[opensuse-security] packet labeling & routing decision based on these labels
Hi
I have this scenario:
Subnet A Hosts n ----- Gateway ----- Fileservers NFS
Hosts n: mark packets
Gateway: uses mark to make routing decision
Hosts n get their IP address via DHCP (IP address lease decision based on the client's MAC address). It is extremely simple to attach a notebook to Subnet A, spoof a legal client's IP and MAC addresses, get UID and username, and do the worst.
Over the weekend I tried packet marking using iptables mark and connmark targets to label packets at the Hosts n (iptables output -j MARK rule) and to have the Gateway decide, based on these labels, what to do with the packets (ip rule with fwmark). I stopped trying when I found out that the labels are not kept permanently when a marked packet leaves the interface of a host n.
As I very much like the idea of labeling packets I wonder whether such a concept is possible with other Linux tools.
Or how would you do it?
Thanks for your attention
Philipp
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
On Monday 16 July 2007 15:17:53 Philipp Snizek wrote:
Hi
I have this scenario:
Subnet A Hosts n ----- Gateway ----- Fileservers NFS
Hosts n: mark packets
Gateway: uses mark to make routing decision
Hosts n get their IP address via DHCP (IP address lease decision based on the client's MAC address). It is extremely simple to attach a notebook to Subnet A, spoof a legal client's IP and MAC addresses, get UID and username, and do the worst.
Over the weekend I tried packet marking using iptables mark and connmark targets to label packets at the Hosts n (iptables output -j MARK rule) and to have the Gateway decide, based on these labels, what to do with the packets (ip rule with fwmark). I stopped trying when I found out that the labels are not kept permanently when a marked packet leaves the interface of a host n.
As I very much like the idea of labeling packets I wonder whether such a concept is possible with other linux tools.
Or how would you do it?
Thanks for your attention
Hi,
How are you using the marks? If a client can spoof the IP and MAC address, it could do so with the marks too.
Securing your network from MAC or IP address spoofing may be done by configuring the switches (if they are manageable, of course), for example by statically assigning allowed MAC addresses on specific switch ports. If a malicious client can connect to your network and spoof a valid identity it is already too late to secure protocols like NFS, which are not designed to be used on an insecure network.
Best regards.
--
Blade hails you...
Oh how I wish For soothing rain
Oh how I wish to dream again
--Nightwish
On Monday 16 July 2007 15:17:53 Philipp Snizek wrote:
Hi
I have this scenario:
Subnet A Hosts n ----- Gateway ----- Fileservers NFS
Hosts n: mark packets
Gateway: uses mark to make routing decision
Hosts n get their IP address via DHCP (IP address lease decision based on the client's MAC address). It is extremely simple to attach a notebook to Subnet A, spoof a legal client's IP and MAC addresses, get UID and username, and do the worst.
Over the weekend I tried packet marking using iptables mark and connmark targets to label packets at the Hosts n (iptables output -j MARK rule) and to have the Gateway decide, based on these labels, what to do with the packets (ip rule with fwmark). I stopped trying when I found out that the labels are not kept permanently when a marked packet leaves the interface of a host n.
As I very much like the idea of labeling packets I wonder whether such a concept is possible with other linux tools.
Or how would you do it?
Thanks for your attention
Hi,
How are you using the marks? If a client can spoof the IP and MAC address, it could do so with the marks too.
Yes, it could, but then the attacker somehow has to learn what the mark looks like. If the attacker doesn't know it, the gateway will notice the spoofing with the first incoming packet. And thus, alerting on the spoofing will not be a problem anymore. The only way I can think of would be a man-in-the-middle attack (e.g. with a notebook that has 2 interfaces set up as a Linux bridge). I also thought about using SECMARK with SELinux but that is too much of a pain and therefore too expensive to build. Also, I do not know whether SECMARK painted packets are painted permanently.
