How do I know if I have an NSA enabled bios on a Cisco ASA?
I read in the NSA TAO catalogue that they have BIOS firmware for the ASA that provides a backdoor that can't be removed by changing the image and is persistent.
I am fully aware of the integrity mechanisms to verify the integrity of an image using the MD5 hashes, but I would like to know if there is any way I can read the BIOS from two different ASAs and make a comparison?
I have two Cisco ASAs which were bought around the same time, one was through a HK distributor, the other was through a China distributor that has an office in HK. The HK one can be upgraded to ASA915 version software but the other can't. The BIOS, hardware, and everything seems to be identical on both of them.
Whilst we are on the subject, does Cisco have any plans to release any tools for us to verify the integrity of products further at present, or are we going to be left to the mercy of the NSA and others?
I don't want to focus on what has been done, who is right, whether there is proof or not. Whether J. Chambers going to see Obama was a token gesture or not is beyond what I can judge. I understand that the legal system can stop Cisco from commenting or acting.
I think public 3rd party evaluation as to what is running inside an ASA is important and it is a way that would allow us to try to re-establish some trust and have an answer when customers question us about the integrity of Cisco products.
If Cisco don't want to or can't provide tools to verify the integrity of their products, it would be nice if at least someone somewhere could tell us how we lift the BIOS out of an ASA so we can look at it.
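As an added example (not from the original post, and not a Cisco tool), the script below does the comparison the poster describes once two BIOS dumps are available as files: it hashes both images and lists the byte ranges in which they differ, so that a discrepancy between two supposedly identical units can be located rather than just detected. The post does not say how to extract the BIOS from an ASA and this example assumes that step has already been done by some means; the sample images here are constructed inline, and the file paths in `compare_files` are hypothetical.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image; stronger than the MD5 checks mentioned in the post."""
    return hashlib.sha256(data).hexdigest()


def diff_ranges(a: bytes, b: bytes):
    """Return half-open (start, end) byte ranges where the two images differ.

    If the images have different lengths, the tail beyond the shorter one is
    reported as a final range so a size mismatch is never silently ignored.
    """
    ranges = []
    n = min(len(a), len(b))
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def compare_images(a: bytes, b: bytes) -> dict:
    """Summarise two dumps: hashes, sizes, whether identical, and where they differ."""
    return {
        "sha256_a": sha256_hex(a),
        "sha256_b": sha256_hex(b),
        "size_a": len(a),
        "size_b": len(b),
        "identical": a == b,
        "diff_ranges": diff_ranges(a, b),
    }


def compare_files(path_a: str, path_b: str) -> dict:
    """Same comparison for two dump files on disk (paths are hypothetical)."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return compare_images(fa.read(), fb.read())


# Constructed sample images: a 1 KiB pattern, and a copy with four bytes changed.
IMAGE_A = bytes(range(256)) * 4
_patched = bytearray(IMAGE_A)
_patched[100:104] = b"XXXX"
IMAGE_B = bytes(_patched)

if __name__ == "__main__":
    report = compare_images(IMAGE_A, IMAGE_B)
    print("identical:", report["identical"])
    for start, end in report["diff_ranges"]:
        print(f"differs at 0x{start:08x}-0x{end:08x}: "
              f"{IMAGE_A[start:end].hex()} -> {IMAGE_B[start:end].hex()}")
```

Two units from the same batch matching each other only shows they are the same, not that either is clean; the comparison is most useful against a dump whose provenance is independently trusted, and a differing range is the starting point for a closer look, not proof of tampering on its own.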