Re: [opensuse-security] packet labeling & routing decision based on these labels
Philipp Snizek schrieb:
On Monday 16 July 2007 15:17:53 Philipp Snizek wrote:
Hi
I have this scenario:
Subnet A Hosts n ----- Gateway ----- Fileservers NFS
Hosts n: mark packets Gateway: uses mark to make routing desicion
[...]
Or how would you do it?
Thanks for your attention
Hi,
How are you using the marks? If a client can spoof the IP and MAC address, it could do so with the marks too.
Yes, it could, but then the attacker somehow has to learn what the mark looks like. If the attacker doesn't know the gateway will notice the spoofing with the first incoming packet. And thus, alerting the spoofing will not be a problem anymore. The only way I can think of would be a man-in-the-middle attack (e.g. with a notebook that has 2 interfaces set up as a linux bridge).
Which is not too difficult.
No, it isn't.
I also thought about using SECMARK with SELinux but that is too much of a pain and therefore too expensive to build. Also, I do not know whether SECMARK painted packets are painted permanently.
Securing your network from MAC or IP address spoofing may be done by configuring the switches (if they are manageble, of course) - for example by staticly assigning allowed MAC addresses on specific switch ports. If a malicious client can connect to your network and spoof a valid identity it is
This is not working! Every Script Kiddie can fake MAC-Addresses.
ACK
If you want to leave Security to the Switch use 802.1x Port based Authentication with a secure Protocol.
Yes. That would help it and also stop man in the middle at least between the switch and the Hosts n. have you got experience what performance impact 802.1x has on 1GBit/s ethernet?
already too late to secure protocols like NFS, which are not designed to be used on an insecure network.
This is the design flaw in the network that currently cannot be fixed. That is also why I'm coming up with the idea of marking the packets.
If you have control over Client and Server, why not using AFS instead of NFS? AFS supports strong authentication and _encryption_ of transported Data.
Because we use AFS and we know abouts its security features. However, experiences show that it never has been working really reliably. Imagine that Hosts n may be several hundred machines most probably mounting more than a total of 2000 NFS shares. Even NFS3 has a problem with this sort of load. We thought about using NFS4 but other colleagues made bad experiences. The last alternative would be Samba and CIFS. But that's all too much work. Philipp
Dirk
Thanks, PHilipp
--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org <mailto:opensuse-security+unsubscribe@opensuse.org> For additional commands, e-mail: opensuse-security+help@opensuse.org <mailto:opensuse-security+help@opensuse.org>
--
TRIA IT-consulting GmbH Joseph-Wild-Straße 20 81829 München Germany Tel: +49 (89) 92907-0 Fax: +49 (89) 92907-100 http://www.tria.de
Registergericht München HRB 113466 USt.-IdNr. DE 180017238 Steuer-Nr. 802/40600 Geschäftsführer: Rosa Igl
-------------------------------------------------------------------------------- Nachricht von: Dirk.Schreiner@tria.de Nachricht an: opensuse-security@opensuse.org # Dateianhänge: 0 --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
On Monday 16 July 2007 17:30:38 Philipp Snizek wrote:
Yes. That would help it and also stop man in the middle at least between the switch and the Hosts n. have you got experience what performance impact 802.1x has on 1GBit/s ethernet?
As I said before, you can do with simply allowing no more than one MAC address to appear on a single switch port. You could also set the allowed mack addresses manually. This eliminates the need of authentication (802.1x or not). So no overhead. -- Blade hails you... One night I dreamt a white rose withering a newborn drowning a lifetime loneliness I dreamt all my future. Relived my past And witnessed the beauty of the beast --Nightwish
On Monday 16 July 2007 17:30:38 Philipp Snizek wrote:
Yes. That would help it and also stop man in the middle at least between the switch and the Hosts n. have you got experience what performance impact 802.1x has on 1GBit/s ethernet?
As I said before, you can do with simply allowing no more than one MAC address to appear on a single switch port. You could also set the allowed mack addresses manually. This eliminates the need of authentication (802.1x or not). So no overhead.
Networks cannot be secured by adding static MAC addresses to a switch (e.g. Cisco 29xx, port security feature). You start the legal client, write down its ip and mac, start your illegal notebook were you are root, spoof the mac and the ip, unplug the network cable from the client, plug it into the notebook. The switch will think you just unplugged and plugged the very same client. Please teach me otherwise should I be wrong. Philipp --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
On Monday 16 July 2007 19:28:17 Philipp Snizek wrote:
On Monday 16 July 2007 17:30:38 Philipp Snizek wrote:
Yes. That would help it and also stop man in the middle at least between the switch and the Hosts n. have you got experience what performance impact 802.1x has on 1GBit/s ethernet?
As I said before, you can do with simply allowing no more than one MAC address to appear on a single switch port. You could also set the allowed mack addresses manually. This eliminates the need of authentication (802.1x or not). So no overhead.
Networks cannot be secured by adding static MAC addresses to a switch (e.g. Cisco 29xx, port security feature). You start the legal client, write down its ip and mac, start your illegal notebook were you are root, spoof the mac and the ip, unplug the network cable from the client, plug it into the notebook. The switch will think you just unplugged and plugged the very same client.
Please teach me otherwise should I be wrong.
Philipp
That is correct, but here you have no man-in-the-middle. The trick works just fine when you have the laptop connected to a different end-point, trying to sniff other people's traffic. You are talking about a network that is not phisically secure. Then you do need proper authentication. -- Blade hails you... Teach me passion for I fear it's gone Show me love, hold the lorn So much more I wanted to give to the ones who love me I'm sorry Time will tell (this bitter farewell) I live no more to shame nor me nor you And you... I wish I didn't feel for you anymore... --Nightwish
Hi, Philipp Snizek schrieb:
Philipp Snizek schrieb:
On Monday 16 July 2007 15:17:53 Philipp Snizek wrote:
Hi
I have this scenario:
Subnet A Hosts n ----- Gateway ----- Fileservers NFS
Hosts n: mark packets Gateway: uses mark to make routing desicion
[...]
