WILTW: TWINAX, TRACEROUTES AND ROMMON (2)

WILTW (What I Learned This Week) is a (hopefully) never-ending series of mini-posts, once a week, until the end of time. Terms and holidays apply.

TwinAx cables

It's 10G over coaxial cable, for very short distances. And by that I mean up to 5m (passive) and 10m (active). Good enough in server-to-switch scenarios or switch-to-switch when they're close to each other.

Connectors are SFP+ for easy compatibility on switch interfaces, and it has a much lower power draw (1W) compared to 10GBASE-T (4-8W). If you have a lot of interfaces that difference adds up real quick.

Traceroutes through Cisco ASA

Oh how fun it is to do network discovery the hard way, with traceroutes and routing tables and CDP. What's more interesting is when the routing table points you at a device that does not appear as a hop in the traceroute output.

Once I found it was an ASA, it was but a Google search away, as I'm always suspicious when it comes to firewalls. And it turned out to be correct: the ASA does not decrease TTL when the packet goes through it! Paul Stewart explains it in great detail on his blog, so I won't repeat any of that.

It also turns out that the ASA is part of an OSPF domain and, in my book, that makes it a router (if the fact that it routes packets between two interfaces was not enough). Which means it MUST (RFC2119) decrease that silly TTL. It can do that of course, but only if you modify the default policy (see the article linked above).
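To make the "missing hop" mechanic concrete, here is a small simulation I added for this post (it is not code from Paul Stewart's article or from Cisco): it models a traceroute walking a path where one device forwards packets without touching the TTL, and then cross-checks the observed replies against the path you would expect from the routing tables. Hop names and addresses are constructed for the illustration.

```python
"""Simulate a traceroute through a device that does not decrement TTL.

Added example, not part of the original post. The path, hop names and
addresses below are constructed for the illustration.
"""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Hop:
    name: str
    address: str
    # ASA default behaviour: forward the packet without decrementing TTL
    decrements_ttl: bool = True


# Constructed path derived from (imaginary) routing tables: the last entry
# is the destination host, everything before it is a forwarding device.
PATH = [
    Hop("core-r1", "10.0.0.1"),
    Hop("asa-edge", "10.0.0.2", decrements_ttl=False),
    Hop("dist-r2", "10.0.0.3"),
    Hop("web-server", "10.0.1.10"),
]


def simulate_traceroute(path, max_ttl=30):
    """Return the (probe TTL, replying address) pairs a traceroute would see.

    For each probe TTL, the packet walks the forwarding devices in order.
    A device that decrements TTL answers with ICMP Time Exceeded when the
    TTL reaches zero; a transparent device just passes the probe along.
    Any probe that survives the whole path is answered by the destination.
    """
    replies = []
    for ttl in range(1, max_ttl + 1):
        remaining = ttl
        answered_by = None
        for hop in path[:-1]:
            if hop.decrements_ttl:
                remaining -= 1
                if remaining == 0:
                    answered_by = hop.address
                    break
        if answered_by is None:
            answered_by = path[-1].address  # probe reached the destination
        replies.append((ttl, answered_by))
        if answered_by == path[-1].address:
            break
    return replies


def hidden_devices(expected_path, observed_replies):
    """Names of devices on the routing-table path that never show up in the trace."""
    seen = {address for _, address in observed_replies}
    return [hop.name for hop in expected_path if hop.address not in seen]


def with_ttl_decrement(path):
    """The same path after every forwarding device is configured to decrement TTL."""
    return [replace(hop, decrements_ttl=True) for hop in path]


if __name__ == "__main__":
    default_trace = simulate_traceroute(PATH)
    print("ASA default policy:", default_trace)
    print("missing from trace:", hidden_devices(PATH, default_trace))

    fixed_path = with_ttl_decrement(PATH)
    fixed_trace = simulate_traceroute(fixed_path)
    print("ASA decrementing TTL:", fixed_trace)
    print("missing from trace:", hidden_devices(fixed_path, fixed_trace))
```

With the ASA in its default state the trace reports three hops and `asa-edge` is the device the routing table knows about but the trace never shows; after the path is switched to decrement TTL everywhere, it appears as hop 2 and the trace matches the routing-table view. On a real ASA the knob behind "modify the default policy" is the `set connection decrement-ttl` option in the Modular Policy Framework.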

Replacement of Cisco ROMMON on compromised devices

Cisco released a security bulletin about a new thing that apparently is happening: attackers are replacing the IOS ROMMON image with a modified one, to no doubt do something dodgy and maintain control over a device even after it is rebooted or reconfigured.

Flashing a different ROMMON image is a documented administrative feature, so this is not a vulnerability per se. It is just one of many attack vectors, which should be included in the hardening of devices, as all the cases they've seen were due to the attacker first gaining administrative privileges.

Until next week

Did you learn anything interesting this week? Let me know and share it with everybody else in the comments below!

And, as always, thanks for reading.
