With the third Packet Life contest wrapped up I wanted to take a moment to point out what I hope a number of people noticed independently, if subconsciously. Each contest over the past several months was designed to carry some sort of lesson in security which I'll discuss here.
The first contest challenged participants to identify the access VLAN of the switch port from which the capture was taken. The solution showed how the VLAN ID could be derived from an 802.1t-format spanning tree bridge ID. While this is a novel demonstration, it could present an issue if the integrity of your network design assumes that a malicious attacker won't know what VLAN he is on.
The second contest follows the same vein, illustrating how implementing secured OSPF adjacencies can actually expose the system time configured on a router. While this may seem benign, such information leakage could prove beneficial to an attacker. For example, if I encounter a router whose clock is set to May 14, 2002, I might deduce that a) NTP is not in use and b) the router has been up for 75 days (counting from 1 March 2002, the default date for many IOS versions). It might also be handy to know exactly what time a router thinks it is to assist in certain cryptographic attacks.
And finally, the most recent contest demonstrates how a network can be compromised by the weakest link in its chain of security measures. We saw how, despite the strong authentication and privacy provided by SNMPv3, it's easily negated if the credentials it uses can be gleaned from an insecure protocol like Telnet.
Admittedly, the scenarios in these contest are pretty obscure (if they weren't, what fun would the contests be?). Instead of expecting people to remember the intricacies presented in these specific illustrations, I intended to highlight these abstract points:
- Information leaks are everywhere; assume an attacker knows your network well.
- Securing one entity may expose another to exploitation or unavailability.
- To borrow a cliché, you are only as strong as your weakest link.
Suggestions for the next theme are welcome.