Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On 2015-07-27, Quartz qua...@sneakertech.com wrote:

> Some years ago I remember reading that when using OpenBSD (or any OS, really) as a router+firewall it was considered inadvisable from a security standpoint to have the different networks all attached to a single network card with multiple ethernet ports. The thinking being that it was theoretically possible for an attacker to exploit bugs in the card's chip to short circuit the path and route packets directly across the card in a way pf can't control. It was also suggested that in addition to using different physical cards, the cards should really use different chipsets too, in case an unknown driver bug allows a short circuit.

Those are not realistic concerns.

-- 
Christian "naddy" Weisgerber na...@mips.inka.de
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
>> turning out rather difficult to find a case that's small enough to fit. I'd really like to use an itx system with multiple onboard ethernet jacks and cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure
>
> A Lanner FW7525 or even an Alix APU don't seem to be much larger...

They're not, but they also lack a bunch of features we need.

This is a little off-topic, but I should clarify that although this device's primary purpose is a firewall+router, it also has to provide a handful of other network-related services that set a few requirements vis-à-vis hardware. Pre-fab appliance-type devices always seem to fail at least one of these requirements. They also don't address the separate NICs issue, so if it turns out that that's not a problem anyway, a mini-itx board would be a much better choice for our situation.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On Mon, Jul 27, 2015 at 12:46 PM, Quartz qua...@sneakertech.com wrote:

> Some years ago I remember reading that when using OpenBSD (or any OS, really) as a router+firewall it was considered inadvisable from a security standpoint to have the different networks all attached to a single network card with multiple ethernet ports. The thinking being that it was theoretically possible for an attacker to exploit bugs in the card's chip to short circuit the path and route packets directly across the card in a way pf can't control. It was also suggested that in addition to using different physical cards, the cards should really use different chipsets too, in case an unknown driver bug allows a short circuit.
>
> I swear I read this somewhere on the website, but I can't seem to find it now and I'm wondering if the concept is even still valid. The impetus here is that I'm building a router+firewall for a cramped location and it's turning out rather difficult to find a case that's small enough to fit. I'd really like to use an itx system with multiple onboard ethernet jacks and cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure if that's a good idea, security wise. Any thoughts?

It is certainly possible theoretically, but you'll have to go to very great lengths to imagine a scenario where a remote attacker could exploit such a flaw. It's next to impossible to identify the make and model of the NIC that holds an IP address (if it is even directly bound to a NIC; CARP and other similar technologies get in the way if used), so the attacker would first have to acquire this information through other means.

-Kimmo
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
2015-07-27 11:46 GMT+02:00 Quartz qua...@sneakertech.com:

> turning out rather difficult to find a case that's small enough to fit. I'd really like to use an itx system with multiple onboard ethernet jacks and cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure

A Lanner FW7525 or even an Alix APU don't seem to be much larger...

Best
Martin
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
Though, of course, if you have been actively developing your system, or if you have already been subject to other root attempts, a root attempt runs a significant risk of crashing it. (And if you have been developing a lot, there's a decent chance you'll have already crashed it so many times that you will not be able to distinguish the root attempt from your own work. Or, maybe you will - it depends on the nature of the update.)

-- 
Raul

On Mon, Jul 27, 2015 at 9:52 AM, Joseph Crivello josephcrive...@gmail.com wrote:

> If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On Mon, Jul 27, 2015 at 7:37 AM, Christian Weisgerber na...@mips.inka.de wrote:

> On 2015-07-27, Quartz qua...@sneakertech.com wrote:
>
>> Some years ago I remember reading that when using OpenBSD (or any OS, really) as a router+firewall it was considered inadvisable from a security standpoint to have the different networks all attached to a single network card with multiple ethernet ports. The thinking being that it was theoretically possible for an attacker to exploit bugs in the card's chip to short circuit the path and route packets directly across the card in a way pf can't control. It was also suggested that in addition to using different physical cards, the cards should really use different chipsets too, in case an unknown driver bug allows a short circuit.
>
> Those are not realistic concerns.

Intel 82574L "packet of death" comes to mind as one example of a bug in the EEPROM that allowed an attacker to bring down an interface: http://blog.krisk.org/2013/02/packets-of-death.html

These days you have bypass features in hardware that allow packets to flow from one interface to another even if the firewall is turned off. Who knows what other bugs in such functionality will be discovered in the future?

Having said that, just throwing random chipsets into the mix is probably not the right solution. You may actually be increasing your attack surface. If this is a real concern for you, I think multiple firewalls, one behind the other (and using different chipsets, if you really want to), is a better way to go.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
> It is certainly possible theoretically, but you'll have to go to very great lengths to imagine a scenario where a remote attacker could exploit such a flaw. It's next to impossible to identify the make and model of the NIC that holds an IP address (if it is even directly bound to a NIC; CARP and other similar technologies get in the way if used), so the attacker would first have to acquire this information through other means.

Well, I'm not convinced that needing to identify the card first is really a requirement - I feel it's more likely an attacker using these techniques would just blast out a bunch of probes and figure it out based on what bounces back, a similar concept to port knocking.

I wish I could find/remember where on openbsd.org this was mentioned and use the Wayback Machine or something, because it seemed like whoever wrote about it knew what they were talking about.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
> These days you have bypass features in hardware that allow packets to flow from one interface to another even if the firewall is turned off.

Can you elaborate on this? Also, that brings up another point wrt motherboards with multiple jacks; are BIOS attacks something to worry about?

> Having said that, just throwing random chipsets into the mix is probably not the right solution. You may actually be increasing your attack surface.

That's always a possibility, yes.

> If this is a real concern for you,

The thing is, I don't really know if this should be a realistic concern; that's why I'm asking. A motherboard with multiple ports would certainly be more convenient, but it's not worth it if it would compromise security.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On 2015-07-27, Quartz qua...@sneakertech.com wrote:

> This is a little off-topic, but I should clarify that although this device's primary purpose is a firewall+router, it also has to provide a handful of other network related services that set a few requirements vis a vis hardware.

Depends what they are, but those other services are far more likely to be a problem than a multiport NIC.
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On 27-07-2015 09:13, Kimmo Paasiala wrote:

> It's next to impossible to identify the make and model of the NIC that holds an IP address

With IPv6 and poor configuration, a remote attacker already has that information. MAC addresses reveal a lot of information about a NIC.

Cheers,
Giancarlo Razzolini
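The leak Giancarlo describes can be checked on your own hosts. The following is an added example written for this page, not code from the thread or from OpenBSD: it decodes the modified EUI-64 interface identifier that stateless address autoconfiguration (SLAAC) derives from a NIC's MAC address, and reports which globally routable addresses embed the MAC and its OUI (vendor prefix). An address that decodes this way tells a remote peer the NIC's vendor, which is exactly the information Kimmo considered hard to obtain; the mitigation is to use RFC 4941 privacy (temporary) addresses or a manually assigned interface identifier. The sample addresses and the MAC they encode are constructed for the example; the vendor lookup itself is left to the IEEE OUI registry.

```python
import ipaddress
from typing import List, Optional, Tuple


def mac_from_eui64(addr: str) -> Optional[str]:
    """Return the MAC embedded in a SLAAC/EUI-64 IPv6 address, or None.

    A modified EUI-64 interface identifier is built by splitting the 48-bit
    MAC in half, inserting 0xFFFE between the halves, and flipping the
    universal/local bit (0x02) of the first octet. Undoing both steps
    recovers the original MAC. Addresses whose identifier lacks the 0xFFFE
    marker (privacy extensions, random or static IIDs) are reported as None.
    """
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]                      # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None                          # not derived from a MAC
    first_octet = iid[0] ^ 0x02              # undo the U/L bit flip
    mac = bytes([first_octet]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def oui(mac: str) -> str:
    """First three octets of a MAC: the vendor prefix to look up in the IEEE registry."""
    return mac[:8]


def audit(addrs: List[str]) -> List[Tuple[str, str, str]]:
    """Report (address, mac, oui) for every global address that exposes the NIC.

    Link-local addresses are skipped: they are never visible to a remote
    attacker, so only globally routable EUI-64 addresses are a disclosure.
    """
    findings = []
    for a in addrs:
        mac = mac_from_eui64(a)
        if mac is not None and not ipaddress.IPv6Address(a).is_link_local:
            findings.append((a, mac, oui(mac)))
    return findings


# Constructed sample: a host whose MAC is 00:1b:21:12:34:56 (made up for the
# example) has one SLAAC address, one privacy address and one link-local address.
SAMPLE_ADDRS = [
    "2001:db8::21b:21ff:fe12:3456",      # EUI-64 from the MAC: leaks the NIC
    "2001:db8::a1b2:c3d4:e5f6:789a",     # RFC 4941 temporary address: nothing to learn
    "fe80::21b:21ff:fe12:3456",          # same MAC, but link-local only
]

if __name__ == "__main__":
    for addr, mac, prefix in audit(SAMPLE_ADDRS):
        print(f"{addr} embeds MAC {mac} (OUI {prefix}); enable privacy addresses")
```

Run against the output of `ifconfig` (or `ip -6 addr` on Linux) to see whether the firewall's outside interface advertises its NIC vendor to the world; on OpenBSD the fix is `ifconfig em0 inet6 autoconfprivacy`, which the documentation describes for enabling temporary addresses.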
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On Mon, Jul 27, 2015 at 11:10 AM, Quartz qua...@sneakertech.com wrote:

>> These days you have bypass features in hardware that allow packets to flow from one interface to another even if the firewall is turned off.
>
> Can you elaborate on this?

Search for "intel nic bypass mode" and you'll find lots of details. It's an increasingly common feature in server network adapters. If the host OS is down, the NIC continues forwarding packets between two ports without any processing. Some older implementations used a physical jumper to enable or disable this feature. Now it's all done in software and can even be configured remotely.

For example: http://www.lannerinc.com/applications/product-features/lan-bypass
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
Joseph Crivello [josephcrive...@gmail.com] wrote:

> If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.

If you are running OpenBSD or Bitrig and you have VT-d enabled, someone is working on bringing iommu functionality to both OSes right now. This can prevent runaway DMA. Kinda cool, ya know!
Re: Firewall question: is using a NIC with multiple jacks considered insecure?
On Mon, Jul 27, 2015 at 10:52 PM, Joseph Crivello josephcrive...@gmail.com wrote:

> If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.

(Somewhat of a rhetorical question, but ...)

How hard would it be to design and assemble one's own NIC, and use said design to construct one's own switch?

(I daydream too much. Right now I'm daydreaming of a switch-on-a-card. It's been a while since I've seen such things advertised, but maybe I'm not looking in the right places nowadays.)

-- 
Joel Rees

Be careful when you look at conspiracy.
Arm yourself with knowledge of yourself, as well:
http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html