[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]
Versions: 00 01 02 03 04 05 06 07 RFC 4778
OPSEC M. Kaeo
Internet-Draft Double Shot Security, Inc.
Expires: December 27, 2006 June 25, 2006
Operational Security Current Practices
draft-ietf-opsec-current-practices-04
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 27, 2006.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document is a survey of the current practices used in today's
large ISP operational networks to secure layer 2 and layer 3
infrastructure devices. The information listed here is the result of
information gathered from people directly responsible for defining
and implementing secure infrastructures in Internet Service Provider
environments.
Kaeo Expires December 27, 2006 [Page 1]
Internet-Draft OPSEC Practices June 2006
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Threat Model . . . . . . . . . . . . . . . . . . . . . . . 3
1.3. Attack Sources . . . . . . . . . . . . . . . . . . . . . . 4
1.4. Operational Security Impact from Threats . . . . . . . . . 5
1.5. Document Layout . . . . . . . . . . . . . . . . . . . . . 7
1.6. Definitions . . . . . . . . . . . . . . . . . . . . . . . 8
2. Protected Operational Functions . . . . . . . . . . . . . . . 9
2.1. Device Physical Access . . . . . . . . . . . . . . . . . . 9
2.2. Device In-Band Management . . . . . . . . . . . . . . . . 11
2.3. Device Out-of-Band Management . . . . . . . . . . . . . . 15
2.4. Data Path . . . . . . . . . . . . . . . . . . . . . . . . 20
2.5. Routing Control Plane . . . . . . . . . . . . . . . . . . 22
2.6. Software Upgrades and Configuration Integrity /
Validation . . . . . . . . . . . . . . . . . . . . . . . . 25
2.7. Logging Considerations . . . . . . . . . . . . . . . . . . 29
2.8. Filtering Considerations . . . . . . . . . . . . . . . . . 32
2.9. Denial of Service Tracking / Tracing . . . . . . . . . . . 33
3. Security Considerations . . . . . . . . . . . . . . . . . . . 35
4. Normative References . . . . . . . . . . . . . . . . . . . . . 35
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 36
Appendix B. Protocol Specific Attacks . . . . . . . . . . . . . . 37
B.1. Layer 2 Attacks . . . . . . . . . . . . . . . . . . . . . 37
B.2. IPv4 Attacks . . . . . . . . . . . . . . . . . . . . . . . 37
B.3. IPv6 Attacks . . . . . . . . . . . . . . . . . . . . . . . 38
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 39
Intellectual Property and Copyright Statements . . . . . . . . . . 40
Kaeo Expires December 27, 2006 [Page 2]
Internet-Draft OPSEC Practices June 2006
1. Introduction
Security practices are well understood by the network operators who
have for many years gone through the growing pains of securing their
network infrastructures. However, there does not exist a written
document that enumerates these security practices. Network attacks
are continually increasing and although it is not necessarily the
role of an ISP to act as the Internet police, each ISP has to ensure
that certain security practices are followed to ensure that their
network is operationally available for their customers. This
document is the result of a survey conducted to find out what current
security practices are being deployed to secure network
infrastructures.
1.1. Scope
The scope for this survey is restricted to security practices that
mitigate exposure to risks with the potential to adversely impact
network availability and reliability. Securing the actual data
traffic is outside the scope of the conducted survey. This document
focuses solely on documenting currently deployed security mechanisms
for layer 2 and layer 3 network infrastructure devices. Although
primarily focused on IPv4, many of the same practices can (and
should) apply to IPv6 networks. Both IPv4 and IPv6 network
infrastructures are taken into account in this survey.
1.2. Threat Model
A threat is a potential for a security violation, which exists when
there is a circumstance, capability, action, or event that could
breach security and cause harm [RFC2828].Every operational network is
subject to a multitude of threat actions, or attacks, i.e. an assault
on system security that derives from an intelligent act that is a
deliberate attempt to evade security services and violate the
security policy of a system [RFC2828]. All of the threats in any
network infrastructure is an instantiation or combination of the
following:
Reconnaissance: An attack whereby information is gathered to
ascertain the network topology or specific device information which
can be further used to exploit known vulnerabilities
Man-In-The-Middle: An attack where a malicious user impersonates
either the sender or recipient of a communication stream while
inserting, modifying or dropping certain traffic. This type of
attack also covers phishing and session hijacks.
Protocol Vulnerability Exploitation: An attack which takes advantage
Kaeo Expires December 27, 2006 [Page 3]
Internet-Draft OPSEC Practices June 2006
of known protocol deficiencies to cause inappropriate behavior.
Message Insertion: This can be a valid message (which could be a
reply attack, which is a scenario where a message is captured and
resent at later time). A message can also be inserted with any of
the fields in the message being OspoofedO, such as IP addresses, port
numbers, header fields or even packet content. Flooding is also part
of this threat instantiation.
Message Diversion/Deletion: An attack where legitimate messages are
removed before they can reach the desired recipient or are re-
directed to a network segment that is normally not part of the data
path.
Message Modification: This is a subset of a message insertion attack
where a previous message has been captured and modified before being
retransmitted. The message can be captured by using a man-in-the-
middle attack or message diversion.
Note that sometimes Denial of service attacks are listed as separate
categories. A denial of service is a consequence of an attack and
can be the result of too much traffic (i.e. flooding), or exploiting
protocol exploitation or inserting/deleting/diverting/modifying
messages.
1.3. Attack Sources
These attacks can be sourced in a variety of ways:
Active vs passive attacks
An active attack involves writing data to the network. It is
common practice in active attacks to disguise one's address and
conceal the identity of the traffic sender. A passive attack
involves only reading information off the network. This is
possible if the attacker has control of a host in the
communications path between two victim machines or has compromised
the routing infrastructure to specifically arrange that traffic
pass through a compromised machine. In general, the goal of a
passive attack is to obtain information that the sender and
receiver would prefer to remain private. [RFC3552]
On-path vs off-path attacks
Kaeo Expires December 27, 2006 [Page 4]
Internet-Draft OPSEC Practices June 2006
In order for a datagram to be transmitted from one host to
another, it generally must traverse some set of intermediate links
and routers. Such routers are naturally able to read, modify, or
remove any datagram transmitted along that path. This makes it
much easier to mount a wide variety of attacks if you are on-path.
Off-path hosts can transmit arbitrary datagrams that appear to
come from any hosts but cannot necessarily receive datagrams
intended for other hosts. Thus, if an attack depends on being
able to receive data, off-path hosts must first subvert the
topology in order to place themselves on-path. This is by no
means impossible but is not necessarily trivial. [RFC3552]
Insider or outsider attacks
An "insider attack" is one which is initiated from inside a given
security perimeter, by an entity that is authorized to access
system resources but uses them in a way not approved by those who
granted the authorization. An "outside attack" is initiated from
outside the perimeter, by an unauthorized or illegitimate user of
the system.
Deliberate attacks vs unintentional events
A deliberate attack is one where a miscreant intentionally
performs an assault on system security. However, there are also
instances where unintentional events cause the same harm yet are
performed without malice in mind. Configuration errors and
software bugs can be as devastating to network availability as any
deliberate attack on the network infrastructure.
The attack source can be a combination of any of the above, all of
which need to be considered when trying to ascertain what impact any
attack can have on the availability and reliability of the network.
It is nearly impossible to stop insider attacks or unintentional
events. However, if appropriate monitoring mechanisms are in place,
these attacks can be as easily detected and mitigated as with any
other attack source. Any of the specific attacks discussed further
in this document will elaborate on attacks which are sourced by an
"outsider" and are deliberate attacks. Some further elaboration will
be given to the feasibility of passive vs active and on-path vs off-
path attacks to show the motivation behind deploying certain security
features.
