Comments on TaoSecurity Blog: Monitor Your Routers

Anonymous (2007-01-25 10:40 -05:00):

"We should design architectures such that all nodes within our control can be independently and passively observed by a trusted platform."

Why not make nodes like routers trusted themselves? What makes the box observing the nodes trusted?

I am tempted to say that if you did so, you would then check host data first, but you would not have incidents to begin with, if the node in question was trusted to begin with, because you then have prevention rather than remediation.

Richard Bejtlich (2007-01-25 14:08 -05:00):

Anyone can make a router "trusted". The question is whether it is worthy of trust, i.e., "trustworthy." No one can do that. I increase my level of trust in a device as the opportunities for other parties to interact with it decrease. I thought I'd discussed this before but I cannot find a reference now. The bottom line is that 100% prevention is impossible, and if you don't believe that then you aren't in touch with reality.

Richard Bejtlich (2007-01-25 14:28 -05:00):

Rob -- in my last comment I didn't mean to imply "you" as "Rob." I was referring to anyone who believes in 100% prevention.

Anonymous (2007-01-25 17:34 -05:00):

When the 3 Cisco advisories came out the other day, I (like everyone else) jumped all over them. Fortunately the version(s) that we happen to be running are not vulnerable.

The Cisco advisory is a bit unclear -- yes, the packet must be sent to a physical/virtual IPv4 address on the device, but what if ACLs exist? I'd like to think that if an ACL dropped the packet, that would prevent this vulnerability from being exploitable.

With that thinking in mind, the threat is considerably narrowed. Sure, there are some situations where you cannot simply block all inbound traffic to your routers' addresses, as there are legitimate reasons to, for example, allow in ICMP pings and PIM. But I'm fairly certain that most of the time you could restrict who needs access to those services, and in the end the only way to get traffic past an ACL and to the vulnerable device is to be "trusted" in the first place. There is still a threat, but not an "OMG drop everything and upgrade" sort of threat.

Anonymous (2007-01-25 23:24 -05:00):

jon,

The ACLs suggested as a workaround are too cumbersome to implement. If you have an IP address based ACL, it won't help because the killer packet can be spoofed.

Richard,

When you say "trusted platform", do you mean something that is completely external to the network elements? If the untrusted network and the trusted platform are able to communicate (e.g. via routes that exist between the two), would it compromise the trustworthiness of the platform?
I would love to hear your views on this.

JimmytheGeek (2007-01-29 14:18 -05:00):

I've been thinking about ways to enumerate the legitimate communication partners for my router, and blocking all else. (Naturally, not blocking transit traffic.) Spoofing would be a problem as Vivek mentions.

There's a beautiful anti-spoofing technique I am looking into. It's only useful for routers, for the most part (maybe in a SAN as well). Drop everything with TTL < 255.

You only do BGP with neighbors, right? You might collect SNMP from distant boxes, but that's an easy exception to put in, and a harder one for the attacker to discover or guess. A simple IP based ACL will fail when an attacker runs a traceroute and discovers who your neighbors are. But they can't spoof them AND ensure their packets show up with a TTL of 255. Unless the neighboring router is owned, of course. But the TTL limit sure narrows the list of suspects even in that case.

I heard about it at ISOI-2 last week.
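JimmytheGeek's TTL-based anti-spoofing idea, worked through as an added example that is not part of this thread: the filter accepts BGP only from enumerated neighbors whose packets arrive with TTL 255 (one hop, nothing in between has decremented it), carves out the SNMP exception by source address, and never touches transit traffic. The router addresses, neighbor and manager addresses, and the sample packets are all assumed/constructed; the same idea is standardized as GTSM in RFC 5082.

```python
from dataclasses import dataclass

# Assumed/constructed addresses for the model router (not from the blog).
ROUTER_ADDRS = {"192.0.2.1", "198.51.100.1"}      # this router's own interfaces
BGP_NEIGHBORS = {"192.0.2.2", "198.51.100.2"}     # directly attached BGP peers
SNMP_MANAGERS = {"203.0.113.10"}                  # distant NMS, allowed at any TTL


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int
    ttl: int


def filter_packet(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'forward', 'accept' or 'drop'.

    Transit traffic is never blocked. Traffic aimed at the router itself must
    come from an enumerated partner, and BGP additionally requires TTL 255: a
    sender farther than one hop away cannot deliver a packet with TTL 255, so
    spoofing a neighbor's address alone is not enough. A compromised neighbor
    (the caveat in the comment) would still pass; the check narrows, not removes.
    """
    if pkt.dst not in ROUTER_ADDRS:
        return "forward", "transit traffic, not addressed to the router"
    if pkt.proto == "tcp" and pkt.dport == 179:
        if pkt.src in BGP_NEIGHBORS and pkt.ttl == 255:
            return "accept", "BGP from adjacent neighbor with TTL 255"
        if pkt.src in BGP_NEIGHBORS:
            return "drop", f"neighbor address but TTL {pkt.ttl} < 255, likely spoofed"
        return "drop", "BGP from non-neighbor"
    if pkt.proto == "udp" and pkt.dport == 161:
        # SNMP from a known remote manager crosses several hops: exception by address.
        if pkt.src in SNMP_MANAGERS:
            return "accept", "SNMP from enumerated manager"
        return "drop", "SNMP from unknown source"
    return "drop", "unsolicited traffic to the router itself"


# Constructed sample packets exercising each branch.
SAMPLE_PACKETS = [
    Packet("192.0.2.2", "192.0.2.1", "tcp", 179, 255),     # real neighbor
    Packet("192.0.2.2", "192.0.2.1", "tcp", 179, 252),     # neighbor address, three hops away
    Packet("203.0.113.10", "192.0.2.1", "udp", 161, 240),  # distant SNMP manager
    Packet("203.0.113.99", "192.0.2.1", "udp", 161, 255),  # unknown SNMP source, even at 255
    Packet("203.0.113.99", "10.0.0.5", "tcp", 80, 60),     # transit
]


def evaluate(packets=SAMPLE_PACKETS) -> list[str]:
    """Verdict for each packet, in order."""
    return [filter_packet(p)[0] for p in packets]
```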