Ascend Archive

(ASCEND) What is the (Full) Security Fix?



After doing a quick survey (using the getif utility that is available
with the MRTG distribution) of the local situation (Japan), it has
become apparent the degree to which factory defaults, lax security,
unmanned server rooms/NOCs, poor engineering and bad network design
have impacted ISPs.  Several local ISPs' maxen went from having
uptimes in the months long range to uptimes in the several hour
range.  While I'm still waiting to see, I believe the impact will
also show up under MRTG graphs as non-characteristic use of modem
pools and uplink bandwidth.  The economics of running an ISP in
Japan are quite different from other parts of the world.  The margin
is very, very narrow.  Many of the nationwide, carrier class ISPs
are operating in the red (especially in this prefecture).  Many ISPs
monitor their uplink bandwidth utilization and modem pool utilization
very carefully and use it to order more or less service (as needed)
from NTT/their uplink provider (it can mean $2-$3 per user difference
a month in access costs for the ISP).  Anything that interferes with
this statistic gathering is a Bad Thing (tm).

My personal opinion is that the language
barrier (between Japanese techs and American equipment manufacturers)
is going to present a two to three week propagation delay in any
widespread fixes that are implemented (if anything is fixed at all).
I bet the engineers at NTT are kicking themselves for installing rack
loads of 40XXs rather than TNT gear.  Luckily, caller pays telecom
policy and international long distance telephone rates keep remote
access vendors isolated from truly global hacking implications.  Still,
if I were a Chinese hacker wishing to launder my connections, I would
look to equipment rich, configuration poor Japan (no, I'm not paranoid,
I've seen this happen before).

Speaking for all the multi-lingual techs who are on top of things,
I really must thank Ascend for providing the overtime consulting
opportunity.  On the flip side, Ascend should probably buy a case
of beer for each NTT engineer (who has a family, a life and doesn't
get paid a dime extra for fixing engineering problems on foreign
gear).  Additionally, Ascend might want to consider the impact this
will have upon their sales in Japan.  For a medium sized ISP, having
their remote access servers compromised and their statistics gathering
interfered with can mean the difference between buying a new remote
access server or not (or considering equipment that doesn't have these
problems (a Cisco 5300 has the same per-seat cost as a Max in Japan
(over $500 per seat) and Cisco techs aren't nearly as hard to find as
someone intimately familiar with Ascend gear)).  Who knows, maybe
Yamaha will get into the carrier class remote access server business
someday  (if they do, I would strongly encourage them to make sure
their ISDN interfaces work worldwide)...

On to the point.. The architecture of the fix (thus far) includes:

   filtering at the pop switch/router(s)/firewall

       As stated in Ascend's instructions, filters placed into the
       radius profiles aren't enough to get things under control.  At
       this point, I don't know if I really trust the Ascend gear to
       do what it is supposed to do, so I'll use gear that I do trust to
       protect the remote access server from the internet.  As someone
       already pointed out, it would be nice if the Ascend filters
       provided logging capability.

   filtering at max ethernet interface(s)

   filtering at max wan/ppp interfaces

   filters added to all radius profiles (redundant, right?)

   enterprise wide password changes done on site

      First, your Max is compromised from some cyber cafe and then
      dummy account profiles are set up, logging turned off, etc.
      If the hacker gets lucky, as they often do in Japan, passwords
      obtained with the Java configurator can be used to compromise
      other equipment.  Changing passwords for an ISP providing
      national service is a tricky, expensive business and may mean
      getting techs to all the access points, depending on the type
      of equipment at the access point and co-location policies of
      access point facility provider.  The smarter, carrier class ISPs
      have centrally located authentication servers; however, telnetting
      into the access servers without using some sort of tunneling or
      VPN (most everyone has this turned off anyway) stands a good
      chance of getting sniffed.  Dialing in is probably the best way
      to change the password; however, at the moment, I don't trust
      the Ascend equipment not to spew telnet packets to ethernet
      instead of using the loopback (I'll have to test with a sniffer
      in a controlled environment before I'll trust).  If the max,
      along with the pop router, are the only devices on the ethernet,
      this is less of a problem and dialing in is probably just fine.

   possible equipment software re-load using md5 checksummed binaries.

      Yamaha provides md5 checksums for their router software, I think
      Cisco is doing this these days, as well.  I haven't heard any
      rumblings yet of Ascend core software being hacked.  Still it
      would be nice if Ascend would get into the practice.  Yes, Ascend,
      I know that's a huge pain in the rear, considering the number of
      loads that exist, but it will be less painful if you initiate
      the process now rather than when it's actually needed.  Placing
      md5 checksums on an ftp server, much like the idea of using
      deterministic algorithms to generate random numbers, is
      imperfect.  Maybe you could litter the binary with enough of
      the checksums to influence the checksum... duhoo.. that won't
      work.  Maybe the checksums could only be distributed on CDROM...
      yikes.. that won't work.  Etc, etc...   Damned this security
      stuff is hard....  I want my IPv6 solution for the current
      nightmare now (I know, keep dreaming)!

These are just the implications for the way business is done in Japan.
I'm sure each country has its own differences that require special
attention to detail.  Despite what Ascend would like to believe,
the security fix isn't as simple as putting filters in place, changing
passwords and hoping for the best (waiting for the next problem).
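
The uptime survey described at the top of this message, as an added example that is not part of the original post: it flags devices whose polled SNMP sysUpTime shows a restart, while treating the 32-bit TimeTicks rollover as normal. The device names, sample values and the assumption that samples are already collected as (poll time, ticks) pairs are constructed for illustration.

```python
# Added example: flag unexpected reboots from polled SNMP sysUpTime samples.
TICKS_PER_SEC = 100   # sysUpTime is TimeTicks: hundredths of a second
WRAP = 2 ** 32        # 32-bit counter rolls over after about 497 days

def find_reboots(samples, slack_sec=30):
    """samples: time-ordered (unix_time, sysUpTime_ticks) pairs for one device.
    Returns (poll_time, estimated_boot_time) for each poll whose uptime is
    not what continuous running since the previous poll would produce."""
    slack = slack_sec * TICKS_PER_SEC
    reboots = []
    for (t0, u0), (t1, u1) in zip(samples, samples[1:]):
        # Value expected if the box stayed up, including counter rollover.
        expected = (u0 + (t1 - t0) * TICKS_PER_SEC) % WRAP
        gap = (expected - u1) % WRAP
        if gap <= slack or gap >= WRAP - slack:
            continue  # uptime advanced normally (or wrapped normally)
        reboots.append((t1, t1 - u1 // TICKS_PER_SEC))
    return reboots

def survey(fleet):
    """Map device name -> reboot list, only for devices that rebooted."""
    hits = {}
    for name, samples in fleet.items():
        found = find_reboots(samples)
        if found:
            hits[name] = found
    return hits

# Constructed samples (hypothetical device names, 5-minute polls).
T0 = 900_000_000
FLEET = {
    "max-a": [(T0, 777_600_000), (T0 + 300, 777_630_000), (T0 + 600, 777_660_000)],
    "max-b": [(T0, 777_600_000), (T0 + 300, 777_630_000), (T0 + 600, 12_000)],
    "max-c": [(T0, WRAP - 10_000), (T0 + 300, 20_000)],
}

if __name__ == "__main__":
    for name, events in survey(FLEET).items():
        for seen, booted in events:
            print(f"{name}: rebooted near {booted}, noticed at poll {seen}")
```

Comparing against the expected value rather than only checking for a decrease also catches a restart where the new uptime already exceeds the old one because the polls were far apart.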