dynamic routing inside ipsec vpns
TRANSCRIPT
-
8/14/2019 Dynamic Routing Inside IPsec VPNs
1/40
Dynamic Routing Inside IPsec VPNs
New Threats and Defenses
Paul Knight, Nortel Networks
-
2/40
Dynamic Routing Inside IPsec VPNs- 2
Black Hat Briefings Paul Knight
Agenda
Setting the stage
  IPsec topology background
  Dynamic routing in IPsec
Attack and Defense
  Attacks from the Internet
    Denial of service
    Remote access: split tunnel
  Internal branch-to-branch attacks
    Routing attacks
    Misconfigurations
Requirements: Securing IPsec routing
-
3/40
IPsec topology background
The IPsec VPN model
  What is an IPsec Gateway?
  What are Tunnel and Transport Modes?
  What's a Security Association?
IPsec VPN topologies
  Not host-to-host
  Remote access VPN
  Major focus: Multi-site, branch offices
-
4/40
IPsec VPN models: Hosts and Security Gateways
[Diagram: trusted networks behind IPsec gateways, connected across the untrusted network (Internet); a remote host and a host-to-host pair are also shown]
Branch-to-branch VPN model: between IPsec gateways
Remote access VPN model: host to gateway
Host-to-host (not VPN)
-
5/40
Two IPsec Modes: Transport and Tunnel Mode
[Packet layouts from the slide]
Tunnel Mode:    [New IP Header (outer)] [IPsec ESP Header] [Original IP Header (inner)] [Data]
                optional encryption covers the original IP header and the data
Transport Mode: [Original IP Header] [IPsec ESP Header] [Data]
                optional encryption covers the data
-
6/40
Application of the IPsec modes
[Diagram: hosts on trusted networks behind IPsec gateways, connected across the untrusted network (Internet)]
Can use Transport (or Tunnel) Mode between Hosts
Can ONLY use Tunnel Mode between Gateways (or extra IP encapsulation inside Transport Mode)
MUST hide IP addresses of trusted networks
-
7/40
Application of the IPsec modes: Remote Access
[Diagram: remote host across the untrusted network (Internet) to an IPsec gateway in front of the trusted network]
SHOULD use Tunnel Mode between host and gateway
  Hide IP addresses of trusted networks
  Allow remote host to truly join trusted network
  IPsec gateway assigns host a tunnel address, like DHCP
Alternative: Transport Mode to Application Level Gateway
  IPsec gateway actually becomes a host
  Remote host is limited to applications supported by gateway
  Similar to SSL gateway model; heavy burden on gateway
-
8/40
Security Association (SA)
SA = All the information shared between two IPsec systems to establish secure communication
Selection of the security mechanisms:
  ESP or AH protection
  Ciphering algorithm
  Hash function
  Choice of authentication method
Authentication of the two parties
Choice of the ciphering and authentication keys
-
9/40
Security Databases
A model to ensure a minimum of interoperability
RFC 2401 - Security Architecture for IP
Two Security Databases maintained on the IPsec system
  Security Policy Database (SPD)
  Security Association Database (SAD)
-
10/40
Security Association Database (SAD)
All active Security Associations
For each SA entry, includes:
  Identifier:
    Outer destination IP address
    Security Protocol
    SPI (Security Parameter Index)
  Parameters:
    Authentication algorithm and keys
    Encryption algorithm and keys
    Lifetime
    Security Protocol Mode (tunnel or transport)
    Anti-replay service
  Link with an associated policy in the SPD
-
11/40
Security Policy Database (SPD)
Applies to every packet
For each policy entry, includes:
  Selectors:
    Destination IP Address
    Source IP Address
    Name
    Transport Layer Protocol (protocol number)
    Source and Destination Ports
  The policy:
    Discard the packet, bypass, or process IPsec
    For IPsec processing:
      - Security Protocol and Mode
      - Enabled Services (anti-replay, authentication, encryption)
      - Algorithms (for authentication and/or encryption)
  Link to an active SA in the SAD (if it exists)
-
12/40
Inbound Packet Processing
[Diagram: an incoming packet (IP Header + IPsec) enters the IPsec system, is matched against the SAD, processed, checked against the SPD, and leaves as a plain IP packet]
1. Identify the SA in the SAD by the selectors: destination IP address, Security Protocol, SPI
2. Read the SA parameters
3. Perform the enabled IPsec services:
   - Authentication
   - Decryption
   - Anti-replay service
4. Identify the policy in the SPD according to the selectors
5. Check the policy
-
13/40
Outbound Packet Processing
[Diagram: a plain IP packet enters the IPsec system; its policy selectors are matched against the SPD, the linked SA is read from the SAD, and the packet leaves as IP Header + IPsec]
1. Identify the policy in the SPD according to the selectors
2. Read the policy parameters
3. Initiate a new SA if necessary
4. Read the SA parameters specified by the link
5. Compute the IPsec processing
-
14/40
Agenda
Setting the stage
  IPsec topology background
  Dynamic routing in IPsec
Attack and Defense
  Attacks from the Internet
    Denial of service
    Remote access: split tunnel
  Internal branch-to-branch attacks
    Routing attacks
    Misconfigurations
Requirements: Securing IPsec routing
-
15/40
Why is dynamic routing in IPsec VPNs important?
Like ANY sizable network without dynamic routing, life is HARD!
  It's too hard to maintain static routes
  Hard to set up load balancing
  Hard to set up failover
  Hard to manage changes
  Hard to add new network sites
-
16/40
The IPsec routing problem
Usual conversation:
  "What's the problem? You can already carry routing protocols over IPsec."
  "Yes, but you can't actually use them to ROUTE."
  "Huh?"
  "The IPsec Security Associations have selectors that determine the traffic they allow. They are like static routes."
  "Oh yeah, I see the problem."
-
17/40
The IPsec routing problem
Dynamic routing in VPNs is a requirement
Tunnel mode is incompatible with dynamic routing
  draft-touch-ipsec-vpn-04.txt (IETF http://www.ietf.org/internet-drafts/X)
  draft-wang-cevpn-routing-00.txt
  draft-knight-ppvpn-ipsec-dynroute-01.txt
WHY?
  Security Associations are created with selectors
  Tunnels have built-in static routes
  SP and SA Database lookups do the routing
  SA setup is orders of magnitude slower than a routing change
  Dynamically changing SAs due to routing updates doesn't scale
-
18/40
Reference topology
[Diagram: Site A CPE connected across the untrusted network to the CPEs at Sites X, Y and Z]
Typical dynamic routing issues
  Z adds a new network
  New site added (Hub/spoke model)
  A link (IPsec connection) breaks; re-route through another site
-
19/40
[Diagram: IPsec Gateway (CPE) at Site A; outbound traffic is matched against the SPD and SAD, which hold one SA pair per address range, to select the tunnel to Site X, Y or Z across the untrusted network]
SA pairs: one per address range
SP, SA Databases determine routing into tunnels; cannot adapt dynamically
Route exchange possible, but useless (SPD, SAD control routing)
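The outbound SPD/SAD lookup described above, and the reason it cannot follow routing updates, in a small model. This is an added example, not the presenter's code; the SPD entries, SPIs, gateway addresses, site prefixes and the catch-all bypass entry are all constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class SA:
    spi: int
    peer: str  # outer destination address: the remote IPsec gateway (constructed)

@dataclass
class SPDEntry:
    dst: ipaddress.IPv4Network  # selector: destination address range
    action: str                 # "discard", "bypass" or "protect"
    sa: Optional[SA] = None     # link to an active SA in the SAD

def outbound_lookup(spd, dst_ip):
    """Outbound processing, step 1: first SPD entry whose selector matches the packet."""
    addr = ipaddress.ip_address(dst_ip)
    for entry in spd:
        if addr in entry.dst:
            return entry.action, entry.sa
    return "discard", None  # no matching policy: the packet is dropped

# Site A's SAD: one SA per remote site (addresses and SPIs are made up)
SAD = {0x1001: SA(0x1001, "198.51.100.2"),   # gateway at Site X
       0x1002: SA(0x1002, "198.51.100.3"),   # gateway at Site Y
       0x1003: SA(0x1003, "198.51.100.4")}   # gateway at Site Z
# Site A's SPD: one selector range per tunnel, i.e. a static route per site,
# followed by a bypass entry for ordinary Internet traffic
SPD = [SPDEntry(ipaddress.ip_network("10.1.0.0/16"), "protect", SAD[0x1001]),
       SPDEntry(ipaddress.ip_network("10.2.0.0/16"), "protect", SAD[0x1002]),
       SPDEntry(ipaddress.ip_network("10.3.0.0/16"), "protect", SAD[0x1003]),
       SPDEntry(ipaddress.ip_network("0.0.0.0/0"), "bypass")]

# What the routing protocol currently says about each prefix. The IPsec lookup
# above never consults it: the selectors, not the routes, pick the tunnel.
ROUTES = {"10.1.0.0/16": "X", "10.2.0.0/16": "Y",
          "10.3.0.0/16": "Y",   # tunnel to Z failed; Y now re-advertises 10.3/16
          "10.9.0.0/16": "Z"}   # Z added a new network

def selected_peer(dst_ip, spd=SPD):
    """Gateway the packet is actually tunnelled to, or the non-protect action taken."""
    action, sa = outbound_lookup(spd, dst_ip)
    return sa.peer if sa is not None else action
```

Both failure cases from the reference topology show up directly: traffic for 10.3.7.9 still goes to the failed Z tunnel although routing says Y, and Z's new 10.9.0.0/16 matches only the bypass entry, so it leaves over the unprotected path.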
-
20/40
The basic solution
Remove the tunnel's static routes. HOW?
  (1) Use a wild card in tunnel SAs (allow all traffic), OR
  (2) Use encapsulation to make the traffic fit the static route, by setting the destination address in the encapsulated traffic
    IP-in-IP over Transport (IIPtran)
    Generic Routing Encapsulation (GRE) in tunnel or transport
Both approaches are essentially similar in key ways, but (2) is more secure
  IPsec can still apply source/destination selectors
  Less chance for errors due to different systems' dynamic routing abilities
Either way, you must do routing (SA selection or encapsulation addressing) outside IPsec, and push traffic into a VPN Tunnel (may be Transport Mode)
-
21/40
Routing outside IPsec: Each SPD/SAD handles a smaller address selector range
[Diagram: IPsec Gateway at Site A; a routing function, fed by routing exchange via OSPF, RIP, etc., steers outbound traffic into one of three SPD/SAD pairs, one per tunnel to Site X, Y or Z across the untrusted network]
One VPN Tunnel SA pair between sites (unless QoS or security requires more)
-
22/40
Tunnel mode = Transport mode + IP encapsulation
Key concept for dynamic routing
1) Determine next IPsec hop of the packet, using policy, based on any criteria the routing engine can handle: route to destination (using dynamic information!), protocol, port (socket), even content analysis (URL, etc.)
2) Construct new encapsulating IP header with source/destination of next IPsec hop
3) Pass to IPsec process for TRANSPORT mode processing
Resulting packet is equivalent to tunnel mode, but now it is routed using dynamic routing updates
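The three steps above, carried out on a constructed packet: a longest-prefix lookup over dynamically learned routes picks the next IPsec hop, and an IP-in-IP header addressed to that gateway is prepended, leaving transport-mode ESP to the IPsec stack. This is an added example, not the presenter's or any vendor's code; the gateway addresses, site prefixes and route tables are assumptions.

```python
import ipaddress
import struct

# Public addresses of the IPsec gateways at each site (constructed for this example)
GATEWAYS = {"A": "198.51.100.1", "X": "198.51.100.2",
            "Y": "198.51.100.3", "Z": "198.51.100.4"}

def next_ipsec_hop(routes, dst_ip):
    """Step 1: longest-prefix match over the prefixes the routing engine has learned."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, site in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return None if best is None else best[1]

def checksum(data):
    """One's-complement IPv4 header checksum (zero when computed over a valid header)."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def encapsulate(routes, inner_packet, local_site="A"):
    """Steps 1 and 2: pick the next IPsec hop from the dynamic routes and prepend an
    IP-in-IP (protocol 4) header addressed gateway-to-gateway. Step 3, transport-mode
    ESP over the result, is the IPsec stack's job and is not modelled here."""
    inner_dst = str(ipaddress.IPv4Address(inner_packet[16:20]))
    site = next_ipsec_hop(routes, inner_dst)
    if site is None:
        raise ValueError("no VPN route to %s: refuse rather than send unprotected" % inner_dst)
    outer = ipv4_header(GATEWAYS[local_site], GATEWAYS[site], 4, len(inner_packet))
    return outer + inner_packet

def outer_destination(packet):
    """Outer destination address, i.e. the gateway the packet will be carried to."""
    return str(ipaddress.IPv4Address(packet[16:20]))

# Constructed inner packet: host 10.0.0.5 at Site A to host 10.3.7.9 at Site Z (UDP, 8 bytes)
INNER = ipv4_header("10.0.0.5", "10.3.7.9", 17, 8) + b"\x00" * 8
# Routes at Site A as learned over the tunnels; in the second table the link to Z has
# broken and the routing protocol now reaches 10.3.0.0/16 through Site Y
ROUTES_OK = {"10.1.0.0/16": "X", "10.2.0.0/16": "Y", "10.3.0.0/16": "Z"}
ROUTES_Z_DOWN = {"10.1.0.0/16": "X", "10.2.0.0/16": "Y", "10.3.0.0/16": "Y"}
```

Because the outer destination comes from the route table rather than from an SA selector, the same SA to each gateway keeps working when a prefix moves from Z to Y.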
-
23/40
Tunnel mode = Transport mode + IP encapsulation
[Packet layouts from the slide]
Remember transport mode?
  [Original IP Header] [IPsec ESP Header] [Data]   (optional encryption of data)
IP-in-IP encapsulation:
  [New IP Header] [Original IP Header] [Data]   addresses in the new IP header determine where the packet goes
Transport mode applied to the encapsulated packet (the original IP header plus data is now the "new data"):
  [New IP Header] [IPsec ESP Header] [Original IP Header] [Data]   (optional encryption)
  Packet looks like Tunnel Mode!
-
24/40
Routing with VPN tunnels
What is a VPN TUNNEL? An IPsec SA with NO effective address filters
  May be IPsec tunnel mode or IP-in-IP over transport mode
  It allows ANY IP traffic (unicast/multicast) to pass
  It allows routing protocols to pass
  Its end points are the IPsec gateway interfaces
  It still protects all traffic with encryption
  It is like an Ethernet, ATM, or Frame Relay link over the Internet, but secured by IPsec
Since you can't use the IPsec tunnel definitions or filters to select destinations, you MUST route before putting the traffic into an IPsec VPN tunnel
-
25/40
Routing with VPN Tunnels: Requirements for IPsec Gateways
Full-power router inside the IPsec gateway, with traffic and route filters, even firewalls
Ability to separate VPN routes from external (untrusted network) and local routes
Ability to use the endpoint of the IPsec VPN Tunnel just like any IP-capable interface
  To pass routed traffic
  To send and receive routing protocols
-
26/40
Agenda
Setting the stage
  IPsec topology background
  Dynamic routing in IPsec
Attack and Defense
  Attacks from the Internet
    Remote access: split tunnel
    Denial of service
  Internal branch-to-branch attacks
    Routing attacks
    Misconfigurations
Requirements: Securing IPsec routing
-
27/40
Remote Access IPsec VPN routing attack
[Diagram: remote client across the untrusted network (Internet) to an IPsec gateway in front of the trusted network]
Split tunneling
  Captive tunnel: Client's default route points into tunnel to IPsec gateway; other routes not allowed
  Split tunnel: Client's default route is into Internet; specific routes to trusted network are loaded into Client's routing table by IPsec Gateway
Denial of Service Attacks
  Various attacks to waste Gateway's resources (bandwidth, open connections, processing time, etc.)
  Not the subject of this talk (but interesting!)
-
28/40
[Diagram, "No Split Tunneling": the remote client's traffic all enters the tunnel to the IPsec gateway; an Internet host is reached only back out through the trusted network's firewall]
[Diagram, "Split Tunneling": the remote client reaches the trusted network through the IPsec gateway and an Internet host directly, at the same time]
-
29/40
Why allow split tunneling?
Avoid wasting bandwidth at VPN hub site
  Internet traffic of clients would traverse the hub site
  (Can be avoided by policy blocking Internet access during remote access, forcing client to log out of VPN)
Short DHCP/PPPoE leases may require frequent contact to server at client's ISP
  Can't contact server if all routes point to VPN tunnel
Convenience of keeping VPN connection up during other Internet access
-
30/40
Split Tunneling: Potential Attacks
FTP relay through client
  Client running FTP server can become conduit from Internet into trusted network
  Other similar services running on client: tftp, smtp, or custom relay application, maybe malicious application
RAT (Remote Access Trojan) on client
  Back Orifice, etc.
  PC Anywhere (not a Trojan but same issue)
  Allow remote control of PC, and thus potential access to trusted network
-
31/40
Split Tunneling: Defenses
Prevent split tunneling
  Corporate policy decision
  Enforcement through Gateway/client software capabilities
    Gateway sends only default route to client
    Client software reads routing table on client, reports to gateway and/or blocks access if routes are found
Prevent active relay services or remote control
  Break connection if unexpected port is open on client
Both defenses depend on client software's ability to determine true state of client machine
  Depends on operating system and multitasking, multiprocessing capabilities of client system
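A client-side check of the kind described above (read the routing table, report or block if routes outside the tunnel are found), written as an added illustration rather than any vendor's client software. It assumes Linux-style `ip route` output, a tunnel interface named ipsec0 and a gateway address of 198.51.100.1, and it tolerates only the host route to the gateway and directly connected subnets; all of these are assumptions, and the two routing tables are constructed.

```python
import ipaddress

TUNNEL_IF = "ipsec0"          # assumed name of the client's tunnel interface
VPN_GATEWAY = "198.51.100.1"  # assumed public address of the IPsec gateway

def parse_routes(text):
    """Turn Linux-style 'ip route' lines into (network, device, directly_connected)."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        prefix = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        connected = "scope" in tok and tok[tok.index("scope") + 1] == "link"
        routes.append((ipaddress.ip_network(prefix, strict=False), dev, connected))
    return routes

def split_tunnel_findings(routes, tunnel_if=TUNNEL_IF, vpn_gw=VPN_GATEWAY):
    """Captive-tunnel check: the default route must point into the tunnel, and the
    only routes allowed to bypass it are the host route to the gateway itself and
    directly connected subnets. Returns a list of findings; empty means compliant."""
    gw = ipaddress.ip_network(vpn_gw + "/32")
    findings, default_in_tunnel = [], False
    for net, dev, connected in routes:
        if dev == tunnel_if:
            default_in_tunnel = default_in_tunnel or net.prefixlen == 0
            continue
        if net.prefixlen == 0:
            findings.append("default route via %s bypasses the tunnel" % dev)
        elif net != gw and not connected:
            findings.append("route %s via %s bypasses the tunnel" % (net, dev))
    if not default_in_tunnel:
        findings.append("no default route into %s" % tunnel_if)
    return findings

# Constructed routing tables: a captive-tunnel client and a split-tunnel client
CAPTIVE = """
default via 10.200.0.1 dev ipsec0
10.200.0.0/24 dev ipsec0 proto kernel scope link src 10.200.0.7
198.51.100.1 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
"""
SPLIT = """
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.200.0.1 dev ipsec0
10.200.0.0/24 dev ipsec0 proto kernel scope link src 10.200.0.7
198.51.100.1 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
203.0.113.0/24 via 192.168.1.1 dev eth0
"""
```

As the slide notes, such a check is only as trustworthy as the client software's view of the machine; a process that hides routes from it defeats the report.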
-
32/40
Branch-to-Branch IPsec VPN Routing Issues
[Diagram: two trusted networks, each behind a firewall and an IPsec gateway, connected across the untrusted network (Internet); each side asks "Default Route?"]
Misconfiguration
Default Route issues
Internal Routing Attack
-
33/40
Security risks of incorrect routing in IPsec VPNs
Traffic may be forced over an unprotected path
  May be intercepted
Traffic goes toward wrong destination
  Doesn't get to correct destination
  May be intercepted
Traffic follows wrong path toward correct destination
  May be intercepted
-
34/40
Attacks on routing
Injection of routes inside a site
  Malicious
    Routing process running on compromised host or router
    Redirect traffic toward a compromised system internal to trusted network
    Redirect via default route over unprotected path through untrusted network
  Misconfiguration
    Advertising routes via unprotected path
    Static routes configured in routers
    Routed (routing daemon) running on unauthorized hosts
-
35/40
Protection against routing attacks
Routing authentication
  Options for OSPF
    Keyed MD5 verifies identity
    Digital signature allows tracing of bad route information
Audit routers for bogus routes
Restrict use of routing protocols on hosts
  Use default route instead
  Implement redundancy on routers (VRRP) or switches in LAN, not in host routing
-
36/40
Default route attacks
Where does default route point? To Internet?
  Lost internal route can result in traffic being sent over Internet
  Particularly problematic if the destination is reachable via Internet
Key solution: policies on firewall
  No traffic to internal destinations goes out through firewall
  No traffic from internal source address can come in through firewall
Harder solution: no default route to Internet
  Specific management/advertisement of allowable routes
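The two firewall rules above, applied to constructed packet records of the kind a firewall would see after an internal route has been lost. This is an added example rather than the presenter's configuration; the internal prefixes and the sample records are assumptions, and anything the two rules do not catch is left to ordinary stateful inspection.

```python
import ipaddress

# Address ranges that belong to the trusted networks and must only be reached
# through the VPN (constructed; matches the site prefixes used earlier)
INTERNAL = [ipaddress.ip_network(p) for p in
            ("10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def firewall_verdict(direction, src, dst):
    """The slide's two rules for the Internet-facing firewall. 'out' is a packet
    leaving toward the Internet, 'in' a packet arriving from it. Packets not
    caught here fall through to the firewall's normal stateful inspection."""
    if direction == "out" and is_internal(dst):
        return "drop", "internal destination %s leaking via default route" % dst
    if direction == "in" and is_internal(src):
        return "drop", "internal source %s arriving from untrusted network" % src
    return "accept", ""

def audit(records):
    """Apply the rules to (direction, src, dst) tuples and return the drops with reasons."""
    dropped = []
    for direction, src, dst in records:
        verdict, why = firewall_verdict(direction, src, dst)
        if verdict == "drop":
            dropped.append((direction, src, dst, why))
    return dropped

# Constructed packet records seen at the firewall after an internal route was lost
SAMPLE = [
    ("out", "10.0.0.5", "10.3.7.9"),      # should have entered the tunnel to Site Z
    ("out", "10.0.0.5", "203.0.113.50"),  # ordinary Internet traffic: allowed
    ("in", "10.3.7.9", "10.0.0.5"),       # internal source from the Internet: spoofed or leaked
    ("in", "203.0.113.7", "10.0.0.5"),    # not covered by these two rules
]
```

A drop of the first kind is also a useful alert: it means some router's route for that prefix is missing or wrong, which is exactly the misconfiguration or injection case the talk warns about.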
-
37/40
Securing IPsec Routing: Dynamic Routing Requirements
[Diagram: as on the "Routing outside IPsec" slide, the IPsec Gateway at Site A routes outbound traffic, using routing exchange via OSPF, RIP, etc., into one SPD/SAD pair per tunnel to Site X, Y or Z across the untrusted network, with firewall functions added in front of the routing function]
-
38/40
Securing IPsec Routing: Dynamic Routing Requirements
Strong Firewall capabilities
  Inbound/outbound
  Full range stateful inspection capabilities
Full router functionality INSIDE the IPsec Gateway
  Route filtering to prevent attacks
  Ability to separate internal/external routes
  Ability to see IPsec peer gateways as next-hop for routes learned via IPsec VPN tunnels
  Apply the routing rules by encapsulating the traffic, with next IPsec hop as the destination
-
39/40
-
40/40
Questions???
Thank You!