"Linux Gazette...making Linux just a little more fun!"

Exploits are about as prolific as kernel updates. Well okay, maybe not that common. Still, vulnerabilities are abundant for any OS no matter what the platform, and the vulnerabilities in Linux are no exception. The Linux Router Project (and Linux-based routers in general) have some unique security issues that Cisco and other proprietary routers do not have, because of the nature of the PC hardware and the Linux kernel. For example, buffer overflows are common with Linux, while hardware routers are almost immune to them. The LRP sysadmin must take care to recognize and address these vulnerabilities.

So on the one hand we have a different router for everything: ISDN, Ethernet, frame relay T1, xDSL, PPP, ..., even a [cable modem/portmapping router/Ethernet hub with a nifty graphic HTML interface], each device unique and purposeful for each unique and specialized routing application. And the source code and hardware is confidential and proprietary.

On the other hand we have a general purpose x86 processor that can do anything with the right software, and the Linux Router Project is a perfect application. It is creating an open alternative to proprietary routers in the same way that a grass-roots effort made Linux an alternative to proprietary Unices. The LRP is an actual Linux kernel, streamlined to facilitate routing in all its forms, and adaptable to just about any networking situation:

• Speed and efficiency: No bloat, nothing unnecessary. Just routing, routing, routing.
• Disaster/Failure recovery: If for example you have an SMC NIC in your LRP box and it dies, you're able to stick a Netgear in it without trouble; simply load the tulip.o module instead.
• Security: The kernel touches all the hardware, the networking subsystem, the storage, the human interface. I'll get to this in a minute.

Traditionally, firewalls and routers are discrete entities with one box being a router, another box being a filtering firewall, another box a proxy server or what have you. Each service has its own unique hardware, specially designed for the function it performs. In recent times the hardware for these devices started coalescing, much like the way ATA IDE is now built into the motherboard and treated as a part of the motherboard even though four years ago it was an ISA card.

Eventually these multipurpose routers will introduce a new discipline in security --and security means a million things. There's physical security, core (kernel, internal) security, network (routing) security. If the industry avoids proprietary hardware, it should rethink its security. Here's part of the plan:

I. Physical Security

1. Policy. First write a Security and Audit Policy. You can't take over the world unless you have a plan. Enforce it. Start with a map of the network, and list:
   • What services are running on what machines
   • Who gets what access levels
   • Where the machines are located
   • Other rules, e.g., passwords are eight characters one non-alphanumeric, etc.
   ...even detail how often to hand-pass the bright red passwords floppy. When you see all these lists in front of you the rest of the plan flows--when you know what services run where--it's easy to make filtering rules.

2. Backups. Back up the LRP floppy. Don't waste time backing up the conf files, just blow an image (a la 'dd') of the entire disk. It's the best and fastest way to copy it. Be careful because some flavors of the LRP disk are larger than 1.44M and thus need to be mounted on (copied from) /dev/fd0u1680 or similar. Create the device with 'mknod' if you don't see it. There's no such thing as backing up too much.

3. Physical Security and Location. Since the LRP's facsimile for non-volatile RAM is a floppy disk, we need to lock the headless box in a room with no keyboard so no one can flip out the true floppy in favor of a counterfeit. Nor can they flip the floppy out and destroy it: a low-tech DoS attack. This plan works with Ciscos too, though there is no bogus quickboot. If sequestering the computer is not an option, crack the case and move the floppy drive back a couple centimeters. Insert the LRP disk and cover the drive with small plastic faceplate. This is called 'security by obscurity'.

4. Go Up. Real machine rooms have (in addition to restricted access, halon, backup power, air conditioning and wire conduits) devices in racks. Cosmetically the racks and raised floors are for cable management; practically the racks are for air flow, alien invasion, fires, floods, mop buckets, spilled coffee. Put the LRP router on a table. Even an old pallet works.

5. BIOS password. Remember that this box is also a PC. Use BIOS passwords. I'm not sure if any BIOSes on 486 boards have universal passwords so be careful.

II. Core Kernel Security

Vulnerabilities between the Linux kernel and router routers differ. CERT data reports that the most common attacks are denial of service (DoS) and scanning. DoS attacks are easy to do and hard to defeat. Buffer overflows (uncommon) and DoS attacks (common) are possible in both worlds just the same. Port scanning can come from inside or outside. Scanning, though not an 'attack' per se, could easily be construed in a court of law as network reconnaissance, or even a denial of service, depending on the intensity. To my knowledge we have yet to see precedents.

