Check out the new USENIX Web site.

[prev] [up] [next]
Previous: 2 Attacks on ``Classical IP over ATM Networks''
Up: Securing 'Classical IP over ATM Networks'
Next: 4 Conclusions


Subsections


3 Solutions

  Attacks on the ARP service and the ATM based IP spoofing can be prevented, if the ATM switch or, more generally, the ATM network supports mechanisms for access control. Most other discussed attacks can be prevented or mitigated by careful configuration of the ATM switch.

In ATM networks the control on access[*] to the network is shared between hosts and switches. On the other hand in ``legacy LANs'' like Ethernet the access to the network is only controlled by the nodes themselves (CSMA/CD)[*]. This fundamental difference between ATM and ``legacy LANs'' can be used for securing the networks against malicious attacks by providing a controlled access to network resources.

A major part of securing an ATM network relies on the ATM switch. It can be used for filtering certain addresses and to support monitoring of the network. The next sections will show how an ATM network can be secured against the attacks described before.

3.1 Securing the ATMARP Service

  CLIP requires one ATMARP server for each LIS [10]. The ATM address of this server has to be configured on every node in the same LIS. The protection of the ATMARP service requires three steps:

Configuration of an ATMARP Server

An ATMARP server can be installed on a host in the LIS or on an ATM switch. From the security point of view installing an ATMARP server on a host is preferable for multiple reasons. The access to the ATMARP server on a host can be controlled more easily than on an ATM switch. As an ATMARP server on a host is implemented in software, it is easier to expand the ATMARP server with security enhancements for access control and auditing. ATMARP server on ATM switches depend on the firmware of the switch and are therefore difficult to expand. Moreover even though it is convenient to use the ATMARP server of the switch for multiple LISs, this makes it impossible to restrict the access according to the security policy of one LIS.

Configuring static ARP Entries

In the second step the ATMARP server is configured with static ARP entries for every node in the LIS. Each entry consists of the tuple <ATM address, IP address>. This renders the described attack of malicious registration of an address of another node impossible, as static entries cannot be overwritten.

To gain additional security the ATMARP server should be configured to reject registration requests for unknown tuples of <ATM address, IP address>. This can be achieved by turning off the dynamic learning of new <ATM address, IP address> tuples. By these simple measures hostile registration of ARP entries can be prevented.

It has to be noted however that adding new nodes to this network will require manual configuration of the ARP entry.

Auditing of ATMARP Queries

Attempts to register new ARP entries can be identified as either attacks or newly installed machines and should be audited. Also queries for unregistered ARP entries should be audited as this can be an attempt to scan the address-space for possible victims.

Open Issue

  In RFC1577 [10] it is required that every LIS client opens an ATM connection to the ATMARP server and registers its address binding. The ATMARP server will reject the registration if the same binding is already registered for another ATM connection. This attack will also succeed for statically configured <ATM address, IP address> bindings, as the ATMARP server will accept the malicious registration because a valid binding has been supplied. In consequence even with statically configured bindings a client may be blocked from registering after reboot. A solution to this problem is provided in the next section.

3.2 Integration of the Switch into a Firewall Concept

  As described before, an attacker could try to open an ATM connection from an external host to an internal host thereby circumventing a firewall. A firewall concept for an ATM network needs to integrate the switch to prevent these attacks from succeeding. The configuration of the ATM switch has to make sure that connections can only be established between hosts of the same subnetwork (external or internal network). This can be done either by configuring PVCs only[*] or by restricting the signaling of new SVCs with access control list. The configuration of PVCs between all hosts of the same subnetwork yields a very secure configuration, but is hard to administer as adding a host will require the configuration of PVCs to every host in the same subnet. The definition of access lists on the other hand is more flexible and efficient as only few simple rules can restrict the creation of new SVCs. Even adding and removing hosts may not require reconfiguration if the subnets are identified in the access control lists by the use of wildcards.

The following sections describes the secure separation of two subnets - an internal and an external subnet - using access control lists on the signaling protocol. The firewall has two ATM interfaces: one ``fwext'' with the external network and one ``fwint'' with the internal network (see fig. 4).


