Building

How to go ahead with future end of life Windows (2003) Servers

Server operating systems with an OS, for which vendor support has ended, come with many risks that have to be considered and addressed. The primary goal should be always to decommission or migrate the majority of end-of-life (EoL) servers to OS versions, supported by the vendor. Here it should be noted that a migration to an up-to-date OS should be preferably done before your organization enters the end of life of that software 😉

However, it must be considered that a number of servers cannot be migrated or shut down (easily) and must remain operational and accessible. Based on a customer project in 2014 we developed a high-level security concept for the secure operation of end-of-life Windows servers. We published this concept in our latest newsletter. You will find it here (https://www.ernw.de/download/newsletter/ERNW_Newsletter_47_Security_Concept_for_End-of-Life_Windows_Servers_signed.pdf)

 

Continue reading “How to go ahead with future end of life Windows (2003) Servers”

Continue reading
Building

IPv6-related Requirements for Security Devices

This is the sequel to the similar post on “IPv6-related Requirements for the Internet Uplink or MPLS Networks“. As mentioned there these requirements were created in the course of an RfP for network security services. The goal of this document was to provide a check list of IPv6-related requirements that security devices being part of the individual providers’ offerings have to fulfill in order to fully support the future IPv6 network.  Continue reading “IPv6-related Requirements for Security Devices”

Continue reading
Events

Troopers 15 TelcoSecDay – First Talks

At Troopers15 there will be another TelcoSecDay, like in the years before (2014, 2013, 2012). Here’s the first three talks (of overall 5-6):

Luca Bruno: Through the Looking-Glass, and What Eve Found There

Synopsis: Traditionally, network operators have provided some kind of public read-only access to their current view of the BGP routing table, by the means of a “looking glass”.
In this talk we inspect looking glass instances from a security point of view, showing many shortcomings and flaws which could let a malicious entity take control of critical devices connected to them. In particular, we will highlight how easy it is for a low-skilled attacker to gain access to core routers within multiple ISP infrastructures.

Markus Vervier: Borrowing Mobile Network Identities –  Just Because We Can

Synopsis: This talk features an attack that enables active cloning of mobile identities.
It is shown how to patch a baseband firmware for Android devices to implement a virtual SIM card. Additionally different methods enabling access to the SIM card on unmodified Android devices are presented. Running a mobile network authentication algorithm on a SIM card in a first device and forwarding the result to a patched baseband on a second device allows the second device to retrieve valid authentication tokens. The second device can use these tokens to authenticate to the mobile network without having permanent access to the SIM card.
This results in taking over mobile network identities of others as well as in possibilities to evade surveillance by rapidly changing network identities.

Bio: Markus Vervier is a security researcher from Germany. Having more than 10 years of experience in penetration testing, source code auditing and network security, he was involved in finding vulnerabilities in banking systems as well as operating system features such as BSD Securelevels.

 
Tobias Engel: Securing the SS7 Interconnect

Synopsis: Recent disclosures made public a reality long known to telco network operators: Once an attacker gains access to SS7, there are almost no barriers against spying on subscribers and committing billing fraud. sternraute is currently developing an SS7/MAP application level firewall to be deployed by operators. This talk will look at the different approaches our firewall employs to detect and filter illegitimate traffic and what operators can do beyond that to protect their customers and networks.

Bio: Tobias Engel, born in 1974, is founder and managing partner of Berlin-based sternraute GmbH, which develops security products for mobile networks. As an active member of Germany’s Chaos Computer Club,he repeatedly called attention to security vulnerabilities in ICTsystems. For many years, Engel has been a consultant and software developer for various companies in the IT and telecommunications sector.

===

We’ll finalize the agenda in the upcoming days and publish details as for the other talks then, too. Stay tuned…
Have a good one

Enno

 

 

 

Continue reading
Building

Is RFC 6939 Support Finally Here – Checking the Implementation of the “Client Link Layer Address Option” in DHCPv6

One of the main DHCPv6 enhancements – fyi: we have already discussed DHCPv6 in some other posts – many practitioners have been waiting for quite some time now, is full support of RFC 6939 (Client Link-Layer Address Option in DHCPv6) by network devices (acting as relays) and DHCPv6 servers. RFC 6939 support would allow a number of things which large organizations use in their DHCPv4 based networks, incl.

