iSCSI: Active and Passive attacks

Here's the promised message on active and passive attacks - again, this is IMHO, and *not* posted as a WG co-chair. It's important for people other than the security experts to be involved in this issue.

-- Symmetry and Opportunity

Passive monitoring/eavesdropping attacks are often symmetric - if the attacker can see the traffic from Alice to Bob, there's a good chance that s/he can see the traffic in the reverse direction, at least on LANs. WANs are more complex, and asymmetric routes do turn up in multi-provider scenarios (e.g., "hot-potato" routing). Note that this whole discussion of symmetric vs. asymmetric vulnerability is assuming that bidirectional authentication is an important case.

In contrast, active attacks often have asymmetric characteristics in that the attacker's location makes one of the communicating parties more vulnerable. The scenario discussed earlier of taking over a router/network node that's actually on the communication path strikes me as unusual in contrast to using a node (esp. end-system) not on the communication path to do the dirty work. The result is often asymmetric vulnerability - for example, if the attack is based on impersonation via a bogus ARP response, the attacker has to be on the same LAN segment (incl. VLAN) as the victim, and in many cases will only be able to attack one of the two communicating parties in this fashion. The shrinking size of LAN segments (e.g., as layer 3 forwarding replaces Ethernet bridges) suggests that the two communicating parties not being on the same LAN is an important case (and limiting this ARP vulnerability is another reason to reduce the size of LAN segments).

-- Combined Active/Passive Attacks

A protocol that's vulnerable to a passive attack is also vulnerable to some combined active/passive attacks that can be considerably simpler than a fully active attack. For example, the attacker may have to monitor a *lot* of iSCSI traffic before seeing a login. This can be improved via a well-placed TCP RST to drop the connection - if the Initiator policy is to replace the connection in short order, the login traffic will show up soon. CHAP is vulnerable to this attack - DH-CHAP is not, as it requires a full active impersonation or man-in-the-middle attack that requires significantly more iSCSI code/knowledge, and SRP is even better.

-- Attack Detection

If bidirectional authentication is in use, both the full passive monitoring attack and the TCP RST active/passive attack on CHAP cannot be detected by the iSCSI participants. In contrast, an active impersonation or man-in-the-middle attack on DH-CHAP or SRP is detectable because the attacker fails to authenticate when required to do so (although a clueful attacker won't even try this on SRP, as there's nothing to be gained, in contrast to DH-CHAP).

Having provided three examples in which prevention of passive attacks can be valuable in "raising the bar" on an attacker, even for a protocol that's vulnerable to active attacks, I'll stop here and invite others to comment.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA 01748
+1 (508) 249-6449 *NEW* FAX: +1 (508) 497-8500
black_david@emc.com Cell: +1 (978) 394-7754
---------------------------------------------------
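Added example, not part of David's message or of any iSCSI implementation: a small Python detector for the "TCP RST followed by a prompt re-login" pattern described above, which the iSCSI participants themselves cannot see but a network-side monitor can count. It assumes a constructed, simplified event record format (timestamp, initiator IP, target IP, RST or LOGIN), not any real iSCSI or vendor log format.

```python
from collections import defaultdict

RST_TO_LOGIN_WINDOW = 5.0   # seconds: a LOGIN this soon after a RST is treated as forced
ALERT_THRESHOLD = 3         # forced re-logins per (initiator, target) pair before alerting

# Constructed sample events: one initiator is reset and re-logs in three times,
# another is reset once and only reconnects much later (a normal reconnect).
SAMPLE_EVENTS = """\
1000.0 10.0.0.5 10.0.0.9 LOGIN
1600.2 10.0.0.5 10.0.0.9 RST
1601.0 10.0.0.5 10.0.0.9 LOGIN
1640.5 10.0.0.5 10.0.0.9 RST
1641.1 10.0.0.5 10.0.0.9 LOGIN
1700.0 10.0.0.7 10.0.0.9 RST
1702.3 10.0.0.5 10.0.0.9 RST
1703.0 10.0.0.5 10.0.0.9 LOGIN
1900.0 10.0.0.7 10.0.0.9 LOGIN
"""

def parse_events(text):
    """Parse '<epoch> <initiator> <target> <RST|LOGIN>' lines, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, kind = line.split()
        events.append((float(ts), src, dst, kind))
    return sorted(events, key=lambda e: e[0])

def forced_relogins(events, window=RST_TO_LOGIN_WINDOW):
    """Count LOGINs that follow a RST on the same pair within `window` seconds.
    Each RST can account for at most one forced re-login."""
    last_rst = {}
    counts = defaultdict(int)
    for ts, src, dst, kind in events:
        pair = (src, dst)
        if kind == "RST":
            last_rst[pair] = ts
        elif kind == "LOGIN":
            rst_ts = last_rst.pop(pair, None)
            if rst_ts is not None and ts - rst_ts <= window:
                counts[pair] += 1
    return dict(counts)

def alerts(events, window=RST_TO_LOGIN_WINDOW, threshold=ALERT_THRESHOLD):
    """Return the (initiator, target) pairs whose forced re-login count reaches the threshold."""
    return sorted(p for p, n in forced_relogins(events, window).items() if n >= threshold)

if __name__ == "__main__":
    for init, tgt in alerts(parse_events(SAMPLE_EVENTS)):
        print(f"repeated RST-forced iSCSI logins: {init} -> {tgt}")
```

A burst of such forced logins is worth correlating with who is sending the RSTs; with CHAP each forced login also hands a fresh challenge/response pair to anyone monitoring the segment, which is the reason the message favours DH-CHAP or SRP.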
Last updated: Tue Apr 30 15:18:26 2002