Dynamic Routing Inside IPsec VPNs

Dynamic Routing Inside IPsec VPNs
New Threats and Defenses
Paul Knight, Nortel Networks
[email protected]

Agenda
• Setting the stage
  – IPsec topology background
  – Dynamic routing in IPsec
• Attack and Defense
  – Attacks from the Internet
    • Denial of service
    • Remote access “Split tunnel”
  – Internal “branch-to-branch” attacks
    • Routing attacks
    • Misconfigurations
  – Requirements: Securing IPsec routing

Dynamic Routing Inside IPsec VPNs- 2 Black Hat Briefings – Paul Knight

IPsec topology background
• The IPsec VPN model
  – What is an “IPsec Gateway”?
  – What are Tunnel and Transport Modes?
  – What’s a Security Association?
• IPsec VPN topologies
  – Not host-to-host
  – Remote access VPN
  – Major focus: Multi-site, branch offices

IPSec VPN models: Hosts and Security Gateways
[Diagram: three topologies across the Internet (Untrusted Network). Host-to-host (not VPN): two hosts talk directly. “Branch-to-branch” VPN model: between IPsec gateways, each fronting a Trusted Network. “Remote access” VPN model: host to IPsec gateway, with the Trusted Network behind the gateway.]

Two IPSec Modes: Transport and Tunnel Mode
[Diagram of the two packet layouts]
Transport Mode: Original IP Header | IPSec ESP Header | Data (Data optionally encrypted)
Tunnel Mode: New IP Header (Outer IP Header) | IPSec ESP Header | Original IP Header (Inner IP Header) | Data (Original IP Header and Data optionally encrypted)

Application of the IPsec modes
[Diagram: Host to Host across the Internet (Untrusted Network); IPSec Gateway to IPSec Gateway across the Internet, each gateway fronting a Trusted Network]
• Can use Transport (or Tunnel) Mode between Hosts
• Can ONLY use Tunnel Mode between Gateways (or extra IP encapsulation inside Transport Mode)
  – MUST hide IP addresses of trusted networks

Application of the IPsec modes – Remote Access
[Diagram: remote host, Internet (Untrusted Network), IPsec Gateway, Trusted Network]
• SHOULD use Tunnel Mode between host and gateway
  – Hide IP addresses of trusted networks
  – Allow remote host to truly join trusted network
  – IPsec gateway assigns host a tunnel address, like DHCP
• Alternative: Transport Mode to “Application Level Gateway”
  – IPsec gateway actually becomes a “host”
  – Remote host is limited to applications supported by “gateway”
  – Similar to SSL gateway model; heavy burden on “gateway”

Security Association (SA)
• SA = All the information shared between two IPsec systems to establish secure communication
  – Selection of the security mechanisms:
    • ESP or AH protection
    • Ciphering algorithm
    • Hash function
    • Choice of authentication method
  – Authentication of the two parties
  – Choice of the ciphering and authentication keys

Security Databases
• A model to ensure a minimum of interoperability
• RFC 2401 - “Security Architecture for IP”
• Two Security Databases maintained on the IPSec system
  – Security Policy Database (SPD)
  – Security Association Database (SAD)

Security Association Database (SAD)
• All active Security Associations
• For each SA entry, includes:
  – Identifier:
    • Outer destination IP address
    • Security Protocol
    • SPI – Security Parameter Index
  – Parameters
    • Authentication algorithm and keys
    • Encryption algorithm and keys
    • Lifetime
    • Security Protocol Mode (tunnel or transport)
    • Anti-replay service
    • Link with an associated policy in the SPD

Security Policy Database (SPD)
• Applies to every packet
• For each policy entry, includes:
  – Selectors
    • Destination IP Address
    • Source IP Address
    • Name
    • Transport Layer Protocol (protocol number)
    • Source and Destination Ports
  – The policy:
    • Discard the packet, bypass or process IPSec
    • For IPSec Processing:
      - Security Protocol and Mode
      - Enabled Services (anti-replay, authentication, encryption)
      - Algorithms (for authentication and/or encryption)
  – Link to an active SA in the SAD (if it exists)

Inbound Packet Processing
[Diagram: an IP Header + IPSec packet enters the IPSec System; its IP Header destination IP address, Security Protocol and SPI are used to look up the SAD; the resulting plain IP Header packet is checked against the SPD]
1. Identifies the SA in the SAD upon the selectors
2. Read the SA parameters
3. Performs the enabled IPSec services
   - Authentication
   - Decryption
   - Anti-replay service
4. Identifies the policy according to the selector
5. Check the policy

Outbound Packet Processing
[Diagram: a plain IP Header packet enters the IPSec System; its Policy Selectors are looked up in the SPD, the linked SA is read from the SAD, and an IP Header + IPSec packet leaves]
1. Identifies the policy in the SPD according to the selectors
2. Read the policy parameters
3. Initiate new SA if necessary
4. Read the SA parameters specified by the link
5. Computes the IPSec processing
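The two processing sequences above, walked through in code. This is an added example, not code from the deck or from Nortel: the class names (Selector, Policy, SecurityAssociation, IpsecSystem), the gateway and subnet addresses, and the SPIs are all constructed for the illustration, and ESP protection is modelled by wrapping the packet in an outer header rather than by real encryption and authentication. Outbound processing shows the "static route" effect of selectors (a subnet without a policy never enters a tunnel); inbound processing shows why step 5, checking the decapsulated packet against the policy linked to the SA, matters: without it a peer could inject traffic for addresses it is not authorised to speak for.

```python
import ipaddress
from dataclasses import dataclass
from itertools import count
from typing import Optional

# Constructed model of RFC 2401 inbound/outbound processing. Class and field names
# are this example's own, not any real IPsec API; "ESP protection" is modelled by
# wrapping the packet in an outer header, with no real encryption or MAC.
DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"
ESP = 50   # IP protocol number of ESP

@dataclass(frozen=True)
class Selector:                    # SPD selectors: address prefixes, protocol, port
    src: str
    dst: str
    proto: Optional[int] = None    # None = any
    dport: Optional[int] = None

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in (None, pkt.get("proto"))
                and self.dport in (None, pkt.get("dport")))

@dataclass
class Policy:                      # one SPD entry
    selector: Selector
    action: str                    # DISCARD, BYPASS or PROTECT
    peer: Optional[str] = None     # outer destination (tunnel end point) for PROTECT
    sa: Optional["SecurityAssociation"] = None   # link to an active SA in the SAD

@dataclass
class SecurityAssociation:         # one SAD entry; identified by (outer_dst, ESP, spi)
    outer_dst: str
    spi: int
    policy: Policy                 # link with the associated SPD entry
    last_seq: int = 0              # anti-replay, simplified to "strictly increasing"

class IpsecSystem:
    def __init__(self, local_addr, policies):
        self.local = local_addr
        self.spd = list(policies)  # ordered, first match wins
        self.sad = {}              # (outer_dst, protocol, spi) -> SA
        self._spi = count(0x1000)

    def install_inbound_sa(self, spi, policy):
        """SA negotiated with the peer for traffic arriving at this gateway."""
        sa = SecurityAssociation(self.local, spi, policy)
        self.sad[(self.local, ESP, spi)] = sa
        policy.sa = sa

    def outbound(self, pkt):
        # 1./2. identify the policy in the SPD by the selectors and read it
        pol = next((p for p in self.spd if p.selector.matches(pkt)), None)
        if pol is None or pol.action == DISCARD:
            return None
        if pol.action == BYPASS:
            return pkt
        if pol.sa is None:         # 3. initiate a new SA if necessary
            pol.sa = SecurityAssociation(pol.peer, next(self._spi), pol)
            self.sad[(pol.peer, ESP, pol.sa.spi)] = pol.sa
        sa = pol.sa                # 4./5. read SA parameters, apply tunnel-mode ESP
        sa.last_seq += 1
        return {"src": self.local, "dst": sa.outer_dst, "proto": ESP,
                "spi": sa.spi, "seq": sa.last_seq, "inner": pkt}

    def inbound(self, pkt):
        if pkt.get("proto") != ESP:
            return None
        # 1./2. identify the SA by (outer destination, protocol, SPI) and read it
        sa = self.sad.get((pkt["dst"], ESP, pkt["spi"]))
        if sa is None or pkt["seq"] <= sa.last_seq:   # 3. (anti-replay modelled)
            return None
        sa.last_seq = pkt["seq"]
        inner = pkt["inner"]
        # 4./5. the decapsulated packet must match the policy linked to this SA,
        # or a peer could inject traffic for addresses it may not speak for
        return inner if sa.policy.selector.matches(inner) else None

def demo():
    """Both directions through a Site A gateway; all addresses are sample values."""
    out_pol = Policy(Selector("10.1.0.0/16", "10.3.0.0/16"), PROTECT, peer="203.0.113.9")
    in_pol = Policy(Selector("10.3.0.0/16", "10.1.0.0/16"), PROTECT, peer="203.0.113.9")
    gw = IpsecSystem("198.51.100.1",
                     [out_pol, in_pol, Policy(Selector("0.0.0.0/0", "0.0.0.0/0"), DISCARD)])
    gw.install_inbound_sa(0x2001, in_pol)
    r = {}
    r["protected_to_Z"] = gw.outbound({"src": "10.1.5.5", "dst": "10.3.7.7", "proto": 6})["proto"] == ESP
    # the "static route" problem: a subnet with no selector never enters a tunnel
    r["new_subnet_dropped"] = gw.outbound({"src": "10.1.5.5", "dst": "10.4.0.1", "proto": 6}) is None
    good = {"src": "203.0.113.9", "dst": "198.51.100.1", "proto": ESP, "spi": 0x2001, "seq": 1,
            "inner": {"src": "10.3.1.1", "dst": "10.1.2.2", "proto": 6}}
    r["inbound_ok"] = gw.inbound(good) == good["inner"]
    r["replay_dropped"] = gw.inbound(good) is None               # same sequence number again
    bad = dict(good, seq=2, inner={"src": "10.9.9.9", "dst": "10.1.2.2", "proto": 6})
    r["policy_mismatch_dropped"] = gw.inbound(bad) is None       # inner addresses outside policy
    return r
```

The last-match DISCARD policy stands in for the SPD's default behaviour: a packet that matches no PROTECT or BYPASS entry is dropped rather than sent in the clear.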


Why is dynamic routing in IPsec VPNs important?
• Like ANY sizable network – without dynamic routing, life is HARD!
  • It’s too hard to maintain static routes
  • Hard to set up load balancing
  • Hard to set up failover
  • Hard to manage changes
  • Hard to add new network sites

The IPsec “routing problem”
• Usual conversation:
  – What’s the problem? You can already carry routing protocols over IPsec.
  – Yes, but you can’t actually use them to ROUTE.
  – Huh?
  – The IPsec Security Associations have selectors that determine the traffic they allow. They are like static routes.
  – Oh… Yeah… I see the problem.

The IPsec “routing problem”
• Dynamic routing in VPNs is a requirement
• Tunnel mode is incompatible with dynamic routing
  – draft-touch-ipsec-vpn-04.txt (IETF – http://www.ietf.org/internet-drafts/X)
  – draft-wang-cevpn-routing-00.txt
  – draft-knight-ppvpn-ipsec-dynroute-01.txt
• WHY? Security Associations are created with selectors → Tunnels have built-in “static routes”
• SP and SA Database lookups do the “routing”
• SA setup is orders of magnitude slower than routing change → Dynamically changing SA due to routing updates doesn’t scale

Reference topology
[Diagram: Site A CPE, Site X CPE, Site Y CPE and Site Z CPE, all connected through the Untrusted Network]
• Typical dynamic routing issues
  – “Z” adds a new network
  – New site added (Hub/spoke model)
  – A link (IPsec connection) breaks; re-route through another site

SP, SA Databases determine “routing” into tunnels – cannot adapt dynamically
[Diagram: the IPsec Gateway (CPE) at Site A holds the SPD and SAD; outbound traffic is matched into SA pairs, 1 per address range, toward Site X, Site Y and Site Z across the Untrusted Network]
• Route exchange possible, but useless… (SPD, SAD control “routing”)

The basic solution
• Remove the tunnel’s “static routes” …. HOW?
• (1) Use “wild card” in tunnel SAs (allow all traffic) OR
• (2) Use encapsulation to make the traffic fit the “static route”, by setting destination address in the encapsulated traffic
  – IP-in-IP over Transport (IIPtran)
  – Generic Routing Encapsulation (GRE) in tunnel or transport
• Both approaches are essentially similar in key ways, but (2) is more secure
  – IPsec can still apply source/destination selectors
  – Less chance for errors due to different systems’ dynamic routing abilities
• Either way, you must do “routing” (SA selection or encapsulation addressing) outside IPsec, and push traffic into a “VPN Tunnel” (may be Transport Mode)

Routing outside IPsec: Each SPD/SAD handles a smaller address selector range
[Diagram: in the IPsec Gateway at Site A, outbound traffic first passes a Routing function, then enters one “VPN Tunnel” SA pair between sites (unless QOS or security requires more), each with its own SPD and SAD, toward the Site X, Site Y and Site Z CPEs across the Untrusted Network; the Routing Exchange via OSPF, RIP, etc. runs through the same tunnels]

Tunnel mode = Transport mode + IP encapsulation
• Key concept for dynamic routing
  1) Determine “next IPsec hop” of the packet, using policy, based on any criteria the “routing engine” can handle – route to destination (using dynamic information!), protocol, port (socket), even content analysis (URL, etc.)
  2) Construct new encapsulating IP header with source/destination of next IPsec hop
  3) Pass to IPsec process for TRANSPORT mode processing
• Resulting packet is equivalent to tunnel mode, but now it is routed using dynamic routing updates
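The three steps above, applied to the reference topology's routing events (Z adds a network, a link breaks and traffic re-routes through another site). This is an added example, not the deck's or any vendor's code: VpnRouter and its methods, the gateway addresses, prefixes and SPIs are constructed for the illustration. The point it shows is that the transport-mode SA is selected by the outer gateway addresses alone, so routing changes alter only the routing table and never require SA setup; it also shows the two drop cases a gateway must get right (no route, and a next hop that is not an IPsec peer).

```python
import ipaddress

# Constructed model of "routing outside IPsec": route first, then IP-in-IP
# encapsulate toward the next IPsec hop, then transport-mode IPsec. The class
# and method names are this example's own, not a real product's API, and the
# gateway addresses and prefixes are sample values.
ESP, IPIP = 50, 4   # IP protocol numbers for ESP and IP-in-IP

class VpnRouter:
    """Routing engine in front of the IPsec process of a site gateway."""

    def __init__(self, local_gw, peers):
        self.local_gw = local_gw
        # One "VPN tunnel" SA per peer gateway with NO inner address selectors:
        # the transport-mode SPD matches only the outer gateway addresses and
        # the IP-in-IP protocol, so it never needs to change when routes change.
        self.spd = {peer: {"src": local_gw, "dst": peer, "proto": IPIP, "spi": spi}
                    for peer, spi in peers.items()}
        self.routes = {}   # prefix -> next IPsec hop (peer gateway) or "local"

    def add_route(self, prefix, next_hop):
        """What a routing daemon (OSPF, RIP, ...) does on a route update."""
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        """Longest-prefix match over the dynamic routing table."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, hop in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None

    def forward(self, pkt):
        hop = self.lookup(pkt["dst"])          # 1) next IPsec hop from routing
        if hop is None:
            return None                        # no route: drop, never default to the Internet
        if hop == "local":
            return pkt
        # 2) new encapsulating IP header: source/destination are gateway addresses
        outer = {"src": self.local_gw, "dst": hop, "proto": IPIP, "inner": pkt}
        sa = self.spd.get(outer["dst"])        # 3) transport-mode SA chosen by outer header
        if sa is None:
            return None                        # next hop is not an IPsec peer: do not send in clear
        return {"src": outer["src"], "dst": outer["dst"], "proto": ESP,
                "spi": sa["spi"], "payload": outer}

def demo():
    """Site A with peers X, Y, Z; the reference topology's routing events."""
    X, Y, Z = "203.0.113.2", "203.0.113.3", "203.0.113.9"
    a = VpnRouter("198.51.100.1", {X: 0x10, Y: 0x11, Z: 0x12})
    a.add_route("10.1.0.0/16", "local")
    a.add_route("10.3.0.0/16", Z)
    pkt = {"src": "10.1.5.5", "dst": "10.3.7.7", "proto": 6}
    r = {}
    r["z_via_Z"] = a.forward(pkt)["dst"] == Z
    # "Z adds a new network": learned by routing, reachable at once, same SA, no SA setup
    a.add_route("10.30.0.0/16", Z)
    out = a.forward({"src": "10.1.5.5", "dst": "10.30.1.1", "proto": 6})
    r["new_net_same_sa"] = (out["dst"], out["spi"]) == (Z, 0x12)
    # link to Z breaks; routing re-routes 10.3/16 through site Y
    a.add_route("10.3.0.0/16", Y)
    r["rerouted_via_Y"] = a.forward(pkt)["spi"] == 0x11
    r["unknown_dropped"] = a.forward({"src": "10.1.5.5", "dst": "10.99.0.1", "proto": 6}) is None
    # a route toward a non-IPsec next hop must not leak traffic in the clear
    a.add_route("10.50.0.0/16", "192.0.2.77")
    r["non_peer_dropped"] = a.forward({"src": "10.1.5.5", "dst": "10.50.0.1", "proto": 6}) is None
    return r
```

Compare with the selector-based gateway of the previous slides: there, the new 10.30/16 network would need a fresh SA pair before any packet could reach Z, and the re-route through Y would need the 10.3/16 selectors moved to Y's SA.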

Tunnel mode = Transport mode + IP encapsulation
[Diagram of the packet transformations]
Remember transport mode? Original IP Header | IPSec ESP Header | Data (Data optionally encrypted)
IP-in-IP encapsulation: New IP Header | Original IP Header | Data, where Original IP Header + Data become the new “Data”; addresses in the new IP header determine where the packet goes
Transport Mode applied to the encapsulated packet: New IP Header | IPSec ESP Header | Original IP Header | Data (the new “Data” optionally encrypted)
Packet looks like Tunnel Mode!

Routing with VPN tunnels
• What is a “VPN TUNNEL?”
  – An IPsec SA with NO effective address filters
  – May be IPsec tunnel mode or IP-in-IP over transport mode
  – It allows ANY IP traffic (unicast/multicast) to pass
  – It allows routing protocols to pass
  – Its end points are the IPsec gateway interfaces
  – It still protects all traffic with encryption
  – It is like an Ethernet, ATM, or Frame Relay “link” over the Internet, but secured by IPsec
• Since you can’t use the IPsec tunnel definitions or “filters” to select destinations, you MUST route before putting the traffic into an IPsec “VPN tunnel”

Routing with VPN Tunnels: Requirements for IPsec Gateways
• Full-power router “inside” the IPsec gateway, with traffic and route filters, even firewalls
• Ability to separate VPN routes from external (untrusted network) and local routes
• Ability to use the endpoint of the IPsec “VPN Tunnel” just like any IP-capable interface
  – To pass routed traffic
  – To send and receive routing protocols


Remote Access IPsec VPN routing attack
[Diagram: Remote Client, Internet (Untrusted Network), IPsec Gateway, Trusted Network]
• Split tunneling
  – Captive tunnel: Client’s “default route” points into tunnel to IPsec gateway; other routes not allowed
  – Split tunnel: Client’s default route is into Internet; specific routes to trusted network are loaded into Client’s routing table by IPsec Gateway
• Denial of Service Attacks
  – Various attacks to waste Gateway’s resources (bandwidth, open connections, processing time, etc.)
  – Not the subject of this talk (but interesting!)

[Diagram, No Split Tunneling: all Remote Client traffic, including traffic to an Internet Host, goes through the tunnel across the Internet (Untrusted Network) to the IPsec Gateway and out through the Trusted Network’s Firewall]
[Diagram, Split Tunneling: the Remote Client reaches the Internet Host directly over the Internet while its tunnel to the IPsec Gateway and the Trusted Network (behind its Firewall) stays up]

Why allow split tunneling?
• Avoid wasting bandwidth at VPN hub site
  – Internet traffic of clients would traverse the hub site
  – (Can be avoided by policy blocking Internet access during remote access, forcing client to logout of VPN)
• Short DHCP/PPPOE leases may require frequent contact to server at client’s ISP
  – Can’t contact server if all routes point to VPN tunnel
• Convenience of keeping VPN connection up during other Internet access

Split Tunneling – Potential Attacks
• FTP relay through client
  – Client running FTP server can become conduit from Internet into trusted network
  – Other similar services running on client – tftp, smtp, or custom relay application, maybe malicious application
• RAT – Remote Access Trojan on client
  – Back Orifice, etc.
  – PC Anywhere (not a “Trojan” but same issue)
  – Allow remote control of PC, and thus potential access to trusted network

Split Tunneling – Defenses
• Prevent split tunneling
  – Corporate policy decision
  – Enforcement through Gateway/client software capabilities
    • Gateway sends only default route to client
    • Client s/w reads routing table on client, reports to gateway and/or blocks access if routes are found.
• Prevent active relay services or remote control
  – Break connection if unexpected port is open on client
• Both defenses depend on client software ability to determine true state of client machine.
  – Depends on operating system and multitasking, multiprocessing capabilities of client system.
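The two client-side checks above (read the routing table, look for unexpected open ports), as an added example that is not part of the deck or of any vendor's client software. The netstat-style routing and socket tables are constructed for this example, as are the interface name tun0, the VPN server address 203.0.113.5 and the allow list of IKE ports; a real client would query the operating system directly, which is exactly the dependency the last bullet points out. The check treats the directly connected LAN and the host route to the VPN server as the only routes allowed to bypass the tunnel, and ignores loopback-only listeners since they are not reachable from the Internet.

```python
import ipaddress

# Constructed example of the client-side posture checks described above: read the
# client's routing table and listening sockets and decide whether a split tunnel
# or an unexpected service is present. The netstat-style tables below are made
# up for this example; real client software would query the OS directly.

SPLIT_ROUTES = """\
Destination     Gateway         Genmask         Iface
0.0.0.0         192.168.1.1     0.0.0.0         eth0
10.0.0.0        10.200.0.1      255.0.0.0       tun0
10.200.0.1      0.0.0.0         255.255.255.255 tun0
172.16.0.0      192.168.1.1     255.240.0.0     eth0
192.168.1.0     0.0.0.0         255.255.255.0   eth0
203.0.113.5     192.168.1.1     255.255.255.255 eth0
"""

CAPTIVE_ROUTES = """\
Destination     Gateway         Genmask         Iface
0.0.0.0         10.200.0.1      0.0.0.0         tun0
10.200.0.1      0.0.0.0         255.255.255.255 tun0
192.168.1.0     0.0.0.0         255.255.255.0   eth0
203.0.113.5     192.168.1.1     255.255.255.255 eth0
"""

LISTENING = """\
Proto Local Address    State
tcp   0.0.0.0:21       LISTEN
tcp   0.0.0.0:8080     LISTEN
tcp   127.0.0.1:631    LISTEN
udp   0.0.0.0:500
"""

CLEAN_LISTENING = "Proto Local Address    State\nudp   0.0.0.0:500\n"

IKE_PORTS = {("udp", 500), ("udp", 4500)}   # IKE and NAT-T, needed for the VPN itself

def parse_routes(text):
    rows = []
    for line in text.splitlines()[1:]:
        dst, gw, mask, iface = line.split()
        rows.append({"net": ipaddress.ip_network(f"{dst}/{mask}"), "gw": gw, "iface": iface})
    return rows

def check_routes(text, tunnel_iface, vpn_server):
    """Return (default route points into the tunnel?, routes that bypass it)."""
    routes = parse_routes(text)
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    default_ok = bool(defaults) and all(r["iface"] == tunnel_iface for r in defaults)
    server = ipaddress.ip_network(f"{vpn_server}/32")
    bypass = []
    for r in routes:
        if r["iface"] == tunnel_iface or r["net"].prefixlen == 0:
            continue
        # permitted off-tunnel routes: the directly connected LAN (no gateway)
        # and the host route needed to reach the VPN server itself
        if r["gw"] == "0.0.0.0" or r["net"] == server:
            continue
        bypass.append(str(r["net"]))
    return default_ok, bypass

def unexpected_listeners(text, allowed):
    """Sockets reachable from outside the host that are not on the allow list."""
    found = []
    for line in text.splitlines()[1:]:
        proto, local = line.split()[:2]
        addr, port = local.rsplit(":", 1)
        if ipaddress.ip_address(addr).is_loopback:
            continue                           # not reachable from the network
        if (proto, int(port)) not in allowed:
            found.append((proto, int(port)))
    return found

def client_posture(route_text, listen_text, tunnel_iface="tun0", vpn_server="203.0.113.5"):
    """Gateway-side decision from the client's report: allow access only in a clean captive state."""
    default_ok, bypass = check_routes(route_text, tunnel_iface, vpn_server)
    listeners = unexpected_listeners(listen_text, IKE_PORTS)
    return {"default_via_tunnel": default_ok, "bypass_routes": bypass,
            "unexpected_listeners": listeners,
            "allow_access": default_ok and not bypass and not listeners}
```

On the split-tunnel sample the report flags the Internet default route, the extra 172.16.0.0/12 route around the tunnel, and the FTP and 8080 listeners; on the captive sample with only IKE listening it allows access.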

Branch-to-Branch IPsec VPN Routing Issues
[Diagram: two IPSec Gateways across the Internet (Untrusted Network), each fronting a Trusted Network with its own Firewall; at each site the question is where the “Default Route?” points]
• Misconfiguration
• Default Route issues
• Internal Routing Attack

Security risks of incorrect routing in IPsec VPNs
• Traffic may be forced over an unprotected path
  – May be intercepted
• Traffic goes toward wrong destination
  – Doesn’t get to correct destination
  – May be intercepted
• Traffic follows “wrong” path toward correct destination
  – May be intercepted

Attacks on routing
• Injection of routes inside a site
  – Malicious
    • Routing process running on compromised host or router
    • Redirect traffic toward a compromised system internal to trusted network
    • Redirect via default route over unprotected path through untrusted network
  – Misconfiguration
    • Advertising routes via unprotected path
    • Static routes configured in routers
    • Routed (routing daemon) running on unauthorized hosts

Protection against routing attacks
• Routing authentication
• Options for OSPF
  – Keyed MD5 verifies identity
  – Digital signature allows tracing of bad route information
• Audit routers for bogus routes
• Restrict use of routing protocols on hosts
  – Use default route instead
  – Implement redundancy on routers (VRRP) or switches in LAN, not in host routing
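What "keyed MD5 verifies identity" means on the wire, as an added example that is not from the deck: the receiver side of OSPFv2 cryptographic authentication (RFC 2328 Appendix D), which recomputes MD5 over the packet followed by the shared key and checks the cryptographic sequence number. The router ID, area, key ID, 16-byte key and the Hello body are sample values constructed for the example, and the function names are this example's own. The sender-side builder is included only so the verifier has packets to check; the demo shows that a routing process without the key, or a packet whose body was altered after the digest was computed, is rejected, which is why an unauthorised routed daemon on a host cannot inject routes into an authenticated area.

```python
import hashlib
import hmac
import struct

# Constructed example of OSPFv2 cryptographic authentication (RFC 2328 Appendix D).
# The receiver recomputes MD5(packet || key) and enforces the cryptographic
# sequence number. Router IDs, areas, key IDs and the key are sample values.

HEADER = struct.Struct("!BBHIIHH")   # version, type, length, router id, area id, checksum, autype
AUTH = struct.Struct("!HBBI")        # zero, key id, auth data length, cryptographic sequence number
AUTYPE_CRYPTO = 2
KEY_LEN = 16                          # key is padded with zeros to 16 bytes

def ospf_crypto_packet(ptype, router_id, area_id, body, key_id, key, seq):
    """Sender side: OSPF header + body with the MD5 digest appended after the packet."""
    length = HEADER.size + AUTH.size + len(body)        # digest is not counted in length
    header = HEADER.pack(2, ptype, length, router_id, area_id, 0, AUTYPE_CRYPTO)  # checksum unused
    packet = header + AUTH.pack(0, key_id, KEY_LEN, seq) + body
    digest = hashlib.md5(packet + key.ljust(KEY_LEN, b"\0")).digest()
    return packet + digest

def verify_ospf_crypto(packet, keys, last_seq):
    """Receiver side. keys: {key_id: key}; last_seq: {router_id: seq}, updated on success."""
    if len(packet) < HEADER.size + AUTH.size:
        return False, "short packet"
    version, _ptype, length, router_id, _area, _csum, autype = HEADER.unpack_from(packet)
    if version != 2 or autype != AUTYPE_CRYPTO:
        return False, "not cryptographic authentication"
    zero, key_id, auth_len, seq = AUTH.unpack_from(packet, HEADER.size)
    if zero != 0 or auth_len != KEY_LEN or len(packet) < length + KEY_LEN:
        return False, "malformed authentication field"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id"
    expected = hashlib.md5(packet[:length] + key.ljust(KEY_LEN, b"\0")).digest()
    if not hmac.compare_digest(expected, packet[length:length + KEY_LEN]):
        return False, "bad digest"                  # wrong key, or packet altered in transit
    if seq < last_seq.get(router_id, 0):
        return False, "replayed sequence number"    # RFC 2328: must be >= last accepted
    last_seq[router_id] = seq
    return True, "ok"

def demo():
    """Accept a valid Hello, reject replay, a forgery without the key, and a tampered body."""
    key = b"example-shared-k"                     # constructed 16-byte key
    keys = {1: key}
    rid, area = 0xC0A80101, 0                      # router id 192.168.1.1, area 0.0.0.0
    body = bytes.fromhex("ffffff00000a020100000028" + "00" * 8)   # constructed Hello body
    seen = {}
    r = {}
    good = ospf_crypto_packet(1, rid, area, body, key_id=1, key=key, seq=100)
    r["valid"] = verify_ospf_crypto(good, keys, seen)[0]
    r["replay"] = verify_ospf_crypto(good, keys, {rid: 101})[0]
    forged = ospf_crypto_packet(1, rid, area, body, key_id=1, key=b"wrong-key", seq=200)
    r["forged"] = verify_ospf_crypto(forged, keys, seen)[0]
    tampered = good[:-KEY_LEN - 1] + bytes([good[-KEY_LEN - 1] ^ 1]) + good[-KEY_LEN:]
    r["tampered"] = verify_ospf_crypto(tampered, keys, seen)[0]
    return r
```

The sequence-number check is what turns a keyed digest into a replay defence: a captured valid packet cannot be re-injected later once the neighbour has seen a higher value from that router ID. Note that keyed MD5 only proves the sender holds the shared key; it does not identify which keyed router sent a bad route, which is why the slide lists digital signatures separately.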

Default route attacks
• Where does default route point?
  – To Internet?
  – Lost “internal” route can result in traffic being sent over Internet
  – Particularly problematic if the destination is reachable via Internet
• Key solution: policies on firewall
  – No traffic to internal destinations goes out through firewall
  – No traffic from internal source address can come in through firewall
• Harder solution: no default route to Internet
  – Specific management/advertisement of “allowable” routes
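The lost-internal-route scenario and the two firewall policies above, as an added example that is not from the deck. The SiteGateway class, the internal prefixes 10.1.0.0/16 and 10.3.0.0/16 and the peer address are constructed for the illustration. It shows the packet taking the VPN path while the route exists, falling onto the Internet default route when the route is lost, and being stopped by the egress policy; the ingress policy refuses a packet that arrives from the Internet claiming an internal source; and the "harder solution" of having no default route turns the leak into a plain drop.

```python
import ipaddress

# Constructed model of the "default route attack" on the deck's reference
# topology and of the two firewall policies the deck recommends. The class
# name, prefixes and gateway addresses are sample values for this example.

INTERNAL = [ipaddress.ip_network(p) for p in ("10.1.0.0/16", "10.3.0.0/16")]

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL)

class SiteGateway:
    def __init__(self, vpn_routes, default_to_internet=True):
        # prefix -> peer IPsec gateway, as learned over the VPN tunnels
        self.vpn_routes = {ipaddress.ip_network(p): hop for p, hop in vpn_routes.items()}
        self.default_to_internet = default_to_internet

    def egress_path(self, dst):
        """Path an outbound packet takes: ("vpn", peer), ("internet", None) or (None, None)."""
        addr = ipaddress.ip_address(dst)
        for net, hop in self.vpn_routes.items():
            if addr in net:
                return ("vpn", hop)
        return ("internet", None) if self.default_to_internet else (None, None)

def firewall_egress_allows(pkt):
    """Policy 1: no traffic to internal destinations goes out through the firewall."""
    return not is_internal(pkt["dst"])

def firewall_ingress_allows(pkt):
    """Policy 2: no packet with an internal source address comes in from the Internet."""
    return not is_internal(pkt["src"])

def demo():
    gw = SiteGateway({"10.3.0.0/16": "203.0.113.9"})
    pkt = {"src": "10.1.5.5", "dst": "10.3.7.7"}
    r = {}
    r["normal_path"] = gw.egress_path(pkt["dst"])[0]                    # "vpn"
    # the internal route to 10.3/16 is lost (bad update, misconfiguration, broken link)
    gw.vpn_routes.clear()
    r["path_after_route_loss"] = gw.egress_path(pkt["dst"])[0]         # "internet"
    # the firewall's egress policy stops the packet before the untrusted network
    r["egress_blocked"] = not firewall_egress_allows(pkt)
    # a packet from the Internet claiming an internal source is refused
    r["ingress_blocked"] = not firewall_ingress_allows({"src": "10.3.9.9", "dst": "10.1.1.1"})
    # ordinary Internet-bound traffic is unaffected by policy 1
    r["internet_traffic_allowed"] = firewall_egress_allows({"src": "10.1.5.5", "dst": "192.0.2.10"})
    # "harder solution": with no default route the packet is dropped instead of leaked
    strict = SiteGateway({}, default_to_internet=False)
    r["no_default_drops"] = strict.egress_path(pkt["dst"]) == (None, None)
    return r
```

Policy 1 is what limits the damage when routing goes wrong: however the route was lost, a packet addressed to another site's internal prefix never leaves in the clear. Policy 2 closes the matching inbound hole, so an attacker on the Internet cannot pose as a branch host simply by setting an internal source address.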

Securing IPsec Routing – Dynamic Routing Requirements
[Diagram: as on the “Routing outside IPsec” slide, but the IPsec Gateway at Site A now passes outbound traffic through Firewall functions, then Routing, then the per-site SPD/SAD “VPN Tunnel” SAs toward the Site X, Site Y and Site Z CPEs across the Untrusted Network; the Routing Exchange via OSPF, RIP, etc. runs through the tunnels]

Securing IPsec Routing – Dynamic Routing Requirements
• Strong Firewall capabilities
  – Inbound/outbound
  – Full range stateful inspection capabilities
• Full router functionality INSIDE the IPsec Gateway
  – Route filtering to prevent attacks
  – Ability to separate internal/external routes
  – Ability to see IPsec peer gateways as next-hop for routes learned via IPsec VPN tunnels
• Apply the routing rules by encapsulating the traffic, with “next IPsec hop” as the destination

Conclusion: Dynamic IPsec Routing opens new vulnerabilities
• The manageability and flexibility of dynamic routing are important for large networks, BUT:
• It is not enough to just add routing to an IPsec VPN box
• Firewall traffic filtering PLUS full-featured routing capabilities must be integrated into the system
• Remote access IPsec VPN security depends on trusted client software
  – To control insecure routing or relay capabilities of client
  – Use intrusion detection monitoring for verification

Questions???

Thank You!