1.4. Operational Security Impact from Threats
The main concern for any of the potential attack scenarios is the
Kaeo Expires December 27, 2006 [Page 5]
Internet-Draft OPSEC Practices June 2006
impact and harm it can cause to the network infrastructure. The
threat consequences are the security violations which results from a
threat action, i.e. an attack. These are typically classified as
follows:
(Unauthorized) Disclosure
A circumstance or event whereby an entity gains access to data for
which the entity is not authorized.
Deception
A circumstance or event that may result in an authorized entity
receiving false data and believing it to be true.
Disruption
A circumstance or event that interrupts or prevents the correct
operation of system services and functions. A broad variety of
attacks, collectively called denial of service attacks, threaten
the availability of systems and bandwidth to legitimate users.
Many such attacks are designed to consume machine resources,
making it difficult or impossible to serve legitimate users.
Other attacks cause the target machine to crash, completely
denying service to users.
Usurpation
A circumstance or event that results in control of system services
or functions by an unauthorized entity. Most network
infrastructure systems are only intended to be completely
accessible to certain authorized individuals. Should an
unauthorized person gain access to critical layer 2 / layer 3
infrastructure devices or services, they could cause great harm to
the reliability and availability of the network.
A complete description of threat actions that can cause these threat
consequences can be found in [RFC2828]. Typically, a number of
different network attacks are used in combination to cause one or
more of the above mentioned threat consequences. An example would be
a malicious user who has the capability to eavesdrop on traffic.
First, he may listen in on traffic for a while to do some
reconnaissance work and ascertain which IP addresses belonged to
specific devices such as routers. Were this miscreant to obtain
Kaeo Expires December 27, 2006 [Page 6]
Internet-Draft OPSEC Practices June 2006
information such as a router password sent in cleartext, he can then
proceed to compromise the actual router. From there, the miscreant
can launch various active attacks such as sending bogus routing
updates to redirect traffic or capture additional traffic to
compromise other network devices.
1.5. Document Layout
This document is a survey of current operational practices that
mitigate the risk of being susceptible to any threat actions. As
such, the main focus is on the currently deployed security practices
used to detect and/or mitigate attacks. The top-level categories in
this document are based on operational functions for ISPs and
generally relate to what is to be protected. This is followed by a
description of which attacks are possible and the security practices
currently deployed which will provide the necessary security services
to help mitigate these attacks. These security services are
classified as:
o User Authentication
o User Authorization
o Data Origin Authentication
o Access Control
o Data Integrity
o Data Confidentiality
o Auditing / Logging
o DoS Mitigation
In many instances, a specific protocol currently deployed will offer
a combination of these services. For example, AAA can offer user
authentication, user authorization and audit / logging services while
SSH can provide data origin authentication, data integrity and data
confidentiality. The services offered are more important than the
actual protocol used. Each section ends with an additional
considerations section which explains why specific protocols may or
may not be used and also gives some information regarding
capabilities which are not possible today due to bugs or lack of ease
of use.
Kaeo Expires December 27, 2006 [Page 7]
Internet-Draft OPSEC Practices June 2006
1.6. Definitions
RFC 2119 Keywords
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
in this document are to be interpreted as described in [RFC2119].
The use of the RFC 2119 keywords is an attempt, by the editor, to
assign the correct requirement levels ("MUST", "SHOULD",
"MAY"...). It must be noted that different organizations,
operational environments, policies and legal environments will
generate different requirement levels.
Kaeo Expires December 27, 2006 [Page 8]
Internet-Draft OPSEC Practices June 2006
2. Protected Operational Functions
2.1. Device Physical Access
Device physical access pertains to protecting the physical location
and access of the layer 2 or layer 3 network infrastructure device.
Physical security is a large field of study/practice in and of
itself, arguably the largest. oldest and most well understood area of
security. Although it is important to have contingency plans for
natural disasters such as earthquakes and floods which can cause
damage to networking devices, this is out-of-scope for this document.
Here we concern ourselves with protecting access to the physical
location and how a device can be further protected from unauthorized
access if the physical location has been compromised, i.e protecting
the console access. This is aimed largely at stopping an intruder
with physical access from gaining operational control of the
device(s). Note that nothing will stop an attacker with physical
access from effecting a denial of service attack, which can be easily
accomplished by powering off the device or just unplugging some
cables.
2.1.1. Threats / Attacks
If any intruder gets physical access to a layer 2 or layer 3 device,
the entire network infrastructure can be under the control of the
intruder. At a minimum, the intruder can take the compromised device
out-of-service, causing network disruption, the extent of which
depends on the network topology. A worse scenario is where the
intruder can use this device to crack the console password and have
complete control of the device, perhaps without anyone detecting such
a compromise, or to attach another network device onto a port and
siphon off data with which the intruder can ascertain the network
topology and take control of the entire network.
The threat of gaining physical access can be realized in a variety of
ways even if critical devices are under high-security. There still
occur cases where attackers have impersonated maintenance workers to
gain physical access to critical devices that have caused major
outages and privacy compromises. Insider attacks from authorized
personnel also pose a real threat and must be adequately recognized
and dealt with.
2.1.2. Security Practices
For physical device security, equipment is kept in highly restrictive
environments. Only authorized users with card key badges have access
to any of the physical locations that contain critical network
infrastructure devices. These card-key systems keep track of who
Kaeo Expires December 27, 2006 [Page 9]
Internet-Draft OPSEC Practices June 2006
accessed which location and at what time.
All console access is always password protected and the login time is
set to time out after a specified amount of inactivity - typically
between 3-10 minutes. Individual users are authentication to get
basic access. For privileged (i.e. enable) access, a second
authentication step needs to be completed. Typically all console
access is provided via an out-of-band (OOB) management infrastructure
which is discussed in the section on OOB management.
2.1.3. Security Services
The following security services are offered through the use of the
practices described in the previous section:
o User Authentication - All individuals who have access to the
physical facility are authenticated. Console access is
authenticated.
o User Authorization - An authenticated individual has implicit
authorization to perform commands on the device. Console access
is usually granted via at least two privilege levels:
authorization for performing a basic set of commands vs
authorization for performing all commands.
o Data Origin Authentication - Not applicable
o Access Control - Not applicable
o Data Integrity - Not applicable
o Data Confidentiality - Not applicable
o Auditing / Logging - All access to the physical locations of the
infrastructure equipment is logged via electronic card-key
systems. All console access is logged (refer to the OOB
management section for more details)
o DoS Mitigation - Not applicable
2.1.4. Additional Considerations
Physical security is relevant to operational security practices as
described in this document mostly from a console access perspective.
Most ISPs provide console access via an OOB management infrastructure
which is discussed in the OOB management section of this document.
Kaeo Expires December 27, 2006 [Page 10]
Internet-Draft OPSEC Practices June 2006
The physical and logical authentication and logging systems should be
run independently of each other and reside in different physical
locations. These systems need to be secured to ensure that they
themselves will not be compromised which could give the intruder
valuable authentication and logging information.
Social engineering plays a big role in many physical access
compromises. Most ISPs have set up training classes and awareness
programs to educate company personnel to deny physical access to
people who are not properly authenticated or authorized to have
physical access to critical infrastructure devices.
2.2. Device In-Band Management
In-band management is generally considered to be device access where
the control traffic takes the same data path as the data which
traverses the network. In many environments, device management for
layer 2 and layer 3 infrastructure devices is deployed as part of an
out-of-band management infrastructure although there are some
instances where it is deployed in-band as well. Presently, the
mechanisms used for in-band management are via virtual terminal
access (i.e. Telnet or SSH), SNMP, or HTTP. In all large ISPs that
were interviewed, HTTP management is never used and is explicitly
disabled. Note that file transfer protocols (TFTP, FTP, SCP) will be
covered in the 'Software Upgrades and Configuration Integrity/
Validation' section.
