Found quite an interesting story on Slashdot a few days ago: http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html
Apparently the aging Border Gateway Protocol, which is used within the Internet's backbone, has a potentially large flaw in its design.
Because BGP was designed for a trusted environment in which every peer is considered legitimate, it will trust an unknown peer and route traffic through it if told it has a better route. As the article above shows, this can be exploited to gain complete access to all traffic being routed on that segment of the Internet.
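To make the "better route" problem concrete, here is an added example (not from the post or the linked article) of the kind of origin check a route monitor performs that BGP itself does not: each announcement is compared against a table of which AS is entitled to originate which prefix. The prefixes, AS numbers and announcements are constructed placeholders.

```python
import ipaddress

# Constructed table of prefixes and the AS entitled to originate each one.
# Documentation ranges and private ASNs only, not real assignments.
EXPECTED_ORIGIN = {
    ipaddress.ip_network("198.51.100.0/22"): 64500,
    ipaddress.ip_network("203.0.113.0/24"): 64501,
}

# Constructed announcements as a route collector might see them:
# (announced prefix, AS path with the originating AS last).
ANNOUNCEMENTS = [
    ("198.51.100.0/22", [64510, 64500]),        # expected origin, fine
    ("203.0.113.0/24", [64510, 64520, 64501]),  # longer path, still the right origin
    ("198.51.100.0/24", [64510, 64666]),        # more-specific prefix from a stranger
    ("203.0.113.0/24", [64510, 64666]),         # same prefix, different origin
]


def classify(prefix_str, as_path):
    """Compare one announcement against the expected-origin table.

    BGP performs none of these checks: a peer's claim is accepted on trust,
    and a more-specific prefix wins longest-match route selection regardless
    of how its AS path looks.
    """
    prefix = ipaddress.ip_network(prefix_str)
    origin = as_path[-1]
    for expected_prefix, expected_origin in EXPECTED_ORIGIN.items():
        if prefix == expected_prefix:
            return "ok" if origin == expected_origin else "origin-mismatch"
        if prefix.subnet_of(expected_prefix):
            # Traffic for the whole sub-range follows this announcement even
            # while the legitimate covering prefix is still advertised.
            return "ok" if origin == expected_origin else "more-specific-hijack"
    return "unknown-prefix"


def audit(announcements):
    """Return (prefix, verdict) for every announcement, alerts included."""
    return [(prefix, classify(prefix, path)) for prefix, path in announcements]


if __name__ == "__main__":
    for prefix, verdict in audit(ANNOUNCEMENTS):
        print(f"{prefix:20} {verdict}")
```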
Should this be a cause for concern? Most probably, yes. Whilst encrypted data isn't really affected by this, the web is still basically all unencrypted, with the exception of a few banking and other specific services. Hell, even Hotmail by default only uses encryption while the username and password are being authenticated.
This brings up once again just how easily data can be harvested from unsuspecting users, who have quite a false sense of security on the Internet.
What is really interesting is that this flaw was made known to governments 10 years ago, and yet nothing was done. I'm not really a fan of conspiracy theories, but this does bring up some rather interesting thoughts...
Tuesday, September 2, 2008
Thursday, August 21, 2008
pfsense and Smoothwall
So here's my dilemma for a project I'm working on.
I need a rather broad solution covering DNS, proxying, firewalling, VPN (both site-to-site and LDAP-integrated user access), DHCP, and support for multiple DMZ servers along with routing. This will act as the centre point for a 40-person network. Clearly, hardware-wise, this will have to be quite a strong system, with load balancing a possibility and at minimum hardware failover.
For the network security class we were asked to take a look at two firewall solutions, so whilst comparing them I also tried to see how well they would fit the above requirements.
The firewalls looked at were pfsense and Smoothwall Express 3.0.
Let's start with pfsense.
- It is an open source effort based on FreeBSD. I have little experience with BSD, compared to quite solid knowledge of Red Hat, which Smoothwall is based on.
- Its feature set is huge and rather all-encompassing.
- Full Firewalling functionality, including stateful inspection and fingerprinting.
- NAT support, which I may or may not implement at this level within the above mentioned project.
- pfsense does support hardware failover; however, the backup server does nothing normally and only kicks in if the main server fails. It also requires another static public IP, which could be a problem depending on the ADSL package I end up going with.
- Load balancing is supported, but only equal-weight. The ADSL lines I will be going with for the project will be balanced using a Billion Biguard 30, so this is only really important for DMZ servers etc.
- VPN: this is probably going to be the deal breaker. pfsense supports site-to-site links, along with PPTP-style links including RADIUS server support, exactly what I need.
- DHCP serving is present, along with some proxying abilities.
Now for Smoothwall Express.
- As this is primarily a firewall, its firewall is quite full featured, just like pfsense, including stateful inspection.
- NAT support is a bit of an unknown and not explicitly mentioned, but this is probably not a huge deal as I will have the Biguard 30 handle it.
- Basic DHCP serving is supported, and because it is based on RHEL this shouldn't be that hard to expand upon.
- Proxy support is quite limited, but my proxy needs only include basic HTTP proxying.
- Here's the big problem: VPN support is very limited in the free package. Site-to-site is supported, but there is no included support for PPTP or RADIUS authentication.
- Multiple DMZ servers are also not supported, so another requirement is not met.
- No inbuilt hardware failover.
At this point, for both the network security class and the project needs, pfsense seems to be the winner.
Wednesday, August 6, 2008
Intro + DNS BailiWicked
Welcome to my brand new blog!
(yay >_>)
My name is Andrew Herzog, and I am an IT Network Security student at TAFE in Australia.
This is something of a forced effort; I really don't enjoy writing my thoughts down for the world to see... but hey, might as well make the best of it.
Within this blog all I'll really be doing is putting into the blogosphere some of my (not so important) thoughts on networking, security and some of the more interesting vulnerabilities and hardware/software I encounter as I complete my studies.
So now that introductions are out of the way, let's get right into something that is already quite common news, but hey, I only really discovered the depths of the vulnerability and its exploits today.
Unpatched DNS servers have been found to be easily exploitable using Kaminsky's DNS poisoning flaw. What this means is that it's rather easy at the moment to launch a man-in-the-middle attack against clients.
Metasploit seems to be an awesome set of tools used to discover vulnerabilities within your network. Within 15 days of this DNS poisoning flaw being disclosed, Metasploit already included modules that could be used to inject fake DNS records into DNS servers.
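As an added example (not from the post or from Metasploit), here is the check a defender would run on their own resolver to tell a patched one from an unpatched one: a forged answer is only accepted if it matches both the 16-bit transaction ID and the UDP source port of the outstanding query, and the July 2008 patches widened that guess space by randomising the source port. The (port, transaction ID) samples are constructed, not captured data.

```python
# Constructed samples of (UDP source port, DNS transaction ID) for a resolver's
# outbound queries, as a packet capture of port 53 traffic would show them.
UNPATCHED = [(53, 0x1A2B + i) for i in range(8)]              # fixed port, sequential IDs
PATCHED = [(49152 + (i * 7919) % 16384, (i * 40503) % 65536)  # spread over ports and IDs
           for i in range(8)]


def assess_resolver(samples):
    """Judge how much a blind spoofer must guess to match one query.

    With a fixed source port the only unknown is the 16-bit transaction ID,
    which Kaminsky's technique exhausts by provoking many queries for names
    under the target domain. Randomised ports multiply the space by the
    number of ports in use, which is what the 2008 patches added.
    """
    if len(samples) < 2:
        raise ValueError("need at least two observed queries")
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    distinct_ports = len(set(ports))
    fixed_port = distinct_ports == 1
    sequential_ids = all(b - a == 1 for a, b in zip(txids, txids[1:]))
    # Lower bound from what was observed: 65536 IDs times each port seen.
    guess_space = distinct_ports * 65536
    weak = fixed_port or sequential_ids or distinct_ports < len(samples) // 2
    return {
        "distinct_ports": distinct_ports,
        "fixed_port": fixed_port,
        "sequential_txids": sequential_ids,
        "guess_space": guess_space,
        "verdict": "vulnerable" if weak else "randomised",
    }


if __name__ == "__main__":
    for name, samples in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, assess_resolver(samples))
```

The more queries you sample the better the estimate; eight is enough to catch a fixed port or a counter-style ID, which are the two pre-patch behaviours that made the attack cheap.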
http://blog.metasploit.com/2008/07/bailiwicked.html
Now what really scares me at this point is this post, including a video, that I discovered along with Metasploit.
http://blog.metasploit.com/2008/07/evilgrade-will-destroy-us-all.html
Evilgrade uses this DNS exploit along with another flaw in many applications' update mechanisms. The list is rather surprising as well: iTunes, Mac OS and OpenOffice, just to name a few. So an attacker uses Metasploit to inject fake DNS records into the DNS server used by the end user; then, when the user begins an update, instead of finding the software's website they are redirected to a malicious site, complete with a hacked executable provided by Evilgrade ready to create the backdoor.
Call me misguided, but I never quite realised just how easy some of this was until recently. It's truly mind-boggling how easy this attack is; just about anyone even slightly tech-savvy could use it.