|Fortinet Fortigate Firewall|
According to Fortinet's blog, the backdoor password was not a backdoor at all, but rather a "management authentication issue."
|Only older versions for the Fortigate Firewalls|
*As you probably know, I travel a lot. I sleep in a hotel bed at least twice as often as my own. Caesar's Palace has hands down the worst key system of any hotel I stay in.
Whether you believe Fortinet about malicious placement of the code or whether you think it was NSA that hacked Juniper, the recently discovered firewall vulnerabilities should be a reason for pause. As infosec professionals we should be using these vulnerabilities to rekindle the discussion about defense in depth for our networks.
Most networks that we evaluate at Rendition Infosec resemble a piece of candy. They have a hard crunchy outside and a soft gooey inside. Once attackers breach the perimeter, they often move around the network with impunity. Defense in depth is about more than running antivirus and having a perimeter firewall. In fact, nobody has called that the standard for defense in depth in the last decade.
We need to evaluate what would happen if an attacker can bypass the firewall at will - or worse yet control it. Because that's exactly what successful use of the backdoor passwords would do. Either would allow the attacker a privileged place in the network, sitting on the very device that is supposed to protect the network.
|Is your network one backdoor away from total compromise?|
My recommendation is that organizations begin conducting sand table exercises to ensure that they understand how they will respond to various incidents. Sand table exercises help uncover systematic weaknesses in a network before they are exploited. After all, if your defenses are broken on paper, you're not ready for a penetration test. If you need help building and conducting sand table exercises, give me a shout. I've built and executed many sand table exercises for small and large organizations alike. We have several configured to discuss compromises of perimeter devices and get your organization thinking about its defense in depth strategy.