2.2.1. Threats / Attacks
For in-band device management, passive attacks are possible if
someone has the capability to intercept data between the management
device and the managed device. The threat is possible if a single
infrastructure device is somehow compromised and can act as a network
sniffer or if it is possible to insert a new device which acts as a
network sniffer.
Active attacks are possible for both on-path and off-path scenarios.
For on-path active attacks, the situation is the same as for a
passive attack, where either a device has to already be compromised
or a device can be inserted into the path. For off-path active
attacks, the attack is generally limited to message insertion or
modification.
2.2.1.1. Confidentiality Violations
Confidentiality violations can occur when a miscreant intercepts
confidential data that has been sent in cleartext. This includes
interception of usernames and passwords with which an intruder can
Kaeo Expires December 27, 2006 [Page 11]
Internet-Draft OPSEC Practices June 2006
obtain unauthorized access to network devices. It can also include
other information such as logging or configuration information if an
administrator is remotely viewing local logfiles or configuration
information.
2.2.1.2. Offline Cryptographic Attacks
If username/password information was encrypted but the cryptographic
mechanism used made it easy to capture data and break the encryption
key, the device management traffic could be compromised. The traffic
would need to be captured either by eavesdropping on the network or
by being able to divert traffic to a malicious user.
2.2.1.3. Replay Attacks
For a replay attack to be successful, in-band management traffic
would need to first be captured either on-path or diverted to an
attacker to later be replayed to the intended recipient.
2.2.1.4. Message Insertion/Deletion/Modification
Data can be manipulated by someone in control of intermediary hosts.
Forging data is also possible with IP spoofing, where a remote host
sends out packets which appear to come from another, trusted host.
2.2.1.5. Man-In-The-Middle
A man-in-the-middle attack attacks the identity of a communicating
peer rather than the data stream itself. The attacker intercepts
traffic that is sent from an in-band management system to the
networking infrastructure device and traffic that is sent from the
network infrastructure device to the in-band management system.
2.2.2. Security Practices
All in-band management access to layer 2 and layer 3 devices is
authenticated. The user authentication and authorization is
typically controlled by a AAA server (i.e. RADIUS and/or TACACS+).
Credentials used to determine the identity of the user vary from
static username/password to one-time username/password scheme such as
Secure-ID. Static username/passwords are expired after a specified
period of time, usually 30 days. Every authenticated entity via AAA
is an individual user for greater granularity of control. In some
deployments, the AAA servers used for in-band management
authentication/authorization/accounting are on separate out-of-band
networks to provide a demarcation for any other authentication
functions.
Kaeo Expires December 27, 2006 [Page 12]
Internet-Draft OPSEC Practices June 2006
For backup purposes, there is often a single local database entry for
authentication which is known to a very limited set of key personnel.
It is usually the highest privilege level username/password
combination, which in most cases is the same across all devices.
This local device password is routinely regenerated once every 2-3
months and is also regenerated immediately after an employee who had
access to that password leaves the company or is no longer authorized
to have knowledge of that password.
Each individual user in the AAA database is configured with specific
authorization capability. Specific commands are either individually
denied or permitted depending on the capability of the device to be
accessed. Multiple privilege levels are deployed. Most individuals
are authorized with basic authorization to perform a minimal set of
commands while a subset of individuals are authorized to perform more
privileged commands. Securing the AAA server is imperative and
access to the AAA server itself is strictly controlled. When an
individual leaves the company, his/her AAA account is immediately
deleted and the TACACS/RADIUS shared secret is reset for all devices.
SSH is always used for virtual terminal access to provide for an
encrypted communication channel. There are exceptions due to
equipment limitations which are described in the additional
considerations section.
If SNMP is used for in-band management, it is for read queries only
and restricted to specific hosts. If possible, the view is also
restricted to only send the information that the management station
needs rather than expose the entire configuration file with the read-
only SNMP community. The community strings are carefully chosen to
be difficult to crack and there are procedures in place to change
these community strings between 30-90 days. If systems support two
SNMP community strings, the old string is replaced by first
configuring a second newer community string and then migrating over
from the currently used string to the newer one. Most large ISPs
have multiple SNMP systems accessing their routers so it takes more
then one maintenance period to get all the strings fixed in all the
right systems. SNMP RW is not used and disabled by configuration.
Access control is strictly enforced for infrastructure devices by
using stringent filtering rules. A limited set of IP addresses are
allowed to initiate connections to the infrastructure devices and are
specific to the services which they are to limited to (i.e. SSH and
SNMP).
All in-band device management access is audited and any violations
trigger alarms which initiate automated email, pager and/or telephone
notifications. AAA servers keeps track of the authenticated entity
Kaeo Expires December 27, 2006 [Page 13]
Internet-Draft OPSEC Practices June 2006
as well as all the commands that were carried out on a specific
device. Additionally, the device itself logs any access control
violations (i.e. if an SSH request comes in from an IP address which
is not explicitly permitted, that event is logged so that the
offending IP address can be tracked down and investigations made as
to why it was trying to access a particular infrastructure device)
2.2.3. Security Services
The following security services are offered through the use of the
practices described in the previous section:
o User Authentication - All individuals are authenticated via AAA
services.
o User Authorization - All individuals are authorized via AAA
services to perform specific operations once successfully
authenticated.
o Data Origin Authentication - Management traffic is strictly
filtered to allow only specific IP addresses to have access to the
infrastructure devices. This does not alleviate risk from spoofed
traffic. Using SSH for device access ensures that noone can spoof
the traffic during the SSH session.
o Access Control - In-band management traffic is filtered to allow
only specific IP addresses to have access to the infrastructure
devices.
o Data Integrity - Using SSH provides data integrity and ensures
that no one has altered the management data in transit.
o Data Confidentiality - Using SSH provides data confidentiality.
o Auditing / Logging - Using AAA provides an audit trail for who
accessed which device and which operations were performed.
o DoS Mitigation - Using packet filters to allow only specific IP
addresses to have access to the infrastructure devices. This
limits but does not prevent spoofed DoS attacks directed at an
infrastructure device. Often OOB management is used to lower that
risk.
2.2.4. Additional Considerations
Password selection for any in-band device management protocol used is
critical to ensure that the passwords are hard to guess or break
Kaeo Expires December 27, 2006 [Page 14]
Internet-Draft OPSEC Practices June 2006
using a brute-force attack.
IPsec is considered too difficult to deploy and the common protocol
to provide for confidential in-band management access is SSH. There
are exceptions for using SSH due to equipment limitations since SSH
may not be supported on legacy equipment. Also, in the case where
the SSH key is stored on a route processor card, a re-keying of SSH
would be required whenever the route processor card needs to be
swapped. Some providers feel that this operational impact exceeds
the security necessary and instead use Telnet from trusted inside
hosts (called 'jumphosts' or 'bastion hosts') to manage those
devices. An individual would first SSH to the jumphost and then
Telnet from the jumphost to the actual infrastructure device, fully
understanding that any passwords will be sent in the clear between
the jumphost and the device it is connecting to. All authentication
and authorization is still carried out using AAA servers.
In instances where Telnet access is used, the logs on the AAA servers
are more verbose and more attention is paid to them to detect any
abnormal behavior. The jumphosts themselves are carefully controlled
machines and usually have limited access. Note that Telent is NEVER
allowed to an infrastructure device except from specific jumphosts;
i.e. packet filters are used to ensure that Telnet is only allowed
from specific IP addresses.
With thousands of devices to manage, some ISPs have created automated
mechanisms to authenticate to devices. Kerberos is used to automate
the authentication process. An individual would first log in to a
Kerberized UNIX server using SSH and generate a Kerberos 'ticket'.
This 'ticket' is generally set to have a lifespan of 10 hours and is
used to automatically authenticate the individual to the
infrastructure devices.
