The U.S. government has emerged as a significant threat to the security and integrity of enterprise networks.
Documents leaked to German magazine Der Spiegel have revealed
Lawyers and judges will argue the legality of this aspect of the NSA backdoor hacking program, but network engineers have a more practical task ahead of them.
"I'm more concerned about the holes that [an NSA backdoor] could create in my network, especially as the information is coming out [from the Der Spiegel NSA report]. Many of these holes can't be resolved by an IOS update or a software upgrade," said Jonathan Davis, a network engineer who works at a global manufacturer.
Davis said his company lost millions of dollars a few years ago when his network was hacked by an entity in a foreign market. The hackers stole data that was used to build cloned products that continue to cost his company revenue. Davis is worried the NSA surveillance could open up more vectors of attack for industrial espionage and data theft that could lead to "money being stolen from my company or through my company."
"If the NSA is sitting on zero-day attacks on routers and other network hardware, we're fooling ourselves if we think the Chinese don't also already know or are not already working hard to find the same sorts of attacks," said Nate Cardozo, a staff attorney for the digital civil liberties team at San Francisco-based Electronic Frontier Foundation. "The NSA may well be the best at what they do, but they are not the only ones trying to do it. If the NSA is sitting on zero days, that's shockingly irresponsible."
What does the Der Spiegel NSA backdoor report mean to you? Assume your network is a target
Nearly every network engineer should consider his or her enterprise network a potential target, not only from NSA surveillance and hardware hacks, but from anyone else who might try to exploit these compromised devices.
"There is absolutely no question that the NSA is going to great lengths to compromise American companies who are providing communications or transactions services to innocent Americans," Cardozo said. These targets include everything from telecommunications providers and Web-facing companies like Google and Yahoo, to companies in the financial services, hospitality and transportation industries, he said.
The documents cited in the Der Spiegel NSA report date to 2008. Many of the hacks described in the documents are for products that have been discontinued, such as Juniper NetScreen and Cisco PIX firewalls. Engineers can't assume newer products are safe. Network engineer Nick Buraglio said the NSA has definitely kept up with the market, developing exploits for every product that vendors release. He is also certain that the catalog of hacks the NSA has is much broader than what Der Spiegel revealed. Cisco, Juniper, HP, Dell and Huawei aren't the only vendors who have been compromised.
"The frightening thing is that the documents are pretty old. Technology-wise,  was a lifetime ago. What new things do they have that are even more frightening?" Buraglio asked.
Network engineers should start forensically analyzing traffic today, Buraglio said. Not every engineer may consider NSA surveillance a major threat to his or her company, but engineers need to know if anyone else is exploiting the same attack vectors.
"Start trolling through your traffic, your flow logs. See if there is anything in there that is unreasonable," Buraglio said. "If you don't see anything unusual, ask your upstream provider if they have any data. There [has] got to be a box somewhere that doesn't obfuscate the data. Traffic isn't going to lie. One thing I'm adamant about is baselining your networks. A lot of people don't do it. The more data you have, the better."
Given the breadth of the NSA surveillance program, all IT professionals should be thinking about the security of their data and the integrity of the devices in their infrastructure.
"Microsoft has said that they now view the U.S. government as an advanced persistent threat and I think that's absolutely right," Cardozo said. "A company has the responsibility to safeguard its customers' data from known attack vectors and it's becoming abundantly clear that the NSA is not pulling its punches when it comes to U.S. companies."
How should you respond to the Der Spiegel NSA backdoor news? Talk to your vendors
Cisco and several other vendors have publicly denied any collaboration with -- or awareness of -- the backdoor hacks and vulnerabilities the NSA is exploiting. Cisco has said it is investigating the issue to ensure its products are secure.
Buraglio, Davis and Cardozo all believe these vendors are telling the truth. But IT professionals should be aggressive on this issue by asking their vendors tough questions.
"One of the biggest ones is: 'How can I be certain the hardware I have in my data center is the same hardware I purchased from you?' If that means providing the customers with schematics and maybe even a tech to go and open the cage and look in the box to make sure there are no extra pieces floating around in there, maybe that's what is necessary to restore trust," Cardozo said.
Vendors need to make things harder for the NSA, too. "If that means removing the JTAG [Joint Test Action Group] port, [or] if that means removing the I2C, maybe that's what hardware vendors need to start doing. If they are leaving open a debug port on a motherboard, that is trivial for the NSA to exploit. Maybe it's time to start closing off those vulnerabilities before they leave the factory," Cardozo said.
More news about the NSA's reach into the tech industry
Apple denies creating a backdoor for the NSA
Did the RSA really receive money from the NSA for encryption backdoors?
Investigators look at Skype's possible links to NSA
The NSA tracks 5 billion phone records a day
Cisco says NSA spy scandal is affecting sales
Buraglio intends to talk to vendors about the issue, and not just the ones he has in his network. He wants assurances from any vendor he may buy or recommend in the future, including vendors not named in the Der Spiegel reports. One major question he plans to ask is whether devices that are compliant with the Federal Information Processing Standards (FIPS) offer some protection from these hacks and vulnerabilities. FIPS-compliant network gear can alert engineers about their integrity.
"One of the things FIPS does is verify the integrity of the binaries on the system," Buraglio said. "It cryptographically verifies your OS [operating system]. If something has been modified, that cryptographic hash isn't going to match. Most people have [FIPS] on network devices but they probably aren't using it because it's complicated. I wonder how much it would protect against these NSA toolkits. You should ask your vendors about it."
Davis said he has already scheduled meetings with his vendors to discuss short-term and long-term responses to the NSA revelations, but he doesn't think he can crack open individual devices to look for surveillance implants.
"Even if I started pulling screws or un-racking stuff, globally there are about 25,000 devices in my network, and that's just network and firewall devices. This needs to be addressed from a systems level," he said. "In the near future there will be tools in place probably provided by firewall vendors, for example, that we can run against those devices to detect if something is wrong."
A silver lining
While the NSA's behavior might have compromised countless networks, Davis believes the networking industry could benefit in the long term.
"I think three to five years from now we're going to see a new form of security for these devices -- unboxing new devices, running checks on them to verify that this piece of equipment hasn't been touched. In the long term, this is going to be really good for security in general. In the short [term], it puts us in a really tight spot."