Author Archives: Olivier

Adding a Full API to PicOS

Pica8's PicOS is a Linux network OS based on Debian. This makes it easy for our customers to integrate their own tools or applications within PicOS. We are compatible with all the leading DevOps tools, such as Puppet, Chef, and Salt; and of course, we support OpenFlow.

But what if you would like to have an application on the switch itself to manipulate its data path? This is beyond the standard DevOps model and is not aligned with the traditional OpenFlow model, which uses a centralized controller.

Typically, the requirements for such an application would be:
- A switch using traditional L2/L3, as well as an API to override those L2/L3 forwarding decisions.
- The API can be called on the switch itself while the application is running on the switch (this requirement rules out a centralized OpenFlow controller).

For this use case, most network equipment vendors have an SDK (Software Development Kit) to program native applications running directly on the switch. A good example would be the Arista EOSSdk.

One big issue with those SDKs is that they are “sticky.” Once you develop your application, it only runs on the SDK provided by your vendor, so you Continue reading

Are white box switches less secure?

 

Are white box switches less secure than proprietary alternatives like Juniper or Cisco switches?

Gregory Pickett, Founder of Hellfire Security, gave a presentation on white box security at the last Black Hat conference, triggering a multitude of news articles, which we will study in this post. Setting aside the author's mixing of SDN and white box networking ideas (quite common these days: the title of the presentation is about SDN, while the presentation itself is all about white box networking security), the security issues raised are real.

Those security issues are either specific to a network operating system (NOS), which I will not comment on as none of them are related to PicOS, or pre-boot related (bootkit). I will focus on the key issues relating to the security of NOS boot loaders, which are specific to Open Networking / White Box Networking.

Rootkit and Bootkit

The typical goal of a malicious user is to install a rootkit on the device under attack. A rootkit is a collection of software designed to enable unauthorized access while masking its existence.

Because NOS protection mechanisms are becoming more elaborate, a new kind of attack has emerged. This type of attack bypasses all NOS security by Continue reading