In instances where SNMP is used, some legacy devices only support
SNMPv1 which then requires the provider to mandate its use across all
infrastructure devices for operational simplicity. SNMPv2 is
primarily deployed since it is easier to set up than v3.
2.3. Device Out-of-Band Management
Out-of-band management is generally considered to be device access
where the control traffic takes a separate path as the data which
traverses the network. Console access is always architected via an
OOB network. SNMP management is also usually carried out via that
same OOB network infrastructure. Note that many of the security
concerns and practices are the same for OOB management and in-band
management. Most ISPs prefer an OOB management system since access
to the devices which make up this management network are more
Kaeo Expires December 27, 2006 [Page 15]
Internet-Draft OPSEC Practices June 2006
vigilantly protected and considered to be less susceptible to
malicious activity.
2.3.1. Threats / Attacks
For OOB device management, passive attacks are possible if someone
has the capability to intercept data between the management device
and the managed device. The threat is possible if a single
infrastructure device is somehow compromised and can act as a network
sniffer or if it is possible to insert a new device which acts as a
network sniffer.
Active attacks are possible for both on-path and off-path scenarios.
For on-path active attacks, the situation is the same as for a
passive attack, where either a device has to already be compromised
or a device can be inserted into the path. For off-path active
attacks, the attack is generally limited to message insertion or
modification.
2.3.1.1. Confidentiality Violations
Confidentiality violations can occur when a miscreant intercepts any
of the OOB management data that has been sent in cleartext. This
includes interception of usernames and passwords with which an
intruder can obtain unauthorized access to network devices. It can
also include other information such as logging or configuration
information if an administrator is remotely viewing local logfiles or
configuration information.
2.3.1.2. Offline Cryptographic Attacks
If username/password information was encrypted but the cryptographic
mechanism used made it easy to capture data and break the encryption
key, the OOB management traffic could be compromised. The traffic
would need to be captured either by eavesdropping on the network or
by being able to divert traffic to a malicious user.
2.3.1.3. Replay Attacks
For a replay attack to be successful, the OOB management traffic
would need to first be captured either on-path or diverted to an
attacker to later be replayed to the intended recipient.
2.3.1.4. Message Insertion/Deletion/Modification
Data can be manipulated by someone in control of intermediary hosts.
Forging data is also possible with IP spoofing, where a remote host
sends out packets which appear to come from another, trusted host.
Kaeo Expires December 27, 2006 [Page 16]
Internet-Draft OPSEC Practices June 2006
2.3.1.5. Man-In-The-Middle
A man-in-the-middle attack attacks the identity of a communicating
peer rather than the data stream itself. The attacker intercepts
traffic that is sent from an OOB management system to the networking
infrastructure device and traffic that is sent from the network
infrastructure device to the OOB management system.
2.3.2. Security Practices
OOB is done via a terminal server at each location. SSH access is
used to get to the terminal server from where sessions to the devices
are initiated. Dial-in access is deployed as a backup if the network
is not available however, it is common to use dial-back, encrypting
modems and/or one-time-password (OTP) modems to avoid the security
weaknesses of plain dial-in access.
All OOB management access to layer 2 and layer 3 devices is
authenticated. The user authentication and authorization is
typically controlled by a AAA server (i.e. RADIUS and/or TACACS+).
Credentials used to determine the identity of the user vary from
static username/password to one-time username/password scheme such as
Secure-ID. Static username/passwords are expired after a specified
period of time, usually 30 days. Every authenticated entity via AAA
is an individual user for greater granularity of control. Note that
often the AAA server used for OOB management authentication is a
separate physical device from the AAA server used for in-band
management user authentication.
For backup purposes, there is often a single local database entry for
authentication which is known to a very limited set of key personnel.
It is usually the highest privilege level username/password
combination, which in most cases is the same across all devices.
This local device password is routinely regenerated once every 2-3
months and is also regenerated immediately after an employee who had
access to that password leaves the company or is no longer authorized
to have knowledge of that password.
Each individual user in the AAA database is configured with specific
authorization capability. Specific commands are either individually
denied or permitted depending on the capability of the device to be
accessed. Multiple privilege levels are deployed. Most individuals
are authorized with basic authorization to perform a minimal set of
commands while a subset of individuals are authorized to perform more
privileged commands.
Some OOB management functions are performed using command line
interface (CLI) scripting. In these scenarios, a dedicated user is
Kaeo Expires December 27, 2006 [Page 17]
Internet-Draft OPSEC Practices June 2006
used for the identity in scripts that perform CLI scripting. Once
authenticated, these scripts control which commands are legitimate
depending on authorization rights of the authenticated individual.
SSH is always used for virtual terminal access to provide for an
encrypted communication channel. There are exceptions due to
equipment limitations which are described in the additional
considerations section.
If SNMP is used for OOB management, it is for read queries only and
restricted to specific hosts. The community strings are carefully
chosen to be difficult to crack and there are procedures in place to
change these community strings between 30-90 days. If systems
support two SNMP strings, a second new string is set and then migrate
over from the 1st to the 2nd. Most large ISPs have multiple SNMP
systems accessing their routers so it takes more then one maintenance
period to get all the strings fixed in all the right systems. SNMP
RW is not used and disabled by configuration.
Access control is strictly enforced for infrastructure devices by
using stringent filtering rules. A limited set of IP addresses are
allowed to initiate connections to the infrastructure devices and are
specific to the services which they are to limited to (i.e. SSH and
SNMP).
All OOB device management access is audited. The AAA server keeps
track of the authenticated entity as well as all the commands that
were carried out on a specific device. Additionally, the device
itself logs any access control violations (i.e. if an SSH request
comes in from an IP address which is not explicitly permitted, that
event is logged so that the offending IP address can be tracked down
and investigations made as to why it was trying to access a
particular infrastructure device)
2.3.3. Security Services
The security services offered for device OOB management are nearly
identical to those of device in-band management. Due to the critical
nature of controlling and limiting device access, many ISPs feel that
physically separating the management traffic from the normal customer
data traffic will provide an added level of risk mitigation and limit
the potential attack vectors. For OOB management, the security
services offered through the use of the practices described in the
previous section are:
o User Authentication - All individuals are authenticated via AAA
services.
Kaeo Expires December 27, 2006 [Page 18]
Internet-Draft OPSEC Practices June 2006
o User Authorization - All individuals are authorized via AAA
services to perform specific operations once successfully
authenticated.
o Data Origin Authentication - Management traffic is strictly
filtered to allow only specific IP addresses to have access to the
infrastructure devices. This does not alleviate risk from spoofed
traffic. Using SSH for device access ensures that noone can spoof
the traffic during the SSH session.
o Access Control - In-band management traffic is filtered to allow
only specific IP addresses to have access to the infrastructure
devices.
o Data Integrity - Using SSH provides data integrity and ensures
that noone has altered the management data in transit.
o Data Confidentiality - Using SSH provides data confidentiality.
o Auditing / Logging - Using AAA provides an audit trail for who
accessed which device and which operations were performed.
o DoS Mitigation - Using packet filters to allow only specific IP
addresses to have access to the infrastructure devices. This
limits but does not prevent spoofed DoS attacks directed at an
infrastructure device. However, the risk is lowered by using a
separate physical network for management purposes.
2.3.4. Additional Considerations
Password selection for any OOB device management protocol used is
critical to ensure that the passwords are hard to guess or break
using a brute-force attack.
IPsec is considered too difficult to deploy and the common protocol
to provide for confidential OOB management access is SSH. There are
exceptions for using SSH due to equipment limitations since SSH may
not be supported on legacy equipment. In some cases changing the
hostname of a device requires an SSH rekey event since the key is
based on some combination of host name, MAC address and time. Also,
in the case where the SSH key is stored on a route processor card, a
re-keying of SSH would be required whenever the route processor card
needs to be swapped. Some providers feel that some of these
operational impacts exceed the security necessary and instead use
Telnet from trusted inside hosts (called 'jumphosts') to manage those
device. An individual would first SSH to the jumphost and then
Telnet from the jumphost to the terminal server before logging in to
the device console. All authentication and authorization is still
Kaeo Expires December 27, 2006 [Page 19]
Internet-Draft OPSEC Practices June 2006
carried out using AAA servers.
