The control plane is commonly understood as the set of dynamic operations of a device. Typically it takes the form of network protocols that operate between network devices (dynamic routing protocols, spanning tree, first hop redundancy protocols, ...). Another typical control plane operation is event logging. The following sections describe logging and some of the dynamic network protocols in more depth, with the main focus on their security considerations.
Logging
In the context of information technology, the term logging refers to the process of maintaining a journal of a system's past events. This information (logs) is useful not only for troubleshooting, but is also a very important source of knowledge about the normal operation of a network, so logs should be properly kept and analyzed periodically. In order to be able to effectively extract and correlate the needed information, the following criteria should be met:
• Logs of an adequate severity level are kept.
• Every log message carries an accurate time stamp (which presupposes that the clocks of the devices are synchronized, e.g. via NTP).
• Logs are centralized on dedicated servers with a proper backup policy in place.
Some sources even propose keeping the logs on "permanent" storage, i.e. printing them as they are received, so that an intruder who later compromises the log server cannot alter the record. Keeping the logs on a dedicated server which does not run any other services effectively limits the possible attack vectors. Most vendors of network devices allow the administrator to specify the size of the local log buffer and an external server to which logs are sent via the Syslog protocol. Furthermore, each message carries one of 8 severity levels and one of 24 facility codes, so administrators can choose not to store messages of low severity and/or distinguish logs by their facility. Note that plain Syslog over UDP is neither authenticated nor encrypted, so the log path itself should be protected (a dedicated management network, or Syslog over TLS where the platform supports it). SNMP traps and informs can also be used for logging purposes; these are described further in a later section.
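As an added example (not part of the original thesis), the following Python code decodes the Syslog PRI header into its facility and severity, checks whether the time stamp is good enough for correlation, and filters a small batch of messages by severity. The log lines in RAW_LOGS are constructed for illustration; the PRI encoding (PRI = facility * 8 + severity) is the one defined by RFC 3164 and RFC 5424.

```python
"""Syslog PRI decoding and severity-based filtering.

Added example, not part of the original thesis. The log lines in RAW_LOGS are
constructed for illustration; the PRI encoding follows RFC 3164/RFC 5424:
PRI = facility * 8 + severity, with 24 facilities (0..23) and 8 severities (0..7).
"""
import re
from collections import Counter

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility names for codes 12..15 differ between implementations; the numeric
# codes are what the protocol defines.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
RFC3164_TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")   # no year, no zone
RFC5424_TS_RE = re.compile(
    r"^1 \d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d) ")

# Constructed sample input: Cisco-style router/switch messages, one RFC 5424
# firewall line, one illegal PRI and one line without a PRI header.
RAW_LOGS = [
    "<189>Jan 12 10:01:02 rtr1 %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on Gi0/1 from FULL to DOWN",
    "<186>Jan 12 10:01:09 sw1 %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port Gi1/0/24 on VLAN0010.",
    "<190>Jan 12 10:01:30 rtr1 %SYS-6-LOGOUT: User admin has exited tty session 1(10.0.0.5)",
    "<191>Jan 12 10:01:31 rtr1 OSPF: Rcv hello from 10.0.0.2 area 0 on Gi0/1",
    "<134>1 2024-01-12T10:03:00.000Z fw1 kernel - - - DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.1 PROTO=TCP DPT=179",
    "<999>Jan 12 10:04:00 rtr1 bogus PRI value",
    "Jan 12 10:04:01 rtr1 line without a PRI header",
]


def decode_pri(pri: int):
    """Split a PRI value into (facility, severity); reject out-of-range values."""
    if not 0 <= pri <= 191:          # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} outside 0..191")
    return divmod(pri, 8)


def parse_line(line: str):
    """Return a dict for a well-formed syslog line, or None if it cannot be trusted."""
    m = PRI_RE.match(line)
    if not m:
        return None
    try:
        facility, severity = decode_pri(int(m.group(1)))
    except ValueError:
        return None
    body = m.group(2)
    if RFC5424_TS_RE.match(body):
        ts_quality = "absolute"      # year and time zone present, safe to correlate
    elif RFC3164_TS_RE.match(body):
        ts_quality = "ambiguous"     # year and zone must be inferred by the collector
    else:
        ts_quality = "missing"
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "severity_code": severity, "ts_quality": ts_quality, "msg": body}


def filter_logs(lines, max_severity_code: int):
    """Keep messages at or above a given importance (lower code = more severe)."""
    parsed = (parse_line(line) for line in lines)
    return [p for p in parsed if p is not None and p["severity_code"] <= max_severity_code]


def count_by_facility(lines):
    """Facility histogram: a source that suddenly goes quiet or noisy stands out."""
    return Counter(p["facility"] for line in lines
                   if (p := parse_line(line)) is not None)


if __name__ == "__main__":
    for entry in filter_logs(RAW_LOGS, 5):       # notice and more severe
        print(entry["facility"], entry["severity"], entry["ts_quality"], entry["msg"][:60])
    print(dict(count_by_facility(RAW_LOGS)))
```

Lines whose PRI is malformed are deliberately discarded rather than guessed at: a collector that silently accepts `<999>` would let an attacker inject messages that land in no facility bucket a reviewer looks at.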
Dynamic routing protocols
Dynamic routing protocols are divided into two main groups according to their usage: Interior Gateway Protocols (IGP) and Exterior Gateway Protocols (EGP). IGPs are used for routing within an Autonomous System (AS). EGPs are used to facilitate the exchange of routes, and the decision process on them, between Autonomous Systems. Typical representatives of IGPs are Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP) and Routing Information Protocol (RIP). Practically the only EGP in use is Border Gateway Protocol (BGP), in its current version 4. The taxonomy of dynamic routing protocols is in fact more complex; the method of route advertising (distance-vector versus link-state) must also be taken into account for a finer categorization.
However, this is not important for our considerations; therefore, in the rest of this thesis the distinction made above will be used. As stated above, IGPs are used to facilitate routing within an Autonomous System. This effectively means that these protocols are designed to work with a smaller number of routes, and that the routes themselves are advertised within the same organizational domain. This common origin means that in typical scenarios no nontrivial filtering of the received routes is necessary. Another difference between the two groups is that IGPs mostly discover their neighbors by sending multicast packets on protocol-enabled interfaces.
The interfaces used to discover neighbors should be chosen with care, so that discovery is not performed on interfaces where no neighbor can be connected, and especially not on interfaces connecting third-party devices (routers, user desktops, servers, ...); on most platforms this is done by declaring such interfaces passive. One reason is that these packets reveal information about our network, but more importantly, an attacker could try to form an adjacency with our router and then tamper with the routing in our network. To mitigate this threat, authentication should be used within these protocols. The situation is a little different for EGPs: authentication can and should be used too, but neighbors are defined explicitly, which mitigates the possibility of an unintentional adjacency even when neighbor authentication is not configured. That definitely does not mean that authentication should not be used with EGPs.
Authentication
By authentication in terms of dynamic routing protocols (and dynamic network protocols in general) we understand the process of verifying the legitimacy of a received packet (and thus of the information it carries). The router does not form an adjacency with, or accept protocol update messages from, a host that does not prove knowledge of the secret key. Looking back at the distinction made above, in the case of IGPs the shared secret is shared among a particular group of routers, while in the case of EGPs the shared secret is usually (and definitely should be) unique for each pair of routers. The following types of authentication are commonly distinguished:
• Null authentication — no authentication takes place.
• Plain-text authentication — the shared secret is sent within every protocol message as plain text, so it can easily be eavesdropped by an attacker who has access to the link.
• Keyed MD5 authentication — as opposed to the previous case, an MD5 hash of the shared secret and part of the message (which part varies with the protocol) is computed and included in the message; the secret itself never appears on the wire.
• HMAC authentication — similarly to the previous method, hash functions (MD5, SHA-1, SHA-256, ...) are used to provide authentication and integrity assurance for the exchanged messages, this time using the HMAC construction standardized in RFC 2104.
The benefit of the latter two over plain-text authentication is clear: an attacker should not be able to derive the password regardless of the number of protocol messages he is able to intercept. Note, however, that none of these schemes provides confidentiality, and without a strictly increasing sequence number that the receiver actually enforces they do not prevent replay of captured packets. For more information about authentication within routing protocols and a discussion of its management and technical issues (maintenance of manually configured keys, and acceptance of multiple packets with the same sequence number), refer to the cited source. Most importantly, that source argues that the MD5 algorithm remains safe to use in these schemes despite its documented weaknesses. Although some particular issues are outlined, no specific changes to the current state are proposed in the document. Because of that, in this thesis the authentication scheme using MD5 will be considered equally secure to the schemes using the other algorithms; where a platform offers HMAC-SHA authentication it should nevertheless be preferred, since the known weaknesses of MD5 only grow over time. In environments where security is paramount, the use of IPsec should be considered where applicable.
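As an added example (not part of the original thesis), the Python code below puts the three trailer types side by side and adds a receiver that enforces a strictly increasing sequence number, so the replay issue mentioned above can be demonstrated as well. The packet layout (4-byte sequence number, 1-byte payload length, payload, trailer) is a constructed stand-in for a real protocol header; the keyed MD5 variant mirrors the OSPFv2 construction MD5(packet || key padded to 16 octets) from RFC 2328 Appendix D, and the HMAC variant uses a plain HMAC-SHA256 rather than the exact RFC 5709 key derivation.

```python
"""Plain-text, keyed-MD5 and HMAC-SHA256 authentication trailers, with a
receiver that verifies the trailer and rejects replayed sequence numbers.

Added example, not code from the original thesis. The packet layout is a
constructed stand-in for a real routing protocol header; keyed MD5 mirrors
RFC 2328 Appendix D, the HMAC variant is plain HMAC-SHA256 (not RFC 5709).
"""
import hashlib
import hmac
import struct

KEY_LEN = 16                      # OSPFv2 keys are padded to 16 octets
HEADER = struct.Struct("!IB")     # sequence number, payload length


def pad_key(key: bytes) -> bytes:
    if len(key) > KEY_LEN:
        raise ValueError("key longer than 16 octets")
    return key.ljust(KEY_LEN, b"\x00")


def trailer_plaintext(body: bytes, key: bytes) -> bytes:
    # The "authentication" field is simply the padded key itself.
    return pad_key(key)


def trailer_keyed_md5(body: bytes, key: bytes) -> bytes:
    # MD5 over the packet followed by the padded key, as in OSPFv2.
    return hashlib.md5(body + pad_key(key)).digest()


def trailer_hmac_sha256(body: bytes, key: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


SCHEMES = {"plain": trailer_plaintext, "md5": trailer_keyed_md5,
           "hmac-sha256": trailer_hmac_sha256}


def build_packet(scheme: str, key: bytes, seq: int, payload: bytes) -> bytes:
    body = HEADER.pack(seq, len(payload)) + payload
    return body + SCHEMES[scheme](body, key)


def recover_plaintext_key(packet: bytes) -> bytes:
    """What a passive eavesdropper gets from a plain-text authenticated packet."""
    return packet[-KEY_LEN:].rstrip(b"\x00")


class Receiver:
    """Verifies the trailer and, unless strict_seq is False, rejects replays.

    strict_seq=False models the issue of accepting several packets with the
    same sequence number: a captured packet can then be replayed at will.
    """

    def __init__(self, scheme: str, key: bytes, strict_seq: bool = True):
        self.verify = SCHEMES[scheme]
        self.key = key
        self.strict_seq = strict_seq
        self.last_seq = None
        self.trailer_len = len(self.verify(b"", key))

    def accept(self, packet: bytes):
        if len(packet) < HEADER.size + self.trailer_len:
            return False, "truncated"
        body, trailer = packet[:-self.trailer_len], packet[-self.trailer_len:]
        # Constant-time comparison; a plain == would leak timing information.
        if not hmac.compare_digest(self.verify(body, self.key), trailer):
            return False, "authentication failed"
        seq, plen = HEADER.unpack_from(body)
        if self.last_seq is not None:
            if seq < self.last_seq or (self.strict_seq and seq == self.last_seq):
                return False, "sequence number not increasing"
        self.last_seq = seq
        return True, body[HEADER.size:HEADER.size + plen]


if __name__ == "__main__":
    key = b"s3cret-key"
    update = build_packet("md5", key, 1, b"HELLO 10.0.0.0/8")
    rx = Receiver("md5", key)
    print(rx.accept(update))          # accepted
    print(rx.accept(update))          # same packet again: rejected as a replay
    leaked = build_packet("plain", key, 1, b"HELLO")
    print(recover_plaintext_key(leaked))   # the eavesdropper reads the key directly
```

The eavesdropper's view makes the difference between the schemes concrete: with the plain-text trailer the key is read straight off the wire, while with keyed MD5 or HMAC a forged packet built with a guessed key fails verification. The `strict_seq=False` receiver shows why a sequence check that tolerates equal values is not a replay protection.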
Spanning tree protocol (STP)
The main purpose of the spanning tree protocol family is to maintain a loop-free topology in a switched network. This is important because a layer-2 PDU (an Ethernet frame) has no field limiting its lifetime, such as the TTL (time-to-live) field of the IP header, so a frame caught in a loop circulates until the loop is broken. The protocol should converge to a state in which one device is elected and then used as the root of the resulting spanning-tree topology.
The following list presents the two main categories of possible attacks which take advantage of the spanning tree protocol:
• Taking over the root to redirect traffic flow — by sending superior BPDUs (claiming a lower bridge ID than the current root), an attacker could become the root bridge. Since the placement of the root bridge determines which links of the switched network are used (and which are blocked in order to maintain a loop-free topology), the attacker could intercept some of the traffic flowing on the network (in fact quite a large percentage of it, depending on the actual topology and the attacker's location within it). Figure 2.2 illustrates how an attacker could intercept some of the traffic by becoming the root bridge (and simulating a multi-homed switch).
• Denial of Service attack — an attacker could easily achieve denial of service by sending a large number of BPDUs which imply a specific action in terms of the spanning tree protocol. For example, he could send TCN BPDUs (or configuration BPDUs with the topology change flag set), which force the bridges to age out their MAC address tables quickly and thus to flood unicast frames until the addresses are relearned, or he could simply send a very large number of ordinary BPDUs.
Countermeasures
Possible countermeasures which could be applied in order to mitigate the aforementioned threats will now be discussed. They should be used not only to prevent attacks but in combination with other features, for example Unidirectional Link Detection (UDLD), to maintain a stable and resilient STP topology. The names of the features refer to Cisco terminology, but other vendors commonly refer to them under the same or similar names.
• BPDU Filter — with the BPDU Filter feature enabled on an interface, all BPDU frames are dropped (and none are sent). While this allows us to maintain the boundary of the STP domain by not letting third-party devices connected on that interface participate in the spanning tree operation of our network, it is not an optimal solution: when BPDUs are dropped without being processed, we are not able to detect a loop on that interface.
• BPDU Guard — solves the disadvantage of the previous feature by shutting down (error-disabling) the interface on which a BPDU has been received, so the event is both stopped and logged. On interfaces towards other switches, where BPDUs are expected, Root Guard is the appropriate feature instead: it blocks the port only when a superior BPDU arrives, i.e. when a device behind it tries to become the root.
• Portfast/Edge interface — besides the fact that the interface goes directly into the forwarding state when the link comes up, this feature means that the switch does not generate topology change notifications when the interface changes its state (link up or down). Portfast alone does not stop the port from processing received BPDUs, so it should be combined with BPDU Guard.
• Control plane policing — with a specific configuration of this feature, we can limit the number of BPDUs the device's CPU is allowed to process per unit of time. For more information, refer to section 2.2.8.
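As an added example (not part of the original thesis), the Python code below parses 802.1D BPDUs and applies, in software, the decisions that BPDU Guard, Root Guard and control plane policing make on a switch: any BPDU on an edge port is an error, a configuration BPDU claiming a bridge ID lower than the expected root is a takeover attempt, and BPDUs beyond a per-second budget are dropped before they are processed. The frames are constructed with `make_config_bpdu()` and `tcn_bpdu()`; the comparison against a configured expected root is a simplification of Root Guard (which compares against the currently elected root), and the one-second sliding window stands in for a real CoPP policer.

```python
"""Parse 802.1D BPDUs and apply edge-port, root-takeover and flood checks.

Added example, not code from the original thesis. Frames are constructed
below; the expected-root check simplifies Root Guard and the sliding window
stands in for control plane policing.
"""
import struct
from collections import deque

# Protocol ID, version, type, flags, root ID, root path cost, bridge ID,
# port ID, message age, max age, hello time, forward delay (35 octets).
CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")
TYPE_CONFIG, TYPE_RSTP, TYPE_TCN = 0x00, 0x02, 0x80


def bridge_id(priority: int, mac: str) -> bytes:
    """2-octet priority followed by the 6-octet MAC; lower value wins the election."""
    return struct.pack("!H6s", priority, bytes.fromhex(mac.replace(":", "")))


def make_config_bpdu(root_prio, root_mac, bridge_prio, bridge_mac, cost, tc=False):
    # Timer values are in 1/256 s; 20/2/15 s are the 802.1D defaults.
    return CONFIG_BPDU.pack(0, 0, TYPE_CONFIG, 0x01 if tc else 0x00,
                            bridge_id(root_prio, root_mac), cost,
                            bridge_id(bridge_prio, bridge_mac), 0x8001,
                            0, 20 * 256, 2 * 256, 15 * 256)


def tcn_bpdu() -> bytes:
    return struct.pack("!HBB", 0, 0, TYPE_TCN)


def parse_bpdu(frame: bytes) -> dict:
    if len(frame) < 4:
        raise ValueError("frame too short for a BPDU")
    proto, _version, btype = struct.unpack("!HBB", frame[:4])
    if proto != 0:
        raise ValueError("not an STP BPDU")
    if btype == TYPE_TCN:
        return {"type": "TCN"}
    if btype not in (TYPE_CONFIG, TYPE_RSTP) or len(frame) < CONFIG_BPDU.size:
        raise ValueError("unknown or truncated BPDU")
    (_, _, _, flags, root, cost, bridge, port,
     _age, _max, _hello, _fwd) = CONFIG_BPDU.unpack_from(frame)
    return {"type": "CONFIG", "tc": bool(flags & 0x01), "root_id": root,
            "root_cost": cost, "bridge_id": bridge, "port_id": port}


class PortMonitor:
    """Per-port BPDU handling; verdicts mirror the countermeasures in the text."""

    def __init__(self, expected_root: bytes, edge: bool, max_bpdu_per_sec: int):
        self.expected_root = int.from_bytes(expected_root, "big")
        self.edge = edge
        self.limit = max_bpdu_per_sec
        self.window = deque()

    def inspect(self, frame: bytes, now: float) -> str:
        if self.edge:
            return "BPDU_GUARD"        # an edge port must never see a BPDU: err-disable it
        self.window.append(now)
        while now - self.window[0] >= 1.0:
            self.window.popleft()
        if len(self.window) > self.limit:
            return "RATE_LIMITED"      # dropped before the CPU spends time on it
        bpdu = parse_bpdu(frame)
        if bpdu["type"] == "TCN":
            return "TCN"               # legitimate on a trunk; a flood of these is the DoS case
        # A bridge ID numerically below the expected root would win the election,
        # so it is a takeover attempt: Root Guard blocks the port.
        if int.from_bytes(bpdu["root_id"], "big") < self.expected_root:
            return "SUPERIOR_ROOT"
        return "OK"


if __name__ == "__main__":
    root = bridge_id(4096, "00:11:22:33:44:01")
    trunk = PortMonitor(root, edge=False, max_bpdu_per_sec=10)
    print(trunk.inspect(make_config_bpdu(4096, "00:11:22:33:44:01",
                                         32768, "00:11:22:33:44:02", 4), 0.0))
    print(trunk.inspect(make_config_bpdu(0, "00:de:ad:be:ef:01",
                                         0, "00:de:ad:be:ef:01", 0), 0.1))
```

The attacker's BPDU carries priority 0, which beats any legitimate root that keeps a non-zero priority; in a real deployment the expected root is the switch whose priority the administrator lowered on purpose, and anything claiming a lower ID on an access-facing port is exactly what Root Guard is configured to refuse.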