Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Cisco's IOx architecture



I recall reading an interesting article long ago about "halted" routers.
The concept, as I recall, was to boot a minimal Linux system, establish the
network, routing, and firewall rules, then halt the system without powering
off and without disabling the networking. A vestige of the kernel would
remain running in memory, with no disk, no I/O other than networking,
pretty much all kernel modules unloaded except for networking.

As I understood it, halting meant that the CPU was in a tight busy loop
until the machine was powered off or hardware-reset. By configuring the
init scripts so they don't disable networking or the ethernet card, the
halted system would continue running the kernel's routing and firewall
code. Thus, essentially nothing is running that an attacker could leverage.

It seemed like an interesting approach for designing a firewall. I have no
idea if it ever went beyond a proof of concept.


On Sat, Feb 1, 2014 at 3:35 AM, Peter (peabo) Olson <peabo at peabo.com> wrote:

> On February 1, 2014 at 2:42 AM Tom Metro <tmetro+blu at gmail.com> wrote:
> > Is running applications on your router really such a good idea?
> >
> >
> http://gigaom.com/2014/01/31/in-a-distributed-world-cache-is-king-why-routers-are-becoming-the-new-server/
> > [...]
> >   Cisco's IOx architecture will be a Linux-based operating system that
> >   will be embedded in forthcoming industrial routers.
> >
> >   And unlike its previous box software, Cisco says it plans to open the
> >   IOx architecture up for others to run their own applications on
>
> A router should be a router.  Allowing applications to run on it invites
> serious security risks.
>
> I want to go in the other direction.  I think there is already stuff I
> would like to disable by deleting it.  It is a truism that an attacker
> cannot attack a program/feature which isn't installed on the victim.
>
> peabo
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>



-- 
John Abreau / Executive Director, Boston Linux & Unix
Email: abreauj at gmail.com / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23  C2D0 E885 E17C 9200 63C6
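The "halted router" John describes above, as an added example that is not from the original thread or from any project mentioned in it: boot a minimal system, enable forwarding, load a ruleset under which the box itself accepts no new inbound connections, and then halt it with the network left up. Interface names (eth0/eth1), the LAN prefix and the sysctl list are assumptions; the ruleset is written for nftables rather than whatever the original article used. One caveat a practitioner should know before trying the final step: on current x86 kernels `machine_halt()` stops the CPU with interrupts disabled, so packets stop being forwarded once `halt -f` is issued; the trick only worked on old kernels where halting just killed the calling process and printed "System halted." while the rest of the kernel kept servicing the NIC. The same attack-surface goal is reached today by leaving the box with this ruleset and no listening userland at all.

```shell
#!/bin/sh
# Constructed example of a kernel-only forwarding router (not code from the
# thread). Interface names and prefix below are assumptions; override them
# in the environment before sourcing this file.
set -eu

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Kernel knobs: forward packets, and refuse the usual tricks that let a
# neighbour steer traffic around the ruleset. Printed as key=value lines so
# they can be reviewed before being fed to sysctl(8).
sysctl_settings() {
  printf '%s\n' \
    'net.ipv4.ip_forward=1' \
    'net.ipv4.conf.all.rp_filter=1' \
    'net.ipv4.conf.all.accept_redirects=0' \
    'net.ipv4.conf.all.send_redirects=0' \
    'net.ipv4.conf.all.accept_source_route=0'
}

# The ruleset. "input" is what reaches the router itself: default drop,
# with only loopback, replies to the router's own traffic and ICMP allowed,
# so even if a daemon were accidentally left listening it is unreachable.
# "forward" is the actual routing policy: LAN to WAN only, stateful replies
# back. Output is left open because nothing runs that would use it.
gen_ruleset() {
cat <<EOF
flush ruleset
table inet fw {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $LAN_NET accept
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}

# Returns the number of input-chain rules that would accept a new TCP or UDP
# connection; the whole point of the design is that this is zero.
count_inbound_service_accepts() {
  gen_ruleset | sed -n '/chain input/,/}/p' \
    | grep -c -E '(tcp|udp) dport .* accept' || true
}

# Root-only: apply the settings, load the rules, then stop everything in
# userland. `halt -f` calls reboot(2) directly instead of running the
# shutdown scripts, which is what keeps the interfaces configured; see the
# lead-in for why this no longer keeps forwarding packets on modern kernels.
apply_and_halt() {
  sysctl_settings | while IFS= read -r kv; do sysctl -w "$kv"; done
  gen_ruleset | nft -f -
  halt -f
}
```

Usage: `. ./halted-router.sh && gen_ruleset | nft -c -f -` checks the ruleset for syntax errors without loading it; `apply_and_halt` is the irreversible last step and is only meant to be run on a box you can reach by console.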



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org