Trust in your Equipment

How to avoid backdoors in network security equipment

Whom do you trust when buying secure network communications equipment? These are the systems your company relies on to keep unauthorized prying eyes out. These boxes should provide encryption and authentication services with the highest level of security. They must use the most advanced and secure cryptographic algorithms. Besides, they have to protect against physical tampering and safeguard against side-channel attacks. Certification bureaus check for these basics, stating that the manufacturer did not make any gross mistakes. Yet a certificate gives no information about other built-in, undocumented features such as backdoors.

Backdoors are secret ways to enter and take control of a computer system. There are plenty of them, and many may still be undiscovered (see here for a small list). There are documented attempts to insert backdoors into open source software or to plant them through malware. Often, though, they are designed in by the manufacturer itself. These manufacturers may be forced to insert backdoors by their respective national security agency or another law enforcement office. Moreover, these companies are obliged by law not to acknowledge the existence of these backdoors. We have to assume that network security equipment from the US, China, France, U.K., Israel, Germany, i.e. from most countries, contains backdoors. The Chinese government now even wants foreign manufacturers to reveal (just to them) these backdoors for any network security equipment deployed in China.

Whatever the intention, backdoors are a bad idea. No backdoor can keep bad guys out (check with Bruce Schneier for more on this). Bad guys can find backdoors through online attacks or, often more simply, by stealing the information from the manufacturer or a government entity that knows about them. Once a backdoor is uncovered, the system is broken and all communications and data may be tampered with, stolen, or even made to disappear.

Only the naive believe their network security equipment is free of backdoors. One cannot trust a manufacturer without getting full access. Providing full access to our customers is the path we have chosen at Securosys. Our customers can review all our software and blueprints using their own experts. They can compile the firmware and compare it with the binaries in Securosys' appliances installed in their data centers. Moreover, Securosys develops and manufactures in Switzerland, where no legislation exists that would force us to install backdoors for anybody. Thus, our customers can trust our network security equipment.

Robert Rogenmoser, CEO Securosys