Confirming what I had heard, that Canada has a much better grasp of last
mile solutions.

        Brian

----- Original Message -----
From: "Kevin Wigle" 
To: 
Sent: Tuesday, May 08, 2001 11:46 PM
Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534]


> Not wishful thinking at all.
>
> Ethernet emulation - also known as transparent LAN services - is offered in
> some form or different name by both AT&T and Bell up here in the Great
> White North and I'm sure in other places.  Yes it can be provided to the
> end user via fiber but it can also be provided over copper depending on how
> close they are to the pop (in the building).
>
> In a nutshell, an Upstream Service Provider provides access from a "smart
> building", a building which has a POP and connected to that provider's
> Metropolitan Area Network.  From there a client can be mapped, usually
> through ATM through their provider's network to the World Internet.
>
> This has the advantage of getting higher speeds without a user requiring
> ATM capable equipment or the expense of multiple T1s or Fractional T3.
> (available up to fast ethernet speeds)
>
> We are beginning to see more and more of these circuits and clients are
> starting to order up 2 of these circuits, one from each upstream provider
> for redundancy.
>
> We are also beginning to look at using this service with RFC 1483 bridging
> and getting the providers to connect the client site using ethernet and
> then map the ATM PVC to our own LS-1010 on a current OC-3 (soon to be upped
> to OC-12).
>
> This way, we can re-map the client to another core/border router to get
> around failures and load balance without having to wait for the upstream
> provider to react.
>
> In any event, perhaps our use of HSRP is specialized (meaning unique) to
> us as we sort of act like an ISP ourselves and we provide little security
> to the larger "intranet" as each customer provides their own firewall.
> Therefore the "inside" net is segregated mostly through routing, providing
> visibility to routes that we allow to be seen to the Internet and routes
> that are seen only on the inside.  And this "network" is not a few
> buildings, it is national in scope - sort of like a huge DMZ.
>
> Because of this, clients' access can be seen by other clients and by the
> world at least up to their firewall.  Since the firewall is behind the
> access routers and those routers could be Ethernet to connect (using HSRP
> for failover) then this exploit has potential for us and we are moving to
> put those access lists in place.
>
> This may not be all that easy to follow but I can't get into more
> specifics for the obvious security reasons.
>
> This whole issue is resulting I think as I said that the LAN and WAN are
> fading together.  What with GigE being proposed to replace ATM access,
> ethernet technologies may soon replace the traditional T1s etc, within
> metropolitan areas anyways.
>
> This also presents interesting limits on HSRP because if you have a router
> with three ethernet interfaces, 2 out and 1 in, because we're talking
> ethernet - it is no longer point-to-point with keepalives going end to
> end.  If a circuit becomes unavailable HSRP might not see it unless the
> actual interface goes down.  Therefore the circuit could be down farther
> up beyond the local connection (hub/switch, etc.) but as long as HSRP sees
> an interface in the up/up condition it doesn't care about the actual end
> point.  This throws a wrench in conventional HSRP thinking and we have to
> use floating statics and let routing protocols provide protection for
> upstream failures.
>
> Anyway, starting to get off topic.  Again, for us we have issues and I'm
> glad it was posted to the list.
>
>
> Kevin Wigle
>
>
> ----- Original Message -----
> From: "Priscilla Oppenheimer"
> To:
> Sent: Tuesday, 08 May, 2001 14:54
> Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534]
>
>
> > What is Ethernet emulation? It's definitely true that Ethernet is being
> > used across long distances, if that's what you mean. With single mode
> > fiber-optic cabling, Ethernet can span miles. Physical access is a
> > different story in this case, of course. The cables may actually be in
> > public places. They would be overhead on poles or underground, I guess,
> > though, wouldn't they?
> >
> > I think it would still be very difficult to wreak havoc. Physical access
> > would be difficult, and even if you had it, network-layer hacking would
> > be hard to achieve. Wishful thinking? :-]
> >
> > Thanks
> >
> > Priscilla
> >
> > At 02:27 PM 5/9/01, Kevin Wigle wrote:
> > >However, Ethernet emulation is becoming quite popular and very price
> > >competitive.
> > >
> > >I have clients who have HSRP running on what would normally be called
> > >"WAN" ports but they are ethernet.  The HSRP virtual address is visible
> > >to the world and therefore it is vulnerable.
> > >
> > >I agree that traditionally HSRP has been used on the inside interfaces
> > >so therefore your vulnerability is from the inside where you should have
> > >personnel/physical security in place.
> > >
> > >IPSec is cool but involves more cost to deploy an IPSec capable
> > >IOS/router if you're not already using IPSec.  Perhaps this is just
> > >another reason to do so.
> > >
> > >Someone also commented on the overhead of IPSec encrypting/decrypting
> > >HSRP hellos every 3 seconds.  Perhaps adjusting the HSRP timers would
> > >alleviate this.
> > >
> > >But times they are a changing.  The lines between LAN and WAN are
> > >blurring.  It seems Brian's solution for an access-list will be a stop
> > >gap measure for now.
> > >
> > >Kevin Wigle
> > >
> > >----- Original Message -----
> > >From: Priscilla Oppenheimer
> > >To:
> > >Sent: Tuesday, May 08, 2001 1:38 PM
> > >Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534]
> > >
> > >
> > > > The HSRP "exploits" aren't anything new. If you have physical access
> > > > to the target LAN, the ability to sniff packets, and the ability to
> > > > send packets, of course you can wreak havoc. Not only could you send
> > > > bad HSRP packets but you could respond to ARPs, send bad routing
> > > > protocol packets, etc. etc. etc. The only real solutions are physical
> > > > security and hiring people you trust!?
> > > >
> > > > Also, instead of using HSRP you could use the Virtual Router
> > > > Redundancy Protocol (VRRP) defined in RFC 2338. VRRP is the
> > > > standards-track replacement for HSRP.  The Security Considerations
> > > > section explains authentication options, including using IPSec.
> > > >
> > > > Priscilla
> > > >
> > > > At 11:20 PM 5/7/01, Andy Low wrote:
> > > > >Hi TAC,
> > > > >
> > > > >Anyone know of any solutions to the HSRP exploits?
> > > > >
> > > > >http://www.securityfocus.com/bid/2684
> > > > >
> > > > >-andy-
> > > > >FAQ, list archives, and subscription info:
> > > > >http://www.groupstudy.com/list/cisco.html
> > > > >Report misconduct and Nondisclosure violations to
> [EMAIL PROTECTED]
> > > >
> > > >
> > > > ________________________
> > > >
> > > > Priscilla Oppenheimer
> > > > http://www.priscilla.com
> >
> >
> > ________________________
> >
> > Priscilla Oppenheimer
> > http://www.priscilla.com
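As an added illustration (not Brian's or Kevin's actual configuration), this is what the access-list stop-gap, HSRP authentication, slower timers and interface tracking discussed above could look like on classic IOS for a router whose HSRP group faces a provider Ethernet. Addresses (192.0.2.0/24 documentation range), interface names, the group number and the key string are assumed placeholders; HSRPv1 hellos are UDP port 1985 to multicast 224.0.0.2 per RFC 2281.

```cisco
! Added example configuration for the active router R1 (192.0.2.2).
! Its HSRP peer R2 is assumed to have the real address 192.0.2.3.
! HSRPv1 messages: UDP 1985 to 224.0.0.2 (RFC 2281).
!
! 1. Accept HSRP traffic only from the known peer on the provider-facing
!    Ethernet; log and drop any other host speaking HSRP on that segment.
!    Inbound ACLs do not affect hellos generated by this router itself.
ip access-list extended HSRP-PROTECT
 permit udp host 192.0.2.3 host 224.0.0.2 eq 1985
 deny   udp any host 224.0.0.2 eq 1985 log
 permit ip any any
!
interface Ethernet0/0
 description Provider-facing "WAN" Ethernet (transparent LAN service)
 ip address 192.0.2.2 255.255.255.0
 ip access-group HSRP-PROTECT in
 ! 2. Plain-text HSRP authentication (max 8 characters): hellos carrying
 !    the wrong string are ignored, but the string travels in the clear,
 !    so anyone who can sniff the segment can read it. It complements
 !    the ACL rather than replacing it.
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication hsrpkey1
 ! 3. Slower timers (hello 5 s, hold 15 s): fewer hellos to process or to
 !    carry over IPsec, at the cost of slower failover. Both peers must
 !    use the same values.
 standby 1 timers 5 15
 ! 4. Lower priority by 20 if the inside interface goes down. This only
 !    reacts to local link state; an upstream failure behind a switch
 !    leaves the interface up/up, which is Kevin's point about needing
 !    floating statics and the routing protocol for that case.
 standby 1 track Ethernet0/1 20
```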




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3760&t=3534