Each Black Hat conference gives us an opportunity to re-examine the way we think about our security models. Black Hat 2011 has not failed us: the news from the first few days shows that infrastructure systems offer attackers rich opportunities, not just traditional operating systems. There have been several talks on Siemens industrial control systems, and yesterday's announcement concerned an OSPF vulnerability. Let's look at the simple mechanics of the OSPF vulnerability and at a defense against it that has been available for more than 10 years.
Researcher Gabi Nakibly of the Israel Electronic Warfare Research and Simulation Center identified a problem in OSPF implementations: they accept false link state advertisements (LSAs) from an untrusted system, i.e. from an attacking endpoint rather than a router.
A few conditions must be met for the OSPF attack to succeed, and there are simple ways to change the attack surface of the infrastructure we defend so that this and similar attacks fail. The attacker must:
• Compromise an existing trusted router
• Have a physical presence on the network under attack
On the first point: there is no perfectly secure system, so vulnerabilities will be found in any operating system, routers included. Recommendations for securing the router against compromise follow standard practice: strong authentication, access controls, and control of physical access to the router.
I think the second point is an easy attack surface to control, and one that I’ve recommended for many years (see “10 Policies to a More Secure Network”): control the protocols a user can send into your network to reduce the attack surface. The OSPF attack requires many things, and it succeeds only if the attacker can deliver forged OSPF LSAs to your routers. Removing an attacker’s ability to send OSPF updates of any kind from a user port reduces the impact the attack can have on your network.
At Enterasys we provide a simple set of controls for the access layer (the switch port or wireless network that a user connects to) that restricts which protocols a standard user can transmit into the network. The recommended set includes a port filter that drops network control plane protocols such as OSPF, RIP, BGP, Spanning Tree and SNMP. These simple packet filters, placed on user ports, let implementers quickly and easily reduce the attack surface of their networks and spend more time on strategic initiatives, such as attending conferences like Black Hat.
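As an added illustration (not Enterasys configuration and not code from the original post), the following Python classifier implements the same user-port filter logic on raw Ethernet frames: it drops OSPF (IP protocol 89), RIP (UDP 520), BGP (TCP 179), SNMP (UDP 161/162) and Spanning Tree BPDUs, and forwards everything else. All frames, MAC addresses and IP addresses are constructed samples, and the fragment handling is one conservative choice among several a real ACL could make.

```python
import struct
from collections import Counter

# Control-plane traffic the user-port filter drops, keyed by how it is carried
STP_GROUP_MAC = bytes.fromhex("0180c2000000")   # 802.1D bridge group address
OSPF_PROTO, TCP, UDP = 89, 6, 17
UDP_DROP = {520: "rip", 161: "snmp", 162: "snmp"}  # well-known UDP ports
TCP_DROP = {179: "bgp"}

def classify(frame: bytes) -> str:
    """Name the control-plane protocol a raw Ethernet frame carries, else 'allow'."""
    if frame[:6] == STP_GROUP_MAC and frame[14:17] == b"\x42\x42\x03":
        return "stp"                 # BPDU: LLC DSAP/SSAP 0x42, UI control byte
    if int.from_bytes(frame[12:14], "big") != 0x0800 or len(frame) < 34:
        return "allow"               # not IPv4, so nothing below applies
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto == OSPF_PROTO:
        return "ospf"                # OSPF rides directly on IP protocol 89
    frag_off = int.from_bytes(ip[6:8], "big") & 0x1FFF
    if proto not in (TCP, UDP) or frag_off or len(ip) < ihl + 4:
        return "allow"               # non-first fragments carry no port header
    table = UDP_DROP if proto == UDP else TCP_DROP
    for port in struct.unpack("!HH", ip[ihl:ihl + 4]):   # source, destination
        if port in table:
            return table[port]
    return "allow"

def user_port_filter(frames):
    """Forwarded frames and per-protocol drop counts for frames seen on a user port."""
    verdicts = [classify(f) for f in frames]
    forwarded = [f for f, v in zip(frames, verdicts) if v == "allow"]
    return forwarded, Counter(v for v in verdicts if v != "allow")

# Constructed sample frames (not captured traffic); all addresses are made up
SRC_MAC = bytes.fromhex("001122334455")
def ipv4_frame(proto, payload, frag_off=0, dst_mac=bytes.fromhex("01005e000005")):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag_off, 1,
                      proto, 0, bytes([10, 0, 0, 5]), bytes([224, 0, 0, 5]))
    return dst_mac + SRC_MAC + b"\x08\x00" + hdr + payload

SAMPLES = [
    ipv4_frame(OSPF_PROTO, b"\x02\x01\x00\x2c"),                   # forged OSPF hello
    ipv4_frame(UDP, struct.pack("!HHHH", 520, 520, 8, 0)),         # RIP update
    ipv4_frame(TCP, struct.pack("!HH", 40000, 179)),               # BGP session attempt
    ipv4_frame(UDP, struct.pack("!HHHH", 50000, 161, 8, 0)),       # SNMP query
    STP_GROUP_MAC + SRC_MAC + b"\x00\x26\x42\x42\x03" + bytes(35),  # STP BPDU
    ipv4_frame(TCP, struct.pack("!HH", 50001, 80)),                # ordinary HTTP: kept
]
```

Running `user_port_filter(SAMPLES)` forwards only the HTTP frame and reports one drop each for ospf, rip, bgp, snmp and stp; access switches do the same matching in hardware ACLs, and the point is that the match criteria are few and stable.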