Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training (1) 2019
0 likes90 views
El documento aborda la seguridad de la infraestructura DHCP, destacando su vulnerabilidad a ciberataques, como el 'spoofing' y el 'DHCP starvation'. Se recomienda el uso de tecnologías de seguridad como 'DHCP snooping' para proteger la red y garantizar que las configuraciones provengan de servidores DHCP de confianza. Además, se mencionan productos de Korenix que implementan estas características de seguridad en sus switches de red.
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training (1) 2019
- 1. Protect Your DHCP Infrastructure from Cyberattacks JJ Sun PSM
- 2. Agenda • IEC62443 IACS standard • Scope and why • DHCP protocol and how it works • DHCP’s Vulnerabilities • Types of Cyberattacks to DHCP • Defense by network security – DHCP Snooping • Korenix products with advanced security features
- 3. IEC62443
- 4. Fundamental But Insecure MAC IP TCP / UDP Applications
- 5. Dynamic Host Configuration Protocol PLC I/O Drive Sensor HMI IPCAdmin station Camera Reader DHCP Server
- 6. DHCP Architecture DHCP Client (MAC bbb.bbb.bbb) DHCP Client (MAC ccc.ccc.ccc) DHCP Server DHCP Client (MAC aaa.aaa.aaa) IP Address Pool / Binding Table 192.168.10.1 aaa.aaa.aaa 192.168.10.2 bbb.bbb.bbb 192.168.10.3 (available) … 192.168.10.100 (available) Policy IP Subnet mask Gateway DNS
- 7. DHCP Client (MAC aaa.aaa.aaa)DHCP Server DHCP Transaction DISCOVER (Broadcast) I am MAC aaa.aaa.aaa. Please assign network configuration for me. REQUEST (Broadcast) Yes, please lease it to me. OFFER (Broadcast) I’m the DHCP server and how about this IP address for you? ACK (Unicast) Done, you can use the IP address now.
- 8. Vulnerabilities and Attacks • DHCP spoofing from client • DHCP spoofing from server • DHCP starvation and DoS • Man-In-The-Middle or Hijacking • Broadcasting • No authentication • No validation
- 9. Malicious Client (MAC ccc.ccc.ccc)DHCP Server OFFER How about this IP address? ACK Done, you can use it now. DISCOVER I am MAC aaa.aaa.aaa. Please assign IP and network configuration for me. REQUEST Yes, please lease it to me. Spoofing From Malicious Client
- 10. DHCP Client (MAC ccc.ccc.ccc)DHCP Server DISCOVER I am MAC aaa.aaa.aaa. please assign IP and network configuration for me. …DISCOVER I am MAC bbb.bbb.bbb. please assign IP and network configuration for me. … DISCOVER I am MAC zzz.zzz.zzz. please assign IP and network configuration for me. … DHCP Starvation
- 11. Malicious Client (MAC ccc.ccc.ccc)DHCP Server DISCOVER I am MAC ccc.ccc.ccc. please assign IP and network configuration for me. …DISCOVER I am MAC ccc.ccc.ccc. please assign IP and network configuration for me. … DISCOVER I am MAC ccc.ccc.ccc. please assign IP and network configuration for me. … Denial Of Service
- 12. DHCP ClientDHCP Server DISCOVER The OFFER from the rogue DHCP server arrives client before the one from legitimate DHCP server. The transcation is scrambled and the network configuration goes wrong. OFFER Rogue DHCP Server Spoofing From Rogue Server
- 13. More Than DHCP Attacks DHCP Client DHCP Server DHCP Client Rogue DHCP Server Gateway IP address Gateway DNS
- 14. Defense By Network Security Goal: • Avoid invalid DHCP messages coming into the network • Make sure that network configurations are given from the trusted DHCP server DHCP Client DHCP Server DHCP Client Rogue DHCP Server Malicious DHCP Client
- 15. DHCP Snooping • A network security technology protects DHCP infrastructure against malicious DHCP sources, either from clients or servers, and to block fake DHCP messages • Network (LAN) switches with this feature snoop DHCP messages to ensure the incoming DHCP messages are valid, it also helps to ensure network configuration are given from the trusted DHCP server • More importantly, beyond guarding DHCP infrastructure, DHCP snooping generates an table including information about a trusted network, which can be further used by other security features
- 16. How DHCP Snooping Works DHCP Client DHCP Server DHCP Client DHCP Client TRUSTED ? ? ?UNTRUSTED
- 17. DHCP Client (MAC ccc.ccc.ccc)DHCP Server I am MAC aaa.aaa.aaa. please assign an IP for me. I am MAC ccc.ccc.ccc. please assign an IP for me. Switch Validate Messages DISCOVER I am a server and here is the IP for you. DISCOVER OFFER ?
- 18. Rogue DHCP Server Fix On Trusted Sources DHCP Client DHCP Server DHCP Client Rogue DHCP Server DHCP Client ? ? ? Rogue DHCP Server
- 19. JetNet with DHCP Snooping Din-Rail switches Layer 2 • JetNet 5612G • JetNet 5620G Rackmount switches Layer 2 • JetNet 5428G • JetNet 6528G • JetNet 6628G • JetNet 6628X Layer 3 • JetNet 7014G • JetNet 7020G Layer 3 • JetNet 6828G • JetNet 7628X
- 20. JetPoE with DHCP Snooping Din-Rail switches Layer 2 • JetNet 5612GP • JetNet 5620GP Rackmount switches Layer 2 • JetNet 5728G-16P • JetNet 5728G-24P • JetNet 6628XP Layer 3 • JetNet 7310G • JetNet 7714G Layer 3 • JetNet 6728G-16P • JetNet 6728G-24P • JetNet 7628XP
- 22. Statistics and Binding Table Address Binding Table Snooping Statistics
- 23. Summary • DHCP infrastructure is insecure by nature. It is crucial and strongly recommended to apply security protection if DHCP is used in an industrial network • Network switches play an important role to protect an DHCP infrastructure. DHCP snooping should be enabled to against different type of spoofing attacks, either from rogue DHCP servers or malicious clients • Addressing IEC62443 the security standard, Korenix has implemented DHCP snooping on both its din-rail switches or rackmount switches, which fit for different level of networks for mission-critical industrial applications
- 24. To Be Continued • Korenix Network Security Webinar – Part 2 MAC IP DHCP APPLICATION