CSWcore02 SecIP v1
nico@securite.org - http://www.securite.org/nico/
Agenda
Network Security
> Layer 2, layer 3 and routing protocol attacks
> DDoS/worm attack detection, protection and filtering
> MPLS
> IPv6
Router Security
> Integrity checking
Disclaimer: we don't work for Cisco and we don't own Cisco stock :-)
© 2002 Sécurité.Org
Protocol attacks
Well-known (not to say old) attacks
> ARP cache/CAM table poisoning, gratuitous ARP messages and ARP/{DHCP,BOOTP} spoofing
> Tools: dsniff, hunt, ARP0c, taranis, etc.
Layer 2 protocols
Layer 2 protocols and traffic
> ARP - Address Resolution Protocol
> CDP - Cisco Discovery Protocol
> VLAN - Virtual LAN
> STP - Spanning Tree Protocol
> {D/V}TP - Dynamic Trunking Protocol, VLAN Trunking Protocol
> Unicast, broadcast and multicast addressing and traffic
[Figure: STP port state diagram; only the Disabled, Listening and Learning states survived extraction]
> VLAN bridges allow bridging between VLANs for non-routed protocols
Protocols : VTP
VLAN Trunking Protocol
> Enables central VLAN configuration (server/client)
> Message format: like CDP (LLC/SNAP with the Cisco OUI 0x00000C, protocol ID 0x2003)
> Communicates only over trunk ports
Attacks
> Add/remove VLANs (an advertisement carrying a higher configuration revision number overwrites the VLAN database of every server/client switch in the domain)
> Create STP loops
Security measures
> Put your switches in transparent VTP mode and use a password (the MD5 digest of each advertisement is computed with the password as input)
set vtp domain <vtp.domain> password <password>
set vtp mode transparent
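As an added example (not code from the talk), here is a small LLC/SNAP demultiplexer for the Cisco protocols named on these slides (CDP 0x2000, VTP 0x2003, DTP 0x2004) and a parser for the VTP summary advertisement, used to flag an advertisement that would overwrite the VLAN database: same domain, higher revision number, sent by a MAC address that is not one of our switches. The field layout follows Cisco's published VTP documentation; the MAC addresses, domain name and revision numbers are constructed for the example, and the MD5 digest is left zeroed (checking it would require the VTP password and the VLAN database).

```python
import struct

# Added example: LLC/SNAP demux for Cisco layer-2 protocols plus a VTP summary-advertisement
# parser. Frames below are constructed, not captured traffic.

CISCO_OUI = b"\x00\x00\x0c"
CISCO_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP"}
CISCO_L2_MCAST = b"\x01\x00\x0c\xcc\xcc\xcc"   # destination MAC used by CDP and VTP

def parse_cisco_snap(frame):
    """Return (protocol name, payload) for an 802.3 frame carrying LLC/SNAP with the
    Cisco OUI, or None if the frame is something else (e.g. an EtherType frame)."""
    if len(frame) < 22:
        return None
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500:                         # EtherType, not an 802.3 length field
        return None
    if frame[14:17] != b"\xaa\xaa\x03":       # DSAP/SSAP 0xAA, UI control field
        return None
    if frame[17:20] != CISCO_OUI:
        return None
    (pid,) = struct.unpack("!H", frame[20:22])
    return CISCO_PIDS.get(pid, "cisco-%04x" % pid), frame[22:14 + length]

def parse_vtp_summary(payload):
    """VTP summary advertisement (code 0x01): version(1), code(1), followers(1),
    domain length(1), domain(32), configuration revision(4), updater identity(4),
    update timestamp(12), MD5 digest(16)."""
    if len(payload) < 72:
        raise ValueError("truncated VTP summary advertisement")
    version, code, followers, dom_len = struct.unpack("!BBBB", payload[:4])
    if code != 0x01:
        raise ValueError("VTP code 0x%02x is not a summary advertisement" % code)
    domain = payload[4:4 + min(dom_len, 32)].decode("ascii", "replace")
    (revision,) = struct.unpack("!I", payload[36:40])
    return {"version": version, "followers": followers, "domain": domain,
            "revision": revision, "md5": payload[56:72]}

def build_vtp_summary(src_mac, domain, revision, version=2):
    """Build a VTP summary advertisement frame (digest zeroed; constructed sample)."""
    body = struct.pack("!BBBB", version, 0x01, 0, len(domain)) + domain.ljust(32, b"\x00")
    body += struct.pack("!I", revision) + b"\x00" * 4 + b"\x00" * 12 + b"\x00" * 16
    llc_snap = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", 0x2003)
    length = struct.pack("!H", len(llc_snap) + len(body))
    return CISCO_L2_MCAST + src_mac + length + llc_snap + body

def vtp_rogue_check(frame, domain, current_revision, trusted_switches):
    """Return a reason string if the frame is a VTP summary for our domain with a revision
    higher than ours, sent by a MAC that is not a known switch; otherwise None."""
    parsed = parse_cisco_snap(frame)
    if parsed is None or parsed[0] != "VTP":
        return None
    adv = parse_vtp_summary(parsed[1])
    src = frame[6:12]
    if adv["domain"] != domain:
        return None
    if adv["revision"] > current_revision and src not in trusted_switches:
        return "rogue VTP summary from %s: revision %d > %d" % (
            src.hex(), adv["revision"], current_revision)
    return None

# Constructed sample: one of our switches at revision 17, then a rogue advertisement
# from an unknown MAC claiming revision 200 in the same domain.
SWITCH_A = b"\x00\x0c\x85\x00\x00\x01"
ATTACKER = b"\x00\x50\x56\xde\xad\x01"
LEGIT_FRAME = build_vtp_summary(SWITCH_A, b"corp", 17)
ROGUE_FRAME = build_vtp_summary(ATTACKER, b"corp", 200)

if __name__ == "__main__":
    for f in (LEGIT_FRAME, ROGUE_FRAME):
        print(vtp_rogue_check(f, "corp", 17, {SWITCH_A}))
```

Transparent mode makes a switch ignore these advertisements for its own database; the check above is what you would run on a span/monitor port to see who is sending them.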
Protocols : DTP
Dynamic Trunking Protocol
> Enables automatic port/trunk negotiation
> Message format: like CDP (LLC/SNAP with the Cisco OUI 0x00000C, protocol ID 0x2004)
> All switch ports are in auto mode by default, so a host sending DTP "desirable" frames gets its port turned into a trunk
Attacks
> 802.1Q frame injection (double-tagged frames crossing the native VLAN of a trunk)
> VLAN hopping
Security measures
> Turn DTP off on all ports
set trunk off all
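The double-tagging form of VLAN hopping mentioned above, as an added example that is not code from the talk: the attacker's access port is in the VLAN that is also the native VLAN of the uplink trunk, and it sends a frame with two 802.1Q tags (outer = native VLAN, inner = target VLAN). The first switch strips the outer tag because native VLAN frames leave the trunk untagged, so the second switch sees the inner tag and delivers the frame into the target VLAN. The two switch functions are a model of that behaviour, not switch code; MAC addresses, VLAN numbers and the payload are made up. The `tag_native` flag models the Catalyst IOS global command `vlan dot1q tag native`, which tags native VLAN frames on trunks.

```python
import struct

# Added example: model of 802.1Q double tagging (VLAN hopping). All values constructed.

TPID_8021Q = 0x8100
ETHERTYPE_IP = 0x0800

def build_frame(dst, src, vids, payload, ethertype=ETHERTYPE_IP):
    """Ethernet frame with a stack of 802.1Q tags, outermost first (PCP/DEI = 0)."""
    frame = dst + src
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload

def split_frame(frame):
    """Return (dst, src, [vid, ...] outermost first, ethertype, payload)."""
    off, vids = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        vids.append(tci & 0x0FFF)
        off += 4
    (ethertype,) = struct.unpack("!H", frame[off:off + 2])
    return frame[:6], frame[6:12], vids, ethertype, frame[off + 2:]

def access_to_trunk(frame, access_vlan, trunk_native_vlan, tag_native=False):
    """Switch 1: the frame enters on an access port in access_vlan and leaves on the trunk.
    A tag equal to the access VLAN is accepted and removed; anything after it (an inner
    tag included) is opaque payload to this switch. On egress the frame is tagged with
    its VLAN unless that VLAN is the trunk's native VLAN and native tagging is off."""
    dst, src, vids, ethertype, payload = split_frame(frame)
    if vids and vids[0] != access_vlan:
        return None                      # tag for another VLAN on an access port: dropped
    inner = vids[1:]                     # survives untouched inside the payload
    if access_vlan == trunk_native_vlan and not tag_native:
        egress_vids = inner              # native VLAN leaves the trunk untagged
    else:
        egress_vids = [access_vlan] + inner
    return build_frame(dst, src, egress_vids, payload, ethertype)

def trunk_ingress_vlan(frame, trunk_native_vlan):
    """Switch 2: on a trunk the first tag decides the VLAN; an untagged frame is native."""
    vids = split_frame(frame)[2]
    return vids[0] if vids else trunk_native_vlan

def vlan_hop(target_vlan=20, native_vlan=1, tag_native=False):
    """VLAN in which the second switch delivers the attacker's double-tagged frame."""
    attacker = b"\x00\x50\x56\x00\x00\x66"          # constructed attacker MAC
    broadcast = b"\xff" * 6
    crafted = build_frame(broadcast, attacker, [native_vlan, target_vlan], b"hello")
    on_trunk = access_to_trunk(crafted, access_vlan=native_vlan,
                               trunk_native_vlan=native_vlan, tag_native=tag_native)
    return trunk_ingress_vlan(on_trunk, native_vlan)

if __name__ == "__main__":
    print("native VLAN untagged on trunk ->", vlan_hop())                 # 20: hop succeeded
    print("native VLAN tagged on trunk   ->", vlan_hop(tag_native=True))  # 1: stays in VLAN 1
```

Besides turning DTP off, the practical fixes follow from the model: keep user access ports out of the trunk's native VLAN (use an unused VLAN as native) or tag the native VLAN on trunks, so the outer tag is never stripped.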
Layer 3 protocols
The network layer
> IP(v4): no built-in security
> ICMP: information leakage and side effects
> HSRP / VRRP: provide next-hop redundancy
> RIP / RIPv2: no authentication (v1) and flooding
> OSPF: multicast (adjacencies and DR/BDR at risk)
> BGP: core of the Internet (RR/peerings/sessions at risk)
Not (yet) well known or not so used in enterprise networks
> IS-IS: but a lot of Service Providers are moving from OSPF to IS-IS (usually in relation with MPLS/Traffic Engineering deployment)
> (E)IGRP
Future ?
> S-BGP (Secure BGP)
Vulnerable IOS
> TCP ISN generation: fixed as of 12.0(15) and 12.1(7)
> ISNs are (still) time dependent
Source: http://razor.bindview.com/publish/papers/tcpseq.html
[Figure: OSPF areas; an Autonomous System Border Router (ASBR) in Area 1 connects to a network running another IGP]
> Turn your network into an NBMA (Non-Broadcast Multiple Access, i.e. point-to-point links only) network: hellos are then unicast to the neighbors listed in the configuration instead of being multicast to 224.0.0.5
interface xy
 ip ospf network non-broadcast
router ospf 1
 neighbor x.x.x.x
> You can't filter what is injected into the local area (the meaning of the network statement is misleading); a distribute-list out only applies to routes redistributed into OSPF from other processes/ASes
> You can filter what you install in the routing table from what you receive, but a distribute-list in does not stop the LSAs themselves: they are still flooded to the rest of the area
router ospf 1
 distribute-list <ACL> in
 distribute-list <ACL> out
> Contrary to OSPF DR/BDRs, a new IS-IS DIS (Designated IS) with a higher priority takes precedence (preemption), and all routers maintain adjacencies with all other routers in the area (separate L1 and L2 adjacencies on the same LAN)
Security measures
> Log changes
> Use authentication at
- the interface level
- the area level
- the domain level
interface xy
 isis password <password> level-<z>
router isis
 log-adjacency-changes
 domain-password <password>
 area-password <password>
> Caveat: these passwords travel in clear text in the IS-IS PDUs (RFC 1195 simple password authentication); they stop accidental or naive adjacencies, not an attacker who can sniff the segment
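The "log changes" advice on the OSPF and IS-IS slides only pays off if someone reads the logs, so here is an added example (not code from the talk) of the check to run over them: every neighbor that comes up on an interface is compared with the neighbors expected there, and an expected neighbor going down is reported too. The log lines are constructed for this example in the `%OSPF-5-ADJCHG` and `%CLNS-5-ADJCHANGE` formats IOS emits when `log-adjacency-changes` is configured; the hostname, interfaces and neighbor IDs are made up.

```python
import re

# Added example: adjacency-change detection over constructed IOS syslog lines.

OSPF_ADJ = re.compile(
    r"%OSPF-5-ADJCHG: Process (?P<proc>\d+), Nbr (?P<nbr>\S+) on (?P<iface>\S+) "
    r"from (?P<old>[A-Z0-9-]+) to (?P<new>[A-Z0-9-]+)")
ISIS_ADJ = re.compile(
    r"%CLNS-5-ADJCHANGE: ISIS: Adjacency to (?P<nbr>\S+) \((?P<iface>[^)]+)\) (?P<state>Up|Down)")

def parse_adjacency(line):
    """Return (protocol, neighbor, interface, 'up'|'down'|'transition') or None."""
    m = OSPF_ADJ.search(line)
    if m:
        state = {"FULL": "up", "DOWN": "down"}.get(m.group("new"), "transition")
        return "ospf", m.group("nbr"), m.group("iface"), state
    m = ISIS_ADJ.search(line)
    if m:
        # IS-IS logs the system ID, or the dynamic hostname when it is known
        return "isis", m.group("nbr"), m.group("iface"), m.group("state").lower()
    return None

def audit_adjacencies(lines, expected):
    """expected: {interface: {neighbor id, ...}}. Returns a list of alert tuples."""
    alerts = []
    for line in lines:
        ev = parse_adjacency(line)
        if ev is None:
            continue
        proto, nbr, iface, state = ev
        allowed = expected.get(iface, set())
        if state == "up" and nbr not in allowed:
            alerts.append(("UNEXPECTED_NEIGHBOR", proto, iface, nbr))
        elif state == "down" and nbr in allowed:
            alerts.append(("LOST_NEIGHBOR", proto, iface, nbr))
    return alerts

# Constructed sample log from "rtr1" and the neighbors we expect on each interface
SAMPLE_LOG = [
    "Jan 12 10:01:02 rtr1 1234: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on FastEthernet0/0 from LOADING to FULL, Loading Done",
    "Jan 12 10:05:44 rtr1 1235: %OSPF-5-ADJCHG: Process 1, Nbr 192.0.2.99 on FastEthernet0/1 from LOADING to FULL, Loading Done",
    "Jan 12 10:06:10 rtr1 1236: %CLNS-5-ADJCHANGE: ISIS: Adjacency to 0000.0000.0002 (FastEthernet0/0) Up, new adjacency",
    "Jan 12 10:07:00 rtr1 1237: %CLNS-5-ADJCHANGE: ISIS: Adjacency to 1921.6800.0099 (Serial0/0) Up, new adjacency",
    "Jan 12 10:09:30 rtr1 1238: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired",
    "Jan 12 10:09:31 rtr1 1239: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
]
EXPECTED = {
    "FastEthernet0/0": {"10.0.0.2", "0000.0000.0002"},
    "Serial0/0": {"0000.0000.0003"},
}

if __name__ == "__main__":
    for alert in audit_adjacencies(SAMPLE_LOG, EXPECTED):
        print(alert)
```

An unexpected neighbor reaching FULL (or an IS-IS adjacency coming Up) on a LAN segment is exactly what a rogue router injecting routes looks like from the victim's side; the expected-neighbor list is the same information you would put into NBMA neighbor statements.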
> You can have more than 2 routers in a standby group; there is no need to kill the active router, becoming the active (master) router is enough: send hellos/coup messages with a higher priority than the current active router
> Use IPsec (Cisco's recommendation), but it is not trivial (multicast traffic, order of processing depending on the IOS release, limited to a group of 2 routers)
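To make the "becoming the master is enough" point concrete, here is an added example (not code from the talk) with a parser for HSRP version 1 packets (RFC 2281, UDP port 1985 to 224.0.0.2) and a monitor that flags a speaker which is not in the configured standby group and whose priority would win the election. The packets, addresses and priorities are constructed here; a real monitor would take them from a capture on the segment.

```python
import struct
import ipaddress

# Added example: HSRPv1 parsing and takeover detection over constructed packets.

HSRP_V1 = "!BBBBBBBB8s4s"   # version, opcode, state, hellotime, holdtime, priority, group, reserved, auth, vip
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}

def build_hsrp(opcode, state, priority, group, vip, auth=b"cisco", hellotime=3, holdtime=10):
    """HSRPv1 packet body; 'cisco' is the default (cleartext) authentication string."""
    return struct.pack(HSRP_V1, 0, opcode, state, hellotime, holdtime, priority, group, 0,
                       auth.ljust(8, b"\x00"), ipaddress.ip_address(vip).packed)

def parse_hsrp(data):
    if len(data) < 20:
        raise ValueError("truncated HSRP packet")
    v, op, st, hello, hold, prio, grp, _, auth, vip = struct.unpack(HSRP_V1, data[:20])
    if v != 0:
        raise ValueError("not HSRP version 1")
    return {"opcode": OPCODES.get(op, op), "state": STATES.get(st, st),
            "hellotime": hello, "holdtime": hold, "priority": prio, "group": grp,
            "auth": auth.rstrip(b"\x00"), "vip": str(ipaddress.ip_address(vip))}

def audit_hsrp(packets, legit):
    """packets: [(source ip, payload)]; legit: {group: {router ip: configured priority}}.
    The election is won by the highest priority (ties go to the higher IP address), and an
    active router yields to a coup from a higher-priority router, so an unknown speaker with
    priority >= the highest configured one is reported as a possible takeover."""
    alerts, seen_default_auth = [], set()
    for src, payload in packets:
        h = parse_hsrp(payload)
        routers = legit.get(h["group"], {})
        if src not in routers:
            alerts.append(("unknown-speaker", src, h["group"], h["opcode"], h["priority"]))
            if h["priority"] >= max(routers.values(), default=0):
                alerts.append(("takeover-possible", src, h["group"], h["priority"]))
        if h["auth"] == b"cisco" and (src, h["group"]) not in seen_default_auth:
            seen_default_auth.add((src, h["group"]))
            alerts.append(("default-auth", src, h["group"]))
    return alerts

# Constructed sample: two legitimate routers in group 1, then an attacker at 10.0.0.66
# sending a coup followed by a hello claiming the active role with priority 255.
LEGIT = {1: {"10.0.0.2": 110, "10.0.0.3": 100}}
SAMPLE = [
    ("10.0.0.2", build_hsrp(0, 16, 110, 1, "10.0.0.1")),
    ("10.0.0.3", build_hsrp(0, 8, 100, 1, "10.0.0.1")),
    ("10.0.0.66", build_hsrp(1, 4, 255, 1, "10.0.0.1")),
    ("10.0.0.66", build_hsrp(0, 16, 255, 1, "10.0.0.1")),
]

if __name__ == "__main__":
    for alert in audit_hsrp(SAMPLE, LEGIT):
        print(alert)
```

The "default-auth" alert is there because the HSRPv1 authentication field is a cleartext string that any sniffer sees, which is why the slide points to IPsec rather than to the password.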
> Mostly 64-byte packets
> RRDtool and NetFlow can be used to graph trends and to detect changes and anomalies
Source: FlowScan from UW-Madison (http://wwwstats.net.wisc.edu/)
> ICMP filtering is a source of dispute (unreachables, parameter-problem, etc.)
> ICMP is not just ping: you can break a lot of things (Path MTU Discovery, for example, needs the "fragmentation needed" unreachables to get through)
> YMMV.
[Figure: iBGP sessions between the core routers; links towards the Internet or customers]
DDoS/worm research/future
Worse to come
> A lot of research has been done but nothing has been published/disclosed: the risks are too high
> Most of the worms we've seen so far were quite gentle
> Will the next worm affect IIS/Outlook users again?
> What are the effects on Internet stability (CAIDA)?
MPLS (1)
MultiProtocol Label Switching
> An MPLS label is added to the IP packet to identify the VPN
> Each router (LSR) on the path (LSP) has a local table (LIB)
> The label only has local meaning and is/may be changed (swapped) on each hop
[Figure: MPLS core; Customer Edge Router, primary LSP (Label Switch Path) and backup LSP]
MPLS (2)
MultiProtocol Label Switching
> Virtual circuits, not encrypted/authenticated VPNs
> Equivalent to a layer 2 VPN (ATM/FR)
- the security is often provided by hiding the MPLS core structure/cloud from customers by using filtering or non-routed address space (think security by obscurity)
- as a customer you have to trust the MPLS core
> IPsec can be used to secure the traffic
> VPN partitioning is done at the routing layer
> One routing table per VPN on each PE router
- a separate Virtual Routing and Forwarding instance (VRF) per VPN
- the prefixes of each VRF are made unique in MP-BGP by a Route Distinguisher (RD) prepended to the IPv4 prefix (VPNv4 address)
> Current trend in SP networks: deploy MPLS+IS-IS with wide metrics+TE for sub-second convergence and traffic rerouting
MPLS (3)
Attacks
> Labeled packet injection:
- blocked by default: labeled packets are not accepted on interfaces without MPLS enabled (Customer Edge facing)
- easy if you have access to the MPLS routers themselves
> Inject data into the signaling protocols ((MP-)BGP and IGPs) to modify the VPN topology: IPv4-RRs and VPNv4-RRs (Route Reflectors) are the targets
> Even higher risk when the same router is shared between Internet access and an MPLS L2VPN
MPLS (4)
Attacks
> Use new functionality like FRR (MPLS Fast ReRoute)
- RSVP (No Route) Path Error message: allows sniffing by redirecting traffic over a router that is under the attacker's control and part of the MPLS core
. a new LSP is signaled
. the adjacency table is updated for the tunnel interface
. an LSR receiving a marked packet with label x will accept it on any (MPLS-enabled) interface and switch it out
[Figure: a fake/spoofed IGP LSP/LSA or RSVP Path Error message sent into the MPLS core; the LFIB entry for incoming label 3 changes as follows]
Label In       Label Out   Interface Out
3 (old path)   17          POS7/0
3 (new path)   8           POS7/1
MPLS (5)
Security measures
> Good configuration of all routers (CE, PE, P, MPLS core)
- ACLs
- static and dynamic routing
- VRFs
- etc.
> The MPLS network should start on the PE router, not on the CE
> Difficult to gather MPLS information from the routers
> Use IPsec (without anonymous key exchanges ;-)
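As an added example that is not code from the talk, here is a model of label handling on a label switch router covering two points from the MPLS slides: a label only has local meaning and is swapped through the LFIB at each hop, and labeled packets must only be accepted on MPLS-enabled (core-facing) interfaces, never on a customer-facing one. The shim header layout is the standard 32-bit one (label 20 bits, EXP 3, S 1, TTL 8); the labels, interface names and LFIB entries are made up and are not the values of the talk's diagram. The last lines of the demo show what a rewritten LFIB entry (the outcome of the spoofed FRR/IGP update on the previous slide) does to where traffic goes.

```python
import struct

# Added example: MPLS label stack parsing and an LSR forwarding model. Values constructed.

def parse_label_stack(packet):
    """Decode shim headers (label 20 bits, EXP 3, S 1, TTL 8) down to the bottom of stack.
    Returns ([(label, exp, ttl), ...] top first, payload)."""
    entries, off = [], 0
    while True:
        if off + 4 > len(packet):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack("!I", packet[off:off + 4])
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        off += 4
        if (word >> 8) & 0x1:                  # S bit set: bottom of stack
            return entries, packet[off:]

def build_label_stack(entries, payload):
    out = b""
    for i, (label, exp, ttl) in enumerate(entries):
        s = 1 if i == len(entries) - 1 else 0
        out += struct.pack("!I", ((label & 0xFFFFF) << 12) | ((exp & 0x7) << 9) | (s << 8) | (ttl & 0xFF))
    return out + payload

class LSR:
    """lfib maps incoming label -> (outgoing label, or None to pop, outgoing interface).
    mpls_interfaces is the set of interfaces on which labeled packets are accepted."""
    def __init__(self, mpls_interfaces, lfib):
        self.mpls_interfaces = set(mpls_interfaces)
        self.lfib = dict(lfib)

    def forward(self, in_interface, packet):
        if in_interface not in self.mpls_interfaces:
            return ("drop", "labeled packet received on non-MPLS interface %s" % in_interface)
        entries, payload = parse_label_stack(packet)
        (label, exp, ttl), rest = entries[0], entries[1:]
        if ttl <= 1:
            return ("drop", "TTL expired for label %d" % label)
        if label not in self.lfib:
            return ("drop", "no LFIB entry for label %d" % label)
        out_label, out_interface = self.lfib[label]
        if out_label is None:                  # pop (e.g. penultimate hop popping)
            if rest:                           # carry the decremented TTL to the exposed label
                rest[0] = (rest[0][0], rest[0][1], ttl - 1)
            return ("forward", out_interface, build_label_stack(rest, payload) if rest else payload)
        return ("forward", out_interface,
                build_label_stack([(out_label, exp, ttl - 1)] + rest, payload))

# Constructed core router: label 30 is swapped to 17 towards POS7/0, label 31 is popped
# towards POS7/1; customer-facing Ethernet0 carries no MPLS, so labels arriving there drop.
CORE = LSR(mpls_interfaces={"POS7/0", "POS7/1"},
           lfib={30: (17, "POS7/0"), 31: (None, "POS7/1")})
# transport label 30 on top of VPN label 1000, followed by a dummy IPv4 header
PACKET = build_label_stack([(30, 0, 64), (1000, 0, 64)], b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print(CORE.forward("POS7/1", PACKET))
    print(CORE.forward("Ethernet0", PACKET))
    # a spoofed FRR/IGP update that rewrites the LFIB entry changes where the traffic goes
    CORE.lfib[30] = (8, "POS7/1")
    print(CORE.forward("POS7/0", PACKET))
```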
IPv6
> Basically no new risks/big changes
> Native IPsec support
> Higher risks during the transition phase from IPv4 to IPv6?
> Protocols used to interconnect islands of one IP version over the other (IPv4 over IPv6 and vice versa)
- GRE
- MPLS
> 3. Check: automatically (cron/at job), when you see "configured by <xyz>" (%SYS-5-CONFIG_I) or a router boot (%SYS-5-RESTART) in the logfile, or when you receive the "configuration changed" SNMP trap
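The "check" step above, as an added example that is not code from the talk: a configuration fingerprint is a SHA-256 over the saved configuration with the lines that legitimately change on their own removed (timestamps, NTP clock period), so that a reboot or clock drift does not look like tampering, and the syslog is scanned for the two trigger messages named above. The configurations, hostnames, addresses and log lines are constructed for the example; fetching the running configuration from the router is left to whatever you already use for backups.

```python
import difflib
import hashlib
import re

# Added example: configuration fingerprinting and trigger detection. All data constructed.

VOLATILE = re.compile(
    r"^(! Last configuration change|! NVRAM config last updated|! No configuration change since"
    r"|Building configuration|Current configuration|ntp clock-period)")

TRIGGERS = (
    re.compile(r"%SYS-5-CONFIG_I: Configured from (?P<where>.+?) by (?P<who>\S+)"),
    re.compile(r"%SYS-5-RESTART: System restarted"),
)

def normalise(config_text):
    """Config lines that should be stable between two pulls of the configuration."""
    return [line.rstrip() for line in config_text.splitlines()
            if line.strip() and not VOLATILE.match(line)]

def fingerprint(config_text):
    return hashlib.sha256("\n".join(normalise(config_text)).encode()).hexdigest()

def config_changes(baseline_text, current_text):
    """Added (+) and removed (-) lines, volatile ones ignored; [] when unchanged."""
    if fingerprint(baseline_text) == fingerprint(current_text):
        return []
    diff = difflib.unified_diff(normalise(baseline_text), normalise(current_text),
                                lineterm="", n=0)
    return [line for line in diff
            if line[:1] in ("+", "-") and not line.startswith(("+++", "---"))]

def check_triggers(log_lines):
    """Log lines after which a fingerprint comparison should be scheduled."""
    return [line for line in log_lines if any(t.search(line) for t in TRIGGERS)]

BASELINE = """\
! Last configuration change at 09:12:41 UTC Mon Jan 7 2002 by admin
version 12.0
hostname rtr1
ntp clock-period 17179862
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
access-list 10 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
end
"""
# same configuration after a reboot: only the volatile lines differ
DRIFTED = (BASELINE.replace("09:12:41 UTC Mon Jan 7", "03:00:05 UTC Tue Jan 8")
                   .replace("17179862", "17179870"))
# a real change: one extra line in the ACL that protects the vty lines
TAMPERED = DRIFTED.replace(
    "access-list 10 permit 10.0.0.0 0.0.0.255\n",
    "access-list 10 permit 10.0.0.0 0.0.0.255\naccess-list 10 permit 192.0.2.0 0.0.0.255\n")
SAMPLE_LOG = [
    "Jan 8 03:00:01 rtr1 77: %SYS-5-RESTART: System restarted --",
    "Jan 8 03:04:10 rtr1 78: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
    "Jan 8 03:09:55 rtr1 79: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.7)",
]

if __name__ == "__main__":
    print(check_triggers(SAMPLE_LOG))
    print(config_changes(BASELINE, DRIFTED))
    print(config_changes(BASELINE, TAMPERED))
```

Keep the baseline fingerprint off the router (the whole point is that a compromised box cannot vouch for itself), and treat a trigger without a matching change ticket as an incident even when the diff turns out to be empty.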
> ELF 32-bit MSB executable, statically linked, stripped
> What is possible with remote gdb access:
- gdb {kernel | pid pid-num} ?
> A lot of different images exist (but providers usually go for ~12.0(x)S) and a tool to patch images would be required
- 37 feature sets and 2500 images out there (90% IP FS)!
> What will happen with IOS-NG (support for loadable modules)?
- Is Cisco still working on it? GSR dedicated team?
Pictures of CanSecWest/core02
< http://www.securite.org/csw/core02/ >
Questions ?
Image: http://www.inforamp.net/~dredge/funkycomputercrowd.html