  • reservations (assigning a kind-of fixed DHCP address based on the MAC address of a system which in turn allows for “centralized administration of somewhat static addresses”).
  • correlation of IPv4 and IPv6 addresses of a given host identified by its MAC address.
  • (some type) of security enforcement based on the MAC address of a host gathered in the course of a DHCP exchange (see for example slide #29 of this presentation of the IPv6 deployment at CERN, btw: slide #9 might be helpful when discussing IPv6 transition plans with your CIO. or not).

So far it seemed very few components support RFC 6939. When Tim Martin mentioned at Cisco Live that Cisco devices running IOS XE support it by default, we decided go to the lab ;-).

Continue reading “Is RFC 6939 Support Finally Here – Checking the Implementation of the “Client Link Layer Address Option” in DHCPv6”

Continue reading
Building

Using Android without Google, Part 1

We’re using our smart phones every day to manage contacts, calendar entries, e-mail, and social communication (please note that we at ERNW still have a strict “no company data on smartphones/tablets” – which includes email). Everything is easy to use and automated syncing provides access to our data from anywhere. Data is stored in most cases on premises of a cloud service provided by the OS vendor of your smart phone – mostly Google, Apple or Microsoft. You don’t need to pay for this service – and the cloud provider could use your data for personalization and service improvements.

But from a security point of view (or just because you don’t want to share your personal information with the cloud provider) one probably wants to use all those features with a service on your own infrastructure.

Continue reading “Using Android without Google, Part 1”

Continue reading
Building

IPv6-related Requirements for the Internet Uplink or MPLS Networks

We’re currently involved in a complex RfP procedure for global network services of a large organization. As part of that we were asked to define a list of IPv6 related requirements as for the  Internet uplink and MPLS circuit connections. The involved service providers/carrier offerings will be checked to comply with those.

Continue reading “IPv6-related Requirements for the Internet Uplink or MPLS Networks”

Continue reading
Building

The Persistent Problem of State in IPv6 (Security)

I’ve discussed the heavy complexity of IPv6 and its negative impact on security architectures relying on state  – you know, “stateful” firewalls and the like 😉 – before (here and here. btw, the widely discussed IPv6-related network outage at MIT last year was a state problem as well: switches keeping track of multicast groups, of which in turn many existed due privacy extensions combined with the unfortunate relationship of MLD and ND).

One of the conclusions I’ve drawn in the past was recommending to minimize the amount of state one might use within security architectures in the IPv6 world. First, this is bad news for quite some well-established security controls that need a certain amount of state to work properly, like IDPS systems – which subsequently have hard times to work properly in IPv6 networks.
Secondly there’s another severe caveat. As I fully realized yesterday, at Cisco Live Europe, in Andrew Yourtchenko‘s excellent breakout session on “Advanced IPv6 Security in the Core”, this carries some consequences for stateless (and hence: seemingly “unaffected”) security controls, too.

Continue reading “The Persistent Problem of State in IPv6 (Security)”

Continue reading
Breaking

Evasion of Cisco ACLs by (Ab)Using IPv6 & Discussion of Mitigation Techniques

This is a guest post of Antonios Atlasis.

During our blogpost regarding DHCPv6 Guard evasion, one of the side-effects was that Access Control Lists (ACLs) configured to block access to UDP ports 546 can be evaded by abusing (again) IPv6 Extension headers. Having that in mind, we decided to check the effectiveness of Cisco IPv6 ACLs under various scenarios. Our goal was to examine whether the IPv6 ACLs of Cisco routers can be evaded, as well as under which conditions this can take place. To this end, several representative scenarios from enterprise environments or other potential ones are examined.

Continue reading “Evasion of Cisco ACLs by (Ab)Using IPv6 & Discussion of Mitigation Techniques”

Continue reading