Introduction | VXLAN prototype | Security assessment | Q&A
Security assessment on a VXLAN-based network
Guido Pineda Reyes
MSc. Systems and Networking Engineering, University of Amsterdam
February 5, 2014
Guido Pineda Reyes Security assessment on a VXLAN-based network
Outline
1 Introduction: Virtual eXtensible LAN, Research question, Approach
2 VXLAN prototype
3 Security assessment: MAC Flood Attack, Double-Encapsulated 802.1Q/Nested VLAN Attack, ARP Attack, UDP Flood Attack, Future research, Conclusions
4 Q&A
Virtual eXtensible LAN: Introduction
Still an Internet Draft, current revision: 7th
Allows logical networks to be extended
Encapsulates MAC-based Layer 2 frames within a UDP packet
Up to 16 million logical networks
No security assessment has been performed yet
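As an added example (not part of the presentation), a Python model of the encapsulation described above: a Layer 2 frame behind an 8-byte VXLAN header whose 24-bit VNI selects the logical network. It assumes the header layout of the VXLAN draft (flags byte with the "I" bit, three reserved bytes, 24-bit VNI, one reserved byte); the packets are constructed sample data.

```python
from collections import defaultdict

# VXLAN header: flags (1 byte), 3 reserved bytes, 24-bit VNI, 1 reserved byte.
VXLAN_HEADER_LEN = 8
VXLAN_FLAG_VNI_VALID = 0x08   # the "I" flag: the VNI field is valid
VNI_MAX = (1 << 24) - 1       # 24-bit VNI gives 16,777,216 logical networks
ETH_HEADER_LEN = 14           # dst MAC, src MAC, EtherType

def make_frame(dst_mac, src_mac, ethertype=0x0806, payload=b"\x00" * 28):
    """Minimal inner Ethernet frame from colon-separated MACs (constructed sample data)."""
    macs = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", ""))
    return macs + ethertype.to_bytes(2, "big") + payload

def build_vxlan(vni, inner_frame, flags=VXLAN_FLAG_VNI_VALID):
    """Prepend a VXLAN header to a Layer 2 frame: the encapsulation the slide describes."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    return bytes([flags, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_frame

def parse_vxlan(udp_payload):
    """Return (vni, inner_frame); raise ValueError for anything a VTEP should drop."""
    if len(udp_payload) < VXLAN_HEADER_LEN + ETH_HEADER_LEN:
        raise ValueError("too short for a VXLAN header plus an Ethernet header")
    if not udp_payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("I flag clear: VNI is not valid")
    vni = int.from_bytes(udp_payload[4:7], "big")
    return vni, udp_payload[VXLAN_HEADER_LEN:]

def demux_by_vni(udp_payloads):
    """Deliver each inner frame only to the segment named by its VNI and count drops.
    Keyed by VNI, so tenants reusing the same inner MACs never see each other's frames."""
    segments, dropped = defaultdict(list), 0
    for payload in udp_payloads:
        try:
            vni, frame = parse_vxlan(payload)
        except ValueError:
            dropped += 1
            continue
        src_mac = frame[6:12].hex()   # inner source MAC, visible to that segment only
        segments[vni].append(src_mac)
    return dict(segments), dropped

# Constructed sample: two tenants reuse the same MAC on VNI 100 and VNI 200, plus one
# packet with the I flag clear that the receiver must drop.
SAMPLE = [
    build_vxlan(100, make_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55")),
    build_vxlan(200, make_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55")),
    build_vxlan(100, make_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55"), flags=0x00),
]
```

Running `demux_by_vni(SAMPLE)` keeps the two tenants' frames in separate VNI buckets even though the inner MACs are identical, which is the segment isolation the conclusions refer to.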
Virtual eXtensible LAN: Typical use case
Research questions
Main question: How feasible are the known VLAN attacks in a VXLAN environment?
Subquestions:
Which attacks were successful?
What is the difference between these attacks in a VLAN and a VXLAN environment?
Is there any way to prevent or mitigate them?
Approach
Build the VXLAN prototype.
Deploy the security assessment on the prototype.
Focus on successful attacks.
Understand how these attacks work in order to propose how to mitigate or prevent them.
VXLAN prototype: Design
VXLAN prototype: Options
VMware vSphere products
VMware vSphere + Cisco Nexus 1000v
VXLAN Linux implementation (needs kernel modification)
VXLAN prototype: Connectivity tests (UDP encapsulated traffic)
VXLAN prototype: Connectivity tests (VXLAN encapsulation)
Security Assessment
MAC Flood Attack
Double-Encapsulated 802.1Q/Nested VLAN Attack
ARP Attack
UDP Flood Attack
Evaluation
MAC Flood Attack: Scenarios
MAC Flood Attack
Tool: macof
Results:
Attacker on physical net: Successful
Attacker on logical net: Failed
Mitigation/Prevention:
Restrict the number of MAC addresses learned per port
Specify static MAC address associations
IDS
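As an added example (not from the presentation), a Python model of the first two mitigations on this slide: a forwarding database that caps the MAC addresses learned per port and honours static MAC-to-port bindings, plus an IDS-style check that flags a port whose cap is hit repeatedly, which is how a MAC flood looks from the switch side. The class and the sample traffic are constructed for this example and do not model any particular vendor's implementation.

```python
from collections import defaultdict

class PortSecurityFDB:
    """Forwarding database with a per-port MAC cap and operator-pinned static bindings."""

    def __init__(self, max_macs_per_port, static_bindings=None):
        self.max_macs = max_macs_per_port
        self.static = dict(static_bindings or {})   # mac -> port, pinned by the operator
        self.learned = defaultdict(set)             # port -> MACs learned dynamically
        self.violations = []                        # (port, mac, reason)

    def learn(self, port, src_mac):
        """Return True if a frame from src_mac on port may be forwarded, else record why not."""
        if src_mac in self.static:
            if self.static[src_mac] == port:
                return True
            self.violations.append((port, src_mac, "static-mac-on-wrong-port"))
            return False
        macs = self.learned[port]
        if src_mac in macs:
            return True
        if len(macs) >= self.max_macs:
            self.violations.append((port, src_mac, "mac-limit-exceeded"))
            return False
        macs.add(src_mac)
        return True

def replay(fdb, frames):
    """Feed (port, src_mac) pairs through the FDB; return (forwarded, dropped)."""
    forwarded = dropped = 0
    for port, src_mac in frames:
        if fdb.learn(port, src_mac):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped

def flood_suspects(fdb, min_violations):
    """IDS-style check: ports whose limit violations reach the threshold, i.e. a likely MAC flood."""
    counts = defaultdict(int)
    for port, _, reason in fdb.violations:
        if reason == "mac-limit-exceeded":
            counts[port] += 1
    return sorted(port for port, c in counts.items() if c >= min_violations)

# Constructed sample traffic: two hosts on port 1, a pinned server on port 2, a flood of
# 200 distinct source MACs on port 3, and finally the server's MAC appearing on port 1.
SAMPLE_FRAMES = [(1, "00:aa:00:00:00:01"), (1, "00:aa:00:00:00:02"), (2, "00:bb:00:00:00:01")]
SAMPLE_FRAMES += [(3, f"02:{i >> 8:02x}:{i & 0xff:02x}:de:ad:00") for i in range(200)]
SAMPLE_FRAMES.append((1, "00:bb:00:00:00:01"))
STATIC = {"00:bb:00:00:00:01": 2}
```

With a cap of five MACs per port, `replay(PortSecurityFDB(5, STATIC), SAMPLE_FRAMES)` forwards 8 frames and drops 196, and `flood_suspects` singles out port 3 while the mis-placed server MAC is logged separately as a static-binding violation.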
Double-Encapsulated 802.1Q/Nested VLAN Attack: Scenario
Double-Encapsulated 802.1Q/Nested VLAN Attack: Concept
Double-Encapsulated 802.1Q/Nested VLAN Attack
Tool: scapy
Results:
Attacker on logical net: Failed
ARP Attack: Scenarios
ARP Attack: Summary
Tool: arpspoof
Results:
Attacker on physical net: Successful
Attacker on logical net: Successful
Mitigation/Prevention:
Blocking direct communication between the attacker and the victim.
Configuring private communication between the hosts at the service provider level.
ARP Attack: Scenarios
UDP Flood Attack: Summary
Tool: flood.pl
Results:
Attacker on physical net: Failed
Mitigation/Prevention:
IDS to detect unusual UDP traffic
Further research: Possible vulnerability
Trying to modify the FDB and redirect all traffic to the attacker.
Conclusions: Most relevant points
Building the prototype is not trivial
Some attacks are feasible
The failure of the Double-Encapsulation and MAC flooding attacks shows that VXLAN segments are isolated from each other.
The ARP attacks show that Man-in-the-Middle or DoS attacks are possible from within any network (physical & logical).
Mitigation and prevention are mainly a matter of best practices.
Q&A
Questions?