We solve these two problems in the kernel with security patches and nmap. Of the main LRP distros, Oxygen kernels include the Openwall patch --in fact Oxygen is continuously upgraded. If you see a vulnerability, rest assured it's in the latest Oxygen. According to David Douthitt, the brain behind Oxygen, the kernel itself protects "against IP spoofing, unusual packet addresses (martians), and [rejects] ICMP redirects and ICMP echo requests." --Even so, standard filtering (network security, below) should include these rules as well.

nmap: I call this SATAN's successor. It's the touchstone security tool. nmap scans any set of TCP or UDP ports on any set of IP addresses to test and find vulnerabilities in your own network. nmap reveals unnecessary services running on the LRP box. There are unnecessary services running on some out-of-the-box LRP distros (e.g., discard, daytime, time). A quick trip to SecurityFocus.com or Rootshell.com can tell you how to exploit them.

CERT does not discuss other common vulnerabilities from your own users on your own network such as filesystem security or sniffing. Filesystem stuff like fdisk, mke2fs or fstab does not warrant discussion here (though I do suggest that LRP developers include the chattr command with future LRP releases that allow non-root logins), and sniffing won't matter if you only log into the LRP box from the console. --Whoops, it's headless! We will worry about sniffing.

Ethernet sniffing is dangerous. In many cases it is possible to sniff other logical networks on shared cable modem Ethernet segments. Maybe even your neighbor's dynamic PPP connection from another dialup. Viruses and scans and every one of the eleventeen thousand "UNICODE bugs" are already so rampant we can expect sniffing to become much more common and widespread --maybe become a category for CERT if it isn't already. It's interesting how a lack of IP addresses peripherally facilitates cracking...

Encryption and authentication (ssh, ssl, smime, PGP) circumvent sniffing. But since any encryption can be broken over time the best we can hope for is that our data becomes obsolete before the encryption does. We protect the data for the most important window possible --such as a telnet session. Who cares if someone decodes it a year from now? Too many routers rely on password authentication that is subject to brute force attacks or worse, depending on the interface. Here the LRP wins. It supports ssh.

III. Network and External Routing Security

Schema for a typical business infrastructure border router:

• Prevent RFC1918 private network addresses (192.168.0.0 and friends) from entering or leaving
• Block unapproved routing protocols to and from any destination
• Block access to NETBIOS over TCP/IP ports
• Block source-routed packets
• Prohibit spoofing of internal networks
• Filter or reject all TCP packets that are not connection open attempts
• Allow ICMPs to particular IP addresses
• Permit internal machines to service internal machines, especially nameservice and ssh
• Allow ssh to all hosts that support it
• Drop and log everything else

The short answer is: "Block Everything." Allow access only to ports where services are running, such as port 80 for the webserver, port 22 for ssh. Wrap and chroot whenever possible (e.g., BIND). Running X on Internet-accessible machines is a big no-no.

Back to routing. Routing is not an easy task for the beginner, hence we have HTML interfaces for Circuit City routers and such. We also have Windows(tm). For others we have the LRP. The text-based LRP menu interface presents familiar annotated /etc/conf.files --simple for the Linux (Unix, Freenix) user but intimidating as a cryptic command line for anyone else. Other one-disk router approaches hold the same disadvantageous learning curve. However, the LRP brings the mysterious Routing Tao closer to geeks than other routers: The commands are familiar. Unlike a Cisco command line 'conf term', LRP configurations and commands don't get old and stale after not touching them for a year. For the non-geek the trade off between a thousand dollar router and the LRP is money versus time.

So you can buy a specialized router router, or you can tweak your vacuum-tube hardware and add wizbang features and compile modules into the LRP kernel and customize. The tradeoff is flexibility versus security. The LRP replaces non-volatile RAM with a floppy and embedded hardware with a kernel: Just keep some special security challenges in mind.

Mark Fevola

Copyright © 2001, Mark Fevola.
Copying license http://www.linuxgazette.com/copying.html
Published in Issue 67 of Linux Gazette, June 2001