Dave Ahmad
Jeremy Rauch

Network Infrastructure Insecurity
The authentication, management and routing protocols that run your network

Topics
Overview
Basic protocol flaws
Network allocation flaws
Routing protocol flaws
Authentication flaws
Network Management and other fun flaws
Application of attacks

The Network
[Diagram, built up over four slides: Internet, Firewall, DMZ, Router, Switch, Hub, Radius Server, Printer and Hosts. Successive slides drop the Internet and Firewall, then the DMZ, then the Hosts, leaving Router, Printer, Radius Server, Hub and Switch.]

Overview
Network Infrastructure
  – The building blocks of a network
    » basic network protocols
    » network management
    » authentication
    » routing
    » other random things: switches, hubs, printers, routers

Overview
Does this stuff matter?
  – Absolutely - the network depends on these
    » Basic protocols - obvious
    » Network management & allocation: simplify network design and machine deployment
    » Authentication: access control
    » Routing: getting from A to B
    » Other stuff: the network RUNS on these

Overview
Impacts
  – Attacking protocols can allow for hijacking, spoofing and impersonation
  – control network devices
  – elevate access
  – change network flow
  – hide connections
  – sniffing
  – …and more

Basic Protocols
Security at the IP layer discussed over and over
Security at the link layer ignored

ARP
Address Resolution Protocol
  – Used for mapping network IP addresses to physical (in the case of Ethernet, MAC) interface addresses.
  – Broadcast at the link layer.

ARP Security Flaws
Lack of Authentication
Limited Table Entries
  – ARP caches can be overpopulated and flushed

ARP Authentication Flaws
Lack of Authentication
  – ARP replies are typically accepted and cached without concern for origin when received.
  – No method to distinguish between legitimate and illegitimate messages

ARP Lack of Authentication
Invalid ARP replies
  – When an ARP who-is is broadcast on the wire, anyone can reply and be mapped to the associated network address.
Gratuitous ARP replies
  – ARP replies without requests can be sent out and cached, diverting traffic from the compromised network address to the attacker.

ARP Attacks
Replace entries in ARP caches for existing addresses
  – Denial of Service
  – Reply to requests with compromised host address as router or nameserver.
  – Non-blind traffic hijacking
  – Exploitation of host-based trusts.

ARP Attacks
ARP Cache Overpopulation
  – Sending too many gratuitous ARP replies, flushing the target ARP cache in some implementations.
    » Reach cache maximum, can cause devices like switches to re-enter “learning mode”
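
Because ARP itself cannot tell legitimate replies from illegitimate ones, the check has to be done by a watcher on the segment. The following is an added Python example (not part of the original slides) of such a monitor: it flags replies that answer no request, changes to an existing IP-to-MAC binding, and bursts of new bindings. The class name, thresholds, addresses and packets are all constructed for illustration.

```python
import struct
from collections import deque, namedtuple

ArpPacket = namedtuple("ArpPacket", "oper sha spa tha tpa")
REQUEST, REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # 28-byte Ethernet/IPv4 ARP body (RFC 826)


def make_arp(oper, sha, spa, tha, tpa):
    """Build a constructed ARP body; used only to create sample input."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac(sha), ip(spa), mac(tha), ip(tpa))


def parse_arp(payload):
    """Parse an Ethernet/IPv4 ARP body into printable addresses."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return ArpPacket(oper, mac(sha), ip(spa), mac(tha), ip(tpa))


class ArpMonitor:
    """Hypothetical passive monitor fed every ARP body seen on a segment."""

    def __init__(self, new_binding_limit=50, window=10.0):
        self.bindings = {}         # IP -> MAC last seen for it
        self.pending = set()       # (asker IP, asked-for IP) awaiting a reply
        self.recent_new = deque()  # timestamps of never-seen-before bindings
        self.new_binding_limit = new_binding_limit
        self.window = window

    def observe(self, payload, now):
        """Return a list of alert strings for one ARP packet seen at `now`."""
        pkt = parse_arp(payload)
        alerts = []
        if pkt.oper == REQUEST:
            self.pending.add((pkt.spa, pkt.tpa))
        elif pkt.oper == REPLY:
            if (pkt.tpa, pkt.spa) in self.pending:
                # First answer consumes the request; a second answer to the
                # same who-is will therefore show up as unsolicited.
                self.pending.discard((pkt.tpa, pkt.spa))
            else:
                alerts.append(f"unsolicited reply: {pkt.spa} is-at {pkt.sha}")
        if pkt.spa == "0.0.0.0":   # ARP probe, carries no binding
            return alerts
        known = self.bindings.get(pkt.spa)
        if known is None:
            self.recent_new.append(now)
            while now - self.recent_new[0] > self.window:
                self.recent_new.popleft()
            if len(self.recent_new) > self.new_binding_limit:
                alerts.append(f"burst: {len(self.recent_new)} new bindings "
                              f"in {self.window}s")
        elif known != pkt.sha:
            alerts.append(f"binding change: {pkt.spa} {known} -> {pkt.sha}")
        self.bindings[pkt.spa] = pkt.sha
        return alerts


def demo():
    """Constructed trace: a who-is, the real answer, then a second answer."""
    host, router, other = ("02:00:00:00:00:0a", "02:00:00:00:00:01",
                           "02:00:00:00:00:66")
    mon = ArpMonitor(new_binding_limit=3)
    trace = [
        make_arp(REQUEST, host, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
        make_arp(REPLY, router, "192.0.2.1", host, "192.0.2.10"),
        make_arp(REPLY, other, "192.0.2.1", host, "192.0.2.10"),
    ]
    return [mon.observe(p, float(t)) for t, p in enumerate(trace)]


if __name__ == "__main__":
    for alerts in demo():
        print(alerts)
```
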

DHCP
Dynamic Host Configuration Protocol
  – Popular amongst PC users for ease of installation and configuration
  – UDP transport
  – To broadcast, from 0.0.0.0

DHCP Security Problems
Unauthenticated
  – Anyone can request an address
Undirected
  – Anyone can respond
Limited ACL capabilities
  – Limit addresses per MAC

DHCP Attacks
Get all addresses
  – Denial of Service
  – Reply to requests with compromised host set as router or nameserver
Deregister hosts
  – hijack IPs, connections

DHCP Fixes
Authentication
  – ISC is adding authentication in their 3.1 implementation
  – Others have implemented proprietary authentication mechanisms
Don’t allow dynamic assignment of DNS servers or routers
  – Statically define these

Gateway Protocols
IGP
  – RIPv1
  – RIPv2
  – OSPF
BGP

RIP
Routing Information Protocol
  – Widely used distance-vector IGP (Interior Gateway Protocol) within autonomous systems.
  – Exists in two forms, Version 1 and the backwards compatible Version 2.
RIPv1 is extremely vulnerable to serious attack.

RIP Security Flaws
Transport Method
Authentication

RIP Transport Method Flaws
Based on UDP, utilizing port 520 for sending and receiving messages.
  – UDP is unreliable, no sequencing of packets.
Easy to send arbitrary data to target.
  – Since sequencing is not a concern, forging source address can be very effective.
  – May be able to receive data from anywhere on the internet.

RIP Authentication Flaws
Lack of any authentication in RIPv1
Cleartext Authentication recommended in RFC 2453 RIPv2 Specifications
MD5 Key/KeyID Digest Based Authentication described in RFC 2082.

RIP Attacks
Forging RIP messages
  – Spoofing source address and sending invalid routes, altering traffic flow.
    » Traffic Hijacking
    » Traffic Monitoring
    » Redirecting traffic from trusted to untrusted.
  – Obtaining Cleartext RIPv2 "password" when sent across network.
    » Using retrieved password to send authenticated updates to RIPv2 routers, altering traffic flow with consequences listed above.

RIP Solutions
Disabling RIPv1 and using RIPv2 with MD5 authentication.
Enabling MD5 based authentication for RIPv2
Disabling RIP completely and using OSPF with MD5 authentication as interior gateway protocol. OSPF is the suggested IGP.

OSPF
OSPF - Open Shortest Path First
  – Link-State Interior Gateway Protocol. In wide use within autonomous systems.
  – OSPF is the recommended IGP, intended as a replacement for RIP.

OSPF Security Flaws
Authentication

OSPF Authentication Flaws
Default Lack of Authentication
  – By default in some implementations, OSPF authentication may be off.
Cleartext "simple password" Authentication
  – Commonly a default setting, clear-text password included in OSPF message used to authenticate peers.
Type of authentication determined by "CODE" field in the OSPF message header.

OSPF Attacks
Forging OSPF messages
  – Can be somewhat difficult but theoretically possible if no authentication required or cleartext password obtained.

OSPF Solution
Enable MD5 Authentication in OSPF implementation.
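
Whether the RIP and OSPF fixes above are actually in force can be read straight off the wire. The following is an added Python example (not part of the original slides) that classifies the authentication carried by captured RIP and OSPFv2 packets: RIPv2 signals it in a first route entry with address family 0xFFFF (type 2 cleartext, type 3 keyed MD5 per RFC 2082), and OSPFv2 in the header field that RFC 2328 names AuType. The sample packets and the password in them are constructed.

```python
import struct
from collections import namedtuple

Finding = namedtuple("Finding", "protocol auth weak")

RIP_AUTH = {2: "simple password (cleartext)", 3: "keyed MD5"}
OSPF_AUTYPE = {0: "null", 1: "simple password (cleartext)",
               2: "cryptographic (MD5)"}


def classify_rip(payload):
    """Classify the authentication on a RIP message (UDP port 520 payload)."""
    if len(payload) < 4:
        raise ValueError("truncated RIP header")
    version = payload[1]
    if version == 1:
        return Finding("RIPv1", "none (protocol has no authentication)", True)
    if version != 2:
        raise ValueError(f"unexpected RIP version {version}")
    if len(payload) >= 24:
        # An authentication entry, if present, is the first 20-byte entry.
        afi, auth_type = struct.unpack("!HH", payload[4:8])
        if afi == 0xFFFF:
            name = RIP_AUTH.get(auth_type, f"unknown type {auth_type}")
            return Finding("RIPv2", name, auth_type != 3)
    return Finding("RIPv2", "none", True)


def classify_ospf(packet):
    """Classify the authentication on an OSPFv2 packet (IP protocol 89)."""
    if len(packet) < 24:
        raise ValueError("truncated OSPF header")
    version, _type, _length, _router, _area, _cksum, autype = struct.unpack(
        "!BBH4s4sHH", packet[:16])
    if version != 2:
        raise ValueError("only the OSPFv2 header carries AuType")
    name = OSPF_AUTYPE.get(autype, f"unknown type {autype}")
    return Finding("OSPFv2", name, autype != 2)


# --- constructed sample packets -------------------------------------------
def rip_packet(version, auth_entry=b""):
    """RIP response with one route for 192.0.2.0/24, metric 1."""
    route = struct.pack("!HH4s4s4sI", 2, 0, bytes([192, 0, 2, 0]),
                        bytes([255, 255, 255, 0]), bytes(4), 1)
    return struct.pack("!BBH", 2, version, 0) + auth_entry + route


def ospf_header(autype, auth=bytes(8)):
    """Bare OSPFv2 Hello header; body omitted in this constructed sample."""
    return struct.pack("!BBH4s4sHH8s", 2, 1, 24, bytes([192, 0, 2, 1]),
                       bytes(4), 0, autype, auth)


RIP_SIMPLE = struct.pack("!HH16s", 0xFFFF, 2, b"constructed-pw")
# RFC 2082 entry: packet length, key ID, auth data length, sequence number.
# The trailing digest entry is left out of this constructed sample.
RIP_MD5 = struct.pack("!HHHBBI8s", 0xFFFF, 3, 44, 1, 16, 1, bytes(8))

SAMPLES = [
    ("rip-v1", classify_rip, rip_packet(1)),
    ("rip-v2-noauth", classify_rip, rip_packet(2)),
    ("rip-v2-simple", classify_rip, rip_packet(2, RIP_SIMPLE)),
    ("rip-v2-md5", classify_rip, rip_packet(2, RIP_MD5)),
    ("ospf-null", classify_ospf, ospf_header(0)),
    ("ospf-simple", classify_ospf, ospf_header(1, b"constr-p")),
    ("ospf-md5", classify_ospf, ospf_header(2)),
]


def audit(samples):
    """Return (label, Finding) for every packet lacking MD5 authentication."""
    results = [(label, classify(pkt)) for label, classify, pkt in samples]
    return [(label, f) for label, f in results if f.weak]


if __name__ == "__main__":
    for label, finding in audit(SAMPLES):
        print(f"{label}: {finding.protocol} auth={finding.auth}")
```
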

BGP
BGP, The Border Gateway Protocol
  – Successor to EGP, the Exterior Gateway Protocol. Used primarily for connecting autonomous systems.

BGP Security Flaws
Transport Mechanism
Authentication

BGP Authentication Flaws
Default lack of authentication
  – In some operating systems/network devices supporting BGP, authentication may not be used by default.
Default "simple password" cleartext
  – Password sent in cleartext across the network by default.

BGP Transport Mechanism Flaws
BGP uses TCP transport.
  – Communication occurs on TCP port 179.
  – Vulnerable to TCP security problems such as SYN flood, sequence number prediction.
    » Denial of Service
    » Advertisement of Invalid Routes

BGP Transport Method Flaws
Uses TCP
  – Reliable, sequenced control protocol.
  – Trusts Initial Sequence Number (ISN) generation
  – If ISN generation is weak, vulnerable to IP-spoofing/hijack attacks.
  – Vulnerable to attacks affecting TCP, i.e., SYN flood
    » Denial of Service

BGP Attacks
Sending forged UPDATEs to AS Gateways
  – Possible if the ISN generation on the target is weak.
  – No sequencing in BGP other than TCP sequence
  – Must be authenticated (if authentication req)
Hijacking BGP connection between peers
  – If password is known or no-authentication
Denial of Service
  – SYN flooding port 179

BGP Attacks (cont)
Dictionary attack
  – Simple-Password Authentication (cleartext password) vulnerable to a basic dictionary attack.
If properly authenticated, a malicious UPDATE can alter the outward flow of network traffic for an entire AS.
  – Routes for address space not belonging to the BGP speaker can be advertised and stored in tables.

BGP Attacks (Cont.)
Compromised BGP Source
  – If a router supporting BGP is compromised, it is certainly possible to begin advertising invalid routes with little to stop it.
  – This can divert the traffic from other AS routers who trust the routes advertised by the compromised one.
  – Traffic can be intercepted, hijacked or monitored.

BGP Solutions
Enable MD5 authentication
Limit access to the service (TCP port 179)
Configure route filters

Authentication Flaw Overview
Authentication is a means for verification and granting of access
Problems range from denial of service to active and passive attacks leading to total compromise
  – gain access
  – elevate access

Authentication Mechanisms
Radius
TACACS, XTACACS, TACACS+
NIS/NIS+
LDAP

RADIUS
Remote Authentication Dial In User Service
RFC 2138 & 2139
Used to authenticate users
Off-machine/device authentication
  – Central authentication server called a NAS
  – Popular implementations from Livingston and Merit

Radius Security Model
UDP Based transport
Each packet contains an authenticator
  – Access-Requests
    » md5(secret + authenticator) ^ user password
  – Access-Reject & Access-Accept
    » md5(Code + ID + Length + Request-Auth + Attributes + Secret)
![Page 46: Dave Ahmad Jeremy Rauch Network Infrastructure Insecurity The authentication, management and routing protocols that run your network.](https://reader036.fdocuments.in/reader036/viewer/2022062511/551aa2565503466b3a8b57c0/html5/thumbnails/46.jpg)
Radius Flaws
Gaining the shared secret– Send Access-Request with all known values
» Authenticator = 0
» User-Password = 0
» Code = Access-Request
» ID = 0, length = known, Attributes = none
» Reply will come back with the following md5(1 + 0 + length + 0 + 0 + Secret)
» Dictionary attack for Secret radbrute.tar.gz
![Page 47: Dave Ahmad Jeremy Rauch Network Infrastructure Insecurity The authentication, management and routing protocols that run your network.](https://reader036.fdocuments.in/reader036/viewer/2022062511/551aa2565503466b3a8b57c0/html5/thumbnails/47.jpg)
Radius Flaws...
Passive attack– Knowledge of a user password will allow attack
if sniffing is possible– Request-Access uses user password +
authenticator + shared secret» md5(authenticator + shared secret) ^ user pass
» obtain md5 by ^ userpass
» brute force dictionary attack with known authenticator
![Page 48: Dave Ahmad Jeremy Rauch Network Infrastructure Insecurity The authentication, management and routing protocols that run your network.](https://reader036.fdocuments.in/reader036/viewer/2022062511/551aa2565503466b3a8b57c0/html5/thumbnails/48.jpg)
Radius Flaws...
Replay– Radius servers must not reuse authenticator
» if authenticator isn’t cryptographically random, repeat authentications until an authenticator is reused, and replay server Request-Accept
Failure limits and logging limit the effectivity
» Predictable authenticator If authenticator can be predicted, replay attacks become
easier and more effective
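
The two authenticator formulas from the Radius Security Model slide, and the reason a reused authenticator makes an old reply valid again, as an added Python example (not part of the original slides). The shared secret, packet values and the `AuthenticatorLedger` helper are constructed for illustration; the ledger is one way a server or monitor can notice reuse.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def hide_password(password, secret, request_auth):
    """User-Password hiding: md5(secret + authenticator) ^ password,
    chained over 16-byte blocks as in RFC 2138 section 5.2."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def recover_password(hidden, secret, request_auth):
    """Server side: undo hide_password with the same secret/authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, attributes, request_auth, secret):
    """md5(Code + ID + Length + Request-Auth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code, ident, attributes, request_auth, secret):
    """Assemble a reply packet: 4-byte header, authenticator, attributes."""
    auth = response_authenticator(code, ident, attributes, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + auth + attributes


def verify_response(packet, request_auth, secret):
    """Client side: accept a reply only if its authenticator matches the
    Request Authenticator of the request we actually sent."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:length],
                                      request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


class AuthenticatorLedger:
    """Hypothetical helper: remembers Request Authenticators per client."""

    def __init__(self):
        self._seen = set()

    def observe(self, client, request_auth):
        """Return True if this client has used this authenticator before."""
        key = (client, request_auth)
        reused = key in self._seen
        self._seen.add(key)
        return reused


def replay_demo():
    """An old Access-Accept verifies again only when the authenticator
    repeats; a fresh random authenticator makes the old reply worthless."""
    secret = b"constructed-shared-secret"
    first_auth = bytes(range(16))          # constructed, deliberately fixed
    old_accept = build_response(ACCESS_ACCEPT, 7, b"", first_auth, secret)
    original = verify_response(old_accept, first_auth, secret)
    reused = verify_response(old_accept, bytes(range(16)), secret)
    fresh = verify_response(old_accept, os.urandom(16), secret)
    return original, reused, fresh


if __name__ == "__main__":
    print(replay_demo())
```
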

TACACS, XTACACS and TACACS+
Terminal Access Controller Access Control System??
  – Old protocol developed by BBN for Milnet
Similar in concept to RADIUS
  – Central authentication server moves authentication off device or host
RFC 1492, Internet Draft “The TACACS+ Protocol”

TACACS, etc Flaws
TACACS & XTACACS
  – UDP Transport
    » spoof RESPONSE messages from server trivially
  – Cleartext authentication normal
    » User names and password sent exposed
      MD5 in newer implementations
  – Good way to crack passwords online
    » Easy, fast way to grind for accounts with bad passwords

TACACS+
TCP Transport
  – Doesn’t suffer from easy spoofing; may be hijackable
Authentication and Encryption
  – May be possible to conduct attacks similar to RADIUS
Defaults and failure modes may pose problems
  – tacacs-server last-resort succeed

NIS and NIS+
Network Information Service
Originally from Sun
Popular scheme for distributing password, name service, etc
RPC based transport

NIS and NIS+ Flaws
NIS transports in plaintext
NIS is only protected by a domainname
  – easily guessed
Many vulnerabilities in implementations
  – quick search for NIS and NIS+ vulnerabilities resulted in over a dozen individual problems
NIS+ is sufficiently complex to install that no one uses it

NIS and NIS+ Solutions
Run NIS+ if at all possible
Investigate alternatives like LDAP

LDAP
Lightweight Directory Access Protocol
Operates on distinguished name (DN) and attribute pairs or collections

LDAP Flaws
New and relatively untested
Unfamiliar
Default ACLs are typically poor
Authentication mechanisms still not fully implemented
  – CA based authentication still only part there
DoS attacks
  – Flood with requests

Network Management and Other Fun Flaws
SNMP
printers

SNMP
Simple Network Management Protocol
  – The most popular network management protocol
  – Hosts, firewalls, routers, switches…UPS, power strips, ATM cards -- ubiquitous
“One of the single biggest security nightmares on networks today”

SNMPv1 Security Flaws
Transport Mechanism
  – Data manipulation
  – Denial of Service
  – Replay
Authentication
  – Host Based
  – Community Based
Information Disclosure

SNMP Transport Mechanism Flaws
UDP Based
  – Unreliable - packets may or may not be received
  – Easily forged - trivial to forge source of packets

SNMP Authentication Flaws
Host Based
  – Fails due to UDP transport
  – DNS cache poisoning
Community Based
  – Cleartext community
  – Community name prediction/brute forcing
  – Default communities

SNMP Popular Defaults
Popular defaults
  – public
  – private
  – write
  – “all private”
  – monitor
  – manager
  – security
  – admin
  – lan
  – default
  – password
  – tivoli
  – openview
  – community
  – snmp
  – snmpd
  – system
  – and on and on...

SNMPv1 Information Disclosure
Routing tables
Network topology
Network traffic patterns
Filter rules

RMON and RMON2 Security
SNMPv1’s flaws
additional hazards by introducing “action invocation” objects
collects extensive info on subnet
packet captures

SNMP Fixes
Disable it
ACL It
Read-Only

Printers Flaws
Actually a very large potential problem
Laundering of hacking spoils
bounce attacks
Denial of service

Printer flaws...
Many printers have FTP servers
  – Allow anonymous access
    » store as much data as memory or disk space in the printer - great place to store hacking tools, sniffer logs, and other stolen things
  – Most are poor implementations
    » easily used in more complex attacks
      ftp bounce
Berkeley lpd flaws

Printer flaws...
Denial of Service
  – Used as a tool to conduct DoS
    » most love to respond to broadcast pings
      smurf
  – Service denied
    » poor tcp/ip implementations
      crash easily
    » poor service implementation
      SNMP
      ftp

Printer fixes?
Disable everything you can

Example applications
Defeat sniffing
  – Race hosts on ARP replies
  – reply to ARPs with broadcast address
  – overpopulate caches
    » some switches will flush their caches
  – alter routing on the host you want to sniff

Examples
Defeating things like SSH
  – Alter routing
  – Create SSH proxy
    » Client will note key mismatch, but who ever pays attention?
Gaining router access
  – Obtain auth protocol key via brute force
  – Extract passwords on the wire
  – Just plain old sniff

What to do?
Maintain good perimeter defenses
  – At least you only have to trust your employees…
Use cryptographically secure transports
  – Crypto is good
    » But crypto fails without good policy
Disable unneeded services
  – Not using SNMP?

What to do...
Disable things like routed on hosts
  – 99% of the time, static routes work fine on end machines
Use the strongest authentication methods possible
  – Long keys, strong crypto