Or how would you do it?
Thanks for your attention
Hi,
How are you using the marks? If a client can spoof the IP and MAC address, it could do so with the marks too.
Yes, it could, but then the attacker somehow has to learn what the mark looks like. If the attacker doesn't know the gateway will notice the spoofing with the first incoming packet. And thus, alerting the spoofing will not be a problem anymore. The only way I can think of would be a man-in-the-middle attack (e.g. with a notebook that has 2 interfaces set up as a linux bridge).
Which is not too difficult.
No, it isn't.
I also thought about using SECMARK with SELinux but that is too much of a pain and therefore too expensive to build. Also, I do not know whether SECMARK painted packets are painted permanently.
Securing your network from MAC or IP address spoofing may be done by configuring the switches (if they are manageble, of course) - for example by staticly assigning allowed MAC addresses on specific switch ports. If a malicious client can connect to your network and spoof a valid identity it is
This is not working! Every Script Kiddie can fake MAC-Addresses.
ACK
If you want to leave Security to the Switch use 802.1x Port based Authentication with a secure Protocol.
Yes. That would help it and also stop man in the middle at least between the switch and the Hosts n. have you got experience what performance impact 802.1x has on 1GBit/s ethernet?
As i understand 802.1x you can use it to only authenticate the Client, Traffic unencrypted, which should be no real Performance Impact. (And maybe thats enough for you.) If you want to encrypt the whole Communication, the Performance Impact on the Network itself will also be not too much harm. Performance Impact is mainly caused in KeyNegotiation, which ist normaly done every 5 Minutes for every Connection. You can set a longer Time, which will be less secure, but anyway, fare more secure as clear Text. You will need some CPU for KeyNegotiation, and little CPU for shifting and xor-ing Payload. Just compare it as HTTP to HTTPS, but more effective due to the long term connections. Maybe this Link helps. http://iase.disa.mil/stigs/whitepaper/802.1x_primer.doc
already too late to secure protocols like NFS, which are not designed to be used on an insecure network.
This is the design flaw in the network that currently cannot be fixed. That is also why I'm coming up with the idea of marking the packets.
If you have control over Client and Server, why not using AFS instead of NFS? AFS supports strong authentication and _encryption_ of transported Data.
Because we use AFS and we know abouts its security features. However, experiences show that it never has been working really reliably. Imagine that Hosts n may be several hundred machines most probably mounting more than a total of 2000 NFS shares. Even NFS3 has a problem with this sort of load. We thought about using NFS4 but other colleagues made bad experiences. The last alternative would be Samba and CIFS.
But that's all too much work.
Philipp
Nice Environment. ;-) Dirk
Dirk
Thanks, PHilipp
--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org <mailto:opensuse-security+unsubscribe@opensuse.org> For additional commands, e-mail: opensuse-security+help@opensuse.org <mailto:opensuse-security+help@opensuse.org>
--
TRIA IT-consulting GmbH Joseph-Wild-Straße 20 81829 München Germany Tel: +49 (89) 92907-0 Fax: +49 (89) 92907-100 http://www.tria.de
Registergericht München HRB 113466 USt.-IdNr. DE 180017238 Steuer-Nr. 802/40600 Geschäftsführer: Rosa Igl
-------------------------------------------------------------------------------- Nachricht von: Dirk.Schreiner@tria.de Nachricht an: opensuse-security@opensuse.org # Dateianhänge: 0 --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
If you want to leave Security to the Switch use 802.1x Port based Authentication with a secure Protocol.
Yes. That would help it and also stop man in the middle at least between the switch and the Hosts n. have you got experience what performance impact 802.1x has on 1GBit/s ethernet?
As i understand 802.1x you can use it to only authenticate the Client, Traffic unencrypted, which should be no real Performance Impact. (And maybe thats enough for you.)
If you want to encrypt the whole Communication, the Performance Impact on the Network itself will also be not too much harm. Performance Impact is mainly caused in KeyNegotiation, which ist normaly done every 5 Minutes for every Connection. You can set a longer Time, which will be less secure, but anyway, fare more secure as clear Text. You will need some CPU for KeyNegotiation, and little CPU for shifting and xor-ing Payload.
Just compare it as HTTP to HTTPS, but more effective due to the long term connections.
Maybe this Link helps. http://iase.disa.mil/stigs/whitepaper/802.1x_primer.doc
Thanks. Reading this document, 802.1x seems to be built exactly for this purpose.
already too late to secure protocols like NFS, which are not designed to be used on an insecure network.
This is the design flaw in the network that currently cannot be fixed. That is also why I'm coming up with the idea of marking the packets.
If you have control over Client and Server, why not using AFS instead of NFS? AFS supports strong authentication and _encryption_ of transported Data.
Because we use AFS and we know abouts its security features. However, experiences show that it never has been working really reliably. Imagine that Hosts n may be several hundred machines most probably mounting more than a total of 2000 NFS shares. Even NFS3 has a problem with this sort of load. We thought about using NFS4 but other colleagues made bad experiences. The last alternative would be Samba and CIFS.
But that's all too much work.
Philipp
Nice Environment. ;-)
Yes, it is. It keeps 15 admins running. We enjoy. ;) Thank you for your time and input. Philipp --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
participants (3)
-
Boyan Tabakov -
Dirk Schreiner -
Philipp Snizek