In instances where Telnet access is used, the logs on the AAA servers
are more verbose and more attention is paid to them to detect any
abnormal behavior. The jumphosts themselves are carefully controlled
machines and usually have limited access. Note that Telent is NEVER
allowed to an infrastructure device except from specific jumphosts;
i.e. packet filters are used at the console server and/or
infrastructure device to ensure that Telnet is only allowed from
specific IP addresses.
In instances where SNMP is used, some legacy devices only support
SNMPv1 which then requires the provider to mandate its use across all
infrastructure devices for operational simplicity. SNMPv2 is
primarily deployed since it is easier to set up than v3.
2.4. Data Path
This section refers to how traffic is handled which traverses the
network infrastructure device. The primary goal of ISPs is to
forward customer traffic. However, due to the large amount of
malicious traffic that can cause DoS attacks and render the network
unavailable, specific measures are sometimes deployed to ensure the
availability to forward legitimate customer traffic.
2.4.1. Threats / Attacks
Any data traffic can potentially be attack traffic and the challenge
is to detect and potentially stop forwarding any of the malicious
traffic. The deliberately sourced attack traffic can consist of
packets with spoofed source and/or destination addresses or any other
malformed packet which mangle any portion of a header field to cause
protocol-related security issues (such as resetting connections,
causing unwelcome ICPM redirects, creating unwelcome IP options or
packet fragmentations).
2.4.2. Security Practices
Filtering and rate limiting are the primary mechanism to provide risk
mitigation of malicious traffic rendering the ISP services
unavailable. However, filtering and rate limiting of data path
traffic is deployed in a variety of ways depending on how automated
the process is and what the capabilities and performance limitations
of existing deployed hardware are.
The ISPs which do not have performance issues with their equipment
follow BCP38 [BCP38] and BCP84 [BCP84] guidelines. Null routes and
black-hole triggered routing [BHTR] are used to deter any detected
Kaeo Expires December 27, 2006 [Page 20]
Internet-Draft OPSEC Practices June 2006
malicious traffic streams. Most ISPs consider layer 4 filtering
useful but it is only implemented if performance limitations allow
for it. Layer 4 filtering is typically only when no other option
exists since it does pose a large administrative overhead and ISPs
are very much opposed to acting as the Internet firewall. Netflow is
used for tracking traffic flows but there is some concern whether
sampling is good enough to detect malicious behavior.
Unicast RPF is not consistently implemented. Some ISPs are in
process of doing so while other ISPs think that the perceived benefit
of knowing that spoofed traffic comes from legitimate addresses are
not worth the operational complexity. Some providers have a policy
of implementing uRPF at link speeds of DS3 and below.
2.4.3. Security Services
o User Authentication - Not applicable
o User Authorization - Not applicable
o Data Origin Authentication - When IP address filtering per BCP38
and uRPF are deployed at network edges it can ensure that any
spoofed traffic comes from at least a legitimate IP address and
can be tracked.
o Access Control - IP address filtering and layer 4 filtering is
used to deny forbidden protocols and limit traffic destined for
infrastructure device itself.
o Data Integrity - Not applicable
o Data Confidentiality - Not applicable
o Auditing / Logging - Filtering exceptions are logged for potential
attack traffic.
o DoS Mitigation - Black-hole triggered filtering and rate-limiting
are used to limit the risk of DoS attacks.
2.4.4. Additional Considerations
For layer 2 devices, MAC address filtering and authentication is not
used. This is due to the problems it can cause when troubleshooting
networking issues. Port security becomes unmanageable at a large
scale where 1000s of switches are deployed.
Rate limiting is used by some ISPs although other ISPs believe it is
Kaeo Expires December 27, 2006 [Page 21]
Internet-Draft OPSEC Practices June 2006
not really useful since attackers are not well behaved and it doesn't
provide any operational benefit over the complexity. Some ISPs feel
that rate limiting can also make an attacker's job easier by
requiring the attacker to send less traffic to starve legitimate
traffic that is part of a rate limiting scheme. Rate limiting may be
improved by developing flow-based rate-limiting capabilities with
filtering hooks. This would improve the performance as well as the
granularity over current capabilities.
Lack of consistency regarding the ability to filter, especially with
respect to performance issues cause some ISPs to not implement BCP38
guidelines for ingress filtering. One such example is at edge boxes
where you have up to 1000 T1's connecting into a router with an OC-12
uplink. Some deployed devices experience a large performance impact
with filtering which is unacceptable for passing customer traffic
through. Where performance is not an issue, the ISPs make a tradeoff
between management versus risk.
2.5. Routing Control Plane
The routing control plane deals with all the traffic which is part of
establishing and maintaining routing protocol information.
2.5.1. Threats / Attacks
Attacks on the routing control plane can be both from passive or
active sources. Passive attacks are possible if someone has the
capability to intercept data between the communicating routing peers.
This can be accomplished if a single routing peer is somehow
compromised and can act as a network sniffer or if it is possible to
insert a new device which acts as a network sniffer.
Active attacks are possible for both on-path and off-path scenarios.
For on-path active attacks, the situation is the same as for a
passive attack, where either a device has to already be compromised
or a device can be inserted into the path. This may lead to an
attacker impersonating a legitimate routing peer and exchanging
routing information. Unintentional active attacks are more common
due to configuration errors, which cause legitimate routing peers to
feed invalid routing information to other neighboring peers.
For off-path active attacks, the attacks are generally limited to
message insertion or modification which can divert traffic to
illegitimate destinations and cause traffic to never reach its
intended destination.
Kaeo Expires December 27, 2006 [Page 22]
Internet-Draft OPSEC Practices June 2006
2.5.2. Confidentiality Violations
Confidentiality violations can occur when a miscreant intercepts any
of the routing update traffic. This is becoming more of a concern
because many ISPs are classifying addressing schemes and network
topologies as private and proprietary information. It is also a
concern because the routing protocol packets contain information that
may show ways in which routing sessions could be spoofed or hijacked.
This in turn could lead into a man-in-the-middle attack where the
miscreants can insert themselves into the traffic path or divert the
traffic path and violate the confidentiality of user data.
2.5.3. Offline Cryptographic Attacks
If any cryptographic mechanism was used to provide for data integrity
and confidentiality, an offline cryptographic attack could
potentially compromise the data. The traffic would need to be
captured either by eavesdropping on the network or by being able to
divert traffic to a malicious user. Note that by using
cryptographically protected routing information, the latter would
require the cryptographic key to already be compromised anyway so
this attack is only feasible if a device was able eavesdrop and
capture the cryptographically protected routing information.
2.5.4. Replay Attacks
For a replay attack to be successful, the routing control plane
traffic would need to first be captured either on-path or diverted to
an attacker to later be replayed to the intended recipient.
2.5.5. Message Insertion/Deletion/Modification
Routing control plane traffic can be manipulated by someone in
control of intermediate hosts. In addition, traffic can be injected
by forging IP addresses, where a remote router sends out packets
which appear to come from another, trusted router. If enough traffic
is injected to be processed by limited memory routers it can cause a
DoS attack.
2.5.6. Man-In-The-Middle
A man-in-the-middle attack attacks the identity of a communicating
peer rather than the data stream itself. The attacker intercepts
traffic that is sent from one routing peer to the other and
communicates on behalf of one of the peers. This can lead to
diversion of the user traffic to either an unauthorized receiving
party or cause legitimate traffic to never reach its intended
destination.
