top of page

Detection and Prevention of 'unauthorized' Backdoors

Originally Published HPE Community HPE CaaS Header Footer Data Published 10/30/2015 06:00:23 AM, Template Published: UNKNOWNData Published 10/30/2015 06:00:23 AM, Template Published: UNKNOWN

StartFragment

With good reason, there is a lot of concern regarding the “unauthorized” backdoor software embedded in the operating system, ScreenOS for Juniper NetScreen Firewalls and Virtual Private Network (VPN). If you have the Juniper NetScreen firewalls and have not patched, stop reading & go patch them!

ngIf: link The unauthorized backdoor code has been in place for 3 years across multiple releases. The backdoors are surprisingly unsophisticated. They include hardcoded passwords which make them particularly dangerous. Not only can the original perpetrator can access the devices but anyone with a little bit of technical savvy can determine the password and gain access.

The backdoors allow the perpetrator to gain admin access, taking complete control of the firewall. The backdoors also provide the ability to decrypt the VPN traffic. For more detail, on the unauthorized backdoor refer to the Wired article.

Detect the backdoors in vendor product

The vendor is responsible to detect backdoors in products. The vendor needs to ensure that all software follows a well defined Application Lifecycle Management that includes software security assurance. A famous politician once said, “Trust but Verify." Yet another example of why to have a 3rd party review process in place for vendors, service provider and their suppliers.

Detect backdoors in your environment

Backdoors like those in Juniper’s ScreenOS can be detected via Security Incident and Event Management (SIEM) and via User Behavior Analytics (UBA). The Juniper backdoors were generating logs of the nefarious logins. SIEM can detect these backdoor logins.

UBA can detect the unusual access from non-standard location, from unusual locations or at unusual times. SIEM and UBA can detect the Juniper ScreenOS backdoors and potentially others.

Forensics

The SIEM and UBA can also be used to determine if and when the backdoors were used.

Protect against backdoor entry

Best practices to protect against back doors include:

  • Require all admin or root access to be done via a jumpserver or “jump box”. A jumpserver is a specially secured box that all administrators are required to log into to gain access to devices on the network.

  • Multi-factor authentication to all devices especially for root or admin access including via the jumpserver.

  • Implement network segmentation – allow access to device administration only from specific subnets and specific boxes i.e jumpserver.

  • Require vendors/business partners and their suppliers to provide proof they are providing adequate security for their products.

  • Setup honey pots

Best practices to detect back doors include:

  • Utilize SIEM & UBA

  • Perform 3rd party assessments of vendors including their suppliers

EndFragment


Featured Posts
Recent Posts
Search By Tags
No tags yet.
Follow Us
  • Facebook Classic
  • Twitter Classic
  • Google Classic
bottom of page