NETWORK INFRASTRUCTURE SECURITY

Transcription

1 NETWORK INFRASTRUCTURE SECURITY

2 Network Infrastructure Security Angus Wong Alan Yeung

3 Angus Wong Macao Polytechnic Institute Rua de Luis Gonzaga Gomes Macao Alan Yeung City University of Hong Kong 83 Tat Chee Avenue Kowloon Hong Kong, PR, China ISBN: e-isbn: DOI: / Library of Congress Control Number: Springer Science+Business Media, LLC 2009 All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, to proprietary rights. is not to be taken as an expression of opinion as to whether or not they are subject Printed on acid-free paper springer.com

4 About the authors Angus Kin-Yeung Wong obtained his BSc and PhD degrees from City University of Hong Kong, and is currently an associate professor at Macao Polytechnic Institute. Angus is active in research activities, and has served as a reviewer and a technical program committee member in various journals and conferences. Angus is devoted to teaching in tertiary education. In the past, he has taught 11 different courses, ranging from the first year to forth years, and developed five new network related courses to keep students abreast of cutting-edge network technologies. Alan Kai-Hau Yeung obtained his BSc and PhD degrees from The Chinese University of Hong Kong in 1984 and 1995 respectively. He is currently an associate professor at City University of Hong Kong. Since his BSc graduation, he has spent more than 20 years in teaching, managing, designing and research on different areas of computer networks. In the early days of LANs in 1980s, he had the chance to involve in the design and set up of numerous networks. One of them was the largest LAN in Hong Kong at that time. He also frequently provides consultancy services to the networking industry. One notable project was the development of a GSM mobile handset in late 1990s. The team that Alan had involved successfully developed a handset prototype for a listed company in Hong Kong. Alan s extensive experience has helped him to earn professional qualifications like Cisco Certified Network Professional (CCNP), Cisco Certified Academy Instructor (CCAI), and Certified Ethical Hacker (CEH). Angus and Alan have been collaborating in doing network related research for over 10 years. They have successfully obtained grants from universities and governments, and published tens of technical papers. Besides research, they are fond of teaching and sharing with students. Commonly, they were awarded for their teaching contributions. Angus Wong obtained the Macao Polytechnic Insti-

5 tute s Best Teacher Awards in , whereas Alan Yeung obtained the City University of Hong Kong s Teaching Excellence Awards in Another common point of Angus and Alan is that they are both responsible for the establishment and maintenance of Cisco switches and routers learning environment in their own universities. Students learning has proven to be enhanced significantly through their hand-on experience on networking devices.

6 Preface Unlike network information security which is concerned with data confidentiality and integrity by using techniques like cryptography, network infrastructure security is concerned with the protection of the network infrastructure itself, that is, to focus on how to detect and prevent routers or other network devices from being attacked or compromised. Although information assurance is important, it becomes meaningless if the data, no matter how secure its content is, cannot be delivered through the Internet infrastructure to the targeted destination correctly. Since the Internet, in the beginning, was assumed to work in a trustworthy environment, it was designed without much concern for security. As a result, the infrastructure is vulnerable to a variety of security threats and attacks, such as packet spoofing, routing table poisoning and routing loops. One of the reasons why network infrastructure security is important and has drawn much concern in recent years is that attacks to the infrastructure will affect a large portion of the Internet and create a large amount of service disruption. Since our daily operations highly depend on the availability and reliability of the Internet, the security of its infrastructure has become a high priority issue. We believe that the topic will draw much concern, and various countermeasure or solutions will be proposed to secure the infrastructure in the coming years.

