Partners Concerned Over Document Stating NSA Had Backdoor Access To Juniper Firewall
Just shy of a week after Juniper revealed vulnerabilities in its firewall operating system, partners said a document saying that the NSA exploited the flaws to gain backdoor access to VPN connections has them concerned.
The document, provided by whistleblower Edward Snowden and published Wednesday by The Intercept, indicates that the NSA has cooperated with British counterpart GCHQ to exploit vulnerabilities in Juniper NetScreen firewall devices running the ScreenOS operating system.
The document release and the report come on the heels of almost a week of rumors that two vulnerabilities detailed by Juniper in its ScreenOS firewall operating system, including a vulnerability to decrypt VPN connections, could be linked to the NSA. Partners said the rumors and the latest document release have them on edge.
[Related: Juniper Partners See Uptick In Customer Concerns About Security Vulnerability; Cisco Throws Jabs]
"It's a scary document for sure," said one partner executive, who did not want to be identified. "It makes you think how much of this is really going on and if Juniper has any say whatsoever in all this."
In a statement to CRN, Juniper, Sunnyvale, Calif., denied any knowledge of any NSA involvement.
"Juniper Networks operates with the highest of ethical standards, and is committed to maintaining the integrity, security, and quality of our products," a Juniper spokesperson said in an email. "As we've stated previously in a Juniper Security Advisory, it is against established Juniper policy to intentionally include 'backdoors' that would potentially compromise our products or put our customers at risk. Moreover, it is Juniper policy not to work with others to introduce vulnerabilities into our products."
Partners said they were getting more concerned calls from customers about the vulnerabilities, but that they were in general giving Juniper the benefit of the doubt when it comes to whether Juniper had intentionally become involved with the NSA.
"I don't think Juniper would play any role in something like this willingly," said one executive, who did not want to be identified. "Juniper is not going to hurt our company, but the NSA or these [foreign spy agencies] can, with something like this."
Dominic Grillo, executive vice president of Atrion Communications, a Branchburg, N.J.-based solution provider and longtime Juniper partner, agreed.
"I just really can't see ... a large for-profit company like Juniper really having any particular interest in providing backdoor access into equipment for the government," Grillo said. "It seems more like conspiracy theory that Juniper had anything to do with the NSA, compared to more legitimate technology concerns."
The documents also point to a larger tug of war going on between the public sector and the private sector over information security, a debate that most notably came to a head around encryption, said Doug Cahill, senior analyst, cybersecurity at Milford, Mass.-based Enterprise Strategy Group, though he declined to comment directly on if he thought the NSA was involved with the Juniper vulnerabilities. That balance is a "fine line," said one partner executive, who did not want to be identified. He said he expects to hear more about the tug of war over data in the coming year as companies struggle to straddle the line between privacy and security.
"If the noise continues, I'm sure we'll be hearing more and more from our customers about this," the executive said.
That debate won't be ending anytime soon, Cahill agreed. The NSA's reach, combined with a renewed debate over encryption technologies, will drive the conversation into 2016 and take center stage in political conversations, including the upcoming election, he said.
"It will be a space that's fascinating and scary in 2016," Cahill said.
PUBLISHED DEC. 23, 2015