Re: Dhcp security
From: Cory Stoker (cory_at_clearnetsec.com)
Date: 01/28/05
- Previous message: Miroslaw Slawek Chorazy: "Re: Users "bypassing" Group Policy restrictions"
- In reply to: Pidgorny, Slav: "RE: Dhcp security"
- Next in thread: skander.ben.mansour_at_accenture.com: "RE: Dhcp security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 27 Jan 2005 18:11:46 -0700
To: <focus-ms@securityfocus.com>
Ah, very good. I enjoyed your paper thoroughly. This does go to show how
hard "true" end-point security is going to be. I think this is mostly due
to the nature of internal networks being designed as open, i.e. plug in your
computer and off you go. Your method could be used in many ways. All the
products I mentioned have many attack vectors to circumvent security, except
for maybe the Cisco NAC stuff, which places you into a quarantine zone that
is enforced on another device.
One of the ways to circumvent the scanning of Microsoft clients via RPC or
remote registry is to redirect the RPC ports to a "clean" host, which could
be another host/VMware client, or, if I am admin of the host AND I know what
the scans are looking for, I could possibly send forged responses. Also, when
using an installed agent, which would theoretically try to verify the
information it finds, I could design a program like a device driver in
Windows (a rootkit) that would feed the agent false or modified results. Of
course, these attacks have all sorts of costs associated with carrying them
off, but if a scan was the only thing stopping someone from gaining internal
access to a server illegitimately with my non-compliant/allowed device, the
right people could carry some of these attacks off. Of course, most of the
products out there right now do not mention trying to stop malicious
attackers, just the odd worm or two plus vulnerable systems.
One thing I particularly note about having a common quarantine network
segment is that if a host is infected with the virus du jour, then other
devices sitting in the same quarantine segment (i.e. waiting to be tested,
actively being tested, failed tests, etc.) are all openly exposed to being
infected (albeit potentially for a shorter duration).
-Cory Stoker
On 1/27/05 3:50 PM, "Pidgorny, Slav" <slav.pidgorny@anz.com> wrote:
> http://sl.mvps.org/docs/802dot1x.htm
>
> Note that only a physical connection is required - all the necessary information
> to create the "shadow host" can be sniffed. The shadow host will receive DHCP
> leases and bypass any MAC controls in place.
>
> * Microsoft has plans to implement NAP for 802.1x, as well as for DHCP and
> IPsec. Choosing IPsec over 802.1x and especially DHCP is a good idea though.