7 Goal of writing This book aims to promote network infrastructure security by describing the vulnerabilities of some network infrastructure devices, particularly switches and routers, through various examples of network attack. The examples will be well illustrated in detail so that the operations and principles behind them are clearly revealed. To avoid serving as a hacking guide, the attack steps are described from the conceptual view. That is, we will write something like "If an attacker injects a packet with a fake source address, the server will believe the attacker is the right client Though some topics in this book have been covered in other books, the primary focus of them is information security or the ways of configuring the network devices. In writing this book, we attempt to emphasize on the network infrastructure security and draw the attention about it in the field. On the other hand, the network vulnerabilities and attacks mentioned in this book are mainly based on protocol exploitation, not on software bugs or computer viruses that are usually dependent on the particular platform, brand of router, operating system, version, etc.

8 Not goal of writing The purpose of this book is not to report new security flaws of network infrastructure devices. Most of the attacks discussed in this book have been already identified in the field, and the corresponding countermeasures have been proposed. If administrators are aware of the countermeasures, the attacks can be prevented. Security has a large scope, and so has network infrastructure security. This book does not attempt to provide an exhaustive list of attack methods of network infrastructure and their countermeasures. Actually, it is difficult, if not impossible to write a single book covering the vulnerabilities of all kinds of network protocols on network devices with different brands model running different versions of OSes. On the other hand, to make the book concise, it does not thoroughly explain TCP/IP or network protocols; nor does the book teach the full operations of switches or routers. Nonetheless, the basic idea of them will be covered to facilitate the discussion of the topics. Assumptions The readers are assumed to have basic understanding on computer networks and TCP/IP, and would like to learn more about the security of the major part of a computer network the network infrastructure. On the other hand, since IP is the most common protocol in the network layer, this book only covers IP routers (i.e., routing based on IP). Similarly, since Ethernet is the most popular media access protocol, the switches mentioned in this book refer to Ethernet switches.

9 Audience The book can be used as a text for undergraduate courses at senior levels, or for postgraduate courses. It can also be used for engineer/practitioners for advancing their knowledge on network infrastructure security. In general, network infrastructure security is an area of great interest to IP service providers, network operators, IP equipment vendors, software developers, and university instruction at the both graduate and undergraduate levels. Specifically, The people in the information security field can benefit being acquainted with another aspect of security network infrastructure security. The people already in the field of network infrastructure security can benefit from having a resource exclusively for the topic. The people in the network field can benefit from acquiring more information about the security of the devices (switches and routers) they are dealing with everyday. The teachers in Universities can benefit from having the syllabuses of network related courses enriched with the topics of network infrastructure security. Since this book does not focus on a particular platform or brand of network devices but the general principle of network infrastructure security, it is suitable for a wide range of readership.

10 Chapter design The organization of this book is straightforward -- from lower to higher layer, and from basic concept of network infrastructure security to the research solution to future network device design. Therefore, this book is recommended to be read from chapter to chapter. Firstly, we explain what is network infrastructure security in Chapter 1. Then, we discuss the vulnerabilities of network infrastructure devices starting from data link, network, to application layers in Chapters 2, 3 to 4 respectively. It is followed by Chapter 5 in which the proof-of-concept demonstrations (by practical step by step procedure) of the vulnerabilities are provided. Finally, to fundamentally protect the network infrastructure, a new approach in designing network devices is proposed in Chapter 6. The following gives the general description of each chapter.

11 Table of Content 1. Introduction to Network Infrastructure Security Internet infrastructure Key components in the Internet infrastructure Internet infrastructure security 2. Network Infrastructure Security -- Switching Introduction How Switches can be Attacked 3. Network Infrastructure Security Routing Introduction Overview of Internet Routing External and internal attacks RIP Attacks and Countermeasures OSPF Attacks and Countermeasures BGP Attacks and Countermeasures Network Infrastructure Security -- Address Configuration and Naming Introduction DHCP Attack DNS Attack 5. Experiments for Illustrating Network Infrastructure Attacks Purpose of the Chapter Attack Experiments Protecting Network Infrastructure A New Approach 6.1 Purpose of the Chapter Analysis on Security Problems of Network Infrastructure Steps in Hacking Network Infrastructure Flat Network Design Model and Masquerading A New Model to Protect Network Infrastructure 238 Index 263