  Figure 4:  Firewall in an ATM Environment

Firewall in an ATM Environment


3.2.1 Access Control on Signaling

  Switches take an active part in opening ATM connections. Therefore ATM switches can be used to increase security by restricting the hosts ability to open connections to other hosts. The filters are similar to the rules that can be defined in packet screens. But these two filters differ in two important aspects: packet screens filter every packet whereas ATM switches restrict the creation of new ATM connections -- no filtering occurs after successful setup of a connection. Rules in packet screens can be formulated on hosts (IP addresses) and services (TCP/UDP ports) whereas ATM switches only have access to the ATM addresses of the communicating hosts. The ATM switches have no control over type of IP-based service that will be accessed by the hosts. The filters on ATM addresses are sufficient for the intended use, as hosts will be grouped together by their ATM addresses and a firewall will be used for additional filters depending on the type of service.

As the filters on the switch rely on ATM addresses only, both the internal and the external network may have complex topologies (e.g. multiple interconnected switches). It is sufficient to configure the filters on the switch that is connected to the firewall. Figure 4 shows a simplified setup with only one switch.

The following restrictions have to be imposed by the ATM switch:

With this configuration all communication between the internal and the external network must cross the firewall.

3.2.2 Sample Configuration for a Cisco LS 1010 Switch

The advantages of filter rules in ATM switches are described with the following example. The example network consist of three hosts on the internal network (``int1-3''), three hosts on the external network (``ext1-3''), one firewall with two interfaces (``fwint'' and ``fwext'') and one ATM switch (``atmsw'').

Definition of Symbolic Names for ATM Addresses

Symbolic names are easier to comprehend and therefore reduce the risks of misconfigurations:

atm template-alias fwint  
       4700918100000000e0f7df1901080020827e6100
atm template-alias fwext  
       4700918100000000e0f7df1901080020827c5100
atm template-alias int1   
       4700918100000000e0f7df1901080020827b8100
atm template-alias int2   
       4700918100000000e0f7df1901080020825ca100
atm template-alias int3   
       4700918100000000e0f7df190108002082a9f100
atm template-alias atmsw  
       4700918100000000e0f7df1901f9f9f9f9f9f900
atm template-alias ext1   
       4700918100000000e0f7df1901080020827be100
atm template-alias ext2   
       4700918100000000e0f7df190108002082564100
atm template-alias ext3   
       4700918100000000e0f7df19010800208254d100

In this example we choose to explicitly list all hosts in the filter rules. For larger networks wildcards should be used to select groups of hosts with just one rule.

Definition of Simple Access Control Lists

The keywords permit and deny can be used to describe which hosts are allowed to use the signaling protocol to open a connection:

# internal hosts are allowed to reach 
#                other internal hosts
atm filter-set inHosts	permit	fwint
atm filter-set inHosts	permit	int1
atm filter-set inHosts	permit	int2
atm filter-set inHosts	permit	int3
atm filter-set inHosts	permit	atmsw
atm filter-set inHosts	deny default

# Hosts not listed (external hosts) 
# are not allowed to reach internal hosts
atm filter-set exHosts deny  fwint
atm filter-set exHosts deny  int1
atm filter-set exHosts deny  int2
atm filter-set exHosts deny  int3
atm filter-set exHosts deny  atmsw
atm filter-set exHosts permit default

atm filter-exp intern inHosts
atm filter-exp extern exHosts

Unknown hosts will be treated like external hosts and cannot reach internal hosts. As only internal ATM addresses are necessary for the configuration the solution is applicable to both LANs and WANs.

If the ATMARP server has been configured as internal host, the address filters are sufficient to prevent an external attacker from directly connecting to the ATMARP server (see section 3.1). The combination of a secure ATMARP server and the use of address filters on switches to direct the access to the network through a firewall is a good choice for defending against the denial of service attacks discussed in sections 2.2 and 2.5.

