Should ISPs, Web hosting companies and network administrators—the people who live and die by their Cisco routers—be worried about the possible consequences of Cisco Systems Inc.‘s IOS source code being stolen? Certainly, in the past, Cisco’s IOS, like almost all software, has been shown to have security vulnerabilities.
Click here to read more about the possible theft of Cisco’s source code.
For example, last year a vulnerability was found, and fixed, in Cisco routers and switches running IOS software that were configured to work Internet Protocol version 4 (IPv4) packets—which meant that essentially all of them were vulnerable to distributed-denial-of-service (DDoS) attacks.
Thus, the question is, how worried should network administrators and integrators be today?
Not very, is how Matt Wade, president of DC Access, a major ISP in Washington, might answer that question.
“While this theft is a major issue for Cisco, in general I do not believe it presents a grave threat to the Internet,” Wade said. “There is a chance that, armed with the code, a hacker may be able to create a denial-of-service attack.
“However, I imagine that the Cisco ISO software is engineered well enough to stand up to such an attack. Even if an exploit is found, Cisco will be able to provide a patch in a timely manner.
“The interesting point that this theft brings up is the stark contrast between the philosophies of open-source and proprietary systems,” Wade said. “With open source, anyone can, and many do, contribute to make the product better. This openness creates a more transparent process.
“With proprietary systems, security is provided through obscurity. If there is a problem with the software, no one will see it … unless the code is stolen or released to the general public,” he said.
Eric S. Raymond, president of the Open-Source Initiative, also zeroed in on this point. “The theft and publishing of the source code for Cisco’s IOS router firmware may mean a wave of exploits against the critical router infrastructure of the Internet may be on its way,” Raymond said.
“If that happens, it will be because Cisco ignored one of the iron rules of network security—and experts the world over will be muttering, ‘If only IOS had been open-source.’”
In paraphrasing Kerckhoffs’ principle, Raymond said, “A cryptosystem should be designed to be secure if everything is known about it except the key information.
“Now that the source code of IOS is circulating in the cracker/phreak underground, we’re going to find out if IOS followed that rule. If they didn’t, we’ll find out the hard way,” he said.
“What has this got to do with open source?” Raymond asked. “Well, if IOS had been open-source to begin with, we’d have a firm basis for believing that it passes the Kerckhoffs’ test—open source keeps you honest that way. As it is, customers’ first notice that they didn’t is likely to be chaos and havoc from router compromises.
“Claude Shannon, the inventor of information theory, restated Kerckhoffs’ law as: ‘[Assume] the enemy knows the system,’” Raymond said.
He then offered his own version for the 21st century: “Any security software design that doesn’t assume the enemy possesses the source code is already untrustworthy; therefore, never trust closed source.”