Ronny L. Bull & Dr. Jeanna Matthews. DerbyCon 4.0. Sept 27th, 2014

Size: px

Start display at page:

Download "Ronny L. Bull & Dr. Jeanna Matthews. DerbyCon 4.0. Sept 27th, 2014"

Elijah Blankenship
6 years ago
Views:

1 Layer 2 Network Security in Virtualized Environments Ronny L. Bull & Dr. Jeanna Matthews DerbyCon 4.0 Sept 27th, 2014

2 The Researchers Ronny Bull Computer Science Ph.D. Graduate Student at Clarkson University Lecturer for the Dept. of Computer Science at SUNY Poly Software Engineer at Exelis Inc. Owner of Adirondack IT Solutions, LLC Dr. Jeanna Matthews Associate Professor for the Dept. of Computer Science at Clarkson University

3 Presentation Outline Abstract Virtualization Overview Multi-Tenancy Virtual Networking Bridges Switches Layer 2 Network Attacks Demo Results Discussion

4 Abstract Cloud Services Offer customers virtual server hosting in multi-tenant environments Virtual machines are typically all connected to a single virtual networking device within the host Host systems may utilize a virtual bridge or more robust virtual switch for inter-networking virtual machines Software emulated version of physical devices

5 The Question Since all client virtual machines are essentially connected to a virtual version of a physical networking device, do Layer 2 network attacks that typically work on physical devices apply to their virtualized counterparts? Important question to explore: All cloud services that rely on virtualized environments could be vulnerable This includes data centers hosting mission critical or sensitive data!

6 Coke vs Pepsi What if they hosted their data services at the same provider?

7 Coke vs Pepsi What if their virtual servers were co-located on the same host?

8 Coke vs Pepsi What if there was a fairly easy way for one to gain a competitive edge?

9 Presentation Outline Abstract Virtualization Overview Multi-Tenancy Virtual Networking Bridges Switches Layer 2 Network Attacks Demo Results Discussion

10 Virtualization Overview

11 Virtualization Overview

12 Centralized Virtualization

13 Decentralized Virtualization

14 Presentation Outline Abstract Virtualization Overview Multi-Tenancy Virtual Networking Bridges Switches Layer 2 Network Attacks Demo Results Discussion

15 Multi-Tenancy Cloud service providers maximize resources Place multiple client VMs on same physical host Share CPU, Memory, Networking, & Storage resources Heterogeneous environments (OS, Services) Client access to VMs varies Some grant full root privileges Installation from scratch by client Pre-canned templates Others restrict setup or build to suit customer needs

16 Multi-Tenancy Service Providers Amazon EC2 Microsoft Azure Google Cloud Services Countless fly by night VPS hosting providers online Brick and mortar data centers serving local clients Similarities Most run some form of Xen (OS Xen, XenServer) Some use VMWare or Hyper-V All share network connectivity between tenants

17 Multi-Tenancy

18 Multi-Tenant Networking

19 Presentation Outline Abstract Virtualization Overview Multi-Tenancy Virtual Networking Bridges Switches Layer 2 Network Attacks Demo Results Discussion

20 Bridging Physical bridges connect two or more segments at Layer 2 Separate collision domains Maintain MAC address forwarding table for each segment Forward requests based upon destination MAC addresses Do not cross bridge if destination is on same segment as source Cross if destination is on a different segment connected to the bridge

21 Bridging

22 Virtual Bridges Simplest form of virtual networking Uses 802.1d Ethernet Bridging Support built into Linux kernel and bridge-utils userspace package Uses virtual TAP interfaces to connect virtual machines to virtual bridge (ie. tap0) User-space Network Tap Simulates a Layer 2 (link layer) network device

23 Virtual Bridging

24 Switching Physical switches operate at Layer 2 or higher Multi-port bridges Separate collision domains CAM Table Content Addressable Memory Similar to bridge forwarding table Dynamic table that maps MAC addresses to ports Allows switches to intelligently send traffic to connected devices Check frame header for destination MAC and forward Finite amount of memory!

