Not wishful thinking at all.

Ethernet emulation - also known as transparent LAN services is offered in
some form or different name by both AT&T and Bell up here in the Great White
North and I'm sure in other places.  Yes it can be provided to the end user
via fiber but it can also be provided over copper depending on how close
they are to the pop (in the building).

In a nutshell, an Upstream Service Provider provides access from a "smart
building", a building which has a POP and is connected to that provider's
Metropolitan Area Network.  From there a client can be mapped, usually
through ATM, through their provider's network to the World Internet.

This has the advantage of getting higher speeds without a user requiring ATM
capable equipment or the expense of multiple T1s or Fractional T3.
(available up to fast ethernet speeds)

We are beginning to see more and more of these circuits and clients are
starting to order up 2 of these circuits, one from each upstream provider
for redundancy.

We are also beginning to look at using this service with RFC 1483 bridging
and getting the providers to connect the client site using ethernet and then
map the ATM PVC to our own LS-1010 on a current OC-3 (soon to be upped to
OC-12).

This way, we can re-map the client to another core/border router to get
around failures and load balance without having to wait for the upstream
provider to react.

In any event, perhaps our use of HSRP is specialized (meaning unique) to us
as we sort of act like an ISP ourselves and we provide little security to
the larger "intranet" as each customer provides their own firewall.
Therefore the "inside" net is segregated mostly through routing, providing
visibility to routes that we allow to be seen to the Internet and routes
that are seen only on the inside.  And this "network" is not a few
buildings, it is national in scope - sort of like a huge DMZ.

Because of this, clients' access can be seen by other clients and by the
world at least up to their firewall.  Since the firewall is behind the
access routers and those routers could be Ethernet to connect (using HSRP
for failover) then this exploit has potential for us and we are moving to
put those access lists in place.

This may not be all that easy to follow but I can't get into more specifics
for the obvious security reasons.

This whole issue is resulting, I think, as I said, from the LAN and WAN
fading together.  What with GigE being proposed to replace ATM access,
ethernet technologies may soon replace the traditional T1s etc., within
metropolitan areas anyways.

This also presents interesting limits on HSRP because if you have a router
with three ethernet interfaces, 2 out and 1 in, because we're talking
ethernet - it is no longer point-to-point with keepalives going end to end.
If a circuit becomes unavailable HSRP might not see it unless the actual
interface goes down.  Therefore the circuit could be down farther up beyond
the local connection (hub/switch, etc.) but as long as HSRP sees an interface
in the up/up condition it doesn't care about the actual end point.  This
throws a wrench in conventional HSRP thinking and we have to use floating
statics and let routing protocols provide protection for upstream failures.

Anyway, starting to get off topic.  Again, for us we have issues and I'm
glad it was posted to the list.


Kevin Wigle

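As an added illustration, not text from the thread, here is a Cisco IOS fragment sketching the two measures Kevin's message refers to: an access list on an Ethernet-emulated "WAN" port that accepts HSRP hellos only from the known peer, and a floating static default route so that a routing-protocol withdrawal, not the local interface state, drives the failover. All addresses, the interface and ACL names, and a second interface toward a provider B are assumed placeholders.

```cisco
! Constructed example (not from the thread). Addresses and names are placeholders.
! HSRPv1 hellos are UDP port 1985 sent to 224.0.0.2. On an Ethernet-emulated
! "WAN" port they are reachable from the provider cloud, so only the known
! HSRP peer (192.0.2.2 here) is allowed to source them. Anything else is
! dropped and logged, which also leaves the NOC a record of rogue hellos.
ip access-list extended HSRP-FILTER
 permit udp host 192.0.2.2 host 224.0.0.2 eq 1985
 deny   udp any host 224.0.0.2 eq 1985 log
 permit ip any any
!
interface FastEthernet0/0
 description Ethernet emulation circuit to upstream provider A
 ip address 192.0.2.1 255.255.255.0
 ip access-group HSRP-FILTER in
 standby 1 ip 192.0.2.254
 standby 1 priority 110
 standby 1 preempt
 ! Slower hellos cut the per-packet cost if the hellos are later wrapped in
 ! IPSec; the hold time is normally kept at about three times the hello time.
 standby 1 timers 10 30
!
! The circuit can be dead upstream while this interface stays up/up, so
! interface-based HSRP tracking will not notice. Let the routing protocol
! run with the provider carry the default route, and keep a floating static
! (distance 250, worse than any dynamic route) via the assumed provider B
! link that only takes effect when the learned default route disappears.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
```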

----- Original Message -----
From: "Priscilla Oppenheimer" 
To: 
Sent: Tuesday, 08 May, 2001 14:54
Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534]


> What is Ethernet emulation? It's definitely true that Ethernet is being
> used across long distances, if that's what you mean. With single mode
> fiber-optic cabling, Ethernet can span miles. Physical access is a
> different story in this case, of course. The cables may actually be in
> public places. They would be overhead on poles or underground, I guess,
> though, wouldn't they?
>
> I think it would still be very difficult to wreak havoc. Physical access
> would be difficult, and even if you had it, network-layer hacking would be
> hard to achieve. Wishful thinking? :-]
>
> Thanks
>
> Priscilla
>
> At 02:27 PM 5/9/01, Kevin Wigle wrote:
> >However, Ethernet emulation is becoming quite popular and very price
> >competitive.
> >
> >I have clients who have HSRP running on what would normally be called
> >"WAN" ports but they are ethernet.  The HSRP virtual address is visible to
> >the world and therefore it is vulnerable.
> >
> >I agree that traditionally HSRP has been used on the inside interfaces so
> >therefore your vulnerability is from the inside where you should have
> >personnel/physical security in place.
> >
> >IPSec is cool but involves more cost to deploy an IPSec capable IOS/router
> >if you're not already using IPSec.  Perhaps this is just another reason to
> >do so.
> >
> >Someone also commented on the overhead of IPSec encrypting/decrypting HSRP
> >hellos every 3 seconds.  Perhaps adjusting the HSRP timers would alleviate
> >this.
> >
> >But times they are a changing.  The lines between LAN and WAN are blurring.
> >It seems Brian's solution for an access-list will be a stop gap measure for
> >now.
> >
> >Kevin Wigle
> >
> >----- Original Message -----
> >From: Priscilla Oppenheimer
> >To:
> >Sent: Tuesday, May 08, 2001 1:38 PM
> >Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534]
> >
> >
> > > The HSRP "exploits" aren't anything new. If you have physical access to
> > > the target LAN, the ability to sniff packets, and the ability to send
> > > packets, of course you can wreak havoc. Not only could you send bad HSRP
> > > packets but you could respond to ARPs, send bad routing protocol packets,
> > > etc. etc. etc. The only real solutions are physical security and hiring
> > > people you trust!?
> > >
> > > Also, instead of using HSRP you could use the Virtual Router Redundancy
> > > Protocol (VRRP) defined in RFC 2338. VRRP is the standards-track
> > > replacement for HSRP.
> > > The Security Considerations section explains authentication options,
> > > including using IPSec.
> > >
> > > Priscilla
> > >
> > > At 11:20 PM 5/7/01, Andy Low wrote:
> > > >Hi TAC,
> > > >
> > > >Anyone know of any solutions to the HSRP exploits?
> > > >
> > > >http://www.securityfocus.com/bid/2684
> > > >
> > > >-andy-
> > > >FAQ, list archives, and subscription info:
> > > >http://www.groupstudy.com/list/cisco.html
> > > >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> > >
> > >
> > > ________________________
> > >
> > > Priscilla Oppenheimer
> > > http://www.priscilla.com
>
>
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3758&t=3534