
Network Infrastructure Insecurity


Presentation Transcript


  1. Network Infrastructure Insecurity The authentication, management and routing protocols that run your network

  2. Topics • Overview • Basic protocol flaws • Network allocation flaws • Routing protocol flaws • Authentication flaws • Network Management and other fun flaws • Application of attacks

  3.–6. The Network (diagram slides; labels only survived extraction: Internet, Firewall, DMZ, Router, Switch, Hub, Printer, Radius Server, Hosts. Successive slides strip away the Internet, firewall, DMZ and hosts, leaving the infrastructure devices themselves.)

  7. Overview • Network Infrastructure • The building blocks of a network • basic network protocols • network management • authentication • routing • other random things • switches, hubs • printers • routers

  8. Overview • Does this stuff matter? • Absolutely - the network depends on these • Basic protocols - obvious • network management & allocation • simplify network design and machine deployment • Authentication • access control • Routing • Getting from A to B • Other stuff • The network RUNS on these

  9. Overview • Impacts • Attacking protocols can allow for hijacking, spoofing and impersonation • control network devices • elevate access • change network flow • hide connections • sniffing • …and more

  10. Basic Protocols • Security at the IP layer discussed over and over • Security at the link layer ignored

  11. ARP • Address Resolution Protocol • Used for mapping network IP addresses to physical (in the case of Ethernet, MAC) interface addresses. • Broadcast at the link layer.

  12. ARP Security Flaws • Lack of Authentication • Limited Table Entries • ARP caches can be overpopulated and flushed

  13. ARP Authentication Flaws • Lack of Authentication • ARP replies are typically accepted and cached on receipt without any check of their origin. • No method to distinguish between legitimate and illegitimate messages

  14. ARP Lack of Authentication • Invalid ARP replies • When an ARP who-is is broadcast on the wire, anyone can reply and be mapped to the associated network address. • Gratuitous ARP replies • ARP replies without requests can be sent out and cached, diverting traffic from the compromised network address to the attacker.

  15. ARP Attacks • Replace entries in ARP caches for existing addresses • Denial of Service • Reply to requests with the compromised host's address as router or nameserver. • Non-blind traffic hijacking • Exploitation of host-based trusts.

  16. ARP Attacks • ARP Cache Overpopulation • Sending too many gratuitous ARP replies flushes the target ARP cache in some implementations. • Reaching the cache maximum can cause devices like switches to re-enter “learning mode”
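Added example (not part of the deck): a passive ARP monitor, written here in Python, that turns the flaws on slides 13 to 16 into detections: an unsolicited reply, an IP whose MAC changes, one MAC claiming several addresses, and a reply flood. The frames, addresses and threshold are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2
@dataclass(frozen=True)
class ArpFrame:
    op: int          # 1 = request (who-has), 2 = reply (is-at)
    sender_mac: str
    sender_ip: str
    target_ip: str
class ArpMonitor:
    """arpwatch-style passive observer: learns IP->MAC from replies, returns alert strings."""
    def __init__(self, flood_threshold=50):
        self.bindings = {}               # ip -> mac last claimed
        self.pending = set()             # ips a request was seen for
        self.replies = defaultdict(int)  # sender mac -> reply count
        self.flood_threshold = flood_threshold
    def observe(self, f: ArpFrame) -> list:
        alerts = []
        if f.op == ARP_REQUEST:
            self.pending.add(f.target_ip)
            return alerts
        if f.sender_ip in self.pending:  # answer to a real request
            self.pending.discard(f.sender_ip)
        else:                            # gratuitous / unsolicited "is-at"
            alerts.append(f"unsolicited reply: {f.sender_ip} is-at {f.sender_mac}")
        known = self.bindings.get(f.sender_ip)
        if known is not None and known != f.sender_mac:  # classic poisoning signature
            alerts.append(f"binding change: {f.sender_ip} moved {known} -> {f.sender_mac}")
        # One MAC answering for several IPs (router *and* nameserver, say); multi-homed hosts
        # show up here too, so treat it as a lead, not a verdict.
        others = sorted(ip for ip, m in self.bindings.items() if m == f.sender_mac and ip != f.sender_ip)
        if others:
            alerts.append(f"{f.sender_mac} claims {f.sender_ip} and also {', '.join(others)}")
        self.replies[f.sender_mac] += 1  # reply volume: cache overpopulation / flush attempts
        if self.replies[f.sender_mac] == self.flood_threshold:
            alerts.append(f"reply flood: {self.flood_threshold} replies from {f.sender_mac}")
        self.bindings[f.sender_ip] = f.sender_mac
        return alerts

def run_sample() -> list:
    """Constructed traffic: real gateway answer, then an impostor taking the gateway and DNS addresses."""
    mon = ArpMonitor()
    frames = [
        ArpFrame(ARP_REQUEST, "00:11:22:33:44:55", "10.0.0.20", "10.0.0.1"),
        ArpFrame(ARP_REPLY, "aa:bb:cc:00:00:01", "10.0.0.1", "10.0.0.20"),   # legitimate
        ArpFrame(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1", "10.0.0.20"),   # unsolicited takeover
        ArpFrame(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.53", "10.0.0.20"),  # same MAC, second address
    ]
    return [alert for f in frames for alert in mon.observe(f)]
```

The sample run yields four alerts: the takeover of 10.0.0.1 produces an unsolicited-reply and a binding-change alert, and the second address produces an unsolicited-reply alert plus the multiple-address lead.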

  17. DHCP • Dynamic Host Configuration Protocol • Popular amongst PC users for ease of installation and configuration • UDP transport • To broadcast, from 0.0.0.0

  18. DHCP Security Problems • Unauthenticated • Anyone can request an address • Undirected • Anyone can respond • Limited ACL capabilities • Limit addresses per MAC

  19. DHCP Attacks • Get all addresses • Denial Of Service • Reply to requests with compromised host set as router or nameserver • Deregister hosts • Hijack IPs, connections

  20. DHCP Fixes • Authentication • ISC is adding authentication in their 3.1 implementation • Others have implemented proprietary authentication mechanisms • Don’t allow dynamic assignment of DNS servers or routers • Statically define these

  21. Gateway Protocols • IGP • RIPv1 • RIPv2 • OSPF • BGP

  22. RIP • Routing Information Protocol • Widely used distance-vector IGP (Interior Gateway Protocol) within autonomous systems. • Exists in two forms, Version 1 and the backwards compatible Version 2. • RIPv1 is extremely vulnerable to serious attack.

  23. RIP Security Flaws • Transport Method • Authentication

  24. RIP Transport Method Flaws • Based on UDP, utilizing port 520 for sending and receiving messages. • UDP is unreliable, no sequencing of packets. Easy to send arbitrary data to the target. • Since sequencing is not a concern, forging the source address can be very effective. • May be able to receive data from anywhere on the internet.

  25. RIP Authentication Flaws • Lack of any authentication in RIPv1 • Cleartext Authentication recommended in RFC 2453 RIPv2 Specifications • MD5 Key/KeyID Digest Based Authentication described in RFC 2082.

  26. RIP Attacks • Forging RIP messages • Spoofing source address and sending invalid routes, altering traffic flow. • Traffic Hijacking • Traffic Monitoring • Redirecting traffic from trusted to untrusted. • Obtaining Cleartext RIPv2 "password" when sent across network. • Using retrieved password to send authenticated updates to RIPv2 routers, altering traffic flow with consequences listed above.

  27. RIP Solutions • Disabling RIPv1 and using RIPv2 with MD5 authentication. • Enabling MD5 based authentication for RIPv2 • Disabling RIP completely and using OSPF with MD5 authentication as interior gateway protocol. OSPF is the suggested IGP.
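Added example (not from the deck): generating and checking the RFC 2082 keyed-MD5 trailer on a RIPv2 Response, so a listener accepts only updates from a holder of the key and drops altered or replayed ones. The field layout follows RFC 2082 as I read it; the route, key and sequence numbers are constructed.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AUTYPE_KEYED_MD5 = 3      # RFC 2082 AuType for Keyed Message Digest
AUTH_ENTRY = "!HHHBBIII"  # 0xFFFF, AuType, packet length, key id, auth len, seq, 2x reserved
TRAILER_HDR = struct.pack("!HH", 0xFFFF, 0x01)

def keyed_md5(data: bytes, key: bytes) -> bytes:
    # The 16-byte key (zero padded / truncated) stands in where the digest will go.
    return hashlib.md5(data + key.ljust(16, b"\x00")[:16]).digest()

def rip2_route(prefix: str, mask: str, next_hop: str, metric: int) -> bytes:
    return struct.pack("!HH4s4s4sI", 2, 0, IPv4Address(prefix).packed,
                       IPv4Address(mask).packed, IPv4Address(next_hop).packed, metric)

def build_rip2_response(routes: bytes, key_id: int, seq: int, key: bytes) -> bytes:
    header = struct.pack("!BBH", 2, 2, 0)             # command=Response, version=2
    packet_len = 4 + 20 + len(routes)                 # offset of the trailer
    auth = struct.pack(AUTH_ENTRY, 0xFFFF, AUTYPE_KEYED_MD5, packet_len, key_id, 16, seq, 0, 0)
    body = header + auth + routes + TRAILER_HDR
    return body + keyed_md5(body, key)

def verify_rip2_response(packet: bytes, keys: dict, last_seq: int = -1):
    """Return (accepted, seq). keys maps Key ID -> key; last_seq is the last accepted sequence."""
    if len(packet) < 4 + 20 + 4 + 16:
        return False, -1
    afi, autype, packet_len, key_id, auth_len, seq, _, _ = struct.unpack(AUTH_ENTRY, packet[4:24])
    if afi != 0xFFFF or autype != AUTYPE_KEYED_MD5 or auth_len != 16:
        return False, seq
    if packet_len + 20 != len(packet) or packet[packet_len:packet_len + 4] != TRAILER_HDR:
        return False, seq
    key = keys.get(key_id)                            # unknown Key ID: drop
    if key is None:
        return False, seq
    expected = keyed_md5(packet[:packet_len + 4], key)
    if not hmac.compare_digest(expected, packet[packet_len + 4:]):
        return False, seq                             # forged or altered in transit
    if seq <= last_seq:                               # replayed or stale update (strict variant)
        return False, seq
    return True, seq
```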

  28. OSPF • OSPF - Open Shortest Path First • Link-State Interior Gateway Protocol. In wide use within autonomous systems. • OSPF is the recommended IGP, intended as a replacement for RIP.

  29. OSPF Security Flaws • Authentication

  30. OSPF Authentication Flaws • Default Lack of Authentication • By default in some implementations, OSPF authentication may be off. • Cleartext "simple password" Authentication • Commonly a default setting, clear-text password included in OSPF message used to authenticate peers. • Type of authentication determined by "CODE" field in the OSPF message header.

  31. OSPF Attacks • Forging OSPF messages • Can be somewhat difficult but theoretically possible if no authentication required or cleartext password obtained.

  32. OSPF Solution • Enable MD5 Authentication in OSPF implementation.

  33. BGP • BGP, The Border Gateway Protocol • Successor to EGP, the Exterior Gateway Protocol. Used primarily for connecting autonomous systems.

  34. BGP Security Flaws • Transport Mechanism • Authentication

  35. BGP Authentication Flaws • Default lack of authentication • In some operating systems/network devices supporting BGP, authentication may not be used by default. • Default "simple password" cleartext • Password sent in cleartext across the network by default.

  36. BGP Transport Mechanism Flaws • BGP uses TCP transport. • Communication occurs on TCP port 179. • Vulnerable to TCP Security Problems such as Syn flood, sequence number prediction. • Denial of Service • Advertisement of Invalid Routes

  37. BGP Transport Method Flaws • Uses TCP • Reliable, sequenced control protocol. • Trusts Initial Sequence Number (ISN) generation • If ISN generation is weak, vulnerable to IP-spoofing/hijack attacks. • Vulnerable to attacks affecting TCP, i.e., SYN flood • Denial of Service

  38. BGP Attacks • Sending forged UPDATEs to AS Gateways • Possible if the ISN generation on the target is weak. • No sequencing in BGP other than TCP sequence • Must be authenticated (if authentication required) • Hijacking BGP connection between peers • If password is known or no authentication • Denial of Service • SYN flooding port 179

  39. BGP Attacks (cont) • Dictionary attack • Simple-Password Authentication (cleartext password) vulnerable to a basic dictionary attack. • If properly authenticated, a malicious UPDATE can alter the outward flow of network traffic for an entire AS. • Routes for address space not belonging to the BGP speaker can be advertised and stored in tables.

  40. BGP Attacks (Cont.) • Compromised BGP Source • If a router supporting BGP is compromised, it is certainly possible to begin advertising invalid routes with little to stop it. • This can divert the traffic from other AS routers who trust the routes advertised by the compromised one. • Traffic can be intercepted, hijacked or monitored.

  41. BGP Solutions • Enable MD5 authentication • Limit access to the service (TCP port 179) • Configure route filters

  42. Authentication Flaw Overview • Authentication is a means for verification and granting of access • Problems range from denial of service to active and passive attacks leading to total compromise • gain access • elevate access

  43. Authentication Mechanisms • Radius • TACACS, XTACACS, TACACS+ • NIS/NIS+ • LDAP

  44. RADIUS • Remote Authentication Dial In User Service • RFC 2138 & 2139 • Used to authenticate users • Off-machine/device authentication • Central authentication server called a NAS • Popular implementations from Livingston and Merit

  45. Radius Security Model • UDP Based transport • Each packet contains an authenticator • Access-Requests • md5(secret + authenticator) ^ user password • Access-Reject & Access-Accept • md5(Code + ID + Length + Request-Auth + Attributes + Secret)

  46. Radius Flaws • Gaining the shared secret • Send Access-Request with all known values • Authenticator = 0 • User-Password = 0 • Code = Access-Request • ID = 0, length = known, Attributes = none • Reply will come back with the following • md5(1 + 0 + length + 0 + 0 + Secret) • Dictionary attack for Secret • radbrute.tar.gz

  47. Radius Flaws... • Passive attack • Knowledge of a user password will allow attack if sniffing is possible • Access-Request uses user password + authenticator + shared secret • md5(authenticator + shared secret) ^ user pass • obtain md5 by ^ userpass • brute force dictionary attack with known authenticator

  48. Radius Flaws... • Replay • Radius servers must not reuse authenticator • if authenticator isn’t cryptographically random, repeat authentications until an authenticator is reused, and replay server Access-Accept • Failure limits and logging limit the effectiveness • Predictable authenticator • If authenticator can be predicted, replay attacks become easier and more effective
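Added example (not from the deck): the two MD5 constructions on slide 45 in Python, with the NAS-side Response Authenticator check and a server-side record of used Request Authenticators that enforces the no-reuse rule from slide 48. The secret, authenticator and attribute bytes in the test are constructed; the chained form generalizes the slide's one-block User-Password formula to longer passwords.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: block i is XORed with MD5(secret + block i-1); block 0 uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strips padding only; RADIUS passwords cannot end in NUL

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    # Slide formula: md5(Code + ID + Length + Request-Auth + Attributes + Secret)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check that an Accept/Reject came from a holder of the secret for *this* request."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = response_authenticator(resp[0], resp[1], resp[20:], request_auth, secret)
    return hmac.compare_digest(expected, resp[4:20])

class AuthenticatorLog:
    """Server-side aid: refuse a Request Authenticator a client already used (blocks replays, exposes weak RNGs)."""
    def __init__(self):
        self.seen = set()
    def first_use(self, client: str, request_auth: bytes) -> bool:
        if (client, request_auth) in self.seen:
            return False
        self.seen.add((client, request_auth))
        return True
```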

  49. TACACS, XTACACS and TACACS+ • Terminal Access Controller Access Control System?? • Old protocol developed by BBN for Milnet • Similar in concept to RADIUS • Central authentication server moves authentication off device or host • RFC 1492, Internet Draft “The TACACS+ Protocol”

  50. TACACS, etc. Flaws • TACACS & XTACACS • UDP Transport • spoof RESPONSE messages from server trivially • Cleartext authentication normal • User names and passwords sent in the clear • MD5 in newer implementations • Good way to crack passwords online • Easy, fast way to grind for accounts with bad passwords
