"LAN-only VOIP should be safe until the exploit becomes automated and makes its way into the corporate intranet—not across the Internet, but carried over inside a portable computer—sneakernet. This is how SQL Slammer and many worms got inside enterprises," King said.
The first routers to be attacked, he surmised, will be the ISPs' and the corporate Internet-facing access routers. "The ISP will be the first to feel the Cisco pain. The LAN will be hit after the WAN."
IT's (and by extension, VOIP telecoms') best bet right now, he said, is to vigilantly monitor their perimeter router logs for the anomalies that might suggest assault. "You're not going to know if anything goes wrong until it does," King said. "The idea is that you've been doing this all along, so that you recognize something out of the ordinary. But the hard part for a network administrator is to figure out what constitutes an anomaly. Typically, no one vigilantly monitors their routers and switches for security anomalies."
Isn't there anything in particular to look for? Abnormally high CPU and memory utilization, and excessive dropped packets, King suggested, for starters. "A lot of out-of-the-ordinary log events suggest that the router is trying to do something it shouldn't."
Firewalls are not capable of blocking these types of router-based hacks, King said. Even NIDS (network intrusion detection systems) are useless because they are reactive; the pattern of the exploit—the signature—is not yet known and therefore cannot be recognized. And with the size of this exposure—800MB of source code—King agrees that we could be looking at a series of varying attacks across a multitude of IOS-based platforms.
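The monitoring King describes is baseline-driven rather than signature-driven: you learn what a quiet router looks like and flag departures from it. The following Python is an added worked example, not code from the article, from Cisco or from King. It screens a constructed window of perimeter-router telemetry against a constructed quiet-period baseline using exactly the indicators named above: CPU utilization and dropped-packet counts far outside the norm, memory-exhaustion messages, and syslog message types that never appear during normal operation. The CPU and drop figures are assumed to come from a poller of your own (SNMP or periodic show commands), which is not included; the syslog lines use real IOS message tags but their bodies are constructed for illustration.

```python
"""Baseline-based anomaly screening for perimeter-router telemetry.

Added example, not code from the article, from Cisco or from the analyst
quoted. It applies the two checks the text recommends when no exploit
signature exists: resource use (CPU, dropped packets) far outside a
learned baseline, and syslog message types that never appear during
normal operation. Every log line and counter below is constructed; the
CPU and drop samples are assumed to come from an external poller
(SNMP or periodic "show" commands) that this script does not include.
"""
import re
import statistics

# Cisco IOS syslog messages carry a %FACILITY-SEVERITY-MNEMONIC: tag.
IOS_TAG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
)

# Constructed quiet-period data used to learn what "normal" looks like.
BASELINE_SYSLOG = [
    "Mar  4 09:00:01 edge-rtr1 1234: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up",
    "Mar  4 09:05:12 edge-rtr1 1235: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Mar  4 09:10:44 edge-rtr1 1236: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4021) -> 198.51.100.2(23), 1 packet",
]
BASELINE_CPU = [12, 15, 11, 14, 13, 12, 16, 14]    # CPU % per polling interval
BASELINE_DROPS = [0, 1, 0, 0, 2, 1, 0, 1]          # input drops per interval

# Constructed observation window containing the indicators the article lists.
OBSERVED_SYSLOG = [
    "Mar  5 02:13:07 edge-rtr1 1301: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4022) -> 198.51.100.2(23), 1 packet",
    "Mar  5 02:14:30 edge-rtr1 1302: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (0/0),process = IP Input.",
    "Mar  5 02:14:31 edge-rtr1 1303: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x60A1B2C4, alignment 0 Pool: Processor Free: 12345 Cause: Memory fragmentation",
    "Mar  5 02:15:02 edge-rtr1 1304: %SYS-5-CONFIG_I: Configured from 203.0.113.77 by vty1",
    "Mar  5 02:15:40 edge-rtr1 1305: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down",
]
OBSERVED_CPU = [14, 13, 91, 88, 15]
OBSERVED_DROPS = [1, 0, 240, 310, 2]


def parse_tag(line):
    """Return (facility, severity, mnemonic) for an IOS syslog line, or None."""
    m = IOS_TAG.search(line)
    if not m:
        return None
    return m["facility"], int(m["severity"]), m["mnemonic"]


def learn_baseline(syslog_lines, cpu_samples, drop_samples):
    """Summarise a quiet period: which message types occur, and the mean and
    population standard deviation of the CPU and drop counters."""
    mnemonics = {tag[2] for tag in map(parse_tag, syslog_lines) if tag}
    return {
        "mnemonics": mnemonics,
        "cpu_mean": statistics.mean(cpu_samples),
        "cpu_stdev": statistics.pstdev(cpu_samples),
        "drop_mean": statistics.mean(drop_samples),
        "drop_stdev": statistics.pstdev(drop_samples),
    }


def outlier_indices(values, mean, stdev, z):
    """Indices of samples more than z standard deviations from the baseline
    mean. A perfectly flat baseline (stdev 0) makes any change an outlier."""
    return [i for i, v in enumerate(values) if abs(v - mean) > z * stdev]


def screen(baseline, syslog_lines, cpu_samples, drop_samples, z=3.0, severity_max=2):
    """Compare an observation window against the baseline and return findings.

    unknown_messages: mnemonics never seen during the quiet period
    high_severity:    messages at or below severity_max (0-2: emergency..critical)
    cpu_outliers / drop_outliers: sample indices outside mean +/- z*stdev
    """
    findings = {"unknown_messages": [], "high_severity": [],
                "cpu_outliers": [], "drop_outliers": []}
    for line in syslog_lines:
        tag = parse_tag(line)
        if tag is None:
            continue                     # not an IOS-tagged line; ignore
        _facility, severity, mnemonic = tag
        if mnemonic not in baseline["mnemonics"]:
            findings["unknown_messages"].append(mnemonic)
        if severity <= severity_max:
            findings["high_severity"].append(mnemonic)
    findings["cpu_outliers"] = outlier_indices(
        cpu_samples, baseline["cpu_mean"], baseline["cpu_stdev"], z)
    findings["drop_outliers"] = outlier_indices(
        drop_samples, baseline["drop_mean"], baseline["drop_stdev"], z)
    return findings


def run_example():
    """Learn from the constructed quiet period, then screen the constructed window."""
    baseline = learn_baseline(BASELINE_SYSLOG, BASELINE_CPU, BASELINE_DROPS)
    return screen(baseline, OBSERVED_SYSLOG, OBSERVED_CPU, OBSERVED_DROPS)


if __name__ == "__main__":
    for kind, hits in run_example().items():
        print(f"{kind}: {hits}")
```

On the constructed data the CPU samples at indices 2 and 3 and the drop counts at the same indices fall outside three standard deviations of the baseline, and CPUHOG and MALLOCFAIL are reported as message types the baseline never contained. Note that CPUHOG is severity 3, so a severity threshold alone would miss it; the "never seen before" check is what catches it, which is the point King makes about recognizing the out-of-the-ordinary rather than waiting for a signature. The z threshold and the length of the baseline period are tuning choices; a baseline learned while the router was already under stress will simply teach the screen that stress is normal.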
"Typically there are two routers outside corporate firewalls, meaning your telco routers, like AT&T owns. Outside the corporate firewall is a corporate router, too—the demarcation point where the ISP's router connects to the corporation's. If I'm a hacker, I do a traceroute to www.xxx.com to find out the path of IP addresses to a company's Web server and then figure out their architecture and pinpoint the router. There's my target. There are some unprotected routers on the network."
Routers outside the firewall are more vulnerable, but if somebody can subvert a routing protocol (which runs across firewalls), then inside routers can be compromised, too, King said.
The source code theft is not only a potential threat but a major embarrassment to the voice division of Cisco, which has had to reassure potential customers afraid to commit their phone systems to Windows 2000, the OS of the Call Manager core IP PBX. Cisco has pointed out that this Windows is a closed, hardened, proprietary version, therefore not prey to Microsoft's hacker vulnerabilities or the system crashes of co-resident programs. Industry wisdom, in fact, was that Cisco was planning on defusing the issue by porting Call Manager to Red Hat Linux. Now it's Cisco's own OS that's caught in the crosshairs.