Firewall question: is using a NIC with multiple jacks considered insecure?


quartz-2
Some years ago I remember reading that when using OpenBSD (or any OS,
really) as a router+firewall it was considered inadvisable from a
security standpoint to have the different networks all attached to a
single network card with multiple ethernet ports. The thinking being
that it was theoretically possible for an attacker to exploit bugs in
the card's chip to short circuit the path and route packets directly
across the card in a way pf can't control. It was also suggested that in
addition to using different physical cards, the cards should really use
different chipsets too, in case an unknown driver bug allows a short
circuit.

I swear I read this somewhere on the website, but I can't seem to find
it now and I'm wondering if the concept is even still valid. The impetus
here is that I'm building a router+firewall for a cramped location and
it's turning out rather difficult to find a case that's small enough to
fit. I'd really like to use an itx system with multiple onboard ethernet
jacks and cram it into something like a MiniBox M350 or Antec ISK110,
but I'm not sure if that's a good idea, security-wise. Any thoughts?


Re: Firewall question: is using a NIC with multiple jacks considered insecure?

Martin Schröder
2015-07-27 11:46 GMT+02:00 Quartz <[hidden email]>:
> turning out rather difficult to find a case that's small enough to fit. I'd
> really like to use an itx system with multiple onboard ethernet jacks and
> cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure

A Lanner FW7525 or even an Alix APU don't seem to be much larger...

Best
   Martin


Re: Firewall question: is using a NIC with multiple jacks considered insecure?

Christian Weisgerber
In reply to this post by quartz-2
On 2015-07-27, Quartz <[hidden email]> wrote:

> Some years ago I remember reading that when using OpenBSD (or any OS,
> really) as a router+firewall it was considered inadvisable from a
> security standpoint to have the different networks all attached to a
> single network card with multiple ethernet ports. The thinking being
> that it was theoretically possible for an attacker to exploit bugs in
> the card's chip to short circuit the path and route packets directly
> across the card in a way pf can't control. It was also suggested that in
> addition to using different physical cards, the cards should really use
> different chipsets too, in case an unknown driver bug allows a short
> circuit.

Those are not realistic concerns.

--
Christian "naddy" Weisgerber                          [hidden email]


Re: Firewall question: is using a NIC with multiple jacks considered insecure?

quartz-2
In reply to this post by Martin Schröder
>> turning out rather difficult to find a case that's small enough to fit. I'd
>> really like to use an itx system with multiple onboard ethernet jacks and
>> cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure
>
> A Lanner FW7525 or even an Alix APU don't seem to be much larger...

They're not, but they also lack a bunch of features we need.

This is a little off-topic, but I should clarify that although this
device's primary purpose is a firewall+router, it also has to provide a
handful of other network-related services that set a few requirements
vis-à-vis hardware. Pre-fab appliance-type devices always seem to fail
at least one of these requirements. They also don't address the separate
NICs issue, so if it turns out that that's not a problem anyway, a
mini-itx board would be a much better choice for our situation.


Re: Firewall question: is using a NIC with multiple jacks considered insecure?

Kimmo Paasiala
In reply to this post by quartz-2
On Mon, Jul 27, 2015 at 12:46 PM, Quartz <[hidden email]> wrote:

> Some years ago I remember reading that when using OpenBSD (or any OS,
> really) as a router+firewall it was considered inadvisable from a security
> standpoint to have the different networks all attached to a single network
> card with multiple ethernet ports. The thinking being that it was
> theoretically possible for an attacker to exploit bugs in the card's chip to
> short circuit the path and route packets directly across the card in a way
> pf can't control. It was also suggested that in addition to using different
> physical cards, the cards should really use different chipsets too, in case
> an unknown driver bug allows a short circuit.
>
> I swear I read this somewhere on the website, but I can't seem to find it
> now and I'm wondering if the concept is even still valid. The impetus here
> is that I'm building a router+firewall for a cramped location and it's
> turning out rather difficult to find a case that's small enough to fit. I'd
> really like to use an itx system with multiple onboard ethernet jacks and
> cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure
> if that's a good idea, security-wise. Any thoughts?
>

It is certainly possible theoretically, but you'll have to go to very
great lengths to imagine a scenario where a remote attacker could
exploit such a flaw. It's next to impossible to identify the make and
model of the NIC that holds an IP address (if it is even directly
bound to a NIC; CARP and other similar technologies get in the way if
used); the attacker would first have to acquire this information through
other means.

-Kimmo


Re: Firewall question: is using a NIC with multiple jacks considered insecure?

quartz-2
> It is certainly possible theoretically, but you'll have to go to very
> great lengths to imagine a scenario where a remote attacker could
> exploit such a flaw. It's next to impossible to identify the make and
> model of the NIC that holds an IP address (if it is even directly
> bound to a NIC; CARP and other similar technologies get in the way if
> used); the attacker would first have to acquire this information through
> other means.

Well, I'm not convinced that needing to identify the card first is
really a requirement; I feel it's more likely an attacker using these
techniques would just blast out a bunch of probes and figure it out
based on what bounces back, a similar concept to port knocking.

I wish I could find/remember where on openbsd.org this was mentioned and
use the wayback machine or something, because it seemed like whoever
wrote about it knew what they were talking about.


Re: Firewall question: is using a NIC with multiple jacks considered insecure?

Maxim Khitrov
In reply to this post by Christian Weisgerber
On Mon, Jul 27, 2015 at 7:37 AM, Christian Weisgerber
<[hidden email]> wrote:

> On 2015-07-27, Quartz <[hidden email]> wrote:
>
>> Some years ago I remember reading that when using OpenBSD (or any OS,
>> really) as a router+firewall it was considered inadvisable from a
>> security standpoint to have the different networks all attached to a
>> single network card with multiple ethernet ports. The thinking being
>> that it was theoretically possible for an attacker to exploit bugs in
>> the card's chip to short circuit the path and route packets directly
>> across the card in a way pf can't control. It was also suggested that in
>> addition to using different physical cards, the cards should really use
>> different chipsets too, in case an unknown driver bug allows a short
>> circuit.
>
> Those are not realistic concerns.

Intel 82574L packet of death comes to mind as one example of a bug in
the EEPROM that allowed an attacker to bring down an interface:

http://blog.krisk.org/2013/02/packets-of-death.html

These days you have "bypass" features in hardware that allow packets
to flow from one interface to another even if the firewall is turned
off. Who knows what other bugs in such functionality will be
discovered in the future?

Having said that, just throwing random chipsets into the mix is
probably not the right solution. You may actually be increasing your
attack surface. If this is a real concern for you, I think multiple
firewalls, one behind the other (and using different chipsets, if you
really want to), is a better way to go.


Re: Firewall question: is using a NIC with multiple jacks considered insecure?

Joe Crivello
In reply to this post by quartz-2
If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.


Re: Firewall question: is using a NIC with multiple jacks considered insecure?

Raul Miller
Though, of course, if you have been actively developing your system,
or if you have already been subject to other root attempts, a root
attempt runs a significant risk of crashing it.

(And if you have been developing a lot, there's a decent chance you'll
have already crashed it so many times that you will not be able to
distinguish the root attempt from your own work. Or, maybe you will -
it depends on the nature of the update.)

--
Raul



On Mon, Jul 27, 2015 at 9:52 AM, Joseph Crivello
<[hidden email]> wrote:
> If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.


Re: Firewall question: is using a NIC with multiple jacks considered insecure?

Giancarlo Razzolini-3
In reply to this post by Kimmo Paasiala
On 27-07-2015 09:13, Kimmo Paasiala wrote:
> It's next to impossible to identify the make and
> model of the NIC that holds an IP address
With IPv6 and poor configuration, a remote attacker already has that
information. MAC addresses reveal a lot of information about a NIC.

Cheers,
Giancarlo Razzolini
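Giancarlo's point above is that an IPv6 address built with a Modified EUI-64 interface identifier embeds the NIC's MAC address, and the first three octets of that MAC (the OUI) identify the vendor. The Python audit below is an added example and not part of this thread or of OpenBSD; it flags interface addresses that carry a MAC so the host can be reconfigured to use temporary addresses (RFC 4941) or a manually chosen identifier instead. The interface names and addresses in the sample are constructed.

```python
import ipaddress


def eui64_mac(addr: str):
    """Return the MAC address ('xx:xx:xx:xx:xx:xx') embedded in an IPv6
    address whose interface identifier is a Modified EUI-64 (RFC 4291,
    appendix A), or None if the low 64 bits do not carry the ff:fe marker.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits of the address
    if iid[3:5] != b"\xff\xfe":                    # EUI-64 stuffing bytes absent
        return None
    mac = bytearray(iid[0:3] + iid[5:8])
    mac[0] ^= 0x02                                 # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in mac)


def audit_addresses(assignments):
    """Given (interface, address) pairs, return one finding per address that
    reveals a MAC.  Link-local addresses are reported with scope 'link-local'
    (only visible on the segment); anything else is reported as 'global',
    which is what a remote peer would see."""
    findings = []
    for ifname, addr in assignments:
        mac = eui64_mac(addr)
        if mac is None:
            continue
        a = ipaddress.IPv6Address(addr)
        findings.append({
            "iface": ifname,
            "addr": addr,
            "mac": mac,
            "oui": mac[:8],                      # vendor part: first three octets
            "scope": "link-local" if a.is_link_local else "global",
        })
    return findings


# Constructed sample (not taken from a real host): one EUI-64 global address,
# one EUI-64 link-local address, and one RFC 4941 temporary address.
SAMPLE = [
    ("em0", "2001:db8:1::211:22ff:fe33:4455"),
    ("em0", "fe80::211:22ff:fe33:4455"),
    ("em1", "2001:db8:1::5c7a:91b3:0e44:d2f1"),
]

if __name__ == "__main__":
    for f in audit_addresses(SAMPLE):
        print(f"{f['iface']} {f['addr']} reveals MAC {f['mac']} "
              f"(OUI {f['oui']}, {f['scope']})")
```

Only the global finding matters for a remote observer; the link-local one is included because it shows the same MAC and confirms which interface generated the identifier. The temporary address produces no finding, which is the configuration you want on an externally reachable interface.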


Re: Firewall question: is using a NIC with multiple jacks considered insecure?

quartz-2
In reply to this post by Maxim Khitrov
> These days you have "bypass" features in hardware that allow packets
> to flow from one interface to another even if the firewall is turned
> off.

Can you elaborate on this?

Also, that brings up another point wrt motherboards with multiple jacks:
are BIOS attacks something to worry about?


> Having said that, just throwing random chipsets into the mix is
> probably not the right solution. You may actually be increasing your
> attack surface.

That's always a possibility yes.


> If this is a real concern for you,

The thing is, I don't really know if this should be a realistic concern;
that's why I'm asking. A motherboard with multiple ports would certainly
be more convenient, but it's not worth it if it would compromise security.


Re: Firewall question: is using a NIC with multiple jacks considered insecure?

Stuart Henderson
In reply to this post by quartz-2
On 2015-07-27, Quartz <[hidden email]> wrote:
> This is a little off-topic, but I should clarify that although this
> device's primary purpose is a firewall+router, it also has to provide a
> handful of other network-related services that set a few requirements
> vis-à-vis hardware.

Depends what they are, but those other services are far more likely to
be a problem than a multiport NIC.


Re: Firewall question: is using a NIC with multiple jacks considered insecure?

Maxim Khitrov
In reply to this post by quartz-2
On Mon, Jul 27, 2015 at 11:10 AM, Quartz <[hidden email]> wrote:
>> These days you have "bypass" features in hardware that allow packets
>> to flow from one interface to another even if the firewall is turned
>> off.
>
> Can you elaborate on this?

Search for "intel nic bypass mode" and you'll find lots of details.
It's an increasingly common feature in server network adapters. If the
host OS is down, the NIC continues forwarding packets between two
ports without any processing. Some older implementations used a
physical jumper to enable or disable this feature. Now it's all done
in software and can even be configured remotely. For example:

http://www.lannerinc.com/applications/product-features/lan-bypass


Re: Firewall question: is using a NIC with multiple jacks considered insecure?

Chris Cappuccio
In reply to this post by Joe Crivello
Joseph Crivello [[hidden email]] wrote:
> If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.

If you are running OpenBSD or Bitrig and you have VT-d enabled, someone is working on bringing iommu functionality to both OSes right now. This can prevent runaway DMA. Kinda cool, ya know!


Re: Firewall question: is using a NIC with multiple jacks considered insecure?

Joel Rees-2
In reply to this post by Joe Crivello
On Mon, Jul 27, 2015 at 10:52 PM, Joseph Crivello
<[hidden email]> wrote:
> If someone successfully attacks the firmware on any of your network cards, you are screwed no matter what. Any modern network card is going to have the ability to issue DMAs and can easily root your entire system.
>

(Somewhat of a rhetorical question, but ...) How hard would it be to
design and assemble one's own NIC, and use said design to construct
one's own switch?

(I daydream too much. Right now I'm daydreaming of a switch-on-a-card.
It's been a while since I've seen such things advertised, but maybe
I'm not looking in the right places nowadays.)

--
Joel Rees

Be careful when you look at conspiracy.
Arm yourself with knowledge of yourself, as well:
http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html