25 Ethernet Frame Preamble 8 Dest. Address 6 Source Address 6 Preamble Dest. Address 6 8 Type / Length 2 Data FCS ~ 4 What the switch needs to match against its CAM

26 Switching

27 Virtual Switches Advanced form of virtual networking Can emulate Layer 2 and higher physical devices Virtual machines connect to vswitch via virtual interfaces (ie. vif0) Similar to tap devices Able to provide services such as QoS VLAN traffic separation Performance & traffic monitoring

28 Virtual Switching

29 Virtual Switches Variety of virtual switches available Typically bound to certain environments Open vswitch OS Xen, Citrix XenServer, KVM, Prox-Mox Cisco Nexus 1000V Series VMWare vsphere, MS Hyper-V (add-on) MS Hyper-V Virtual Switch Microsoft Hyper-V All are considered as enterprise level solutions

30 Presentation Outline Abstract Virtualization Overview Multi-Tenancy Virtual Networking Bridges Switches Layer 2 Network Attacks Demo Results Discussion

31 Layer 2 Network Attacks MAC Flooding Flood switch with numerous random MAC addresses to fill the CAM table buffer Forces switch into fail safe mode (a.k.a. Hub mode) All frames forwarded to all connected devices Breaks collision domain separation Works well on most physical switches Can be mitigated by enforcing port security on physical switches Feature only currently available on Cisco Nexus 1000V 'Non-Free' version (VMWare Essentials Plus)

32 Layer 2 Network Attacks VLAN Hopping Frames can be modified to allow traffic to hop VLANs Gain unauthorized access to portions of network Modify VLAN tag to put attacker on target network Requires access to default VLAN or trunk port Can be mitigated by strict VLAN configuration of physical switch ports

33 Layer 2 Network Attacks DHCP Attacks Rogue DHCP server is placed on the network Allows attackers to perform man-in-the-middle attacks Get clients to associate with rogue services DNS TFTP Can create DoS situations Duplicate addressing Can be mitigated by enforcing static addressing

34 Layer 2 Network Attacks ARP Spoofing Broadcast fake Address Resolution Protocol messages to a network Can be used to hijack traffic destined for another host Eavesdropping Man-in-the-middle attacks Also can be used to perform DoS attacks on a server Can be mitigated by using static ARP entries

35 Multi-Tenant Cloud Malicious VM

36 Multi-Tenant Cloud Malicious VM

37 Presentation Outline Abstract Virtualization Overview Multi-Tenancy Virtual Networking Bridges Switches Layer 2 Network Attacks Demo Results Discussion

38 Test Environment A.K.A. SUNY Poly Cloud Security Research Lab

39 Demo MAC Flooding attack on Bridged interface MAC Flooding attack on Virtual Switched interface Gentoo, OS Xen, Linux Kernel Bridging Gentoo, OS Xen, Latest Open vswitch MAC Flooding attack on Virtual Switched interface (enterprise) Citrix XenServer Uses an older implementation of Open vswitch

40 Coke vs Pepsi What if there was a fairly easy way for one to gain a competitive edge?

41 Presentation Outline Abstract Virtualization Overview Multi-Tenancy Virtual Networking Bridges Switches Layer 2 Network Attacks Demo Results Discussion

42 Results (MAC Flooding - Bridged)

43 Results (MAC Flooding OVS 2.0.0)

44 Results (MAC Flooding - Overall) Hypervisor Virtual Switch Vulnerable OS Xen 4.3 Linux 802.1d Bridging No OS Xen 4.3 Open vswitch Yes OS Xen 4.3 Open vswitch Yes Citrix XenServer 6.2 Open vswitch Yes M.S. Server 2008 R2 w/hyperv M.S. Hyper-V Free MS Hyper-V Switch No MS Hyper-V Switch No Vmware vsphere (ESXi) 5.5 Default vswitch N/A

45 Conclusion All Layer 2 vulnerabilities discussed were targeted towards the virtual networking devices not the hypervisors themselves Results show that virtual networking devices CAN be just as vulnerable as their physical counterparts Further research and experimentation is necessary to find out more similarities XenServer and any other solutions utilizing Open vswitch are vulnerable out of the box!

46 Conclusion A single malicious virtual machine has the potential to sniff all traffic passing over a virtual switch This can pass through the virtual switch and affect physically connected devices allowing traffic from other parts of the network to be sniffed as well! Significant threat to the confidentiality, integrity, and availability (CIA) of data passing over a network in a virtualized muli-tenant environment

47 Acknowledgments Special thanks to the following people: My Ph.D. Advisor, Dr. Jeanna Matthews Nick Merante, and his SUNY Poly DogNet student admins My Cloud Security Research Lab assistants: Dylan Long and Dan Spier Chris Urban, SUNY Poly Computer Science Dept. chair SUNY Poly Research Foundation SUNY Poly NCS Club!

48 Presentation Outline Abstract Virtualization Overview Multi-Tenancy Virtual Networking Bridges Switches Layer 2 Network Attacks Demo Results Discussion

VLAN Hopping, ARP Poisoning, and Man-In-TheMiddle Attacks in Virtualized Environments

VLAN Hopping, ARP Poisoning, and Man-In-TheMiddle Attacks in Virtualized Environments Dr. Ronny L. Bull, Ph.D. Utica College Nexus Seminar Series Nov 10th 2017 About Me Ph.D. in Computer Science from Clarkson