Kaeo Expires December 27, 2006 [Page 23]
Internet-Draft OPSEC Practices June 2006
2.5.7. Security Practices
Securing the routing control plane takes many features which are
generally deployed as a system. MD5 authentication is used by some
ISPs to validate the sending peer and to ensure that the data in
transit has not been altered. Some ISPs only deploy MD5
authentication at customer's request. Additional sanity checks to
ensure with reasonable certainty that the received routing update was
originated by a valid routing peer include route filters and the
Generalized TTL Security Mechanism (GTSM) feature [GTSM] (sometimes
also referred to as the TTL-Hack). Note that validating whether a
legitimate peer has the authority to send the contents of the routing
update is a difficult problem that needs yet to be resolved.
In the case of BGP routing, a variety of policies are deployed to
limit the propagation of invalid routing information. These include:
incoming and outgoing prefix filters for BGP customers, incoming and
outgoing prefix filters for peers and upstream neighbors, incoming
AS-PATH filter for BGP customers, outgoing AS-PATH filter towards
peers and upstream neighbors, route dampening and rejecting selected
attributes and communities. Consistency between these policies
varies greatly although there is a trend to start depending on AS-
PATH filters because they are much more manageable than the large
numbers of prefix filters that would need to be maintained. Many
ISPs also do not propagate interface IP addresses to further reduce
attack vectors on routers and connected customers.
2.5.8. Security Services
o User Authentication - Not applicable
o User Authorization - Not applicable
o Data Origin Authentication - By using MD5 authentication and/or
the TTL-hack a routing peer can be reasonably certain that traffic
originated from a valid peer.
o Access Control - Route filters, AS-PATH filters and prefix limits
are used to control access to specific parts of the network.
o Data Integrity - By using MD5 authentication a peer can be
reasonably certain that the data has not been modified in transit
but there is no mechanism to prove the validity of the routing
information itself.
o Data Confidentiality - Not implemented
Kaeo Expires December 27, 2006 [Page 24]
Internet-Draft OPSEC Practices June 2006
o Auditing / Logging - Filter exceptions are logged.
o DoS Mitigation - Many DoS attacks are mitigated using a
combination of techniques including: MD5 authentication, the GTSM
feature, filtering routing advertisements to bogons and filtering
routing advertisements to one's own network.
2.5.9. Additional Considerations
So far the primary concern to secure the routing control plane has
been to validate the sending peer and to ensure that the data in
transit has not been altered. Although MD5 routing protocol
extensions have been implemented which can provide both services,
they are not consistently deployed amongst ISPs. Two major
deployment concerns have been implementation issues where both
software bugs and the lack of graceful re-keying options have caused
significant network down times. Also, some ISPs express concern that
deploying MD5 authentication will itself be a worse DoS attack victim
and prefer to use a combination of other risk mitigation mechanisms
such as GTSM and route filters.
Route filters are used to limit what routes are believed from a valid
peer. Packet filters are used to limit which systems can appear as a
valid peer. Due to the operational constraints of maintaining large
prefix filter lists, many ISPs are starting to depend on BGP AS-PATH
filters to/from their peers and upstream neighbors. Additionally,
some large ISPs require that routes be registered in an Internet
Routing Registry [IRR] which can then be part of the RADB - a public
registry of routing information for networks in the Internet that can
be used to generate filter lists. Some ISPs, especially in europe,
require registered routes before agreeing to become an eBGP peer with
someone.
IPsec is not deployed since the operational management aspects of
ensuring interoperability and reliable configurations is too complex
and time consuming to be operationally viable. There is also limited
concern to the confidentiality of the routing information. The
integrity and validity of the updates are of much greater concern.
There is concern for manual or automated actions which introduce new
routes and can affect the entire routing domain.
2.6. Software Upgrades and Configuration Integrity / Validation
Software upgrades and configuration changes are usually performed as
part of either in-band or OOB management functions. However, there
are additional considerations to be taken into account which are
enumerated in this section.
Kaeo Expires December 27, 2006 [Page 25]
Internet-Draft OPSEC Practices June 2006
2.6.1. Threats / Attacks
Attacks performed on system software and configurations can be both
from passive or active sources. Passive attacks are possible if
someone has the capability to intercept data between the network
infrastructure device and the system which is downloading or
uploading the software or configuration information. This can be
accomplished if a single infrastructure device is somehow compromised
and can act as a network sniffer or if it is possible to insert a new
device which acts as a network sniffer.
Active attacks are possible for both on-path and off-path scenarios.
For on-path active attacks, the situation is the same as for a
passive attack, where either a device has to already be compromised
or a device can be inserted into the path. For off-path active
attacks, the attacks are generally limited to message insertion or
modification where the attacker may wish to load illegal software or
configuration files to an infrastructure device.
2.6.2. Confidentiality Violations
Confidentiality violations can occur when a miscreant intercepts any
of the software image or configuration information. The software
image may give an indication of exploits which the device is
vulnerable to while the configuration information can inadvertently
lead attackers to identify critical infrastructure IP addresses and
passwords.
2.6.3. Offline Cryptographic Attacks
If any cryptographic mechanism was used to provide for data integrity
and confidentiality, an offline cryptographic attack could
potentially compromise the data. The traffic would need to be
captured either by eavesdropping on the network or by being able to
divert traffic to a malicious user.
2.6.4. Replay Attacks
For a replay attack to be successful, the software image or
configuration file would need to first be captured either on-path or
diverted to an attacker to later be replayed to the intended
recipient.
2.6.5. Message Insertion/Deletion/Modification
Software images and configuration files can be manipulated by someone
in control of intermediate hosts. By forging an IP address and
impersonating a valid host which can download software images or
Kaeo Expires December 27, 2006 [Page 26]
Internet-Draft OPSEC Practices June 2006
configuration files, invalid files can be downloaded to an
infrastructure device. An invalid software image or configuration
file can cause a device to hang and become inoperable. Spoofed
configuration files can be hard to detect, especially when the only
added command is to allow a miscreant access to that device by
entering a filter allowing a specific host access and configuring a
local username/password database entry for authentication to that
device.
2.6.6. Man-In-The-Middle
A man-in-the-middle attack attacks the identity of a communicating
peer rather than the data stream itself. The attacker intercepts
traffic that is sent between the infrastructure device and the host
used to upload/download the system image or configuration file. He/
she can then act on behalf of one or both of these systems.
If an attacker obtained a copy of the software image being deployed,
he could potentially exploit a known vulnerability and gain access to
the system. From a captured configuration file, he could obtain
confidential network topology information or even more damaging
information if any of the passwords in the configuration file were
not encrypted.
2.6.7. Security Practices
Images and configurations are stored on specific hosts which have
limited access. All access and activity relating to these hosts are
authenticated and logged via AAA services. When uploaded/downloading
any system software or configuration files, either TFTP, FTP or SCP
can be used. Where possible, SCP is used to secure the data transfer
and FTP is generally never used. All SCP access is username/password
authenticated but since this requires an interactive shell, most ISPs
will use shared key authentication to avoid the interactive shell.
While TFTP access does not have any security measures, it is still
widely used especially in OOB management scenarios. Some ISPs
implement IP-based restriction on the TFTP server while some custom
written TFTP servers will support MAC-based authentication. The MAC-
based authentication is more common when using TFTP to bootstrap
routers remotely using TFTP.
In most environments scripts are used for maintaining the images and
configurations of a large number of routers. To ensure the integrity
of the configurations, every hour the configuration files are polled
and compared to the previously polled version to find discrepancies.
In at least one environment these tools are Kerberized to take
advantage of automated authentication (not confidentiality).
Kaeo Expires December 27, 2006 [Page 27]
Internet-Draft OPSEC Practices June 2006
Filters are used to limit access to uploading/downloading
configuration files and system images to specific IP addresses and
protocols.
