Dynamic Routing Inside IPsec VPNs: New Threats and Defenses
Paul Knight, Nortel Networks
Agenda
• Setting the stage
– IPsec topology background
– Dynamic routing in IPsec
• Attack and Defense
– Attacks from the Internet
• Denial of service
• Remote access “Split tunnel”
– Internal “branch-to-branch” attacks
• Routing attacks
• Misconfigurations
– Requirements: Securing IPsec routing
Dynamic Routing Inside IPsec VPNs- 2 Black Hat Briefings – Paul Knight
IPsec topology background
• The IPsec VPN model
– What is an “IPsec Gateway”?
– What are Tunnel and Transport Modes?
– What’s a Security Association?
• IPsec VPN topologies
– Not host-to-host
– Remote access VPN
– Major focus: Multi-site, branch offices
IPsec VPN models: Hosts and Security Gateways (diagram)
• Host-to-host (not VPN): two hosts communicating directly across the Internet (untrusted network)
• “Branch-to-branch” VPN model: between IPsec gateways, each fronting a trusted network
• “Remote access” VPN model: host to IPsec gateway
Two IPsec Modes: Transport and Tunnel Mode (diagram)
• Transport Mode: Original IP Header | IPsec ESP Header | Data (optional encryption covers Data)
• Tunnel Mode: New IP Header (outer) | IPsec ESP Header | Original IP Header (inner) | Data (optional encryption covers the inner header and Data)
Application of the IPsec modes (diagram)
• Between hosts: can use Transport (or Tunnel) Mode across the Internet (untrusted network)
• Between IPsec gateways: can ONLY use Tunnel Mode (or extra IP encapsulation inside Transport Mode) – MUST hide IP addresses of trusted networks
Application of the IPsec modes – Remote Access (diagram: remote host, Internet, IPsec gateway, trusted network)
• SHOULD use Tunnel Mode between host and gateway
– Hide IP addresses of trusted networks
– Allow remote host to truly join trusted network
– IPsec gateway assigns host a tunnel address, like DHCP
• Alternative: Transport Mode to “Application Level Gateway”
– IPsec gateway actually becomes a “host”
– Remote host is limited to applications supported by “gateway”
– Similar to SSL gateway model; heavy burden on “gateway”
Security Association (SA)
• SA = All the information shared between two IPsec systems to establish secure communication
– Selection of the security mechanisms:
• ESP or AH protection
• Ciphering algorithm
• Hash function
• Choice of authentication method
– Authentication of the two parties
– Choice of the ciphering and authentication keys
Security Databases
• A model to ensure a minimum of interoperability
• RFC 2401 – “Security Architecture for IP”
• Two Security Databases maintained on the IPsec system
– Security Policy Database (SPD)
– Security Association Database (SAD)
Security Association Database (SAD)
• All active Security Associations
• For each SA entry, includes:
– Identifier:
• Outer destination IP address
• Security Protocol
• SPI – Security Parameter Index
– Parameters:
• Authentication algorithm and keys
• Encryption algorithm and keys
• Lifetime
• Security Protocol Mode (tunnel or transport)
• Anti-replay service
• Link with an associated policy in the SPD
Security Policy Database (SPD)
• Applies to every packet
• For each policy entry, includes:
– Selectors:
• Destination IP Address
• Source IP Address
• Name
• Transport Layer Protocol (protocol number)
• Source and Destination Ports
– The policy:
• Discard the packet, bypass, or process IPsec
• For IPsec processing:
- Security Protocol and Mode
- Enabled Services (anti-replay, authentication, encryption)
- Algorithms (for authentication and/or encryption)
– Link to an active SA in the SAD (if it exists)
Inbound Packet Processing (diagram of the IPsec system: the incoming packet’s destination IP address, Security Protocol and SPI are the selectors)
1. Identify the SA in the SAD using the selectors
2. Read the SA parameters
3. Perform the enabled IPsec services
- Authentication
- Decryption
- Anti-replay service
4. Identify the policy in the SPD according to the selectors
5. Check the policy
Outbound Packet Processing (diagram of the IPsec system: policy selectors are taken from the outgoing IP header)
1. Identify the policy in the SPD according to the selectors
2. Read the policy parameters
3. Initiate a new SA if necessary
4. Read the SA parameters specified by the link
5. Perform the IPsec processing
Why is dynamic routing in IPsec VPNs important?
• Like ANY sizable network – without dynamic routing, life is HARD!
• It’s too hard to maintain static routes
• Hard to set up load balancing
• Hard to set up failover
• Hard to manage changes
• Hard to add new network sites
The IPsec “routing problem”
• Usual conversation:
– What’s the problem? You can already carry routing protocols over IPsec.
– Yes, but you can’t actually use them to ROUTE.
– Huh?
– The IPsec Security Associations have selectors that determine the traffic they allow. They are like static routes.
– Oh… Yeah… I see the problem.
The IPsec “routing problem”
• Dynamic routing in VPNs is a requirement
• Tunnel mode is incompatible with dynamic routing
– draft-touch-ipsec-vpn-04.txt (IETF – http://www.ietf.org/internet-drafts/X)
– draft-wang-cevpn-routing-00.txt
– draft-knight-ppvpn-ipsec-dynroute-01.txt
• WHY? Security Associations are created with selectors; tunnels have built-in “static routes”
• SP and SA Database lookups do the “routing”
• SA setup is orders of magnitude slower than a routing change; dynamically changing SAs due to routing updates doesn’t scale
Reference topology (diagram: Site A CPE connected across the untrusted network to Site X, Site Y and Site Z CPEs)
• Typical dynamic routing issues
– “Z” adds a new network
– New site added (hub/spoke model)
– A link (IPsec connection) breaks; re-route through another site

SP, SA Databases determine “routing” into tunnels – cannot adapt dynamically (diagram: IPsec Gateway (CPE) at Site A; outbound traffic enters SA pairs, one per address range, toward Sites X, Y and Z)
• Route exchange possible, but useless… (SPD, SAD control “routing”)
The basic solution
• Remove the tunnel’s “static routes”…. HOW?
• (1) Use “wild card” in tunnel SAs (allow all traffic) OR
• (2) Use encapsulation to make the traffic fit the “static route”, by setting the destination address in the encapsulated traffic
– IP-in-IP over Transport (IIPtran)
– Generic Routing Encapsulation (GRE) in tunnel or transport
• Both approaches are essentially similar in key ways, but (2) is more secure
– IPsec can still apply source/destination selectors
– Less chance for errors due to different systems’ dynamic routing abilities
• Either way, you must do “routing” (SA selection or encapsulation addressing) outside IPsec, and push traffic into a “VPN Tunnel” (may be Transport Mode)
Routing outside IPsec (diagram: IPsec Gateway at Site A with a routing function in front of the SPD/SAD; one “VPN Tunnel” SA pair to each of the Site X, Y and Z CPEs across the untrusted network)
• Each SPD/SAD handles a smaller address selector range
• One “VPN Tunnel” SA pair between sites (unless QoS or security requires more)
• Outbound traffic is routed first; routing exchange via OSPF, RIP, etc. runs through the tunnels
Tunnel mode = Transport mode + IP encapsulation
• Key concept for dynamic routing
1) Determine “next IPsec hop” of the packet, using policy, based on any criteria the “routing engine” can handle – route to destination (using dynamic information!), protocol, port (socket), even content analysis (URL, etc.)
2) Construct new encapsulating IP header with source/destination of next IPsec hop
3) Pass to IPsec process for TRANSPORT mode processing
• Resulting packet is equivalent to tunnel mode, but now it is routed using dynamic routing updates
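An added example (not from the talk) that models the SPD/SAD lookup described earlier and the three-step “route, then encapsulate” concept above: a classic per-prefix SPD silently discards traffic to a prefix learned by dynamic routing, whereas routing to the next IPsec hop and matching on gateway addresses does not. All sites, prefixes and gateway addresses are constructed.

```python
# Added example (not from the talk): why SA selectors act like static routes,
# and how "route first, then encapsulate toward the next IPsec hop" fixes it.
# All sites, prefixes and gateway addresses below are constructed.
import ipaddress

Net = ipaddress.ip_network
Addr = ipaddress.ip_address
LOCAL_GW = "203.0.113.1"  # Site A gateway address (constructed)

# Classic SPD at Site A: one PROTECT policy (one SA pair) per remote prefix.
# Entries are (src selector, dst selector, action, SA name); first match wins.
SPD_CLASSIC = [
    (Net("10.1.0.0/16"), Net("10.2.0.0/16"), "PROTECT", "SA-A-X"),
    (Net("10.1.0.0/16"), Net("10.3.0.0/16"), "PROTECT", "SA-A-Y"),
    (Net("10.1.0.0/16"), Net("10.4.0.0/16"), "PROTECT", "SA-A-Z"),
    (Net("0.0.0.0/0"),   Net("0.0.0.0/0"),   "DISCARD", None),
]

def spd_lookup(spd, src, dst):
    """Outbound SPD lookup on address selectors (step 1 of outbound processing)."""
    s, d = Addr(src), Addr(dst)
    for src_sel, dst_sel, action, sa in spd:
        if s in src_sel and d in dst_sel:
            return action, sa
    return "DISCARD", None

# Dynamic route table: prefix -> next IPsec hop (peer gateway address).
# 10.40.0.0/16 was just learned from Site Z via OSPF/RIP; no SA knows it.
ROUTES = {
    Net("10.2.0.0/16"):  "203.0.113.2",  # Site X gateway
    Net("10.3.0.0/16"):  "203.0.113.3",  # Site Y gateway
    Net("10.4.0.0/16"):  "203.0.113.4",  # Site Z gateway
    Net("10.40.0.0/16"): "203.0.113.4",  # new network added by Z
}

def next_ipsec_hop(dst):
    """Longest-prefix match over the dynamic route table."""
    d = Addr(dst)
    hits = [n for n in ROUTES if d in n]
    return ROUTES[max(hits, key=lambda n: n.prefixlen)] if hits else None

# "VPN tunnel" SPD: one SA pair per peer, selected on gateway addresses only,
# so it never has to change when internal prefixes come and go.
SPD_TUNNEL = [
    (Net(LOCAL_GW + "/32"), Net(peer + "/32"), "PROTECT", "VPN-" + name)
    for peer, name in (("203.0.113.2", "X"), ("203.0.113.3", "Y"), ("203.0.113.4", "Z"))
]

def route_then_encapsulate(src, dst):
    """Steps 1-3: pick next IPsec hop, build outer header, run transport-mode SPD."""
    hop = next_ipsec_hop(dst)
    if hop is None:
        return "NO-ROUTE", None, None
    outer = {"src": LOCAL_GW, "dst": hop, "payload": (src, dst)}
    action, sa = spd_lookup(SPD_TUNNEL, outer["src"], outer["dst"])
    return action, sa, outer["dst"]
```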
Tunnel mode = Transport mode + IP encapsulation (diagram)
• Remember transport mode? Original IP Header | IPsec ESP Header | Data (optional encryption)
• IP-in-IP encapsulation: New IP Header | Original IP Header | Data – the original header and data become the new “Data”
• Transport Mode applied to the encapsulated packet: New IP Header | IPsec ESP Header | Original IP Header | Data (optional encryption)
• Packet looks like Tunnel Mode! Addresses in the new IP header determine where the packet goes
Routing with VPN tunnels
• What is a “VPN TUNNEL?”
– An IPsec SA with NO effective address filters
– May be IPsec tunnel mode or IP-in-IP over transport mode
– It allows ANY IP traffic (unicast/multicast) to pass
– It allows routing protocols to pass
– Its end points are the IPsec gateway interfaces
– It still protects all traffic with encryption
– It is like an Ethernet, ATM, or Frame Relay “link” over the Internet, but secured by IPsec
• Since you can’t use the IPsec tunnel definitions or “filters” to select destinations, you MUST route before putting the traffic into an IPsec “VPN tunnel”
Routing with VPN Tunnels: Requirements for IPsec Gateways
• Full-power router “inside” the IPsec gateway, with traffic and route filters, even firewalls
• Ability to separate VPN routes from external (untrusted network) and local routes
• Ability to use the endpoint of the IPsec “VPN Tunnel” just like any IP-capable interface
– To pass routed traffic
– To send and receive routing protocols
Remote Access IPsec VPN routing attack (diagram: remote client, Internet, IPsec gateway, trusted network)
• Split tunneling
– Captive tunnel: Client’s “default route” points into tunnel to IPsec gateway; other routes not allowed
– Split tunnel: Client’s default route is into Internet; specific routes to trusted network are loaded into Client’s routing table by IPsec Gateway
• Denial of Service Attacks
– Various attacks to waste Gateway’s resources (bandwidth, open connections, processing time, etc.)
– Not the subject of this talk (but interesting!)
No Split Tunneling vs. Split Tunneling (diagram: remote client, Internet host, IPsec gateway, firewall, trusted network)
• No split tunneling: all of the client’s traffic, including traffic to the Internet host, goes through the tunnel to the IPsec gateway
• Split tunneling: the client reaches the Internet host directly while the tunnel to the trusted network stays up
Why allow split tunneling?
• Avoid wasting bandwidth at VPN hub site
– Internet traffic of clients would traverse the hub site
– (Can be avoided by policy blocking Internet access during remote access, forcing client to log out of VPN)
• Short DHCP/PPPoE leases may require frequent contact to server at client’s ISP
– Can’t contact server if all routes point to VPN tunnel
• Convenience of keeping VPN connection up during other Internet access
Split Tunneling – Potential Attacks
• FTP relay through client
– Client running FTP server can become conduit from Internet into trusted network
– Other similar services running on client – tftp, smtp, or custom relay application, maybe malicious application
• RAT – Remote Access Trojan on client
– Back Orifice, etc.
– pcAnywhere (not a “Trojan” but same issue)
– Allow remote control of PC, and thus potential access to trusted network
Split Tunneling – Defenses
• Prevent split tunneling
– Corporate policy decision
– Enforcement through Gateway/client software capabilities
• Gateway sends only default route to client
• Client software reads routing table on client, reports to gateway and/or blocks access if routes are found
• Prevent active relay services or remote control
– Break connection if unexpected port is open on client
• Both defenses depend on client software ability to determine true state of client machine
– Depends on operating system and multitasking, multiprocessing capabilities of client system
Branch-to-Branch IPsec VPN Routing Issues (diagram: two IPsec gateways with firewalls and trusted networks across the Internet; “Default Route?” is marked at each site)
• Misconfiguration
• Default Route issues
• Internal Routing Attack
Security risks of incorrect routing in IPsec VPNs
• Traffic may be forced over an unprotected path
– May be intercepted
• Traffic goes toward wrong destination
– Doesn’t get to correct destination
– May be intercepted
• Traffic follows “wrong” path toward correct destination
– May be intercepted
Attacks on routing
• Injection of routes inside a site
– Malicious
• Routing process running on compromised host or router
• Redirect traffic toward a compromised system internal to trusted network
• Redirect via default route over unprotected path through untrusted network
– Misconfiguration
• Advertising routes via unprotected path
• Static routes configured in routers
• Routed (routing daemon) running on unauthorized hosts
Protection against routing attacks
• Routing authentication
• Options for OSPF
– Keyed MD5 verifies identity
– Digital signature allows tracing of bad route information
• Audit routers for bogus routes
• Restrict use of routing protocols on hosts
– Use default route instead
– Implement redundancy on routers (VRRP) or switches in LAN, not in host routing
Default route attacks
• Where does default route point?
– To Internet?
– Lost “internal” route can result in traffic being sent over Internet
– Particularly problematic if the destination is reachable via Internet
• Key solution: policies on firewall
– No traffic to internal destinations goes out through firewall
– No traffic from internal source address can come in through firewall
• Harder solution: no default route to Internet
– Specific management/advertisement of “allowable” routes
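An added example (not from the talk) of the two defensive checks just described: an audit that finds trusted prefixes which, after a lost tunnel route, would fall through to the Internet default route, and the firewall policy that drops such traffic at the Internet-facing interface in both directions. The prefixes, interface names and route table are constructed.

```python
# Added example (not from the talk): audit a branch gateway's route table for
# internal prefixes that would fall through to the Internet default route, and
# apply the two firewall policies from the slide. Everything here is constructed.
import ipaddress

Net, Addr = ipaddress.ip_network, ipaddress.ip_address
TRUSTED = [Net("10.1.0.0/16"), Net("10.2.0.0/16"), Net("10.3.0.0/16")]  # all VPN sites
INTERNET_IFACE = "eth0"  # the firewall sits on this interface

# Route table after the tunnel route to Site Y (10.3.0.0/16) was lost:
# (prefix, egress interface). The default route points at the Internet.
ROUTES = [
    (Net("10.1.0.0/16"), "lan0"),
    (Net("10.2.0.0/16"), "vpn-x"),
    (Net("0.0.0.0/0"), INTERNET_IFACE),
]

def egress_iface(dst):
    """Longest-prefix match; returns the interface the packet would leave on."""
    d = Addr(dst)
    hits = [r for r in ROUTES if d in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def audit_routes():
    """Trusted prefixes that currently resolve to the unprotected path."""
    leaks = []
    for net in TRUSTED:
        probe = str(net.network_address + 1)  # any host inside the prefix
        if egress_iface(probe) == INTERNET_IFACE:
            leaks.append(str(net))
    return leaks

def is_internal(addr):
    return any(Addr(addr) in n for n in TRUSTED)

def firewall_verdict(direction, iface, src, dst):
    """The slide's two policies, enforced only on the Internet-facing interface:
    no internal destination may go OUT, no internal source may come IN."""
    if iface != INTERNET_IFACE:
        return "ACCEPT"
    if direction == "out" and is_internal(dst):
        return "DROP"
    if direction == "in" and is_internal(src):
        return "DROP"
    return "ACCEPT"

def forward(src, dst):
    """Route the packet, then apply the outbound firewall on the chosen interface."""
    iface = egress_iface(dst)
    return iface, firewall_verdict("out", iface, src, dst)
```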
Securing IPsec Routing – Dynamic Routing Requirements (diagram: IPsec Gateway at Site A with firewall functions and routing in front of the SPD/SAD; one VPN tunnel to each of the Site X, Y and Z CPEs across the untrusted network; outbound traffic is routed first, with routing exchange via OSPF, RIP, etc.)
Securing IPsec Routing – Dynamic Routing Requirements
• Strong Firewall capabilities
– Inbound/outbound
– Full range stateful inspection capabilities
• Full router functionality INSIDE the IPsec Gateway
– Route filtering to prevent attacks
– Ability to separate internal/external routes
– Ability to see IPsec peer gateways as next-hop for routes learned via IPsec VPN tunnels
• Apply the routing rules by encapsulating the traffic, with “next IPsec hop” as the destination
Conclusion: Dynamic IPsec Routing opens new vulnerabilities
• The manageability and flexibility of dynamic routing are important for large networks, BUT:
• It is not enough to just add routing to an IPsec VPN box
• Firewall traffic filtering PLUS full-featured routing capabilities must be integrated into the system
• Remote access IPsec VPN security depends on trusted client software
– To control insecure routing or relay capabilities of client
– Use intrusion detection monitoring for verification
Questions???
Thank You!