Securing your network from MAC or IP address spoofing may be done by configuring the switches (if they are manageable, of course), for example by statically assigning allowed MAC addresses on specific switch ports. If a malicious client can connect to your network and spoof a valid identity it is already too late to secure protocols like NFS, which are not designed to be used on an insecure network.
This is the design flaw in the network that currently cannot be fixed. That is also why I'm coming up with the idea of marking the packets.
Thanks, Philipp
Philipp Snizek schrieb:
On Monday 16 July 2007 15:17:53 Philipp Snizek wrote:
Hi
I have this scenario:
Subnet A Hosts n ----- Gateway ----- Fileservers NFS
Hosts n: mark packets
Gateway: uses mark to make routing decision
[...]
Or how would you do it?
Thanks for your attention
Hi,
How are you using the marks? If a client can spoof the IP and MAC address, it could do so with the marks too.
Yes, it could, but then the attacker somehow has to learn what the mark looks like. If the attacker doesn't know it, the gateway will notice the spoofing with the first incoming packet. And thus, alerting on the spoofing will not be a problem anymore. The only way I can think of would be a man-in-the-middle attack (e.g. with a notebook that has 2 interfaces set up as a Linux bridge).
Which is not too difficult.
I also thought about using SECMARK with SELinux but that is too much of a pain and therefore too expensive to build. Also, I do not know whether SECMARK painted packets are painted permanently.
Securing your network from MAC or IP address spoofing may be done by configuring the switches (if they are manageable, of course), for example by statically assigning allowed MAC addresses on specific switch ports. If a malicious client can connect to your network and spoof a valid identity it is
This is not working! Every script kiddie can fake MAC addresses. If you want to leave security to the switch, use 802.1X port-based authentication with a secure protocol.
already too late to secure protocols like NFS, which are not designed to be used on an insecure network.
This is the design flaw in the network that currently cannot be fixed. That is also why I'm coming up with the idea of marking the packets.
If you have control over client and server, why not use AFS instead of NFS? AFS supports strong authentication and _encryption_ of transported data.
Dirk
Thanks, Philipp
On Monday 16 July 2007 16:10:04 Philipp Snizek wrote:
On Monday 16 July 2007 15:17:53 Philipp Snizek wrote:
Hi
I have this scenario:
Subnet A Hosts n ----- Gateway ----- Fileservers NFS
Hosts n: mark packets
Gateway: uses mark to make routing decision
Hosts n get their IP address via DHCP (IP address lease decision based on the client's MAC address). It is extremely simple to attach a notebook to Subnet A, spoof a legal client's IP and MAC addresses, get UID and username, and do the worst.
Over the weekend I tried packet marking using iptables mark and connmark targets to label packets at the Hosts n (iptables output -j MARK rule) and to have the Gateway decide, based on these labels, what to do with the packets (ip rule with fwmark). I stopped trying when I found out that the labels are not kept permanently when a marked packet leaves the interface of a host n.
As I very much like the idea of labeling packets I wonder whether such a concept is possible with other linux tools.
Or how would you do it?
Thanks for your attention
Hi,
How are you using the marks? If a client can spoof the IP and MAC address, it could do so with the marks too.
Yes, it could, but then the attacker somehow has to learn what the mark looks like. If the attacker doesn't know it, the gateway will notice the spoofing with the first incoming packet. And thus, alerting on the spoofing will not be a problem anymore.
Spoofing the mark is as easy as spoofing the IP and MAC.
The only way I can think of would be a man-in-the-middle attack (e.g. with a notebook that has 2 interfaces set up as a Linux bridge). I also thought about using SECMARK with SELinux but that is too much of a pain and therefore too expensive to build. Also, I do not know whether SECMARK painted packets are painted permanently.
You don't need to have two network interfaces to do a man-in-the-middle attack. And that is the beauty of it - it is so simple :) You do that with IP and MAC spoofing, and it is as simple as running a little tool, publicly available.
--
Blade hails you...
I know my dreams are made of you
Of you and only for you
--Nightwish
participants (3): Boyan Tabakov, Dirk Schreiner, Philipp Snizek