I have no idea what the Bruxelles Politburo thinks about OpenBSD, but I can tell you that U.S. government agencies have full faith in the technical competence of U.S. companies (IBM, HP, Oracle, Google, Microsoft, and similar), and U.S.-based open source projects (RedHat, Python, etc.), often sponsored by DARPA and similar agencies, to provide software solutions for military and civilian use.

If there is a hole in a Juniper or Cisco firewall, it is there for a reason, not because people are not competent to plug it. Also, in the U.S. any software product without a large legal entity which can be sued in case something goes wrong is essentially unusable except for research purposes or as a base for proprietary products.

This is U.S. MBA class 101.
 
Who was talking about corruption? You think the US government will trust a bunch of OpenBSD bozos like me for their firewall?
I thought that mentioning of U.S. and "real world" in one sentence was stretching it a bit ;) From the outside, the political U.S. looks like a crash derby with clown cars. But then, same thing here :(

Most of the politicians in the U.S., same as elsewhere, will trust those who will line their pockets. This is what they understand. That other stuff is nerd stuff. The point about suing someone is the real reason, I think. Worse than "my fault" is to explain to the beancounters that no one is there to pay for the fallout.

Also, with open source, there still is the nimbus of arcane invocations and insider knowledge. You need to understand it yourself. And that is not for those who try to exchange money for "not my problem".

Again, I do not believe for one ms that there are no backdoors in other equipment, be it from the U.S. or China or Andorra. Juniper disclosed the bug in some EOL part, which I think is some kind of whistleblowing on their end. And I think it will turn out to be the fault of two or three rogue engineers. As always.
 
It also could have been the Chinese, North Koreans, Russians, Iranians....

Everyone assumes the NSA when those other nations have as much or more reasons to circumvent security devices.
Or Israel, Japan, South Korea, Germany and alike.

If I am in North Korea sitting in my rice paddy hoping to harvest enough rice to survive next winter, hacking your stupid corporate firewall to get the secrets for your latest iPhone gadget is not very high on my agenda.
 
Yeah, I find it interesting to see, in the usual places, the immediate jump to it being the NSA without consideration that select other countries are just as likely, if not more so, to do the same thing.
 
I guess the truth of the matter is we will never know.
When you live under a secret government you will inevitably end up with conjecture.
 
Who was talking about corruption? You think the US government will trust a bunch of OpenBSD bozos like me for their firewall? Check out these and tell me if you see any BSD:
http://www.disa.mil/network-services/ucco
https://www.fedramp.gov/marketplace/compliant-systems/

Now go and play with bhyve.

I think bhyve is a much better idea. I don't have the temerity to click either of those links today, since I may want to fly someplace someday.

I wonder how big those codebases are? Stuff today is so full of bagatelle, such that it provides the nice tall grass wherein the gaff or sploit may hide. I like skinny stuff, so I can see the bumps sticking out (like FreeBSD's base, which expands to 285 MB, versus NAS4Free at 85 MB; FreeBSD hangs 750 modules on the belt, versus 50 for NAS, etc., etc.). Securing anything in an ocean of code is impossible, so IT (smartly) takes the option that lets them blame someone else.
 
It also could have been the Chinese, North Koreans, Russians, Iranians....

Everyone assumes the NSA when those other nations have as much or more reasons to circumvent security devices.
I think the list of entities not interested in doing this is much shorter... But as ronaldlees already (kind of) stated, you want to fly someplace sometime. And neither the Chinese nor the Iranians are standing here at the airport to deny me the flight, based on stuff fished off the internet about what I did there.
 