[VOIPSEC] An issue of Trust?
Shawn Merdinger
shawnmer at gmail.com
Sun Jun 18 20:05:27 CDT 2006
Hi Andre,
Thanks for your comments. Please see mine in-line.
sm>> Stated plainly: Software security bugs exist in products. Some get
sm>> fixed, some don't. Features add into products to improve security
sm>> may actually well expose the product and network to increased risk of
sm>> compromise. This is something that I'm sure we can all agree on.
af> I would agree but remark that ANY FEATURE, and not only security features,
af> tends to increase your security exposure. But this is not related to security
af> features but software reliability and quality. What you say sounds more like
af> a sophism than actual reason. :-)
My comment was regarding "features add[ed] into products to improve
security" - that doesn't necessarily make them "security features."
Regardless, I fail to see how you construe my statement as a "sophism"
-- which seems to indicate that you perceive my statement as a willful
misrepresentation and deliberately trying to mislead.
That's OK, I'm a big boy and can take it as much as I give :)
sm>> The Release Notes for Cisco uBR10012 - Cisco IOS Release 12.3
sm>> BC indicate several CALEA related bugs of interest:
af> Already expected since CALEA is a "new feature".
For the sake of clarification, CALEA is US legislation. Lawful
Intercept is Cisco's term for the technology to support CALEA.
af> Points us to the same aspect
af> of software quality. I usually don't agree that much with Marcus Ranum but he
af> has a nice point of view about this.
af> http://www.ranum.com/security/computer_security/editorials/dumb/
af> [#3) Penetrate and Patch]
The point I was trying to make with the 3 Cisco uBR10012 bugs I cited
was not a "penetrate and patch" failure, but that LI capability of
that software is impacted by these bugs which have no workaround.
sm>> One may think that admin (level 15) access on a LI enabled IOS box has
sm>> all privileges; this document seems to indicate otherwise:
sm>> http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part30/hclivws.htm
sm>>
sm>> .....snip.....
sm>>
sm>> Commands available in lawful intercept view belong to one of the
sm>> following categories:
sm>>
sm>> • Lawful intercept commands that should not be made available to any
sm>> other view or privilege level
sm>> • CLI views that are useful for lawful intercept users but do not have
sm>> to be excluded from other views or privilege levels
sm>>
sm>> Troubleshooting Tips
sm>>
sm>> To display information for all users who have access to a lawful
sm>> intercept view, issue the show users lawful-intercept command. (This
sm>> command is available only to authorized lawful intercept view users.)
sm>>
sm>> ........./snip........
af> For me sounds just like a separation of duties issue. Unix systems are a good
af> school for us to understand that the administrator isn't a supernatural
af> person and should have limited powers.
af> An admin is not supposed to use LI commands unless allowed to, am I wrong?
af> Separation of duties is just a basic security principle. Am I missing the
af> point or you don't agree with that?
You're missing the point. After all, this new account and basic
security principle is just another feature, no? And as I understand
it, the "li user" is a result of regulatory and legal requirements.
We need to look way beyond the "basic security principle" that you see
this "separation of duties" accomplishing.
I think a couple of questions I have regarding the li user account may
clarify where I'm coming from here...and this is just for starters.
1. How is logging and an audit trail created and handled for actions
by the li user account? Who may view this logging information? How
is this capability configured and then transmitted to a logging server
not using the normal defined paths?
2. Admins (level 15) cannot view any LI configuration changes, taps
in progress, etc. related to the LI account. So this means of course
that any debug commands that an admin could do with admin (level 15)
access, including "debug ip all" will not contain any LI related
information?
3. Cisco IOS has a rich history of undocumented commands. Have all
the LI User commands been documented? Are there no undocumented
commands relating to LI that both the LI User and Admin (or lower
level) have access to?
Thanks,
--scm