
RE: Comments on draft-ietf-opsec-current-practices-05.txt



A few questions/comments marked with djs> 

Protocol Vulnerability Exploitation: An attack which takes advantage
of known protocol deficiencies to cause inappropriate behavior.

djs> Is that protocol definition vulnerabilities
djs> (i.e. UDP can be trivially spoofed due to its connectionless-based
definition)
djs> or is it vulnerabilities in implementation
djs> (i.e. the PROTOS SNMP tool found nearly all SNMP v1 implementations had
some flaws in them).



2.1.2.  Security Practices

   For physical device security, equipment is kept in highly restrictive
   environments.  Only authorized users with card key badges have access
   to any of the physical locations that contain critical network
   infrastructure devices.  These card-key systems keep track of who
   accessed which location and at what time.

djs> Most cardkey systems have a fallback "master key"
djs> in case the cardkey system is down for some reason.
djs> Do we need to address limiting the use of the master key
djs> AND logging any time it is used while the card key system is
online/functional?



2.2.1.1.  Confidentiality Violations

   Confidentiality violations can occur when a miscreant intercepts
   confidential data that has been sent in cleartext.  This includes
   interception of usernames and passwords with which an intruder can
   obtain unauthorized access to network devices.  It can also include
   other information such as logging or configuration information if an
   administrator is remotely viewing local logfiles or configuration
   information.

djs> cleartext or weak encryption.


2.2.3
Data Origin Authentication - Management traffic is strictly
      filtered to allow only specific IP addresses to have access to the
      infrastructure devices.  This does not alleviate risk from spoofed
      traffic.  Using SSH for device access ensures that no one can spoof
      the traffic during the SSH session.

djs> If you combine on-system filtering (ACLs) with BCP38 on the edges,
then the risk
djs> of spoofing is mitigated barring a compromised internal system.


2.4.4.  Additional Considerations

   For layer 2 devices, MAC address filtering and authentication is not
   used.  This is due to the problems it can cause when troubleshooting
   networking issues.  Port security becomes unmanageable at a large
   scale where 1000s of switches are deployed.

   Rate limiting is used by some ISPs although other ISPs believe it is
   not really useful since attackers are not well behaved and it doesn't
   provide any operational benefit over the complexity.  Some ISPs feel
   that rate limiting can also make an attacker's job easier by
   requiring the attacker to send less traffic to starve legitimate
   traffic that is part of a rate limiting scheme.  Rate limiting may be
   improved by developing flow-based rate-limiting capabilities with
   filtering hooks.  This would improve the performance as well as the
   granularity over current capabilities.


djs> In the case of SYN floods, rate limiting done correctly
djs> will limit the effects of the attack.
djs> The flooder will only send SYNs, while the
djs> real clients will send SYNs until they get connected
djs> or quit trying, and THEN they will become an established
djs> connection (SYN/ACK, ACK, ACK/PUSH, ACK/URG ...).
djs> I am not sure how to capture that idea well in a single paragraph :(


Generalized TTL Security Mechanism 
djs> Not supported by most commercial network element vendors.
djs> Ask your vendor but I only know of one vendor 
djs> that has implemented it and they only support it for bgp.


2.6.  Software Upgrades and Configuration Integrity / Validation
djs> Is this intended to be limited to intra-ISP communication?
djs> It doesn't appear to address the actual download from the vendor.

2.6.6.  Man-In-The-Middle

   A man-in-the-middle attack attacks the identity of a communicating
   peer rather than the data stream itself.  The attacker intercepts
   traffic that is sent between the infrastructure device and the host
   used to upload/download the system image or configuration file.
   He/she can then act on behalf of one or both of these systems.

   If an attacker obtained a copy of the software image being deployed,
   he could potentially exploit a known vulnerability and gain access to
   the system.  From a captured configuration file, he could obtain
   confidential network topology information or even more damaging
   information if any of the passwords in the configuration file were
   not encrypted.
djs> MIM can be used to attack the data stream.
djs> Commands can be inserted that would allow an
djs> attacker to add a local account with any password they choose.
djs> Some of the exploit tools for Cisco routers change the config to
djs> provide admin access.

djs> ... if any of the encrypted passwords can be decrypted (such as Cisco
type 7).

2.8.3.  Routing Control Plane Filtering

   Routing filters are used to control the flow of routing information.
   In IPv6 networks, some providers are liberal in accepting /48s due to
   the still unresolved multihoming issues.  Any announcement received
   that is longer than a /48 for IPv6 routing and a /24 for IPv4 routing
   is filtered out of eBGP.  Note that this is for non-customer traffic.
   Most ISPs will accept any agreed upon prefix length from its
   customer(s).

djs> I see no mention of CoPP/RE rate limiting.
djs> We have tested and implemented some reliable limiting.
djs> Without that rate limiting some very simple attacks can consume
djs> the NE's CPU.
djs> Perhaps that is too new or belongs somewhere else?




Our IDS reports a false negative rate of 0 (Dr J).
Donald.Smith@qwest.com giac   
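The rate-limiting comment on section 2.4.4 above (flooders only ever send SYNs; real clients retry SYNs and then complete the handshake) is easier to see in code. The following is an added example written for this page; it is not code from the draft, from Qwest or from any ISP. The packet log, the threshold value and the tuple layout are all constructed for the example, and only the client-to-server direction is tracked.

```python
"""Telling SYN-flood sources apart from legitimate clients by whether the
handshake ever completes.  Added example for the rate-limiting comment on
section 2.4.4; it is not code from the draft or from any ISP.  The packet
log, the threshold and the field layout are all constructed."""
from collections import defaultdict

# Constructed client-to-server packet log: (src_ip, dst_ip, dst_port, tcp_flags)
# tcp_flags uses one letter per flag: S=SYN, A=ACK, P=PSH.
PACKETS = (
    # A real client that retried its SYN twice, then completed the handshake
    [("198.51.100.7", "192.0.2.10", 80, "S")] * 2
    + [("198.51.100.7", "192.0.2.10", 80, "A"),
       ("198.51.100.7", "192.0.2.10", 80, "PA")]
    # A real client on a lossy path: six SYN retries before it gets through
    + [("198.51.100.9", "192.0.2.10", 80, "S")] * 6
    + [("198.51.100.9", "192.0.2.10", 80, "A")]
    # A source that only ever sends SYNs and never acknowledges a SYN/ACK
    + [("203.0.113.99", "192.0.2.10", 80, "S")] * 8
)

SYN_THRESHOLD = 5  # constructed: how many bare SYNs before a source is examined


def tally(packets):
    """Per-source counts of bare SYNs sent and handshakes completed.

    A SYN (without ACK) opens a pending (src, dst, port) entry; the first
    ACK-bearing packet on that same tuple closes it as established.
    """
    pending = set()
    stats = defaultdict(lambda: {"syn": 0, "established": 0})
    for src, dst, port, flags in packets:
        key = (src, dst, port)
        if "S" in flags and "A" not in flags:
            stats[src]["syn"] += 1
            pending.add(key)
        elif "A" in flags and key in pending:
            stats[src]["established"] += 1
            pending.discard(key)
    return dict(stats)


def suspect_sources(stats, threshold=SYN_THRESHOLD):
    """Sources that sent at least `threshold` SYNs and completed no handshake.

    Keying on half-open connections rather than raw SYN count leaves a
    retrying-but-eventually-connecting client alone.
    """
    return sorted(src for src, s in stats.items()
                  if s["syn"] >= threshold and s["established"] == 0)


def naive_suspects(stats, threshold=SYN_THRESHOLD):
    """The plain per-source SYN-count rule, kept for comparison."""
    return sorted(src for src, s in stats.items() if s["syn"] >= threshold)


if __name__ == "__main__":
    stats = tally(PACKETS)
    for src, s in sorted(stats.items()):
        print(f"{src:15} syn={s['syn']:2} established={s['established']}")
    print("naive SYN-count rule flags:", naive_suspects(stats))
    print("half-open rule flags:      ", suspect_sources(stats))
```

Run stand-alone it prints the per-source counts and the two rule outcomes: the plain SYN counter flags both the lossy-path client and the flooder, while the half-open rule flags only the source that never completes a handshake, which is the distinction the comment above is after.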

> -----Original Message-----
> From: owner-opsec@psg.com [mailto:owner-opsec@psg.com] On 
> Behalf Of George Jones
> Sent: Monday, July 10, 2006 8:10 AM
> To: Merike Kaeo
> Cc: opsec@ops.ietf.org
> Subject: Comments on draft-ietf-opsec-current-practices-05.txt
> 
> Comments and HTML diffs attached.
> 
> For those on the list: Merike submitted -05 after the cutoff.
> You can see the changes from -04 in the attached .HTML file.
> 
> I think it's pretty well done.   Only major thing is add 
> citations (CVE, CERT, etc) for attacks
> enumerated.
> 
> Good work.
> 
> ---George
> 
> 
> 
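The prefix-length rule quoted from section 2.8.3 above (drop anything longer than /24 for IPv4 or /48 for IPv6 from non-customers; accept agreed-upon lengths from customers) can be written as a small filter. This is an added example for this page, not the draft's or any ISP's code. The Peer structure, the per-customer agreement table and the sample announcements are assumptions made for the example; the length limits are the ones the draft states.

```python
"""eBGP prefix-length filter following the rules quoted from section 2.8.3:
non-customer announcements longer than /24 (IPv4) or /48 (IPv6) are dropped,
while customers may announce whatever lengths the ISP has agreed with them.
Added example; not the draft's or any ISP's code.  The Peer structure, the
agreement table and the sample announcements are assumptions."""
import ipaddress
from dataclasses import dataclass, field

# Longest prefix accepted from non-customer eBGP peers, per IP version
MAX_PREFIXLEN = {4: 24, 6: 48}


@dataclass
class Peer:
    name: str
    is_customer: bool = False
    # Hypothetical agreement table for customers: covering prefix -> the
    # longest prefix length the customer may announce inside it.
    agreed: dict = field(default_factory=dict)


def make_peer(name, is_customer=False, agreed=None):
    """Build a Peer; `agreed` maps prefix strings to the longest agreed length."""
    table = {ipaddress.ip_network(p): max_len
             for p, max_len in (agreed or {}).items()}
    return Peer(name, is_customer, table)


def accept_announcement(peer, prefix):
    """Decide one announcement; returns (accepted, reason)."""
    try:
        # strict=True rejects prefixes with host bits set (e.g. 203.0.113.1/24)
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix rejected: {exc}"
    if peer.is_customer:
        for covering, max_len in peer.agreed.items():
            if (net.version == covering.version and net.subnet_of(covering)
                    and net.prefixlen <= max_len):
                return True, f"{peer.name}: within agreed {covering} up to /{max_len}"
        return False, f"{peer.name}: not covered by the customer agreement"
    limit = MAX_PREFIXLEN[net.version]
    if net.prefixlen > limit:
        return False, f"{peer.name}: /{net.prefixlen} is longer than /{limit}"
    return True, f"{peer.name}: /{net.prefixlen} is within /{limit}"


def filter_announcements(peer, prefixes):
    """Return only the announcements that pass the filter for this peer."""
    return [p for p in prefixes if accept_announcement(peer, p)[0]]


if __name__ == "__main__":
    transit = make_peer("transit-a")
    customer = make_peer("cust-1", is_customer=True,
                         agreed={"198.51.100.0/24": 28, "2001:db8:1::/48": 56})
    samples = ["203.0.113.0/24", "203.0.113.0/25", "2001:db8::/48",
               "2001:db8:0:8000::/49", "198.51.100.0/26", "2001:db8:1:ff00::/56"]
    for peer in (transit, customer):
        for p in samples:
            ok, why = accept_announcement(peer, p)
            print(f"{'ACCEPT' if ok else 'DROP  '} {p:22} {why}")
```

The customer branch checks coverage and length only; a production filter would also be paired with the AS-path and origin checks the draft discusses elsewhere, and the per-customer limits here (/28 and /56) are illustrative values, not anything the draft recommends.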

