Re: Definitions of "Console" and "CLI" expanded



:Well, sure, but HTTP is an application protocol. Ethernet is a kind of
:communications hardware. Saying "Ethernet or USB console" is one
:thing. Saying "HTTP instead of SSH CLI" is another. Mixing apples and
:oranges here is bad.

Agreed.  I actually refer to the loose wording of "IP stack" in some
comments I sent to opsec-request that George hasn't responded to/fed
back to the list.

:It is a pain having to build screen scrapers for HTTP. HTTP makes
:things easy only if a human is the thing managing the box. Most of us
:try to have machines do that sort of thing, and machines don't prefer
:HTML web pages. CLIs are not really optional for us.

Having written and used a CLI front-end that just frames admin
commands into URLs and such sent via HTTP/SSL to an admin server
and reads back results which were framed to avoid the need to
screen scrape, I never thought of it as being all that difficult.

:> I think that SSL/SSH/other encryption over the management interface
:> would be equally necessary (or unnecessary) in the RS232 space.  It's
:> about as easy to sniff RS232 connections as IP.
:
:By what mechanism would you sniff an RS232 connection? Perhaps you
:would argue that the serial line will tend to radiate and can be
:listened in on with TEMPEST gear, but then again the box is probably
:not proof against that either.

There are hardware-based serial analysers that do man-in-the-middle
things, just as there are hardware-based IP sniffers and ethernet taps
(aka dumb hubs).  There are serial sniffers at the client-side level,
though my experience with those is mostly with Windoze strangely
enough (SerialTest and PortMon).

:> But adding strong
:> crypto to the management interface equation, whatever flavor, makes
:> things decidedly not dumb.  Folks have gotten working TCP stacks in
:> 256 bytes of code embedded on PICs, which fits my definition of "dumb".
:
:That's not true. No one has ever gotten TCP into 256 bytes of
:code. People do have small TCP stacks -- I have one that fits in a few
:k. 256 bytes is impossible.

http://www-ccs.cs.umass.edu/~shri/iPic.html is where I recall the
reference.  Yes, there were some gotchas, but the whole business
of mini-server-on-a-simple-chip is alive and well.

:Anyway, you can now fit strong crypto into a smart card, which is
:about as small as systems often get, so on a modern system, there is
:really not much of an issue any more.

Does such strong crypto count as dead dumb simple?
I dunno, quite honestly.

:> Securing the networking that connects the management client to the
:> management port is as "out of scope" as securing the management client
:> itself, AFAICT.
:
:That's really untrue. You need secure access to your boxes to manage
:them. That's not "securing the network" -- that's just providing for
:the use of secure protocols like ssh or ssl.

What I meant was:

If you have a sniffed link or trojaned client, they seem to be equally
out of scope.  Implementing protocols to make it so that sniffed links
and trojaned clients are less likely to result in bad things is within
scope.  Having management interfaces possibly require such things is
within scope, but care should be taken about making the "dumb as rocks"
management interface not too complex.  Most of what makes RS232 simple
is the fact that it's generally implemented as a back-to-back connection
with sufficient length limits such that there's not some hidden pipe
in the wall/closet one could tap.  Nothing precludes such a thing for
ethernet/IP management networks, but that's not how they tend to work
in practice, for convenience's sake.

-- 
 Mail: mjo@dojo.mi.org  WWW: http://dojo.mi.org/~mjo/  Phone: +1 248 427 4481
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Never underestimate the power of a dark clown!"     -Bobo, Tripping The Rift