Applying Filters to Interfaces

The filters must be applied to the interfaces[*]. On an interface connected to an internal host the following commands must be applied:

atm access-group intern in
atm access-group intern out

On all external interfaces these two commands must be applied:

atm access-group extern in
atm access-group extern out

3.2.3 Extension of the Concept

The above configuration separates the ATM network into two virtual networks the internal and the external network. This concept can be extended to separate multiple virtual networks. To which network a host belongs is simply a matter of configuration. A host may therefore belong to a virtual network depending on its communication and security requirements rather than depending on its physical location.

This feature of ATM networks makes it easier to structure networks depending on security requirements. If all these subnets are connected by one or multiple central firewalls, this concept will allow for very secure networks in the future.

3.3 Mitigation of Bandwidth Allocation Attacks

 The combination of firewall, access control lists for signaling on the switch, and the secure ATMARP server is sufficient to establish a secure `Classical IP over ATM' network. Figure 5 shows an extension to the setup discussed in section 4. The switch used for access control to the secure network is also used to connect other LISs (``external'') to the Internet. As there is only one physical wire to the Internet access point (connected to the ``ex'' interface of the switch) it is still possible that the available bandwidth over this wire is allocated by an attacker (visualized with a dashed line between H1 and H2). The internal hosts will not be able to connect to the Internet or will perform at least very poorly.


  Figure 5:  Bandwidth Allocation for SVC between two External Hosts

Bandwidth Allocation


There are two solutions that can address this problem. Both solutions require a careful configuration of the switch.

3.3.1 Limiting the available Bandwidth for each Traffic Class

Modern switches support the configuration of bandwidth resources for different traffic classes. Thus it may be possible to configure the ``fwext'' interface of the switch (figure 5) so that only a certain amount of bandwidth is available for CBR or VBR traffic. In essence this will not prevent the described attack but will reduce the impact, as the administrator can make sure that there is always enough bandwidth available for connections to the Internet.

3.3.2 Configure a Permanent Virtual Connection

Another way to make sure that the internal network is always able to connect to the Internet is to configure a permanent virtual connection between switch and the Internet access point (router or switch). Typical switches provide a way to assign quality of service to PVCs. This is sufficient to allocate a certain amount of bandwidth to the PVC so that an attacker can only compete for the remaining bandwidth.

The main drawback of both solutions is that the administrator must have access to all intermediate switches in order to configure either a PVC to the Internet access point or limit the available bandwidth for demanding traffic classes (CBR/VBR). This may be impossible if the switches belong to different administration domains. Moreover the access to all the intermediate switches must be restricted to prevent reconfiguration by an attacker.

3.4 Static Switch Configuration

Both the ILMI based attacks and the attacks on the switch (see section 2.6 and 2.7) can be prevented by static switch configuration. For example the administrator may configure individual ports of a switch as UNI ports. This prohibits changes to the port settings by a peer as described in section 2.6. It should be noted that this is a local configuration that needs to be applied to one switch only. This configuration will prevent a workstation which is connected to a port of the switch to use the P-NNI protocol for attacks on the switch.

Since there is still the chance that malicious routing information is propagated by other switches over a NNI link the switch is still vulnerable. One (interim) solution to this problem is the use of the `Interim Inter-switch Signaling Protocol' (IISP) instead of P-NNI at the NNI interface unless the authentication has been addressed by the P-NNI designers. The IISP only supports statically configured routes, thus making it impossible to insert malicious information by sending messages to the switch. The major drawback of this solution is the burden of managing the static routing tables for fast scaling networks. IISP networks are also very error prone. If an intermediate switch goes offline all static routes through this switch are no longer usable.

A switch may also support the configuration of static ATM addresses at individual ports. This can prevent the registration of additional (unexpected) addresses at a switch port. This also makes sure that a workstation will only be able to register with a predefined address that matches a desired filter rule on the switch (see section 3.2).


[prev] [up] [next]
Previous: 2 Attacks on ``Classical IP over ATM Networks''
Up: Securing 'Classical IP over ATM Networks'
Next: 4 Conclusions

Carsten Benecke, Uwe Ellermann / DFN-FWL