Linux.com

Everything Linux and Open Source

Commentary: If only Cisco code had been open source

May 17, 2004 (8:00:00 AM) - 5 years, 6 months ago

The 15 May 2004 theft and publishing of the source code for Cisco's IOS router firmware could mean a wave of exploits against the critical router infrastructure of the Internet will be on its way. If that happens, it will be because Cisco ignored one of the iron rules of network security -- and experts the world over will be muttering "if only IOS had been open source."

The iron rule is Kerckhoffs' Law, which states, "A cryptosystem should be designed to be secure if everything is known about it except the key information." Now that the source code of IOS is circulating in the cracker/phreak underground, we're going to find out if IOS followed that rule. If it didn't, we'll find out the hard way.

What has this got to do with open source? Well, if IOS had been open source to begin with, we'd have a firm basis for believing that it passes the Kerckhoffs test: Open source keeps you honest that way. As it is, customers' first notice that it wasn't is likely to be chaos and havoc from router compromises.

Claude Shannon, the inventor of information theory, restated Kerckhoffs' Law as: "[Assume] the enemy knows the system." Here's Raymond's Reformulation for the 21st century: "Any security software design that doesn't assume the enemy possesses the source code is already untrustworthy; therefore, *never trust closed source*."

Maybe the theft will be a good enough reason for Cisco customers to check out open source alternatives like XORP or FREESCO. And that's not just a good idea for router firmware, either. As the Netsky and Sasser worms pound on your Windows machines, ask yourself: "Is there a better way?"

Millions of Linux users already know the answer is yes.

Read in the original layout at: http://www.linux.com/archive/articles/36106