The software images perform CRC-checks and the system binaries use
the MD5 algorithm to validate integrity. Many ISPs expressed
interest in having software image integrity validation based on the
MD5 algorithm for enhanced security.
In all configuration files, most passwords are stored in an
obfuscated format. This includes passwords for user authentication,
MD5 shared secrets, AAA server shared secrets, NTP shared secrets,
etc. For older software which may not support this functionality,
configuration files may contain some passwords in readable format.
Most ISPs mitigate any risk of password compromise by either storing
these configuration files without the password lines or by requiring
authenticated and authorized access to the configuration files which
are stored on protected OOB management devices.
Automated security validation is performed on infrastructure devices
using nmap and nessus to ensure valid configuration against many of
the well-known attacks.
2.6.8. Security Services
o User Authentication - All users are authenticated before being
able to download/upload any system images or configuration files.
o User Authorization - All authenticated users are granted specific
privileges to download or upload system images and/or
configuration files.
o Data Origin Authentication - Filters are used to limit access to
uploading/downloading configuration files and system images to
specific IP addresses.
o Access Control - Filters are used to limit access to uploading/
downloading configuration files and system images to specific IP
addresses and protocols.
o Data Integrity - All systems use either a CRC-check or MD5
authentication to ensure data integrity.
o Data Confidentiality - If the SCP protocol is used then there is
confidentiality of the downloaded/uploaded configuration files and
system images.
Kaeo Expires December 27, 2006 [Page 28]
Internet-Draft OPSEC Practices June 2006
o Auditing / Logging - All access and activity relating to
downloading/uploading system images and configuration files are
logged via AAA services and filter exception rules.
o DoS Mitigation - TBD
2.6.9. Additional Considerations
Where the MD5 algorithm is not used to perform data integrity
checking of software images and configuration files, ISPs have
expressed an interest in having this functionality. IPsec is
considered too cumbersome and operationally difficult to use for data
integrity and confidentiality.
2.7. Logging Considerations
Although logging is part of all the previous sections, it is
important enough to be covered as a separate item. The main issues
revolve around what gets logged, how long are logs kept and what
mechanisms are used to secure the logged information while it is in
transit and while it is stored.
2.7.1. Threats / Attacks
Attacks on the logged data can be both from passive or active
sources. Passive attacks are possible if someone has the capability
to intercept data between the recipient logging server and the device
the logged data originated from. This can be accomplished if a
single infrastructure device is somehow compromised and can act as a
network sniffer or if it is possible to insert a new device which
acts as a network sniffer.
Active attacks are possible for both on-path and off-path scenarios.
For on-path active attacks, the situation is the same as for a
passive attack, where either a device has to already be compromised
or a device can be inserted into the path. For off-path active
attacks, the attacks are generally limited to message insertion or
modification which can alter the logged data to keep any compromise
from being detected or to destroy any evidence which could be used
for criminal prosecution.
2.7.1.1. Confidentiality Violations
Confidentiality violations can occur when a miscreant intercepts any
of the logging data which is in transit on the network. This could
lead to privacy violations if some of the logged data has not been
sanitized to disallow any data that could be a violation of privacy
to be included in the logged data.
Kaeo Expires December 27, 2006 [Page 29]
Internet-Draft OPSEC Practices June 2006
2.7.1.2. Offline Cryptographic Attacks
If any cryptographic mechanism was used to provide for data integrity
and confidentiality, an offline cryptographic attack could
potentially compromise the data. The traffic would need to be
captured either by eavesdropping on the network or by being able to
divert traffic to a malicious user.
2.7.1.3. Replay Attacks
For a replay attack to be successful, the logging data would need to
first be captured either on-path or diverted to an attacker and later
replayed to the recipient. [is reply handled by syslog protocol?]
2.7.1.4. Message Insertion/Deletion/Modification
Logging data could be injected, deleted or modified by someone in
control of intermediate hosts. Logging data can also be injected by
forging packets from either legitimate or illegitimate IP addresses.
2.7.1.5. Man-In-The-Middle
A man-in-the-middle attack attacks the identity of a communicating
peer rather than the data stream itself. The attacker intercepts
traffic that is sent between the infrastructure device and the
logging server or traffic sent between the logging server and the
database which is used to archive the logged data. Any unauthorized
access to logging information could lead to knowledge of private and
proprietary network topology information which could be used to
compromise portions of the network. An additional concern is having
access to logging information which could be deleted or modified so
as to cover any traces of a security breach.
2.7.2. Security Practices
Logging is mostly performed on an exception auditing basis when it
comes to filtering (i.e. traffic which is NOT allowed is logged).
This is to assure that the logging servers are not overwhelmed with
data which would render most logs unusable. Typically the data
logged will contain the source and destination IP addresses and layer
4 port numbers as well as a timestamp. The syslog protocol is used
to transfer the logged data between the infrastructure device to the
syslog server. Many ISPs use the OOB management network to transfer
syslog data since there is virtually no security performed between
the syslog server and the device. All ISPs have multiple syslog
servers - some ISPs choose to use separate syslog servers for varying
infrastructure devices (i.e. one syslog server for backbone routers,
one syslog server for customer edge routers, etc.)
Kaeo Expires December 27, 2006 [Page 30]
Internet-Draft OPSEC Practices June 2006
The timestamp is derived from NTP which is generally configured as a
flat hierarchy at stratum1 and stratum2 to have less configuration
and less maintenance. Each router is configured with one stratum1
peer both locally and remotely.
In addition to logging filtering exceptions, the following is
typically logged: Routing protocol state changes, all device access
(regardless of authentication success or failure), all commands
issued to a device, all configuration changes and all router events
(boot-up/flaps).
The main function of any of these log messages is to see what the
device is doing as well as to try and ascertain what certain
malicious attackers are trying to do. Some ISPs put in passive
devices to see routing updates and withdrawals and not rely solely on
the device for log files. This provides a backup mechanism to see
what is going on in the network in the event that a device may
'forget' to do syslog if the CPU is busy.
The logs from the various syslog server devices are generally
transferred into databases at a set interval which can be anywhere
from every 10 minutes to every hour. One ISP uses Rsync to push the
data into a database and then the information is sorted manually by
someone SSH'ing to that database.
2.7.3. Security Services
o User Authentication - Not applicable
o User Authorization - Not applicable
o Data Origin Authentication - Not implemented
o Access Control - Filtering on logging host and server IP address
to ensure that syslog information only goes to specific syslog
hosts.
o Data Integrity - Not implemented
o Data Confidentiality - Not implemented
o Auditing / Logging - This entire section deals with logging.
o DoS Mitigation - Logs are useful in providing traceback
information to potentially trace the attack to as close to the
source as possible.
Kaeo Expires December 27, 2006 [Page 31]
Internet-Draft OPSEC Practices June 2006
2.7.4. Additional Considerations
There is no security with syslog and ISPs are fully cognizant of
this. IPsec is considered too operationally expensive and cumbersome
to deploy. Syslog-ng and stunnel are being looked at for providing
better authenticated and integrity protected solutions. Mechanisms
to prevent unauthorized personnel from tampering with logs is
constrained to auditing who has access to the logging servers and
files.
ISPs expressed requirements for more than just UDP syslog.
Additionally, they would like more granular and flexible facilities
and priorities, i.e. specific logs to specific servers. Also, a
common format for reporting standard events so that they don't have
to modify parsers after each upgrade of vendor device or software.
2.8. Filtering Considerations
Although filtering has been covered under many of the previous
sections, this section will provide some more insights to the
filtering considerations that are currently being taken into account.
Filtering is now being categorized into three specific areas: data
plane, management plane and routing control plane.
2.8.1. Data Plane Filtering
Data plane filters control the traffic that traverses through a
device and affect transit traffic. Most ISPs deploy these kinds of
filters at the customer facing edge devices to mitigate spoofing
attacks.
