Transcript
Netmanias Technical Document: Subscriber Authentication and Security Technologies for TPS Services [3] Access Network Security Technologies
April 18, 2007
NMC Consulting Group (tech@netmanias.com)
Slide 2: Contents
- DHCP/NetBIOS filtering
- MAC attack
- ARP spoofing
- DHCP security
- Illegal static IP address assignment
- IGMP join attack
- Wireless LAN security
- Case study
Slide 3: Ethernet based Access network
[Figure: Ethernet-based access network. Subscriber PCs in Building 1 through Building 10 connect over 10/100 Ethernet or VDSL (20/50 Mbps) to L2 switches / DSLAMs (MTU-Metro, Ntopia SW), which uplink over 100FX/TX and GbE to an L3 switch acting as DHCP server/relay with a static route (default gateway) toward the BRAS (SER) at the POP/CO, and on to the ISP backbone with its AAA and DHCP servers.]
Security functions placed at the L2 switch (DSLAM):
- NetBIOS filtering
- DHCP filtering
- MAC count limit (1)
- Overlapping VLAN (중첩 VLAN)
Slide 4: Packet Filtering: DHCP, NetBIOS
[Figure: a subscriber PC on an L2 switch (DSLAM) together with another subscriber's private DHCP server on the same access segment; the L3 switch (DHCP server/relay) uplinks via MTU-Metro / Ntopia SW to the BRAS (SER) at the POP/CO and the ISP backbone with AAA and DHCP servers. Without filtering one subscriber sees the other: "I can see your computer!!"]
Filtering at the L2 switch: DHCP, NetBIOS
Slide 5: DHCP Offer from a private DHCP server
[Figure: same topology as slide 4, with a subscriber's private DHCP server on the access segment.]
1) The PC broadcasts a DHCP Discover.
2) DHCP Offer from the private DHCP server.
3) DHCP Offer from the network (L3 switch DHCP server/relay).
If the PC selects DHCP Offer 2, then ???
Slide 6: NetBIOS Scenario
[Figure: three subscriber PCs on one L2 switch (DSLAM): A: 210.16.1.11, B: 210.16.1.12, C: 210.16.1.13.]
- Host Announcement (NetBIOS-dgm, UDP 138; destination MAC / destination IP: broadcast)
- Name Query (NetBIOS-ns, UDP 137; destination MAC: broadcast, destination IP: A)
- ARP
- Name Response (NetBIOS-ns, UDP 137; destination MAC: B, destination IP: B)
- NetBIOS Session (NetBIOS-ssn, TCP 139, SYN)
- NetBIOS Session (NetBIOS-ssn, TCP 139, SYN, ACK)
- NetBIOS Session (NetBIOS-ssn, TCP 139, ACK)
NetBIOS Session Service (TCP 139): file sharing
Slide 7: DHCP/NetBIOS Filtering Operation: L2 Switch (DSLAM)
[Figure: L2 switch (DSLAM) whose switch fabric punts broadcast packets from subscriber ports to the CPU, which inspects the UDP/TCP port.]
DHCP filtering
- The CPU receives the broadcast packets.
- UDP port forwarding rule: 68, 67.
- DHCP Discover messages are sent only to the uplink.
NetBIOS packet filtering
- The CPU receives the broadcast packets.
- UDP port filtering rule: 138, 137.
- TCP port filtering rule: 139.
Port reference
- Host Announcement: NetBIOS-dgm, UDP port 138
- Name Query: NetBIOS-ns, UDP port 137
- NetBIOS Session: NetBIOS-ssn, TCP port 139
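The rule set of this slide as an added example (not code from the Netmanias document or any vendor): the DSLAM CPU's decision for a punted frame, run over constructed Ethernet/IPv4 frames that replay the NetBIOS scenario of slide 6 plus a DHCP Discover and an ordinary DNS query. Frame layouts are minimal (no checksums) since only the port numbers matter to the filter.

```python
import struct

UPLINK_ONLY = "forward-uplink"
DROP = "drop"
SWITCH = "switch"
DHCP_PORTS = {67, 68}          # UDP port forwarding rule: 68, 67
NETBIOS_UDP = {137, 138}       # UDP port filtering rule: 138, 137
NETBIOS_TCP = {139}            # TCP port filtering rule: 139

def build_frame(src_mac, dst_mac, proto, sport, dport):
    """Construct a minimal Ethernet II + IPv4 + UDP/TCP frame (sample input only)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    # IPv4: ver/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     b"\x00" * 4, b"\xff" * 4)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4   # ports are all the filter needs
    return eth + ip + l4

def classify(frame):
    """Decision the DSLAM CPU takes for one punted frame from a subscriber port."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return SWITCH                         # non-IPv4 (e.g. ARP): outside this rule set
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    ports = {sport, dport}
    if proto == 17 and ports & DHCP_PORTS:
        return UPLINK_ONLY                    # DHCP Discover goes to the uplink only
    if proto == 17 and ports & NETBIOS_UDP:
        return DROP                           # Host Announcement / Name Query
    if proto == 6 and ports & NETBIOS_TCP:
        return DROP                           # NetBIOS session (file sharing)
    return SWITCH

def filter_batch(frames):
    """Return the count of each decision for a batch of frames."""
    counts = {UPLINK_ONLY: 0, DROP: 0, SWITCH: 0}
    for f in frames:
        counts[classify(f)] += 1
    return counts

# Constructed samples: the slide-6 NetBIOS scenario plus a DHCP Discover and a DNS query
SAMPLE = [
    build_frame("00:10:00:00:00:0a", "ff:ff:ff:ff:ff:ff", 17, 68, 67),    # DHCP Discover
    build_frame("00:10:00:00:00:0a", "ff:ff:ff:ff:ff:ff", 17, 138, 138),  # Host Announcement
    build_frame("00:10:00:00:00:0b", "ff:ff:ff:ff:ff:ff", 17, 137, 137),  # Name Query
    build_frame("00:10:00:00:00:0b", "00:10:00:00:00:0a", 6, 1025, 139),  # NetBIOS session SYN
    build_frame("00:10:00:00:00:0a", "00:10:00:00:00:01", 17, 1026, 53),  # ordinary DNS query
]
```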
Slide 8: Overlapping VLAN (중첩 VLAN)
[Figure: subscriber PCs on an L2 switch (DSLAM) behind the L3 switch (DHCP server/relay), MTU-Metro / Ntopia SW, BRAS (SER) at the POP/CO and the ISP backbone with AAA and DHCP; all subscriber packets flow to the uplink only.]
- All packets from a subscriber are sent only to the uplink (prevents hair-pinning between subscriber ports).
- A configuration in which one port belongs to several VLANs is commonly called an overlapping VLAN.
- To keep the subscriber ports isolated from one another while still letting every subscriber communicate with the uplink, an untagged multi-VLAN configuration is widely used.
Slide 9: MAC Attack
[Figure: a hacker PC and home-user PCs on an L2 switch (DSLAM) behind the L3 switch (DHCP server/relay), BRAS (SER) and the ISP backbone with AAA and DHCP. The hacker runs Dsniff, generating frames with source MAC addresses X, Y, ... (about 155,000 packets per minute!!).]
- Dsniff
- Generates 155,000 MAC entries per minute
- MAC table full
- MAC flooding attack against the aggregation device
- MAC Table Full!! Other subscribers cannot access the Internet!!
Solution: MAC count limitation per subscriber port
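An added example (not code from the Netmanias document) of the solution on this slide: a simplified forwarding table of the aggregation switch, with and without a per-subscriber-port MAC cap. The table size, the flood size and the MAC addresses are constructed sample values.

```python
class MacTable:
    """Forwarding table of the aggregation switch, optionally with a per-port MAC cap."""
    def __init__(self, capacity, per_port_limit=None):
        self.capacity = capacity
        self.per_port_limit = per_port_limit
        self.entries = {}              # learned MAC -> subscriber port
        self.per_port = {}             # subscriber port -> number of MACs learned
        self.rejected = 0

    def learn(self, mac, port):
        """Learn a source MAC seen on a port; return False if the entry is refused."""
        if mac in self.entries:
            return True
        if (self.per_port_limit is not None
                and self.per_port.get(port, 0) >= self.per_port_limit):
            self.rejected += 1         # this port used its quota: the flood stops here
            return False
        if len(self.entries) >= self.capacity:
            self.rejected += 1         # whole table full: every other port suffers
            return False
        self.entries[mac] = port
        self.per_port[port] = self.per_port.get(port, 0) + 1
        return True

def flood_from_port(table, port, count):
    """Constructed flood: `count` frames from one port, each with a fresh source MAC."""
    for i in range(count):
        mac = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        table.learn(mac, port)

def simulate(per_port_limit, table_capacity=8192, flood_frames=20000):
    """Flood from the hacker's port, then check whether a home user on another port
    can still be learned. Returns (home user learned?, table entries in use)."""
    table = MacTable(table_capacity, per_port_limit)
    flood_from_port(table, "hacker-port", flood_frames)
    home_user_learned = table.learn("00:11:22:33:44:55", "home-user-port")
    return home_user_learned, len(table.entries)
```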
Slide 10: ARP Spoofing: IP packet sniffing
[Figure: three hosts on the L2 switch (DSLAM): A (IP: A, MAC: X, home user), B (IP: B, MAC: Y, hacker) and C (IP: C, MAC: Z, home user), behind the L3 switch (DHCP server/relay), BRAS (SER) and the ISP backbone with AAA and DHCP.]
Sniffing IP packets by spoofing the MAC address:
- A sends: IP A -> C, MAC X -> Y. A wrongly believes that C's MAC address is Y.
- B forwards: IP A -> C, MAC Y -> Z. B rewrites the destination MAC to C's real MAC, Z.
Slide 11: ARP Spoofing (1)
[Figure: three hosts on the L2 switch (DSLAM): A: 192.168.10.1 (11:11:11:11:11:11), home user; B: 192.168.10.2 (22:22:22:22:22:22), home user; C: 192.168.10.3 (33:33:33:33:33:33), hacker.]
ARP (MAC) tables before the attack:
- A: 192.168.10.2 (22:22:22:22:22:22)
- B: 192.168.10.2 (22:22:22:22:22:22)
- C: 192.168.10.1 (11:11:11:11:11:11)
1) C sends A an ARP reply: "I am B (192.168.10.2)". ARP spoofing!!!
- C deceives A by pretending to be B.
- C must already know A's and B's IP and MAC information.
Slide 12: ARP Spoofing (2)
[Figure: the same three hosts on the L2 switch (DSLAM).]
- When A receives the ARP reply (ARP spoofing) from C, it changes the entry for B in its MAC (ARP) table.
ARP (MAC) tables after the spoofed reply:
- A: 192.168.10.2 (33:33:33:33:33:33)
- B: 192.168.10.2 (22:22:22:22:22:22)
- C: 192.168.10.1 (11:11:11:11:11:11)
2) A: "So B's MAC address has changed to [33:33:33:33:33:33]..."
Slide 13: ARP Spoofing (3)
[Figure: the same three hosts; A's table still maps 192.168.10.2 to 33:33:33:33:33:33, B's maps 192.168.10.2 to 22:22:22:22:22:22, C's maps 192.168.10.1 to 11:11:11:11:11:11.]
3) A sends an IP packet to B; because of the changed table entry it is delivered to C.
4) C sends the IP packet on to B.
- C receives the spoofed packets (IP data) from A and harvests information such as IDs, passwords, e-mail and MSN messages from them.
- C must forward the packets to B. If it does not relay them, B sees what looks like a network that is not working properly.
Slide 14: DHCP Attack
An attack in which a subscriber deliberately keeps changing the MAC address inside DHCP Discover messages and injects them into the network continuously. The DHCP server's IP address pool is exhausted, so no IP addresses are left to assign to legitimate subscribers.
Option 1) Add a function to the L2 device that inspects DHCP messages in the CPU.
Option 2) Add a function to the L3 device that inspects DHCP messages in the CPU.
=> When the L2/L3 device receives a DHCP Discover message (always punting it to the CPU), it checks whether the source MAC address of the DHCP Discover frame matches the MAC address inside the payload.
=> This cannot stop a meticulous hacker who attacks with the frame's source MAC and the MAC inside the payload set to the same value.
Option 3) Add a DHCP relay function to the L2 device.
=> DHCP option 82: the DHCP relay passes the port on which the DHCP Discover message arrived to the DHCP server along with the message, so that only one IP is assigned per port.
=> The DHCP attack is defended against reliably.
Slide 15: DHCP Attack: DDoS Attack to DHCP server
[Figure: a hacker PC on the L2 SW (DSLAM); the L3 SW acts as DHCP relay agent and forwards every DHCP_request to the DHCP server through the BRAS (SER) and Ntopia SW as "DHCP_request + GI address". In the labels, "payload" is the client MAC inside the DHCP payload and "E" the Ethernet source MAC.]
Attack 1: DHCP_request (payload = m1 | E = m1), DHCP_request (payload = m2 | E = m1), ..., DHCP_request (payload = m10000 | E = m1): the payload MAC changes while the Ethernet source MAC stays m1.
Attack 2: DHCP_request (payload = m1 | E = m1), DHCP_request (payload = m2 | E = m2), ..., DHCP_request (payload = m10000 | E = m10000): payload MAC and Ethernet source MAC change together.
Attack 3: DHCP_request (payload = m1 | E = m1) repeated continuously.
Slide 16: IP Assignment (new authentication)
[Figure: a subscriber PC (MAC = m3) with TV / IP STB behind a VDSL L2 SW, the L3 SW (DHCP relay), the SER and the Ntopia SW toward the Internet; servers: DHCP server, AAA server, web portal, control server, subscriber DB.]
PC booting, then DHCP through the relay (DHCP Offer and DHCP Request are omitted):
1. PC -> L2 -> L3 (Ethernet broadcast): DHCP Discover [S-MAC = m3, D-MAC = all 1's] [SIP = 0's, DIP = all 1's] [UDP Dport = 67] [Client MAC = m3]
2. L3 (DHCP relay) -> SER: DHCP Discover [S-MAC = L3, D-MAC = next router] [SIP = L3, DIP = SER] [UDP Dport = 67] [Client MAC = m3] [relay agent IP = L3]
3. SER -> DHCP server: DHCP Discover [S-MAC = SER, D-MAC = Server] [SIP = SER, DIP = Server] [UDP Dport = 67] [Client MAC = m3] [relay agent IP = L3]
4. DHCP server -> SER: DHCP Ack [S-MAC = Server, D-MAC = SER] [SIP = Server, DIP = L3] [UDP Dport = 67] [Client MAC = m3] [Client IP = ip3] [relay agent IP = L3]
5. SER -> L3: DHCP Ack [S-MAC = SER, D-MAC = N] [SIP = SER, DIP = L3] [UDP Dport = 68] [Client MAC = m3] [Client IP = ip3] [relay agent IP = L3]
6. L3 -> PC: DHCP Ack [S-MAC = L3, D-MAC = m3] [SIP = L3, DIP = ip3?] [UDP Dport = 68] [Client MAC = m3] [Client IP = ip3] [relay agent IP = L3]
A MAC authentication request goes to the AAA server, whose subscriber table holds the row MAC | SI_ID | IP | ID | PW | Service = m3 | c_id3 | ip3 | -- | default. The relay keeps the lease entry {m3: L3: ip3}.
Slide 17: DHCP Attack: IP Exhaustion
[Figure: the same topology as slide 16; the hacker PC (MAC = m3) is on the L2 SW.]
The hacker broadcasts a series of DHCP Discover messages, all with the same Ethernet source MAC but a different client MAC in the payload:
- DHCP Discover [S-MAC = m3, D-MAC = all 1's] [SIP = 0's, DIP = all 1's] [UDP Dport = 67] [Client MAC = m1]
- DHCP Discover [S-MAC = m3, D-MAC = all 1's] [SIP = 0's, DIP = all 1's] [UDP Dport = 67] [Client MAC = m2]
- DHCP Discover [S-MAC = m3, D-MAC = all 1's] [SIP = 0's, DIP = all 1's] [UDP Dport = 67] [Client MAC = m3]
- DHCP Discover [S-MAC = m3, D-MAC = all 1's] [SIP = 0's, DIP = all 1's] [UDP Dport = 67] [Client MAC = m...]
The L3 relay forwards each one ([S-MAC = L3, D-MAC = next router] [SIP = L3, DIP = SER] [UDP Dport = 67] [relay agent IP = L3]), the SER forwards it to the DHCP server ([S-MAC = SER, D-MAC = Server] [SIP = SER, DIP = Server]), and the server answers every client MAC with its own DHCP Ack, relayed back through the SER and the L3 ([S-MAC = L3, D-MAC = m3] [SIP = L3, DIP = ip3?] [UDP Dport = 68]) to the hacker's MAC m3.
Result: the relay's lease list grows, {m1: L3: ip1}, {m2: L3: ip2}, {m3: L3: ip3}, {m4: L3: ip4}, ..., and the AAA subscriber table (MAC | SI_ID | IP | ID | PW | Service) fills with rows m1 | c_id1 | ip1 | -- | default, m2 | c_id2 | ip2 | -- | default, m3 | c_id3 | ip3 | -- | default, each preceded by a MAC authentication request. DHCP Offer and DHCP Request are omitted.
Slide 18: Solution (1): DHCP snooping at L2
[Figure: the same topology as slide 17; the hacker PC (MAC = m3) is on the L2 switch, whose L2 switching fabric punts broadcast frames to its CPU.]
Hacker's broadcast DHCP Discover frames: [S-MAC = m3, D-MAC = all 1's] [SIP = 0's, DIP = all 1's] [UDP Dport = 67] with [Client MAC = m1], [Client MAC = m2], [Client MAC = m3], [Client MAC = m...].
L2 switch CPU check: if the DHCP frame header's source MAC != the payload's Client MAC, DROP. The frames carrying Client MAC m1, m2, m... are dropped; only the one whose Client MAC equals the frame source MAC m3 is forwarded.
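The CPU check of this slide as an added example (not code from the Netmanias document): a raw DHCP Discover frame is parsed down to the BOOTP `chaddr` field and dropped when it differs from the Ethernet source MAC. The frame builder constructs sample input (no checksums, fixed transaction id). As slide 14 notes, a sender that sets both MACs to the same value (Attack 2 on slide 15) passes this check, which is why option 82 is offered as Solution (3).

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"

def build_dhcp_discover(frame_src_mac, client_mac):
    """Construct an Ethernet + IPv4 + UDP + BOOTP/DHCP Discover frame (sample input)."""
    eth = b"\xff" * 6 + bytes.fromhex(frame_src_mac.replace(":", "")) + b"\x08\x00"
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    # BOOTP: op=1 (request), htype=1 (Ethernet), hlen=6, hops, xid, secs, flags (broadcast),
    # ciaddr, yiaddr, siaddr, giaddr, chaddr; then sname (64) + file (128), cookie, options
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, chaddr)
    bootp += b"\x00" * 192 + MAGIC_COOKIE + b"\x35\x01\x01\xff"   # option 53 = DHCPDISCOVER
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00" * 4, b"\xff" * 4)
    return eth + ip + udp

def snoop_check(frame):
    """L2/L3 CPU check: a DHCP request whose frame src MAC != payload client MAC is dropped."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return "forward"                                 # not IPv4: not a DHCP frame
    frame_src_mac = frame[6:12]
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17:
        return "forward"                                 # not UDP
    udp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if dport != 67:
        return "forward"                                 # not a client -> server DHCP message
    bootp = udp[8:]
    if len(bootp) < 240:
        return "drop"                                    # truncated BOOTP header
    op, htype, hlen = bootp[0], bootp[1], bootp[2]
    if op != 1 or htype != 1 or hlen != 6 or bootp[236:240] != MAGIC_COOKIE:
        return "drop"                                    # malformed BOOTP request
    chaddr = bootp[28:28 + hlen]                         # chaddr starts at BOOTP offset 28
    return "drop" if chaddr != frame_src_mac else "forward"
```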
Slide 19: Solution (2): DHCP check at L3
[Figure: the same topology; the hacker PC (MAC = m3) is on the L2 SW, and the broadcast DHCP frames reach the L3 switch, whose switching fabric punts them to its CPU.]
Hacker's broadcast DHCP Discover frames: [S-MAC = m3, D-MAC = all 1's] [SIP = 0's, DIP = all 1's] [UDP Dport = 67] with [Client MAC = m1], [Client MAC = m2], [Client MAC = m3], [Client MAC = m...].
L3 switch CPU check: if the DHCP frame header's source MAC != the payload's Client MAC, DROP.
Slide 20: Solution (3): DHCP option 82
[Figure: the same topology; the hacker PC (MAC = m3) is on the L2 SW, which now acts as a DHCP relay; DHCP server and AAA server in the core.]
The hacker's DHCP Discover as forwarded by the L2 relay: [S-MAC = m3, D-MAC = all 1's] [SIP = 0's, DIP = all 1's] [UDP Dport = 67] [Client MAC = m3] [Relay Agent Option = {Circuit ID = Port 1}] [Relay Agent ID = L2's management IP]
The DHCP server assigns one IP per "L2 port": prevents IP exhaustion.
Information the DHCP server maintains:
- terminal MAC
- assigned IP
- relay IP (L2)
- L2 port number
- other
AAA server table: {RelayIP:L2port} | MAC | C_ID | IP | ID | PW | Service = ip_l2:p2 | m3 | c_id7 | ip3 | id3 | pw3 | 6
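An added example (not code from the Netmanias document) of Solution (3): the L2 relay agent attaches a Relay Agent Information option (DHCP option 82, RFC 3046) with Circuit ID = ingress port and Remote ID = its management IP, and the server keys its leases on (Remote ID, Circuit ID) so one L2 port gets one address however many client MACs it presents. DHCP messages other than the option are represented as dicts; the Remote ID carrying the L2 management IP follows the slide's "Relay Agent ID", and refusing un-stamped requests is an assumed server policy.

```python
OPT_RELAY_AGENT = 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2

def encode_option82(circuit_id, remote_id):
    """Relay Agent Information option: code 82, length, then sub-options 1 and 2."""
    body = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id +
            bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPT_RELAY_AGENT, len(body)]) + body

def decode_option82(opt):
    """Return {sub-option code: value} from an encoded option 82, or None if malformed."""
    if len(opt) < 2 or opt[0] != OPT_RELAY_AGENT or opt[1] != len(opt) - 2:
        return None
    subs, i = {}, 2
    while i + 2 <= len(opt):
        code, length = opt[i], opt[i + 1]
        subs[code] = opt[i + 2:i + 2 + length]
        i += 2 + length
    return subs

def l2_relay_stamp(discover, mgmt_ip, ingress_port):
    """L2 relay agent: attach option 82 {Circuit ID = port, Remote ID = L2 mgmt IP}."""
    stamped = dict(discover)
    stamped["option82"] = encode_option82(("Port %d" % ingress_port).encode(),
                                          mgmt_ip.encode())
    return stamped

class Option82DhcpServer:
    """Assigns at most one IP per (relay IP, L2 port), as the slide describes."""
    def __init__(self, pool):
        self.free = list(pool)
        self.leases = {}          # (remote_id, circuit_id) -> {"mac": ..., "ip": ...}

    def handle_discover(self, msg):
        subs = decode_option82(msg.get("option82", b""))
        if not subs or SUB_CIRCUIT_ID not in subs or SUB_REMOTE_ID not in subs:
            return None           # assumed policy: no relay stamp, no lease
        key = (subs[SUB_REMOTE_ID], subs[SUB_CIRCUIT_ID])
        lease = self.leases.get(key)
        if lease is not None:     # port already holds an address: renew for the same MAC only
            return lease["ip"] if lease["mac"] == msg["client_mac"] else None
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.leases[key] = {"mac": msg["client_mac"], "ip": ip}
        return ip

def exhaustion_attempt(server, mgmt_ip, port, n_macs):
    """The slide-17 sequence replayed against this server: n client MACs from one port."""
    granted = [server.handle_discover(l2_relay_stamp({"client_mac": "m%d" % i}, mgmt_ip, port))
               for i in range(1, n_macs + 1)]
    return [ip for ip in granted if ip is not None]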
Slide 21: Illegal Static IP Address Assignment (IP theft)
The case where an ordinary subscriber who has not subscribed to the Premium service steals a Premium subscriber's IP address.
Option 1: DHCP snooping at the L2 device
=> The L2 device snoops DHCP messages in its CPU and maintains a table of {legitimately assigned IP, MAC, port} (the IP lease table) to block IP theft.
Option 2: The L3 device (DHCP relay) manages the IP lease table.
Option 3: DHCP proxy at the BRAS (SER), which manages the IP lease table.
* YahooBB plans to deploy Option 1).
Slide 22: Solution: IP Lease Table
[Figure: the same topology; two PCs on the L2 SW: MAC = m1, authenticated with the dynamically allocated IP = 200.200.200.88, and MAC = m2, the hacker, unauthenticated and statically configured with IP = 200.200.200.88.]
The L2 switch maintains the IP lease table and prevents IP theft.
IP address lease table
Client MAC | State    | IP address | Port | Time remained
m1         | Assigned | ip3        | 1    | 4 hour
.          | .        | N/A        | N/A  | .
.          | .        | N/A        | N/A  | .
AAA subscriber table: MAC | C_ID | IP | ID | PW | Service = m1 | c_id7 | ip3 | id3 | pw3 | 6
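An added example (not code from the Netmanias document) serving two passages: the IP lease table of this slide, built by snooping DHCP ACKs at the L2 switch (Option 1 of slide 21), used to drop a statically configured source that holds no lease, and the same bindings used to drop the spoofed ARP reply of slides 11 to 13 (C claiming B's address). The DHCP ACK is passed in already parsed; hosts, addresses and ports are constructed from the slides' values.

```python
from dataclasses import dataclass

@dataclass
class Lease:
    client_mac: str
    ip: str
    port: int
    state: str = "Assigned"
    time_remained: int = 4 * 3600          # seconds ("4 hour" on the slide)

class IpLeaseTable:
    """Bindings learned by snooping DHCP ACKs at the L2 switch."""
    def __init__(self):
        self.by_ip = {}

    def snoop_dhcp_ack(self, ack):
        """`ack` is the parsed DHCP ACK seen leaving toward a subscriber port."""
        self.by_ip[ack["client_ip"]] = Lease(ack["client_mac"], ack["client_ip"], ack["port"])

    def _bound(self, ip, mac, port):
        lease = self.by_ip.get(ip)
        return (lease is not None and lease.state == "Assigned"
                and lease.client_mac == mac and lease.port == port)

    def check_arp(self, port, sender_mac, sender_ip):
        """ARP spoofing (slides 11-13): a reply must carry the IP/MAC leased on that port."""
        return "forward" if self._bound(sender_ip, sender_mac, port) else "drop: ARP spoofing"

    def check_ip(self, port, src_mac, src_ip):
        """IP theft (slide 22): a statically configured, unleased source is dropped."""
        if self._bound(src_ip, src_mac, port):
            return "forward"
        return "drop: unauthenticated static IP"

def demo():
    """Constructed sample: A/B/C from slide 11 plus m1/m2 from slide 22."""
    t = IpLeaseTable()
    t.snoop_dhcp_ack({"client_mac": "11:11:11:11:11:11", "client_ip": "192.168.10.1", "port": 1})
    t.snoop_dhcp_ack({"client_mac": "22:22:22:22:22:22", "client_ip": "192.168.10.2", "port": 2})
    t.snoop_dhcp_ack({"client_mac": "33:33:33:33:33:33", "client_ip": "192.168.10.3", "port": 3})
    t.snoop_dhcp_ack({"client_mac": "m1", "client_ip": "200.200.200.88", "port": 1})
    return {
        # C (port 3) claims to be B (192.168.10.2): the spoofed reply never reaches A
        "spoofed_arp": t.check_arp(3, "33:33:33:33:33:33", "192.168.10.2"),
        "real_arp": t.check_arp(2, "22:22:22:22:22:22", "192.168.10.2"),
        # m2 statically configures m1's address 200.200.200.88 on port 2
        "stolen_ip": t.check_ip(2, "m2", "200.200.200.88"),
        "leased_ip": t.check_ip(1, "m1", "200.200.200.88"),
    }
```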
Slide 23: IGMP Join attack: IGMP DDoS attack
[Figure: a hacker on the L2 SW (DSLAM) with IGMP snooping; the L3 SW runs IGMP/PIM-SM toward the BRAS (SER), Ntopia SW and the IP core (Premium) with PIM-SM, behind which sits the IP-TV headend. The hacker sends IGMP join (CH1), IGMP join (CH2), IGMP join (CH3), ..., IGMP join (CH53).]
Basic channels: 1~50. Premium channels: 51, 52, 53.
- IGMP join attack
- Occupies bandwidth on the L3 SW <-> L2 SW (DSLAM) segment: 1) wasted bandwidth
- Increases CPU load on the L2 and L3 switches for IGMP processing: 2) L2/L3 SW CPU load increase
- Solution: at the L2 SW (or DSLAM), limit the number of groups that can be joined via IGMP per subscriber port (multicast group number limitation per port)
- Example) In VT's case, limited to 2 concurrent groups per DSLAM port
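The solution of this slide as an added example (not code from the Netmanias document): IGMP snooping at the L2 SW / DSLAM that parses IGMPv2 Membership Report and Leave Group messages and caps the number of groups joined per subscriber port (2 in the VT example). The channel-to-group mapping and the IGMP bytes are constructed; checksums are not computed.

```python
import struct

IGMP_V2_MEMBERSHIP_REPORT = 0x16
IGMP_LEAVE_GROUP = 0x17

def igmp_message(msg_type, group):
    """Construct an 8-byte IGMPv2 message: type, max resp time, checksum (0 here), group."""
    return struct.pack("!BBH4s", msg_type, 0, 0, bytes(int(o) for o in group.split(".")))

def channel_group(channel):
    """Assumed channel-to-group mapping (not from the document): channel N -> 239.1.0.N."""
    return "239.1.0.%d" % channel

class PortGroupLimiter:
    """IGMP snooping at the L2 SW / DSLAM with a per-subscriber-port group cap."""
    def __init__(self, max_groups_per_port):
        self.max_groups = max_groups_per_port
        self.joined = {}                     # port -> set of group addresses

    def handle(self, port, igmp_bytes):
        """Return 'join', 'leave', 'drop' or 'ignore' for one IGMP message on a port."""
        if len(igmp_bytes) < 8:
            return "ignore"
        msg_type, _, _, raw = struct.unpack("!BBH4s", igmp_bytes[:8])
        group = ".".join(str(b) for b in raw)
        groups = self.joined.setdefault(port, set())
        if msg_type == IGMP_LEAVE_GROUP:
            groups.discard(group)
            return "leave"
        if msg_type != IGMP_V2_MEMBERSHIP_REPORT:
            return "ignore"
        if group in groups:
            return "join"                    # periodic refresh of an existing membership
        if len(groups) >= self.max_groups:
            return "drop"                    # over the cap: not forwarded toward the L3 SW
        groups.add(group)
        return "join"

def join_sequence(limiter, port, channels):
    """Constructed sample: the CH1, CH2, CH3, ..., CH53 joins of the slide from one port."""
    return [limiter.handle(port, igmp_message(IGMP_V2_MEMBERSHIP_REPORT, channel_group(c)))
            for c in channels]
```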
Slide 24: Problem Description: No Wireless LAN Authentication
[Figure: a home user and a non-wireless subscriber (hacker) both associate with the home user's AP, which connects through the DSLAM/L2 SW, L3 SW, Ntopia SW and BRAS (SER) to the Internet and the DHCP server.]
No Wireless LAN authentication = everyone can use the Wireless LAN service: Wireless LAN service stealing.
Sequence: 802.11 Association, then DHCP Request / DHCP Ack. Non-wireless subscribers can use the Wireless LAN service through a normal AP.
Slide 25: Proposed Wireless LAN Authentication (1): Static SSID
SSID (Service Set Identifier): a unique identifier attached to the header of every packet sent over the Wireless LAN. It is text data that wireless devices use when connecting to a BSS (Basic Service Set), and it distinguishes one wireless LAN from another. In other words, if the SSID a Wireless LAN terminal requests to connect with is not identical to the SSID pre-configured on the AP, the AP does not allow the wireless connection. The usual default setting of an AP is to broadcast its own SSID.
[Figure: an AP (IAD) on an Ethernet backhaul through the L2 SW (DSLAM) and BRAS to the IP/MPLS core with DHCP, TFTP and AAA servers; a home user and an attacker within radio range.]
1. Static SSID = KT_WLAN01 configured on the AP (SSID hidden mode)
2. Home user terminal: SSID = KT_WLAN01
3. Connection Request (SSID = KT_WLAN01)
4. Wireless authentication based on SSID: if received SSID == AP SSID? Accept
5. Connection Accept, then DHCP operation
6. Attacker: Connection Request (SSID = XXX)
7. Wireless authentication based on SSID: if received SSID == AP SSID? Discard
The AP (IAD) compares the SSID received from the wireless endpoint with its own SSID value to decide whether to allow the wireless connection.
Problem 1) When the AP is installed, a unique SSID must be configured on the IAD for each subscriber.
Problem 2) The subscriber must configure their SSID in the wireless network connection program (not plug-and-play).
Problem 3) If an attacker uses a wireless data monitoring tool, the SSID can be leaked.
Problem 4) No security is provided for traffic on the wireless segment.
Slide 26: Proposed Wireless LAN Authentication (2): MAC-based Authentication
[Figure: the same backhaul topology: IAD, L2 SW (DSLAM), BRAS, IP/MPLS core with DHCP, TFTP and AAA servers.]
1. Set the allowed MAC address list on the IAD: 00-01-00-55-66-77, 00-01-00-55-66-88
2. Home user (MAC: 00-01-00-55-66-77): Connection Request (MAC = 00-01-00-55-66-77)
3. Authentication based on MAC: if received MAC == allowed MAC? Accept
4. Connection Accept, then DHCP operation
5. Attacker (MAC: 00-01-00-AA-BB-CC): Connection Request (MAC = 00-01-00-AA-BB-CC)
6. Authentication based on MAC: if received MAC == allowed MAC? Discard
Problem 1) When the AP is installed, the MAC addresses of the terminals allowed to connect must be configured on the AP.
Problem 2) A terminal that was not registered in advance cannot connect; wireless terminals have no mobility (other house).
Problem 3) If an attacker uses a wireless data monitoring tool, MAC addresses can be leaked.
Problem 4) No security is provided for traffic on the wireless segment.
Slide 27: Proposed Wireless LAN Authentication (3): User ID/Password Authentication (802.1x EAP-MD5)
[Figure: wireless terminal, IAD, L2 SW (DSLAM), BRAS and the IP/MPLS core with DHCP, TFTP and AAA servers over an Ethernet backhaul.]
Initial Wireless LAN subscriber information registration: user name, password.
Exchange (port closed until EAP Success):
1. 802.11 Association
2. EAPoL Start
3. EAP Request (Identity)
4. EAP Response (Identity) -> RADIUS Access Request (Identity)
5. RADIUS Access Challenge (MD5 Challenge: MD5 key) -> EAP Request (MD5 Challenge: MD5 key)
6. EAP Response (MD5 hashed user ID/PW) -> RADIUS Access Request (MD5 hashed user ID/PW)
7. RADIUS Accept (OK) -> EAP Success: open port, then DHCP operation
EAP = Extensible Authentication Protocol; EAPoL = EAP over LAN (Ethertype = 888E); WEP = Wired Equivalent Privacy.
EAP-MD5: one-way user ID/password hashing.
Authentication based on user ID/password.
Problem 1) An authentication server is required to provide the Wireless LAN service.
Problem 2) Weak security because the authentication is one-way.
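The EAP-MD5 challenge/response of this slide as an added example (not code from the Netmanias document or KT's NETSPOT system): the response is MD5(EAP identifier || password || challenge), as in CHAP (RFC 1994, which EAP-MD5 follows), computed on the supplicant side and checked on the RADIUS side. The server sends nothing that proves its own identity, which is the one-way property Problem 2 refers to. User name and password are constructed.

```python
import hashlib, hmac, os

def eap_md5_response(eap_id, password, challenge):
    """EAP-MD5 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password.encode() + challenge).digest()

class RadiusEapMd5Server:
    """The AAA side of the slide: issues the MD5 challenge and checks the response."""
    def __init__(self, users):
        self.users = users             # user name -> clear-text password; MD5-Challenge needs it
        self.pending = {}              # user name -> (EAP identifier, challenge)

    def access_challenge(self, user, eap_id):
        """RADIUS Access-Challenge carrying EAP Request (MD5 Challenge: 16 random bytes)."""
        challenge = os.urandom(16)
        self.pending[user] = (eap_id, challenge)
        return challenge

    def access_request(self, user, response):
        """RADIUS Access-Request with the EAP Response: Accept means EAP Success, port opened."""
        if user not in self.pending:
            return "Reject"
        eap_id, challenge = self.pending.pop(user)     # a challenge is usable once
        password = self.users.get(user)
        if password is None:
            return "Reject"
        expected = eap_md5_response(eap_id, password, challenge)
        return "Accept" if hmac.compare_digest(expected, response) else "Reject"

def supplicant_exchange(server, user, password):
    """Supplicant: send Identity, receive the challenge, answer with the hash, get the result."""
    eap_id = 1
    challenge = server.access_challenge(user, eap_id)       # EAP Request (MD5 Challenge)
    response = eap_md5_response(eap_id, password, challenge)  # EAP Response (MD5 hashed ID/PW)
    return server.access_request(user, response)             # EAP Success or Failure
```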
Slide 28: Proposed Wireless LAN Authentication (4): User name/Password Authentication (IEEE 802.1x EAP-TLS)
[Figure: wireless terminal, IAD, L2 SW (DSLAM), BRAS and the IP/MPLS core with DHCP, TFTP and AAA (TLS authentication server) plus a CA, over an Ethernet backhaul.]
Initial Wireless LAN subscriber information registration: user name, password.
Exchange (port closed until EAP Success):
1. 802.11 Association
2. EAPoL Start
3. EAP Request (Identity)
4. EAP Response (Identity) -> RADIUS Access Request (Identity)
5. RADIUS Access Challenge (TLS: Start) -> EAP Request (TLS: Start)
6. EAP Response (TLS: Client Hello, server certificate request) -> RADIUS Access Request (TLS: Client Hello, server certificate request)
7. RADIUS Access Challenge (TLS: Server Hello, server certificate) -> EAP Request (TLS: Server Hello, server certificate)
8. EAP Response (TLS: client certificate {user id/pw}) -> RADIUS Access Request (TLS: client certificate {user id/pw})
9. RADIUS Access Challenge (TLS: Change Cipher Spec) -> EAP Request (TLS: Change Cipher Spec)
10. EAP Response (TLS: no data) -> RADIUS Access Request (TLS: no data)
11. RADIUS Accept (OK) -> EAP Success: open port, then DHCP operation
EAP-TLS: two-way encryption (mutual authentication).
Authentication based on user ID/password.
Problem 1) An AAA server that supports EAP-TLS is required.
Problem 2) A certificate management system (CA: Certificate Authority) is required.
Slide 29: Network Stumbler (Wireless LAN monitoring tool)
[Figure: screenshot of NetStumbler.]
Wireless LAN monitoring tools are easily obtained over the Internet, and with them the MAC addresses and SSIDs of packets exchanged over the air can easily be discovered.
Slide 30: KT Wireless LAN Authentication (NETSPOT: 400,000)
[Figure: subscriber, AP, DSLAM/L2 SW, L3 SW, Ntopia SW, ER (RS38K), DHCP server and the Netspot authentication server (WIMS).]
Booting, then 802.1x authentication:
- EAPOL-Start
- EAPOL-Request (SSID)
- EAPOL-Response (MyID) -> RADIUS Access Request
- RADIUS Access Challenge (Attr. Type: EAP, EAP Code: Request, EAP Type: MD5 Challenge) -> EAPOL-Request
- EAPOL-Response (MD5 hashed ID/PW) -> RADIUS Access Request (Attr. Type: EAP, EAP Code: Response, EAP Type: MD5 Challenge)
- RADIUS Access Accept (Attr. Type: EAP, EAP Code: Success) -> EAPOL-Success
IP allocation: DHCP Discovery (MAC = m3) -> DHCP Ack (m3, ip3); the subscriber now has MAC = m3, IP = ip3 and uses the services (Internet, ...).
Service Name | Service Region     | Subscribers (2004.12) | Service ID
Family       | Home, Hotspot Zone | 240,000               | Multiple User ID
Solo         | Home, Hotspot Zone | 30,000                | One User ID
Pop          | Hotspot Zone       | 130,000               | One User ID
Total        |                    | 400,000               |
- SSID: "NETSPOT" (SSID hidden mode: the subscriber sets the SSID to "NETSPOT")
- User authentication: Home and Hotspot subscribers: 802.1x EAP-MD5
SSID: Service Set IDentifier
Slide 31: Tele2-Versatel (1/2)
Slide 32: Tele2-Versatel (2/2)
Slide 33: End of Document