Contact: http://www.packetnexus.com
Protecting Network Infrastructure at the Protocol Level V1.0
Curt Wilson, Netw3.com Consulting. 12/15/00

This paper is posted in the Netw3.com security reading room and can be found along with other security documents at http://www.netw3.com/documents.html

Scope of paper

This paper briefly discusses attacks on network infrastructure protocols and methods of preventing them. Particular focus is given to router and routing protocol vulnerabilities, in protocols such as Routing Information Protocol (RIP), Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), and others. Routers perform a critical function for every network; if a router is compromised or a route is successfully spoofed, network integrity can be seriously damaged, especially when hosts are not using encrypted communications channels. The potential for data manipulation through man-in-the-middle attacks, denial of service, data loss, disruption of network integrity, and packet sniffing is great. Security mechanisms are often available but are commonly not used, because attacks on routing protocols have been rare. Due to the lack of hard data on actual incidents, some approaches outlined in this paper are theoretical in nature. Routing is a huge and complex topic; therefore this document will be updated and corrected as I continue my research. Note that I am not a routing engineer and would be glad to accept corrections to any information contained herein.

Commonly known router security issues

Various types of routers have well-known security issues. A collection of some of the commonly known vulnerabilities in network infrastructure equipment from vendors such as Cisco, Livingston, Bay and others can be found at http://www.antionline.com/cgi-bin/anticode/anticode.pl?dir=router-exploits
Most of these vulnerabilities are not routing-protocol-level attacks; they rely on misconfiguration, bugs in IP packet handling, SNMP insecurities such as default community strings, weak passwords or weak password encryption, DoS conditions caused by malformed IP/UDP packets, and so on. These types of attacks are commonly known, and a standard NIDS can be configured to detect them, at least on an IP-based network. IDS are still in the emerging stages as far as non-TCP/IP-based routing protocols are concerned. Any of these attacks can weaken a network infrastructure and could be used in combination with higher-level protocol-based attacks.

Proper configuration management can resolve many of these common vulnerabilities. This involves standard procedures such as not using SNMP (or, where it must be used, choosing strong community strings and restricting which hosts may use them), keeping up to date with vendor patches, proper use of access lists, ingress/egress filtering, firewalls, encrypted management channels and passwords, route filtering, and use of MD5 authentication on routing protocol exchanges. However, to understand and implement these security procedures, network engineers must be given the time and training to understand the security implications of their work.

Recent Developments in Infrastructure Defense

A recent development in network defense is an IDS called JiNao, which can be found at http://www.anr.mcnc.org/projects/JiNao/JiNao.html. JiNao is funded by DARPA and is currently in development as a joint research project between MCNC and North Carolina State University.
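The configuration-management items listed under "Commonly known router security issues" above (default SNMP community strings, weak password storage, MD5 authentication on RIP and OSPF, route filtering, ingress filtering, restricted management access) can be checked mechanically. The following Python script is an added example, not part of the paper and not a vendor tool: it embeds two constructed Cisco IOS-style fragments, one with the weak settings and one with the hardened counterparts, and runs a small audit over them. The hostname, addresses, key strings, ACL numbers and the enable-secret hash are invented placeholders, and the check strings are this example's own conventions.

```python
import re

# Constructed IOS-style config fragments for illustration only (not from the
# paper). Hostname, addresses, keys, ACL numbers and the secret hash are made up.
WEAK_CONFIG = """\
hostname edge1
enable password cisco
snmp-server community public RW
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
interface Serial0
 ip address 198.51.100.2 255.255.255.252
router rip
 network 192.0.2.0
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
line vty 0 4
 password cisco
 login
"""

HARDENED_CONFIG = """\
hostname edge1
service password-encryption
enable secret 5 $1$placeholder$notarealhash
no snmp-server
key chain RIPKEYS
 key 1
  key-string S3cretRipKey
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip rip authentication mode md5
 ip rip authentication key-chain RIPKEYS
 ip ospf message-digest-key 1 md5 S3cretOspfKey
interface Serial0
 ip address 198.51.100.2 255.255.255.252
 ip access-group 100 in
router rip
 network 192.0.2.0
 distribute-list 10 in
router ospf 1
 area 0 authentication message-digest
 network 192.0.2.0 0.0.0.255 area 0
 distribute-list 10 in
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 permit ip any any
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def sections(lines):
    """Group an IOS-style config into (header, indented body lines) blocks."""
    header, body = None, []
    for ln in lines:
        if ln and not ln.startswith(" "):
            if header is not None:
                yield header, body
            header, body = ln, []
        elif header is not None and ln.strip():
            body.append(ln.strip())
    if header is not None:
        yield header, body


def audit_config(text):
    """Return one finding string per weak setting; an empty list is clean."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    findings = []
    # SNMP: default community names and read-write access
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", ln)
        if m:
            name, mode = m.group(1), m.group(2)
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append("snmp: default community string '%s'" % name)
            if mode == "RW":
                findings.append("snmp: read-write community '%s'" % name)
    # Passwords: 'enable password' is stored with reversible encryption
    if any(ln.startswith("enable password") for ln in lines):
        findings.append("password: 'enable password' used instead of 'enable secret'")
    # Routing protocol authentication (MD5 on RIP and OSPF)
    if "router rip" in lines and not any("ip rip authentication mode md5" in ln for ln in lines):
        findings.append("routing: RIP running without MD5 authentication")
    if any(ln.startswith("router ospf") for ln in lines) and not any(
            "authentication message-digest" in ln for ln in lines):
        findings.append("routing: OSPF running without MD5 authentication")
    # Ingress filtering: at least one interface applies an inbound access list
    if not any(re.match(r"\s+ip access-group \S+ in$", ln) for ln in lines):
        findings.append("filtering: no inbound access-group on any interface")
    # Per-block checks: route filtering and management access
    for header, body in sections(lines):
        if header == "router rip" or header.startswith("router ospf"):
            if not any(b.startswith("distribute-list") for b in body):
                findings.append("routing: no distribute-list (route filter) under '%s'" % header)
        if header.startswith("line vty"):
            if any(b.startswith("password") for b in body):
                findings.append("management: cleartext password on vty lines")
            if not any(b.startswith("access-class") for b in body):
                findings.append("management: vty lines not restricted by access-class")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg))
```

Run as a script, the weak fragment produces ten findings and the hardened one none. The checks are deliberately literal (string prefixes and one regular expression) so that each one can be read against the corresponding line of the hardened fragment; a real audit would also have to handle the vendor's own abbreviations and defaults, which this example does not attempt.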