2.8.2. Management Plane Filtering
Management filters control the traffic to and from a device. All of
the protocols which are used for device management fall under this
category and includes SSH, Telnet, SNMP, NTP, http, DNS, TFTP, FTP,
SCP and Syslog. This type of traffic is often filtered per interface
and is based on any combination of protocol, source and destination
IP address and source and destination port number. Some devices
support functionality to apply management filters to the device
rather than to the specific interfaces (e.g. receive ACL or loopback
interface ACL) which is gaining wider acceptance. Note that logging
the filtering rules can today place a burden on many systems and more
granularity is often required to more specifically log the required
exceptions.
IPv6 networks require the use of specific ICMP messages for proper
protocol operation. Therefore, ICMP cannot be completely filtered to
Kaeo Expires December 27, 2006 [Page 32]
Internet-Draft OPSEC Practices June 2006
and from a device. Instead, granular ICMPv6 filtering is always
deployed to allow for specific ICMPv6 types to be sourced or destined
to a network device.
2.8.3. Routing Control Plane Filtering
Routing filters are used to control the flow of routing information.
In IPv6 networks, some providers are liberal in accepting /48s due to
the still unresolved multihoming issues. Any announcement received
that is longer than a /48 for IPv6 routing and a /24 for IPv4 routing
is filtered out of eBGP. Note that this is for non-customer traffic.
Most ISPs will accept any agreed upon prefix length from its
customer(s).
2.9. Denial of Service Tracking / Tracing
Denial of Service attacks are an ever increasing problem and require
vast amounts of resources to combat effectively. Some large ISPs do
not concern themselves with attack streams that are less than 1G in
bandwidth - this is on the larger pipes where 1G is essentially less
than 5% of offered load. This is largely due to the large amounts of
DDoS traffic which continually requires investigation and mitigation.
At last count the number of hosts making up large distributed DoS
botnets exceeded 1 million hosts.
New techniques are continually evolving to automate the process of
detecting DoS sources and mitigating any adverse effects as quickly
as possible. At this time, ISPs are using a variety of mitigation
techniques including: sink hole routing, black-hole triggered
routing, uRPF and rate limiting. Each of these techniques will be
detailed below.
2.9.1. Sink Hole Routing
Sink hole routing refers to injecting a more specific route for any
known attack traffic which will ensure that the malicious traffic is
redirected to a valid device or specific system where it can be
analyzed.
2.9.2. Black-Hole Triggered Routing
Black-hole triggered routing is a technique where the BGP routing
protocol is used to propagate routes which in turn redirects attack
traffic to the null interface where it is effectively dropped. This
technique is often used in large routing infrastructures since BGP
can propagate the information in a fast effective manner as opposed
to using any packet-based filtering techniques on hundreds or
thousands of routers.
Kaeo Expires December 27, 2006 [Page 33]
Internet-Draft OPSEC Practices June 2006
2.9.3. Unicast Reverse Path Forwarding
Unicast Reverse Path Forwarding (uRPF) is a mechanism for validating
whether an incoming packet has a legitimate source address or not.
It has two modes: strict mode and loose mode. In strict mode, uRPF
checks whether the incoming packet has a source address that matches
a prefix in the routing table, and whether the interface expects to
receive a packet with this source address prefix. If the incoming
packet fails the unicast RPF check, the packet is not accepted on the
incoming interface. Loose mode uRPF is not as specific and the
incoming packet is accepted if there is any route in the routing
table for the source address.
uRPF is not used on interfaces that are likely to have routing
asymmetry, meaning multiple routes to the source of a packet.
Usually for ISPs, uRPF is placed at the customer edge of a network.
2.9.4. Rate Limiting
Rate limiting refers to allocating a specific amount of bandwidth or
packets per second to specific traffic types. This technique is
widely used to mitigate well-known protocol attacks such as the TCP-
SYN attack where a large number of resources get allocated for
spoofed TCP traffic. Although this technique does not stop an
attack, it can sometimes lessen the damage and impact on a specific
service. However, it can also make the impact of a DDoS attack much
worse if the rate limiting is impacting (i.e. discarding) more
legitimate traffic.
Kaeo Expires December 27, 2006 [Page 34]
Internet-Draft OPSEC Practices June 2006
3. Security Considerations
This entire document deals with current security practices in large
ISP environments. As a synopsis, a table is shown below which
summarizes the operational functions which are to be protected and
the security services which currently deployed security practices
offer: [ Table to be added ]
4. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2828] Shirey, R., "Internet Security Glossary", RFC 2828,
May 2000.
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
Text on Security Considerations", BCP 72, RFC 3552,
July 2003.
Kaeo Expires December 27, 2006 [Page 35]
Internet-Draft OPSEC Practices June 2006
Appendix A. Acknowledgments
The editor gratefully acknowledges the contributions of: George
Jones, who has been instrumental in providing guidance and direction
for this document and the insighful comments from Ross Callon, Ron
Bonica, Gaurab Upadhaya, Warren Kumari and the numerous ISP operators
who supplied the information which is depicted in this document.
Kaeo Expires December 27, 2006 [Page 36]
Internet-Draft OPSEC Practices June 2006
Appendix B. Protocol Specific Attacks
This section will enumerate many of the traditional protocol based
attacks which have been observed over the years to cause malformed
packets and/or exploit protocol deficiencies.
B.1. Layer 2 Attacks
o ARP Flooding
B.2. IPv4 Attacks
o IP Stream Option
o IP Address Spoofing
o IP Source Route Option
o IP Short header
o IP Malformed Packet
o Ip Bad Option
o Ip Address Session Limit
o Fragmenmts - too many
o Fragments - large offset
o Fragments - same offset
o Fragments - reassembly with different offsets (TearDrop Attac)
o Fragments - reassembly off by one IP header (Nestea Attack)
o Fragment - flooding only initial fragment (Rose Attack)
o IGMP oversized packet
o ICMP Source Quench
o ICMP Mask Request
o ICMP Large Packet (> 1472)
Kaeo Expires December 27, 2006 [Page 37]
Internet-Draft OPSEC Practices June 2006
o ICMP Oversized packet (>65536)
o ICMP Flood
o ICMP Broadcast w/ Spoofed Source (Smurf Attack)
o ICMP Error Packet Flood
o ICMP Spoofed Unreachable
o TCP Packet without Flag
o TCP Oversized Packet
o TCP FIN bit with no ACK bit
o TCP Packet with URG/OOB flag (Nuke Attack)
o SYN Fragments
o SYN Flood
o SYN with IP Spoofing (Land Attack)
o SYN and FIN bits set
o TCP port scan attack
o UDP spoofed broadcast echo (Fraggle Attack)
o UDP attack on diag ports (Pepsi Attack)
B.3. IPv6 Attacks
Any of the above-mentioned IPv4 attacks could be used in IPv6
networks with the exception of any fragmentation and broadcast
traffic, which operate differently in IPv6.
Today, IPv6 enabled hosts are starting to be used to create IPv6
tunnels which can effectively hide botnet and other malicious traffic
if firewalls and network flow collection tools are not capable of
detecting this traffic.
Kaeo Expires December 27, 2006 [Page 38]
Internet-Draft OPSEC Practices June 2006
Author's Address
Merike Kaeo
Double Shot Security, Inc.
3518 Fremont Avenue North #363
Seattle, WA 98103
U.S.A.
Phone: +1 310 866 0165
Email: merike@doubleshotsecurity.com
Kaeo Expires December 27, 2006 [Page 39]
Internet-Draft OPSEC Practices June 2006
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Kaeo Expires December 27, 2006 [Page 40]
Html markup produced by rfcmarkup 1.129d, available from
https://tools.ietf.org/tools/rfcmarkup/