I've received several calls and emails from customers today asking about the relevancy of the Cisco Security Alert. By and large, I only deal with enterprise/corporate-type customers (not large VoIP service providers), and I install a ton of Cisco VoIP products, so this comment really only applies to that segment of the marketplace.
I don't think that this is going to be as large of a problem as Cisco's earlier issues. Although a worm could target home users running IP telephony applications on their PCs, this vulnerability is non-replicating and the potential for abuse is rather limited.
Basically, there are two major Cisco product lines that are affected by this bug. The first is Cisco's VoIP infrastructure products: the Cisco CallManager server, Conferencing Server, Softswitch and IOS-based routers running H.323 services, among others. Except where the public has access to VoIP services over the Internet, these servers and routers are located on the inside of a firewall. In a best-practices network design, all access to these servers and routers is either via the internal LAN or through a secure VPN connection over the Internet (or any other public network, for that matter). I would find it very unusual to have these services available publicly. If I left a Cisco router with POTS access and an easily guessable dial peer on an Internet-accessible LAN, the potential for toll fraud would be enormous (free calls, lots 'o free calls).
The second group of products that are vulnerable is Cisco routers performing NAT and firewall services. Cisco's Content Based Access-Control (CBAC) -- a "dynamic firewall" technology -- is also vulnerable to the H.323 DoS attacks in the same manner as the Microsoft IAS server. Once again, unless H.323 ports are open to unrestricted access from the Internet, routers are not vulnerable from random outside attacks. Traffic that originated from behind the firewall would be able to disrupt services; however, it's much easier to apply an access list to track and block the offending traffic than it is to prevent an external DoS attack.
What's my point? I don't see a widespread attack being able to disable servers and routers on a large scale. Unless attacks are originated from inside a corporate firewall, the potential for disrupted services is minimal. I'm sure that large VoIP service providers are scrambling to patch and secure whatever systems possible - however, they are much better equipped to handle this issue than a Mom and Pop business who happens to have a CallManager server (at least we hope).
For people who are running these products, I'm recommending a thorough review of external firewall policies to make sure that there aren't any exposed H.323 ports. I'm also recommending an upgrade when it's feasible, but IMHO, there aren't many situations that would require burning the midnight oil to install patches.
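As an added example (not part of the comment above), a small Python check that scans Cisco IOS-style extended ACL entries for H.323 signaling ports permitted from any source, which is the kind of exposed-port review the comment recommends. The ACL lines and addresses are constructed, and the port-to-service mapping assumes the standard well-known H.323 assignments rather than anything stated in the comment.

```python
import re

# Well-known H.323 signaling ports (assumption: standard IANA assignments).
H323_PORTS = {
    ("tcp", 1720): "H.225 call signaling (Q.931)",
    ("udp", 1719): "H.225 RAS (gatekeeper)",
    ("udp", 1718): "H.225 RAS multicast discovery",
}

# Minimal matcher for IOS extended ACL entries of the form
#   permit|deny <proto> <src> <dst> eq <port>
# where <src>/<dst> is "any", "host A.B.C.D", or "A.B.C.D wildcard".
ACE_RE = re.compile(
    r"^\s*(permit|deny)\s+(tcp|udp)\s+(any|host \S+|\S+ \S+)\s+"
    r"(any|host \S+|\S+ \S+)\s+eq\s+(\d+)", re.IGNORECASE)

def is_unrestricted(src):
    """True if the source field admits every address on the Internet."""
    if src.lower() == "any":
        return True
    parts = src.split()
    if len(parts) == 2 and parts[0].lower() != "host":
        # An IOS wildcard mask of all ones matches any address.
        return parts[1] == "255.255.255.255"
    return False

def find_exposed_h323(acl_lines):
    """Return (line_no, proto, port, service) for permits of H.323 from any source."""
    findings = []
    for n, line in enumerate(acl_lines, 1):
        m = ACE_RE.match(line)
        if not m or m.group(1).lower() != "permit":
            continue
        proto, src, port = m.group(2).lower(), m.group(3), int(m.group(5))
        svc = H323_PORTS.get((proto, port))
        if svc and is_unrestricted(src):
            findings.append((n, proto, port, svc))
    return findings

# Constructed sample: an inbound ACL on an Internet-facing interface.
SAMPLE_ACL = """\
permit tcp any host 203.0.113.10 eq 443
permit tcp any host 203.0.113.20 eq 1720
permit udp 198.51.100.0 0.0.0.255 host 203.0.113.20 eq 1719
permit udp any host 203.0.113.20 eq 1719
deny ip any any
""".splitlines()

if __name__ == "__main__":
    for n, proto, port, svc in find_exposed_h323(SAMPLE_ACL):
        print(f"line {n}: {proto}/{port} ({svc}) reachable from any source")
```

The third sample line is left alone because it restricts the source to a partner block; only the two "any" entries on H.323 ports are reported.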
I work for a network consulting company, so I've seen some pretty funny stuff in the last few years. Here are some right off the top of my head:
One company didn't order a rack mount kit for their KVM switch (some Belkin model), so they duct-taped it to the main monitor. No subtle tape loops under the KVM... they wrapped the tape three or four times around the KVM and the monitor.
Another company was remodeling their server room but neglected to move the servers somewhere else. There was an inch and a half of drywall and sawdust on top of all the network equipment and servers. The circuit boards looked like it had snowed on them.
I'm doing an audit on some systems. I see a motherboard sitting in a cardboard tray (the kind you get when you purchase a 24-pack of Coke from Costco), along with a hard drive, floppy, power supply and network card. No case. No cooling. Turns out it was their PDC and print server. That's quality craftsmanship.
This isn't about server rooms, per se, but I did some work for a national pizza chain. They had modems at a central site that were supposed to make a phone call to the stores to print out order tickets. We were sent to figure out why they weren't printing. At one site, the printer was on the floor next to the prep counter where they add the toppings. Someone had spilled a good quart of marinara sauce into the printer. They gave the outside of the printer a good once over, but the inside was just nasty.
We were sent out to troubleshoot a voice-over-IP problem at a garden nursery. We arrive on site and lo and behold, there was a dead rat on top of the router. It didn't have anything to do with the problem, but it sure was unexpected.
I love when people don't properly plan their electrical power consumption in their server rooms. I walked into some company's server room, plugged in my laptop to the rack mounted power strip, turned it on, and blew the breaker for two racks of servers.
I watched a wireless network installer gob Liquid Nails onto the back of an Aironet access point and stick it to the ceiling. I hope they never want to upgrade that particular access point.
Part of Ebay's fraud problem would be curtailed (IMHO) if Ebay would either require members to maintain a credit card or checking account with a verified address, or require users to participate in their ID Check program. Also, Ebay needs to look at bidding patterns to determine fraud. Here's why:
Every so often, we put up some auctions for networking equipment. Lately there has been a trend of people bidding on Cisco auctions (see this article) and never paying.
One Ebay user bid a Cisco 3640 router I was selling up to $2550. This same user created his account two days prior, and was the high or winning bidder on over 80 auctions. Here's this user's Ebay winning bid history. Now, I'm not a mathematician, but this A-hole ruined over $64k of auctions. Sure, you can relist and file fraud reports, but what's to prevent someone else from doing this again and again? There's no accountability.
If they would require some type of user verification to buy and sell, wouldn't you think twice about fraud? Furthermore, why can't Ebay red-flag suspicious bidding patterns? I think everyone agrees that a new user probably will not bid on over 80 auctions worth over $64k in a couple of days.
I saw a demo of this system at a local A/V megaplex. Basically, the system consists of a control box hooked up to four lifts. The lifts sit under a simple platform that you put your couch on. Each lift has two or three inches of travel and can accelerate at up to 2 Gs. Needless to say, it packs quite a punch.
The dealer played a scene from Jurassic Park 3 where an airplane tries to take off and then subsequently crashes in a jungle. As the plane took off, it felt like the couch had some bass shakers on the bottom. Not a big deal.
Well, when the plane hit a tree and spun around, my friend and I were nearly thrown from the couch. It felt like a Universal theme park ride. The only downside is that you are really involved in the movie, almost too involved -- it's tough to lie on the couch and relax to an action-packed blood-fest while you're being violently tossed around.
The motion system is totally standalone. The video and motion sync up through the A/V connection from your DVD player. To start a movie, hit play on the DVD player and select the movie in the Odysee. It does the rest by itself. I think the sales guy said they had a couple hundred movies already preprogrammed.
The system costs $20,000 (list) and comes with a year of free updates. After that, if you want more movies, it's $500/year. Not exactly cheap.
If you're near a Soundtrack/Ultimate Electronics store, they probably have a demo room. It's worth the trip.